CyberWire Daily - Russia’s hybrid war against Ukraine is currently heavier on the cyber than it is on the kinetic. BlackCat’s connection with DarkSide. An alert on LockBit. And six Indian call centers indicted.
Episode Date: February 7, 2022
The FSB is active against Ukrainian targets as NATO continues to work out the cybersecurity assistance it will provide Kyiv. BlackCat is found to be connected to the DarkSide gang, either as a superseding affiliate or as a simple rebranding of the same old crew. The FBI issues an alert about LockBit. Kevin Magee from Microsoft on their final report on Nobelium and the SolarWinds attack. Rick Howard steers the hash table toward supply chains. And the US has indicted six call centers in India on charges related to some familiar scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/25
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FSB is active against Ukrainian targets as NATO continues to work out the cybersecurity assistance it will provide Kyiv. BlackCat is found to be connected to the DarkSide gang. The FBI issues an alert about LockBit. Kevin Magee from Microsoft on their final report on Nobelium and the SolarWinds attack. Rick Howard steers the hash table towards supply chains. And the U.S. has indicted six call centers in India.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 7th, 2022.
Researchers update their accounts of Russian cyber espionage as observers look at the complexity of Russia's decision-making with respect to Ukraine. Microsoft late Friday released more information on the threat actor it calls Actinium and that others call Gamaredon or Primitive Bear. The Microsoft Threat Intelligence Center, MSTIC, quote, has observed Actinium targeting organizations in Ukraine spanning government, military, non-government organizations, judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed Actinium operating out of Crimea with objectives consistent with cyber espionage. End quote.

Actinium, MSTIC concludes, represents a different set of activities than the pseudo-ransomware wiper deployed against Ukrainian sites in January. So, they don't believe Actinium is responsible for WhisperGate. Ukrainian security services have attributed the activity to the FSB, specifically an FSB unit operating out of Crimea, and it's significant that MSTIC also sees Actinium's geographical base as lying in the peninsula Russia seized in 2014.

Primitive Bear is not generally reckoned as smarter than the average bear, but neither are its operators complete rookies. They vary their infrastructure periodically to evade detection, using over a 30-day period some 25 new unique domains and more than 80 distinct IP addresses. Its domain name DNS records change on average about once a day, not fast enough to count as fast flux, but enough for a plausible form of evasiveness. In general, Actinium quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later. These are fast-moving targets with a high degree of variance. The group also hosts the malicious macros remotely, which helps them evade detection by static analytical systems. Microsoft sees Actinium's principal objectives as collection and establishing persistence within targeted organizations in furtherance of future cyber espionage. It has typically gained initial access through phishing. Some of its phishing emails misrepresented themselves as coming from the World Health Organization.
The Wall Street Journal reports, quote, after the attack last month, Lithuania offered to deploy a group of emergency defenders known as the Cyber Rapid Response Team to help protect Ukraine's networks. The Rapid Response Team includes cybersecurity experts from Lithuania, Estonia, Croatia, Poland, the Netherlands, and Romania. While Ukraine hasn't yet accepted the offer, Victor Zhora, chief digital transformation officer at Ukraine's State Service of Special Communications and Information Protection, suggested that Kyiv could use assistance with quick response and quick countermeasures to defend their networks.

U.S. Deputy National Security Advisor Anne Neuberger has been consulting with NATO allies to organize a coordinated response to cyber threats Russia poses to Ukraine and, by implication, to Ukraine's neighbors and supporters. The Telegraph quotes her on the way in which a hybrid war is likely to develop. She said, quote, we've been warning for weeks and months, both publicly and privately, that cyber attacks could be part of a broad-based Russian effort to destabilize and further invade Ukraine. The Russians understand disabling or destroying critical infrastructure can augment pressure on the country's government, military, and population and accelerate the acceding to Russian objectives.

Why hasn't Ukraine been given access to NATO's Cooperative Cyber Defence Centre of Excellence? The Kyiv Post, citing Oleksii Danilov, Secretary of Ukraine's National Security and Defense Council, says Hungary blackballed Ukraine's membership late last year. Danilov says Hungary was the only NATO member to vote against Ukraine's membership.
The BlackCat ransomware gang, thought to be responsible for fuel delivery disruptions in Germany, has been traced, tentatively at least, to former members of the BlackMatter/DarkSide group. BlackCat is the name MalwareHunterTeam gave them when the threat actor emerged in November. The gang calls itself ALPHV, and would rather you address it as such. BleepingComputer describes BlackCat as a feature-rich operation, unusual in that it writes its code in Rust. It is, like its apparent predecessors, a ransomware-as-a-service player that gives its affiliates a highly customizable attack tool. In a conversation with The Record, BlackCat does the usual horn tooting and, amid other inside-baseball gassing, says it's a former DarkSide affiliate that borrowed their advantages and eliminated their disadvantages. They say they're apolitical and very good at what they do, but they quack like Russian privateers.

