CyberWire Daily - Shuckworm and Killnet continue to hack in the interest of Russia. Iron Tiger's supply chain campaign. TikTok and national security. And an arrest in the case of the Tornado Cash crypto mixer.
Episode Date: August 15, 2022

Shuckworm maintains its focus on Ukrainian targets. Killnet's DDoS and dubious proof-of-work. Iron Tiger's supply chain campaign. TikTok and national security. Dinah Davis from Arctic Wolf shares insights on Dark Utilities. Rick Howard digs into identity management. And an arrest in the case of the Tornado Cash crypto mixer. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/156

Selected reading.
Shuckworm: Russia-Linked Group Maintains Ukraine Focus (Symantec)
Killnet Releases 'Proof' of its Attack Against Lockheed Martin (SecurityWeek)
Killnet greift lettisches Parlament an (Tagesspiegel)
Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (Trend Micro)
How Frustration Over TikTok Has Mounted in Washington (New York Times)
3 ways China's access to TikTok data is a security risk (CSO Online)
Arrest of suspected developer of Tornado Cash (FIOD)
Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer (The Hacker News)
Arrested Tornado Cash developer is Alexey Pertsev, his wife confirms (The Block)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code N2K at checkout.
That's joindeleteme.com slash n2k, code N2K.
Shuckworm maintains its focus on Ukrainian targets,
Killnet's DDoS and dubious proof of work,
Iron Tiger's supply chain campaign,
TikTok and national security,
Dinah Davis from Arctic Wolf shares insights on dark utilities,
Rick Howard digs into identity management,
and an arrest in the case of the Tornado Cash crypto mixer.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, August 15th, 2022.
The Symantec Threat Hunter team, part of Broadcom Software,
this morning released a report on the activities of Shuckworm,
a Russian state threat actor.
The payload in its most recent operation,
which Symantec has been tracking since the 15th of July,
is an information stealer.
The researchers describe the infection vector, saying,
The first suspicious activity Symantec saw on victim systems
was a self-extracting 7-Zip file,
which was downloaded via the system's default browser. Subsequently,
mshta.exe downloaded an XML file, which was likely masquerading as an HTML application file.
These files were downloaded from a domain known to be associated with Shuckworm activity.
The malicious domain has been seen before, appearing as it did in an email that
pretended to be from the Security Service of Ukraine and whose phish bait was, according to
CERT-UA, a subject line containing "intelligence bulletin." A Trend Micro report observes,
this being the case, it is most likely the 7-Zip file seen on victim networks in the campaign observed by Symantec was delivered to victims via email.
Shuckworm is also known as Gamaredon, Armageddon, Actinium, or Primitive Bear.
Bleeping Computer last November reported that Ukraine's SSU had connected the group Symantec calls Shuckworm
with a unit of Russia's FSB operating from Crimea. The Symantec
threat hunter team's overall picture of Shuckworm sees it as making up in persistence what it lacks
in tactical sophistication. They say, as the Russian invasion of Ukraine approaches the six-month mark,
Shuckworm's longtime focus on the country appears to be continuing unabated. That this recent activity
continues even after CERT-UA documented it shows that fear of exposure does not deter the group
from its activities. While Shuckworm is not necessarily the most tactically sophisticated
espionage group, it compensates for this in its focus and persistence in relentlessly targeting
Ukrainian organizations.
The report includes a list of indicators of compromise.
And what's your secret, Shuckworm?
Well, like Crazy Eddie's, it seems to be volume.
Tagesspiegel reports that websites belonging to Latvia's parliament came under a distributed denial-of-service attack last Thursday.
Killnet claimed responsibility, and the nuisance-level attack is certainly in the nominally hacktivist Russian front group's wheelhouse.
The attack, which largely fizzled, was a comment on Latvia's vote to designate Russia a terrorist state for its aggression and war crimes in Ukraine.
Killnet's own designation of Lockheed Martin as a terrorist organization has been followed by the group's claims that the American manufacturer
of HIMARS rocket artillery systems has been successfully subjected
to a ransomware attack that exfiltrated data on company personnel.
Killnet has published a video they say proves they've got the data,
but SecurityWeek Friday reported continuing assessments, most recently by Searchlight Security, that this is an empty claim.
They say, cross-referencing a sample of the data, it does appear that they are or were genuine Lockheed employees.
However, that does not necessarily confirm that the company was breached.
For example, this could be a rehash of old or open-source data in an attempt to undermine the organization and intimidate its employees.
So, Killnet seems to be shining on, at least as far as Lockheed Martin is concerned.
It's really kind of sad.
If you can't trust a Russian intelligence front group, who can you trust nowadays?
Trend Micro reported Friday that Iron Tiger, a state-run threat actor associated with China
and also known as APT27, Emissary Panda, Bronze Union, and Lucky Mouse, has compromised the
Mimi chat app with a view to attacking macOS systems,
the first time that this particular targeting has been used by the group.
