CyberWire Daily - SideWinder and South Asian cyberespionage. Project Zero and motivation to patch. CISA’s advice for cloud security. Classiscam in the criminal-to-criminal market. SolarLeaks misdirection?
Episode Date: January 14, 2021
There are other things going on besides Solorigate and deplatforming. There’s news about the SideWinder threat actor and its interest in South Asian cyberespionage targets. Google’s Project Zero describes a complex and expensive criminal effort. CISA discusses threats to cloud users, and offers some security recommendations. A scam-as-a-service affiliate network spreads from Russia to Europe and North America. Awais Rashid looks at shadow security. Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on Cyber Threat Intelligence. And SolarLeaks looks more like misdirection, Guccifer 2.0-style. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/9
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
There are other things going on besides Solorigate and deplatforming.
There's news about the SideWinder threat actor and its interest in South Asian cyber espionage targets.
Google's Project Zero describes a complex and expensive criminal effort.
CISA discusses threats to cloud users and offers some security recommendations.
A scam-as-a-service affiliate network spreads from Russia to Europe and North America.
Awais Rashid looks at shadow security.
Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on cyber threat intelligence.
And SolarLeaks looks more like misdirection, Guccifer 2.0 style.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 14th, 2021.
There are other things going on this week than Solorigate and post-riot deplatforming.
We lead with those.
First, AT&T Alien Labs yesterday released a report on the SideWinder threat actor.
SideWinder is believed to have been active at least since 2012, but Alien Labs concentrates on operations since 2017.
Its usual tactics include spear phishing, document exploitation, and DLL sideloading.
Attribution is uncertain, but SideWinder has been most often reported active against Pakistani military targets.
The full report, which includes a list of detection methods, indicators of compromise, and a mapping to the ATT&CK framework, gives a longer list of targets, which have included government and military organizations in Pakistan, China, Nepal, and Afghanistan, with smaller operations against Myanmar, Qatar, Sri Lanka, and Bangladesh.
Alien Labs also assesses with moderate confidence that various businesses operating in the national defense technology, scientific research, financial, energy, and mineral industries of the same nations were also targeted in SideWinder campaigns.
But this picture, they stress, is incomplete, and in all probability, SideWinder's interests extend to other targets as well.
Uncertain as the attribution may be, Alien Labs thinks with low to medium confidence that SideWinder is an Indian operation.
It seems at the very least to have worked consistently in support of Indian interests.
Google's Project Zero has begun a series on zero days it's found undergoing active exploitation in the wild.
This week, it describes a set of four that were used to craft malicious websites to entrap Windows and Android users.
The campaign was sophisticated, evasive, and expensive to mount.
The vulnerabilities exploited were all fixed in 2020.
The discussion should lend some urgency to applying the relevant patches.
The U.S. Cybersecurity and Infrastructure Security Agency has issued a warning about successful cyber operations directed against cloud services whose users are afflicted with poor cyber hygiene.
CISA's analysis report singles out three classes of attack for particular attention.
Phishing, of course, is common.
The threat actors use phishing emails whose malicious links are designed to harvest credentials
for cloud service accounts.
Forwarding rules also figure prominently in the threat actors' behavior.
In some cases, they've modified an existing email rule to redirect emails to an account they control.
In other instances, they modified existing rules to pick out certain keywords, typically financially related terms, and had emails containing them forwarded to the threat actors' account.
And the threat actors also created new mailbox rules that forward certain messages to the legitimate user's RSS feeds or RSS subscription folder.
This technique was intended to evade detection and consequent warning.
Finally, there were instances of authentication abuse in which threat actors accessed their victims' accounts with proper multi-factor authentication.
In some cases, this may have involved defeating multi-factor authentication with pass-the-cookie attacks.
The threat actors also attempted, generally without success, to brute force user logins.
CISA's report also includes a set of recommendations for ways in which enterprises can improve their cloud security.
Isn't this just about SolarWinds, you might ask?
No.
CISA anticipated your question and wants its audience to understand
that the report has a much broader application.
CISA writes, quote,
The activity and information in this analysis report is not explicitly tied to any one threat actor,
or known to be specifically associated with the advanced persistent threat actor
attributed with the compromise of SolarWinds Orion platform software and other recent activity.
End quote.
If you're using cloud services, and who isn't, take a look and read the whole, not very long, thing.
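The mailbox-rule abuse CISA describes (external forwarding, rules that file mail into RSS folders, keyword filters on financial terms) lends itself to a simple detection pass over mailbox audit records. The Python below is an added example, not from the episode or from CISA's report; the record shape, the internal domain list, the keyword list and the sample events are all constructed assumptions for illustration.

```python
# Assumptions for this example (not from the CISA report): the tenant's own
# domains, the financial terms worth watching, and Outlook's RSS folder names.
INTERNAL_DOMAINS = {"example.com"}
FINANCIAL_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}
RSS_FOLDERS = {"rss feeds", "rss subscriptions"}
RULE_CMDLETS = {"New-InboxRule", "Set-InboxRule"}


def _param(record, name):
    """Value of one cmdlet parameter in the audit record, split on ';'."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return [v.strip() for v in str(p.get("Value", "")).split(";") if v.strip()]
    return []


def _external(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses
            if "@" in a and a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def analyse_rule_event(record):
    """Return (user, rule name, reasons) for a suspicious record, else None."""
    if record.get("Operation") not in RULE_CMDLETS:
        return None
    reasons = []
    ext = _external(_param(record, "ForwardTo") + _param(record, "RedirectTo"))
    if ext:
        reasons.append("forwards or redirects to external address(es): " + ", ".join(ext))
    folder = " ".join(_param(record, "MoveToFolder")).lower()
    if folder in RSS_FOLDERS:
        reasons.append(f"files messages into the '{folder}' folder, where users rarely look")
    hits = sorted({w.lower() for w in _param(record, "SubjectOrBodyContainsWords")} & FINANCIAL_KEYWORDS)
    # A keyword filter by itself is a normal user habit; it matters when it
    # decides which messages get diverted, hidden or deleted.
    if hits and (reasons or "true" in [v.lower() for v in _param(record, "DeleteMessage")]):
        reasons.append("selects financially themed mail by keyword: " + ", ".join(hits))
    if not reasons:
        return None
    name = _param(record, "Name")
    return record.get("UserId", "?"), (name[0] if name else "<unnamed>"), reasons


def scan(events):
    """Run every record through analyse_rule_event and keep the findings."""
    return [f for f in (analyse_rule_event(e) for e in events) if f]


def ev(user, op, **params):
    """Build a constructed audit-style record (shape is an assumption, not a real export format)."""
    return {"UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample records, loosely modelled on Exchange cmdlet entries in an
# audit log; a real export needs mapping onto this shape before use.
SAMPLE_EVENTS = [
    ev("alice@example.com", "New-InboxRule", Name="Invoices",
       SubjectOrBodyContainsWords="invoice;payment", ForwardTo="collector@mail-drop.example.net"),
    ev("bob@example.com", "Set-InboxRule", Name="Cleanup",
       SubjectOrBodyContainsWords="wire;bank", MoveToFolder="RSS Feeds"),
    ev("carol@example.com", "New-InboxRule", Name="Team copy",
       ForwardTo="team-lead@example.com"),          # internal recipient: benign
    ev("dan@example.com", "Set-InboxRule", Name="File invoices",
       SubjectOrBodyContainsWords="invoice", MoveToFolder="Invoices"),  # ordinary filing
]

if __name__ == "__main__":
    for user, rule, reasons in scan(SAMPLE_EVENTS):
        print(f"{user}: rule '{rule}'")
        for r in reasons:
            print("   -", r)
```

Only alice's and bob's rules are reported; carol's internal forward and dan's plain keyword filing rule are left alone, which is the point of requiring a diversion or hiding condition before a keyword match counts.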
Group-IB this morning released a report about Classiscam, a scam-as-a-service criminal enterprise that's selling malicious classified ads.
Classiscam began its career in 2019, and it initially confined itself to finding Russian-speaking victims on classified ad sites and other comparable online forums.
Its activity peaked in mid-2020 as remote work and online shopping rose during the COVID-19 pandemic.
At least 40 groups are currently running the scam.
They use Telegram bots equipped with ready-to-use pages mimicking popular classifieds, marketplaces, and sometimes delivery services.
20 of the groups are at work in Russia.
The other half have been found more recently active in Bulgaria, the Czech Republic, France, Poland, Romania, the U.S., and the former Soviet republics of the near abroad.
The scammers pose as both buyers and sellers, the point being to engage victims in social media – WhatsApp is popular – in order to inveigle those victims out of cash, credentials, or other valuable data.
The ads that constitute the fish bait around the hooks usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices, Group-IB says.
This criminal-to-criminal service is organized as a pyramid affiliate scheme.
The apex predators at the top get between 20 and 30 percent of the take, with the remaining 70 to 80 percent going to the workers down below.
Group-IB estimates Classiscam took in a bit more than six million dollars last year.
And finally, we will end with some Solorigate notes.
Bank Info Security says the SolarLeaks goons have added Microsoft and Cisco code offerings to their menu,
where they join the previously noted SolarWinds and FireEye swag.
Here's the current list.
Stolen from Microsoft, Microsoft Windows partial source code in various Microsoft repositories.
Price, $600,000.
Taken, they say, from Cisco, multiple product source code and internal bug tracker dump, going for $500,000.
From SolarWinds, source code for all products, including Orion, as well as customer portal dump for a quarter of a million bucks.
And from FireEye, red team tools plus source code, binaries, and documentation,
these at the low, low price of 50 grand.
There's still no particular evidence that any of these offers are good,
and emails to the SolarLeaks ProtonMail account are still bouncing.
Cisco, for one, says it's had nothing stolen, and FireEye, which first detected the SolarWinds backdoor,
says it's found no evidence that SolarLeaks actually has anything at all.
So this looks increasingly like misdirection,
something along the lines of Guccifer 2.0.
We'll see whether the imposter has legs.
It probably won't.
It's been tried before, and people are wiser to this sort of thing.
Anyway.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Our CyberWire Chief Analyst and Chief Security Officer Rick Howard has been making the rounds,
checking in with experts on cyber threat intelligence.
He files this report.
I've been doing cyber threat intelligence, or CTI, in one form or the other for the past 20 years.
When I got the chance to talk to Christopher Ahlberg, I jumped on it.
No worries at all. I won't touch anything from now on. Let's get started.
Dr. Ahlberg has been the CEO of Recorded Future since 2009, and the CyberWire co-produces a podcast with his company called Inside Security Intelligence that our very own Dave Bittner hosts.
Dr. Ahlberg and I talked about the changes to cyber threat intelligence over the years, and I asked him about the skill sets needed for today's intelligence teams.
Intel analysts, computer scientists, data scientists, which at some level are data analysts, but more numbers-oriented data scientists.
And then finally, maybe even, which is important,
the big data operations.
Because Recorded Future runs on thousands and thousands
of machines at some outsourced data center.
So actually managing that becomes a science in itself.
But now you could have those four groups and they never talk to each other
and it's not going to be any good.
So you need to be able to build analytical processes in that.
You know, the goodness with Intel people is that they're very comfortable
with sort of uncertainty.
They're very comfortable with, you know, fuzzy problems.
Dr. Ahlberg recommended a book that explains the character of intelligence analysts that he is looking for.
It's not a techie book or a how-to book on being an intel analyst. It is a business book written
by Danny Meyer, the guy that founded one of my favorite hamburger joints, Shake Shack. The book
is called Setting the Table. And he talks about 51 percenters, and the 51 percenters are those people
who are all about providing great service,
and then 49 percent about their specific expertise.
And it's the same thing here.
We look for the people who are inherently collaborative,
inherently want to work cross silos, cross functional,
the people who are just dying to work with others,
and don't really have the time for the divas who don't want to do that.
So when you find those people, they're still pretty damn good in their 49%, but they're 51% about, you know, pulling things together.
That's where you find that magic.
We talked about how no two Intel teams are exactly the same.
What's the problem you're trying to solve?
That's a hard thing to do,
but you have to actually try to understand that.
Are you trying to help somebody
inform their patching process?
Are you trying to help somebody be more efficient
at doing incident response?
Are you trying to help somebody make that SOC,
tier one analyst in the SOC,
be more efficient at doing XYZ.
Whatever the sort of the problem you're trying to do or higher level constructs than that.
What sort of analysis do you need to do?
What sort of automated correlations do you need to provide for?
Understand the problem and be disciplined about that.
So that when you then don't, if you don't succeed, you can tune the analytics.
Tune what data you need to add, tune whatever you're doing.
So you really think about it as an analytical process.
And actually, I think a lot of people learned in the intelligence community can be put to
work here, but it needs to be more data driven.
And people are not thinking enough about that.
From my perspective, the commercial CTI offerings are still stuck on reporting technical artifacts versus reporting on how to stop the success of an adversary campaign.
We always had this idea that the reason we're indexing all this data and organizing it is to understand real-world activity.
And so that means that sometimes, of course, you're going to be looking at IPs and domains and NetFlow in between them and down in the weeds.
But at the same time, you want to try to understand
not only threat actors at the realm of talking about APT28
or Putter Panda or whatever their names might be.
There's obviously a big debate whether attribution matters or not.
But even if you don't believe that attribution matters,
I do think that intents matter.
I do think that, you know,
understanding these things holistically matters.
I love cyber threat intelligence.
It is so fascinating.
And if you are looking for an interesting and exciting career,
CTI is a great field.
And while you're thinking about it,
check out the Recorded Future podcast on threat intelligence.
You can find it at cyberwire.com slash podcast.
That's the CyberWire's Rick Howard.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
And joining me once again is Professor Awais Rashid.
He's the director of the National Research Center on Privacy,
Harm Reduction and Adversarial Influence Online at the University of Bristol.
Professor Rashid, it's great to have you back.
I want to touch today on shadow security.
And I think certainly as we are several months into COVID and the shift to everyone or many people working from home, it's a more important topic than ever.
Absolutely. where individuals or groups start to bring in what would be non-standard security tools or practices to actually undertake security as part of their work.
And usually this becomes quite significant.
And often shadow security and generally shadow IT, as the term is known, is frowned upon because that means that people are actually utilizing IT systems or security tools and mechanisms that are not within the regular IT or security infrastructure of the organization.
And the first tendency can often be to say, well, that's actually very bad and you mustn't do this.
And of course, we want to avoid shadow practices where we can, but there is another way of looking at this.
And the question we must ask is, why is this shadow practice going on in the first instance?
It basically means that what we have in place is not working effectively enough that people have to resort to shadow practices.
And this also comes in terms of shadow security.
And it could well be that, for example, they're deploying shadow security because they can't update particular things on their systems that would actually allow them to work in more secure ways.
It could also be that there are legacy systems in place and they have to think about more secure ways of dealing with data or information and so on and so forth.
So instead of asking the question, and certainly that's what I always say to people, that if you observe shadow practice, the first question you must ask is, why is this taking place in the first instance?
Because there must be a good reason.
Because ultimately, people want to get on with the job that they have at hand, and they usually would try and deploy things that will actually enable them to get on with the job that they have at hand.
And that's really typically where shadow practices start to emerge.
But don't we find ourselves in a kind of a complex situation here where,
because so many people have shifted to work from home,
there may be security elements that their home ISP is providing for them
that they may not even be aware of?
And as someone in charge of security for an organization,
how do you take inventory of all of those possibilities
that are out there now?
That is a wonderful question.
And I mean, this is a question that has been asked for nearly now six to nine months since there has been this kind of big shift to working from home.
And I think the question that needs to be asked is, people are now working in a very different setting, and as an organizational IT department and also a security department, how are we actually enabling people to do their work?
So if, for example, we are requiring that people must communicate using a very, very secure communication mechanism and it doesn't actually work with their home router, for instance, in the first instance, they may resort to, for example, using online messaging platforms like WhatsApp because they may think, well, okay, it's end-to-end encrypted, and I'm actually getting on with my job.
And one of the things that we did very early on in this,
and a number of my colleagues worked on this,
was to look at as to what would be good practice
with regards to security and remote working.
And then the question then comes is that if this is the sort of conversation
that you are quite willing to have, say, sitting in a crowded coffee shop where you are not concerned about being overheard, then it is effectively not a very confidential conversation at all.
So basically, any reasonable online platform will do to do that kind of conversation.
If it's a conversation you expect to have in a closed meeting room within your organization, then you must consider what are the various security properties of the various
platforms and things like that. But also, if it is really supposed to be a big corporate
confidential information, then you really, really need to think about what are the practices that
need to be in place, who needs to be there, what kind of identity management you are doing,
and things like that.
I think the key here is that we are now in that landscape where we are actually utilizing
a very, very diverse infrastructure in people's homes to carry on our daily jobs.
And security departments and IT services have to also now start to think about as to how
do they actually operate in that kind of setting? What tools are they providing? Are there good VPN services? Is there good accessibility
of, you know, online platforms and services where people can do their work securely?
How easy to use and access they are? And do they require lots of complex configurations on parts
of the users? So we are back here to, you know, one of my favorite topics,
which is, you know,
reducing the burden of security on the user.
And, you know, in this kind of remote working sense,
when we are all under great pressures, I think it's really important that we think about
how do we reduce that burden
so that people can do their job
and not having to resort to shadow security practices
simply to get on with what they're doing.
All right.
Well, Professor Awais Rashid, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed beyond your dreams.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.