And Emsisoft analyst Brett Callow thinks BlackCat isn't a former DarkSide affiliate at all, but simply DarkSide itself, undergoing a rebranding after their loss of face due to an error that Emsisoft took advantage of to enable victims to recover their files without paying up. This cost affiliates millions. That's also essentially what DarkSide's C2C rival LockBit said back in December. DarkSide was brought down by the attention it drew when it attacked the Colonial Pipeline in the U.S., which suggests that BlackCat's attack on Oiltanking may be a case of history repeating itself.
Speaking of LockBit, the FBI's Friday flash alert on that gang hints that LockBit may soon receive some unwelcome law enforcement attention itself. LockBit has been a player in the ransomware-as-a-service market since September of 2019. They've achieved additional notoriety more recently for their efforts to bypass initial access brokers or rogue pen testers and instead recruit insiders from their victims who'd be willing to give up their organizations in exchange for a cut of the take. To hear LockBit tell it, the rewards they're offering the faithless for betrayal are better than chump change. BleepingComputer quoted one such come-on back in August. Would you like to earn millions of dollars? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate mail, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak. End quote.

Millions of dollars seems like a stretch, but whatever LockBit's offering is more than the proverbial 30 pieces of silver. Anyway, it's too much to expect truth in advertising on the criminal-to-criminal marketplace. As the old UMW leader John L. Lewis said in a different context many years ago, he who tooteth not his own horn, the same shall not be tooted. So factor that in. Still, probably not chump change.