The researchers say,
we noticed that a chat application named Mimi retrieved the RShell executable, an app we came across recently while investigating threat actor Earth Berberoka.
We noticed Iron Tiger controlling the servers hosting the app installers of Mimi, suggesting a supply chain attack.
Further investigations showed that Mimi chat installers have been compromised to download and install HyperBro samples for the Windows platform and RShell samples for the macOS platform. While this was not the first time the technique was used, this latest development
shows Iron Tiger's interest in compromising victims using the three major platforms, Windows,
Linux, and macOS. Mimi, which according to Trend Micro means secret, is designed for Chinese users
who represent the greater part of its clientele. Trend Micro found in the course of its investigation that,
in this instance, Iron Tiger compromised the server hosting the legitimate installers
for this chat application for a supply chain attack.
The targets of the campaign were in Taiwan and the Philippines.
TikTok has, since the previous U.S. administration,
been regarded in Washington as a potential
security threat. It still is, and if anything, the New York Times reports, concerns about the
social medium are growing. The issue is the app's potential for sharing data with Chinese
intelligence services. The Times writes, the bipartisan scrutiny of TikTok, effectively at
its most intense since Mr. Trump tried to force the app's sale to an American buyer in 2020, is mounting as the platform grows ever more popular.
With more than one billion users, TikTok has become a prime engine for cultural phenomena, like the scores of young people who posted last month about dressing in suits to see the latest Minions movie. Today,
67% of 13 to 17-year-olds in the United States use the app, according to a report last week from the Pew Research Center. For its part, TikTok says its data collection is modest,
certainly nothing like the collection done by competing social media, but congressional leaders
in both parties aren't mollified.
The present U.S. administration sees the problem with TikTok
as an instance of a larger problem with social media,
and it would seek to address the more comprehensive issue
as opposed to that presented by a single platform.
There's a growing bipartisan sense in Congress, however,
that the administration is moving too slowly on
the matter. The deliberate pace of regulation is in part driven by U.S. court decisions,
which ruled against President Trump's executive orders restricting TikTok and another Chinese-owned
app WeChat. President Biden accordingly pulled back both directives. CSO polled security experts and came up with three ways data collected
by TikTok could be put to malign use by Chinese intelligence services. First, it could be used
to prepare target profiles of individual users. Second, it could be used to develop more effective
spear phishing campaigns, and those could easily serve intellectual property theft.
Finally, the data could be used for more precisely focused influence operations,
delivered with a rifle-shot accuracy marketers could only envy.
And finally, police in the Netherlands have announced that they've made an arrest in connection with concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash.
The specific issue seems to involve handling funds stolen on behalf of Pyongyang.
The Netherlands' Financial Advanced Cyber Team, that is FACT,
suspects that Tornado Cash has been used to conceal large-scale criminal money flows, including from online thefts of cryptocurrencies, so-called crypto hacks and
scams. These included funds stolen through hacks by a group believed to be associated
with North Korea. Whatever it was up to, Tornado Cash has passed a lot of altcoin through its channels. Since the service
opened in 2019, FACT says, it has achieved a turnover of at least $7 billion,
at least a billion dollars' worth of which was of criminal origin. The arrest came Wednesday,
two days after the U.S. placed Tornado Cash on a list of sanctioned entities.
The Netherlands authorities
didn't identify the person arrested beyond calling him a 29-year-old man in Amsterdam,
but according to The Block, the 29-year-old guy's wife has identified him as Alexey Pertsev.
She's standing by her man, saying she's shocked at the arrest and is consulting with attorneys.
My husband didn't do anything illegal, she said.
Presumably, Mr. Pertsev will soon enough have his day in court.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always a pleasure.
Hey, Dave. So I have noticed a pattern
in your CSO perspective episodes of late.
It seems to me,
as a regular listener, dare I say,
a fanboy of the show,
it seems to me that you are spending
a lot of time talking about identity
and specifically how we manage identity in our own
environments, both at home and at work. Am I right that this seems to be a pattern, a bit of an area
of focus for you, or am I just seeing things? Oh, no, Dave, you're onto me. Okay. It looks like
I've been found out. So what I've been slowly realizing over these past couple years
is that most of us consider that orchestrating the security stack for our own digital environments
and all that entails, you know, from people, process, and technology, that's the task that we
spend the most of the time with, you know, and as well we should. But if we have any hope of
deploying some kind of zero trust program, which you know I'm a big advocate for, but before you
even start, you have to get a robust identity and access management system in place. Because
if you don't know who is connecting to your material systems or what devices or what
applications are, you can't build any zero-trust rules to limit access.
You can't create an identity governance and administration committee,
or IGA, as the cool kids say, unless you know those things, right?
