CyberWire Daily - Russian privateering continues. Stonefly is straight out of Pyongyang, and the Lazarus Group has never really left. Foggy Bottom seeks (Russian) snitches.
Episode Date: April 27, 2022

Heard on the Baltimore waterfront. Privateering against Western brands. An update on sanctions and counter sanctions. Stonefly, straight outta Pyongyang. Lazarus is also back (and not in the good way). Richard Hummel from NETSCOUT discusses their bi-annual Threat Intel Report. Jon DiMaggio from Analyst1 joins us to discuss his new book, "The Art of Cyberwarfare - An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime." And the US Department of State has added six Russian GRU officers to its Rewards for Justice program. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/81

Selected reading.
Britain says Ukraine controls majority of its airspace (Reuters)
Latest strikes on Russia hint daring Ukraine is not intimidated by the Kremlin (The Telegraph)
West gearing up to help Ukraine for 'long haul', says US defence secretary (the Guardian)
U.S., allies promise to keep backing Ukraine in its war with Russia (Washington Post)
Russia-linked hackers claim to have breached Coca-Cola Company (CyberNews)
Stormous ransomware gang claims to have hacked Coca-Cola (Security Affairs)
Chinese drone-maker DJI quits Russia and Ukraine (Register)
Russia to Cut Gas to Poland and Bulgaria, Making Energy a Weapon (Bloomberg)
Russia cuts off gas to Poland, Bulgaria, stoking tensions with E.U. over Ukraine (Washington Post)
Why Russia's Economy Is Holding On (Foreign Policy)
Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets (Symantec)
A "Naver"-ending game of Lazarus APT (Zscaler)
U.S. offers $10 mln reward for information on Russian intelligence officers -State Dept (Reuters)
US offering $10 million for info on Russian military hackers accused of NotPetya attacks (The Record by Recorded Future)
Rewards for Justice – Reward Offer for Information on Russian Military Intelligence Officers Conducting Malicious Activity Against U.S. Critical Infrastructure - United States Department of State (United States Department of State)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Heard on the Baltimore waterfront, privateering against Western brands, an update on sanctions and counter-sanctions.
Stonefly, straight out of Pyongyang, Lazarus is also back, but not in the good way.
Richard Hummel from NETSCOUT discusses their biannual threat intel report.
Jon DiMaggio from Analyst1 joins us to discuss his new book, The Art of Cyber Warfare,
an investigator's guide to espionage, ransomware, and organized cybercrime.
And the U.S. Department of State has added six Russian GRU officers
to its Rewards for Justice program.
From the Cyber Wire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Wednesday, April 27th, 2022.
We're attending the Global Cyber Innovation Summit today in Baltimore,
and while all discussions are being held under Chatham House rules,
we can say that discussions of Russia's cyber operations have turned on two general impressions.
The first is that Russia has indeed conducted cyber attacks,
notably the earlier wiper attacks, but that these attacks have not had the widespread
effects of earlier Russian attacks.
The second is that for reasons that are still imperfectly understood, cyber deterrence in
this case seems to be working, and that this is the reason Moscow has been pulling its
cyber punches.
But of course cyber attacks can be deniable in the grey zone.
Some recent ransomware attacks are being interpreted as privateering. Two groups in particular, the gangs behind Conti and Stormous,
have been particularly active in the Russian interest. Conti, the better known of the two,
has sustained doxing and compromise of internal chatter by hacktivists and probably Ukrainian
intelligence services. But these seem to have not slowed it down.
Security Week reports that at least 30 new victims of Conti
have been claimed on the gang's site in the month of April alone.
The other operation, Stormous,
only came to prominence around the outset of Russia's invasion of Ukraine.
The group has claimed, according to Security Affairs,
to have successfully obtained access to some of
Coca-Cola Company's servers from which they've stolen some 116 gigabytes of information.
CyberNews says that the file names mentioned by Stormous suggest that the gang is claiming to have
taken, quote, financial data, passwords, commercial accounts, email addresses, and other data, end
quote. Stormous has a dubious reputation, but word on the street
is that they're not what they claim to be. Their victims tend not to confirm the attacks Stormous
claims, and there's speculation, reported by SOCRadar and others, that Stormous is a scavenger
operation, that is, they simply scrape up material others have dumped and represent it as their own.
Oil exports have enabled Russia to preserve its economy from collapse, Foreign Policy explains,
largely because customers have been soft on the sanctions they say they're willing to impose.
Quote,
Despite predictions of doom for the heavily sanctioned Russian economy,
nearly two months into Russian President Vladimir Putin's invasion of Ukraine, his country's oil exports to Europe and nations such as India and Turkey have actually risen,
and its financial sector is so far avoiding a serious liquidity crisis.
Quote,
Sanctions may work in the long run, experts say,
but for now, many of the same countries that are sanctioning Russia
are still seriously undercutting their efforts by buying energy from them, in some cases in even larger amounts during April than in March.