The Bureau's advice is sound, if familiar. Use strong and unique passwords. Use multi-factor authentication. Keep your software up to date. Enable protected files in Windows, use a host-based firewall, and finally, restrict privileges and access to users who actually need them. The alert also advises network segmentation, monitoring systems and networks for unusual activity, using time-based access for admin accounts, disabling command line and scripting activities and permissions, regularly backing up data offline, and ensuring the backups are both encrypted and immutable. If you see signs of LockBit, the Bureau would like to hear from you. Good hunting, FBI.
And finally, you know those guys who call you up and say they're from the Social Security Police and tell you that your Social Security number has been involved in criminal fraud and is about to be suspended? We get them all the time, and they always sound like they're being placed from some boiler room or someplace like that and not from a nice office park on Security Boulevard. Some of them have been quite rude when our Social Security desks sought to engage them in conversation and appeal to their conscience or sense of religious devotion, shouting F you, for example, before slamming down their phone or growling, we're going to drag you out in handcuffs, stuff like that. Well, hey, what do you know? Turns out they may not be legit after all. The U.S. Attorney's Office for the Northern District of Georgia has announced the indictment of six call centers in India and their directors on charges related to conspiracy to defraud. The scams included not only the Social Security Police schtick, but also loan scams and IRS payment fraud. The U.S. Attorney also offers some advice for that dwindling number of Americans who still answer their voice calls. Quote, the public should exercise caution with any caller who claims to be a government employee. Government agencies will never threaten you with immediate arrest or other legal action if you do not send cash, retail gift cards, wire transfers, or internet currency. They will also never demand secrecy from you in resolving a debt or any other problem. End quote. Good advice. Remember, none of this is real. Although we confess we'll miss listening to the editorial staff's chats with the scammers and their appeals to the better nature of the boiler room.
And it's always a pleasure to welcome back to the show our own Rick Howard.
He is the CyberWire's Chief Security Officer, Chief Analyst.
Rick, it's great to have you back.
You know, last year, 2021, seemed to me to be the year of the supply chain attack.
You know, we had big headline news about IT vendor victims.
We talked about SolarWinds.
We talked about Accellion.
And I know a number of our listeners who lost a huge portion of their holiday break dealing with the whole Log4j vulnerability.
Yeah, that's true.
You know, it feels like supply chain attacks are new or certainly focused on, but that's really not the case, is it?
It feels like that. I know what you mean, right?
But, you know, supply chain attacks have been around
since the internet was young.
You know, nation state actors like, you know,
North Korea, Russia, China, and the U.S., by the way,
you know, they've all been using that technique
since at least the early 2000s
and probably much earlier than that.
In the commercial space, probably the most infamous case,
I wonder if you remember in this, Dave, is when the hackers broke into the Home Depot network.
This is back in 2014.
The way they did it is they first compromised the Home Depot HVAC contractor, then leveraged their credentials to get into the Home Depot network.
So that was the first one that I can remember.
Yeah, so it's not so much that it's new, but I guess it feels right now like we're just really focused, thinking hard about how to protect against this particular
attack vector. And that is the topic indeed of this week's CSO Perspectives episode.
Yeah, that's right. We decided to take a closer look at the strategies that could mitigate the
risk to something tolerable, you know. And to be fair,
though, all of us network defenders have known about this attack vector for years, but it hadn't
really happened that many times. And so we didn't really dedicate a lot of resources to solving it.
I mean, all of us have a million things we have to do, right? So this is one more thing on the
plate.
But with all the news from last year,
protecting against supply chain attacks
has become a priority in the network defender zeitgeist, right?
So we take a look at our first principle,
zero trust strategy, all right,
to limit access and privilege to all the software
and vendors that you use in the supply chain today.
And then how a technique called software bill of materials,
which has been in the news of late, these SBOMs,
basically a food label for the software that you use,
might help us in the relatively near future.
All right, well, we will check it out for sure.
It is CSO Perspectives, part of CyberWire Pro.
You can find out all about it on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
And I'm pleased to be joined once again by Kevin Magee.
He's the chief security officer at Microsoft Canada.
Kevin, it's always great to have you back on the show.
You and your colleagues recently released your final report on Nobelium, which is, of course, part of the SolarWinds campaign there.
I want to check in with you on that. What are some of the things in the report that caught your eye?
I took a number of lessons away from the report, Dave, and they really gave me an opportunity, through this attack and this report, to step back and start to look at the broader picture of some of these, the future of these attacks. And that's looking at the overall TTP of the specific threat actor over a longer period of time. You can start to tease out patterns or see, you know, sort of the future of where attacks are headed that you can't see in individual sort of random smash-and-grab attacks. This was a very thought-out nation-state sponsored or equivalent attack, primarily devoted to gain strategic advantage
over another country by stealing secrets. And it was a slow and patient attack that was very
methodically planned and executed over time. So there are a lot of opportunities to really see,
again, what a specific threat actor is doing and get a sense for how we can protect against that
threat actor. But also, we know
that other threat actors are looking at the success of this attack, and they're going to
start replicating that success. So how can we prepare for those eventualities as well, too?
To what degree are the TTPs used in an attack like this, you know, considered to be burned now
that, you know, they've been used up and we have to move on to other things. Is that a factor in something
like this? Sadly, a lot of the techniques they use in the intrusion were basic password spraying,
exploits the vulnerabilities of unpatched devices. That was some of the basics. So they're really not
burned. I think what made this group different is the bespoke, human-operated nature
of their attacks. They leveraged a wide range of techniques to achieve penetration.
They adapted their tool set to the victim's unique environment. They did things like
waiting a month until a reboot to see which
systems weren't patched and then exploiting those systems. So just the patience
and stealth deployed by this threat actor, I think, is what makes them
unique. Not specific zero days or anything like that.
And that can lead us into a false sense of security when we say, hey, it was a zero day, it's burned.
This is a new way of approaching attacks as opposed to a specific secret weapon that this organization used to mount this attack.
So the things we've learned from this
attack, how does it inform how we go forward here? What are the takeaway lessons here for
organizations? Yeah, I've got really three that I really focused on in reading through this report.
And ultimately, we've discussed this before, I feel we need to stop focusing on the individual
arrows, the attacks, and start identifying and shutting down the archers. And that's going after the adversary and understanding what the adversary looks like
and how they go about their business. And there's a great paper by a fellow you might know named
Rick Howard and his partner, Ryan Olson, Implementing Intrusion Kill Chain Strategies.
Really, the idea of an adversary playbook, I think, is starting to take off, building on the
work of Lockheed Martin on the original kill chain,
but really identifying what is the TTP of a threat actor,
how do we collect that, how do we understand the actions they take,
and then how do we automatically deploy and update our security controls
and our security posture in real time, be that SOAR, be that DevSecOps or whatnot,
but a real-time sort of response to
threat actors, not just individual attacks, is I think the first lesson that I really took away.
The other two quick ones are just identity. Identity is the primary attack vector used,
and we need to really focus on identity as the new perimeter. And I think we're all coming to
terms with that. But I think the most important one is we need to take care of our security teams. This is a low and slow attack vector over a year or so.
Taking care of our security teams, defender fatigue is really a real thing. We need to make
sure that we're looking after our teams. We need to have reserves. We have to ensure that there's
not fatigue and exhaustion that's happening with
our teams so that they can identify, they can react, and they can spot some of these long-term
trends. But then, you know, be all hands on deck when there is an incident and be prepared and have
the energy and reserves to respond. And how do you do that? As a leader of a team, you know,
in this time of COVID, it's got to be a challenging thing to do.
It's very challenging.
And we've discussed in the past, being an introvert, it's really hard to inspire your troops during a pandemic when you're doing it on video.
So we've gone away from prioritizing things like team building or collaboration or whatnot because there's just so much work to do.
And a lot of our people are feeling just defeated when they face threat actors like this that are so organized. And the campaign is
so well executed over time by a nation state actor during a pandemic. Again, stepping back
on looking at how we can do things more strategically, how we can start to build
automation and take advantage of things like
artificial intelligence or adversary playbooks or SOAR or whatnot, to take some of the workload and
some of the mindless tasks away from our defenders so that they can focus on what they do best,
which is things like threat hunting and whatnot, which machines really just can't do as well as
humans yet today. But it's also more fulfilling work for the individuals on the team as well,
to do something different rather than always following up on whether that was a real phishing
attempt or not, which can be very disheartening and really lead to defender fatigue very quickly.
All right. Well, interesting insights as always. Kevin Magee, thanks for joining us. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show
for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.