But once you do, you can then start to tackle one of the most complex problems
in identity and access management, which is privileged identity management, or PIM.
And that's the one thing about this identity management stuff.
It's chock full of acronyms.
But how do you manage the employee accounts, their devices,
and any critical software apps that require some sort of elevated privilege
to run in your environment, but to reduce the potential impact if they are hacked?
So for this week's CSO Perspectives episode,
over on the subscription side on the CyberWire network,
we're talking about PIM and the things you should consider
as you're setting up your program.
All right, well, that is over on the pro side.
On the free side for CSO Perspectives public,
you are rolling out the idea of adversary playbooks.
Yeah, this is one of my pet peeves these days for the cybersecurity industry in that many of us don't
really know what it means when you read an article in the press that says something like
Emissary Panda breaches networks via Zoho and Exchange servers. You know, some people think
that Emissary Panda is a group of Chinese nation-state actors, and that might be the case.
But in the commercial world where we don't have access to classified government intelligence,
Emissary Panda is a colorful name that we attach to observable hacker attack sequences using the
MITRE ATT&CK framework to standardize on the operational language. So in other words, we've
seen these sequences in the wild. I call these things
adversary playbooks, and we study them so that we can insert prevention and detection controls
into our already deployed security stack. So, in this CSO Perspectives public episode,
we talk about how to do that in your own organizations. All right. Well, before I let you
go, what is the word of the week on your Word Notes podcast?
This week's word is homograph phishing, and I kind of like just saying that out loud.
All right, so it's just the—
So it's the technique where—
Rolls trippingly off the tongue?
Yes, it does. It should be a musical on Broadway any day now, I'm sure.
So it's that technique where hackers use similar looking letters in a URL, like the number
zero and the letter O, to trick you into clicking that bad link. And we even tie this idea back to
the Mission Impossible TV and movie franchise. So how great is that? All right. Well, look forward
to all of it. Rick Howard is the CyberWire's chief security officer, our chief analyst,
but more important than any of that, he is the host of the CSO Perspectives podcast.
You can find out all about that on our website, thecyberwire.com.
Rick, thanks for joining us.
Thanks, Dave.
Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Dinah Davis. She is the VP of R&D operations at Arctic Wolf.
Dinah, it is always great to welcome you back to the show. I know there is some research that you wanted to bring our attention to today. Can you share with us what caught
your eye? Yeah, it was this interesting article about a ransomware as a service group called Dark
Utilities. And they've gone like full on marketing. They're a completely legit business.
They've got this beautiful website.
And they've got lines like, simple injection.
It's very easy to use.
Execute the file or the command on the server.
And here we go.
Or persistence.
You don't need to start the script at every restart.
It will start automatically.
Just making sure it's going to work really well for them.
Or like their little crypto mining bit here.
You can use all your connected servers for mining XMR by putting your wallet in the config.
So like just like really trying to sell it.
Like this is so easy.
This is so great.
So this is a bit of a problem.
How much would you expect to pay for this malware? Don't answer because there's more.
Right. And you know what, how much you would pay? 10 euros. 10 euros for access to this.
That's it. So they're like, that's kind of crazy, right? They're going, they're lowballing
the market, right? And the research, the article said that as of August 4th, the platform had over
3,000 users. So that's $30,000 right there for this group, right?
We should point out that this research comes from the folks over at Cisco Talos,
who always do good work over there.
What other stuff caught your eye here?
Yeah, so it offers remote system access and DDoS capabilities,
as well as crypto mining.
And they also have very active Discord and Telegram communities,
so they've got help and all of that.
And it supports Windows, Linux, and Python-based tools.
So that means you can get into multiple architectures.
So it's very interesting.
I mean, the good news is here, researchers can get accounts too, which is obviously what they've done to check it out.
I don't think any of the tools are that crazy. These are tools that have been around, but they're
just offering them with instructions and support in such a way that it's going to make it easy for
kind of like anybody to try and go at this. So really lowering the bar here on the level of technical sophistication you have to
get into this business? Yes, that's exactly it, right? So you don't need to be very savvy to be
able to start using this because they have all the support that comes with it. Are there any
recommendations here for organizations to protect themselves against this sort of thing? Yeah, so researchers have already started
to recognize the file signatures.
So, you know, making sure all of your security stuff
is up to date,
making sure all your systems are up to date
so that you are not vulnerable.
Again, it just goes back to like the same things
we say all the time, right?
Make sure all of your systems are up to date.
Do your
vulnerability patching. Use multi-factor authentication so that, you know, it's harder
for people to get in and train your employees, right? Make sure they've done awareness training,
that they're aware of the things that they need to do. Yeah. All right. Well, it's interesting
for sure. Again, this is from the folks over at Cisco Talos, and this utility is called Dark Utilities.
Dinah Davis, thanks for joining us.
Clear your schedule for you time
with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault,
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.