For its part, Bloomberg reports, Russia has imposed counter-sanctions on both Poland and
Bulgaria to punish them for their support of Ukraine, cutting off deliveries of natural gas
to those countries. Neither Warsaw nor Sofia seem likely to knuckle under the pressure.
The Register also reports that the first significant Chinese company to shutter its operations in Russia
is drone manufacturer DJI, which has also suspended operations in Ukraine.
Two new reports of North Korean cyberactivity were released today.
Symantec is tracking a resurgence of cyber espionage by Stonefly,
also known as DarkSeoul, BlackMine, Operation Troy, and Silent Chollima.
The most recent attack, which began in February, has been against, quote,
an engineering firm that works in the energy and military sectors, end quote.
It's believed Stonefly exploited a Log4j vulnerability on a
public-facing VMware View server. Stonefly pivoted from there to compromise 18 other systems in the
network. Narrowly focused on technical intelligence, Stonefly makes heavy use of commodity malware.
The other report on DPRK's cyber ops comes from Zscaler, which is following the Lazarus Group's recent activities:
an ongoing spear-phishing campaign, whose fish bait is typically related to cryptocurrency and whose fish hook is concealed in a Lazarus-controlled Dropbox account.
Correlation of domains identified earlier with the Lazarus Group led Zscaler to connect the campaign to Pyongyang's best-known threat actor.
And finally, the U.S. Department of State has added six Russian GRU officers to the
Rewards for Justice program. The six Russian operators, all members of Unit 74455,
also known as Sandworm, Voodoo Bear, TeleBots, and Iron Viking, are wanted in connection with
the NotPetya attacks. The six GRU hoods are alleged
to have been, quote, members of a conspiracy that deployed destructive malware and took other
disruptive actions for the strategic benefit of Russia through unauthorized access to victim
computers, end quote. Information on the six can draw a reward up to $10 million.
So step right up, Russian citizens. If you see something, say something.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
Dave sat down with Jon DiMaggio from Analyst1 to discuss his new book, The Art of Cyberwarfare,
an investigator's guide to espionage, ransomware, and organized cybercrime.
You have to be really creative, meaning, you know, when we see these stories that are going across most newspapers and headlines, they're bad guys that have found really creative ways to break into networks.
And one of the big differences to most threats out there, these advanced organized threats, especially nation states, if you stop and you mitigate their attempts to get into your network, they're not done.
They're going to come back a different way.
There's a human behind it, and they call them persistent threats for a reason.
So you have to treat them differently.
And so when I say sort of the art of that, you have to think like a bad guy out of the box.
You can't just wait for automation to tell you that there's a bad event taking place.
You have to go and hunt for a human because that is literally what's behind it.
It's a human behind a keyboard that is being creative and finding ways to get around your defenses.
So you can't rely on automation for that.
You, as a threat hunter, as a defender, you have to proactively go and search for these things. And in doing that over the years,
you know, I just found that a lot of, and I don't mean this in a negative way, because it's the way that we teach cybersecurity today, is a lot of, you know, analysts, they just, they rely too heavily
on, you know, security resources and tools to alert them that something bad is happening.
And the reality of it is, is that often bad guys get into your network
and then they use the tools that are already there
and there's never an alert that's even going to go off.
So whether it's finding a new creative way to exploit a vulnerability in your network
or whether it's finding legitimate use of tools that do bad things,
you have to go hunt and you have to be creative about it.
And it changes. You have to change with the bad guys and you have to be creative on how you do that. So that's why I felt like the word art,
if you will, was the best description of the content of the book. Yeah. What do you hope
people take away from the book? When they're done reading and they put it down, what lessons
would you like them to have learned? That is a great question, Dave. You know, I think that if there's one thing I would want analysts
to take away from this is to change their mindset on how they look at threats and how they track
those threats. And what I mean by that is, you know, the reason that there are so many organized attackers that have success is because we think too much about defending from a traditional aspect.
And I guess the one thing I would want analysts to really do is to remember that there's a difference between an advanced attacker and your traditional attack. And though it might only be 10% of the
activity or less that you see a year, those advanced attacks have to be treated differently
because it is a human behind it. And when you analyze these real world threats, you have to
really take in and assess, is this something that is a small level day-to-day attacker or could this be,
you know, a cyber criminal gang or could this be a government state sponsored threat?
And, you know, I teach in this book how to actually profile though when you do have an
attack and how to take that data and reverse it to use against your adversary to learn
and create intelligence about them that you can now defend with. So I really want to change the thought process that analysts have when they see threats.
Like any job, I feel like we just get almost bored with what we do, and we just get too content, and adversaries are not.
So I really want to inspire analysts to use the methodology and the resources that I talk and teach about in this book in their day-to-day job and to remember to be creative and to hunt for threats and to not sit and wait for things to appear on a screen to tell you that something bad is happening.
That's Jon DiMaggio from Analyst1.
Cyber threats are evolving every second, and staying ahead is more than just a
challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity
solution trusted by businesses worldwide. ThreatLocker is a full
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Dave recently sat down with Richard Hummel of NETSCOUT to discuss their biannual threat intel report.
In this report, we talk about the triple threat.
And we've been talking about triple extortion now for the past year, year and a half.
And what this is, is adversaries typically involved in the ransomware game, either ransomware as a service or deploying it themselves, have been adding tools to their portfolio that they can then apply more levers and get people to pay that ransom.
And so the idea of triple extortion is ransomware followed by data theft and holding that data hostage and then following it up with a DDoS attack to deny services at the actual network layer or systems and services that you might be running.
And so we're seeing more and more of these adversaries get into this triple extortion game. And even worse, we're seeing some ransomware
gangs realize that DDoS in and of itself can be a tool to be able to extort victims of payment.
And so as we start to see more of this, these ransomware operators are very sophisticated.
They're good at what they do. And you can just look at their revenue return to realize that. What happens when they start getting into these more sophisticated DDoS
operations and applying that same kind of sophistication? And so this is a phenomenon
that we expect to see continue. Yeah. One of the things that caught my eye in the report was
just how inexpensive DDoS for hire services have become. Can you give us some insights there?
So this was actually an eye-opener for myself as well.
In fact, I was talking to somebody similar to you, Dave,
and we were getting on the topic of this DDoS for hire
or what the costs are.
And I had somebody come to me and say,
hey, what is the average cost of a DDoS attack?
And my gut reaction was 10, 20 USD.
And I didn't really know. And when I started looking, did anybody else know? Was there blogs?
Was there reports? There's not a lot of people that talk about this. And so I put on my little
gray hat. I got my malware lab out and I said, all right, let's go spelunking. And so I logged
into about 19 of these DDoS for Hire platforms. And it turns out that all 19 of the ones that I looked at, they have a free tier of service.
Free tiers to launch things like DNS amplification, NTP, CLDAP, and even some of the TCP-based stuff.
And so the barrier to entry is no longer present.
There is zero reason to keep somebody from launching a DDoS attack.
It used to be you had to have a crypto wallet or you had to have some know-how
or you had to install a tool.
But now all you have to do
is get a VPN connection or a Tor browser,
find one of these DDoS for Hire platforms
and input an IP address of your victim
and boom, there you go.
Barrier to entry gone.
Yeah, and I suspect that could tie directly back
into what we were talking about with the ransomware gangs.
Because if I can send a warning shot across their bow with a free DDoS attack that I've gotten from someone else, that could rattle their cage a little bit.
Absolutely. And a lot of the DDoS attacks we see associated with this triple extortion or these ransomware operations, they do look like they're sourced from booter/stresser
services, another name for DDoS for hire platforms. Because we look at the duration of these attacks,
we look at the types of attack vectors, the bandwidth, the throughput, otherwise known as
volume and speed. And we can look at all of these things in concert. And we can look at it across
the entire global footprint. And now we can say that, look, all of these have a similar pattern.
They have an upper bandwidth, they have an upper throughput. They have average durations that are
much shorter than something sourced from a botnet. And that's not to say you can't use botnets from
these platforms, but by and large, the DDoS for hire platforms use reflection amplification.
And so a lot of times, yeah, in these triple extortion events, you'll see these booter/stresser platforms being used as part of that toolkit.
And where do we stand in terms of defending against these sorts of things?
What is the state of the art there?
So, knock on wood here, but the vast majority, if not all,
of the DDoS attacks so far that we've seen come from these DDoS for Hire platforms, these booter/stresser
services, can be mitigated by just being prepared and having some
form of defensive protection mitigation posture in place. Now, a lot of people say, hey, I have
a firewall that's going to protect me. Maybe it might protect you from some of these attacks,
but what happens when your state tables fill up? Or maybe I have IDS/IPS, so I'm going to detect
these and then I'm going to offload the traffic. But the thing with DDoS is it's very fast and very furious. Is that going to happen fast enough to be able to
keep your services online, to keep that lag out? If you're a service provider, how do you handle
that, right? You don't want lag. You don't want your customers to have connection issues and drop
issues because that's what generates user complaints. And then all of a sudden you have
users going elsewhere for their services. So the key here is preparation. Preparing is 80% of the
battle when it comes to DDoS. And if you understand that you will be a target at some point, whether
you are the direct target or you are collateral damage, DDoS attack traffic will hit you or affect
your life at some point in time. Understanding that and realizing that and then taking steps
to prepare against it are going to go a long way to be able to protect you against these kinds of attacks.
That's Richard Hummel from NETSCOUT.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technology.
Our amazing Cyber Wire team is Liz Ervin,
Elliot Peltzman, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Coral Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Trey Hester,
filling in for Dave Bittner.
Thanks for listening.
See you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.