CyberWire Daily - Sniffing at the DIB. Sideloading cryptojacking campaign. Nord Stream and threats to critical infrastructure. US Cyber Command describes hunting forward in Ukraine. Fraud meets romance.
Episode Date: October 5, 2022
Data’s stolen from a US "Defense Industrial Base organization." Major sideloading cryptojacking campaign is in progress. Nord Stream and threats to critical infrastructure. US Cyber Command describes "hunt forward" missions in Ukraine. Andrew Hammond from SpyCast speaks with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity. Our guest is AJ Nash from ZeroFox with an update on the current threat landscape. Fraud meets romance.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/192
Selected reading.
Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization (CISA)
CISA: Multiple government hacking groups had ‘long-term’ access to defense company (The Record by Recorded Future)
US Govt: Hackers stole data from US defense org using new malware (BleepingComputer)
Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild (Bitdefender Labs)
Drone-loaded seabed ship is latest weapon in Royal Navy's arsenal to counter Russian threat (The Telegraph)
Opinion: Undersea pipeline sabotage demands the West prepare for more attacks (Washington Post)
Ukraine Hasn’t Won the Cyber War Against Russia Yet (World Politics Review)
USCYBERCOM Executive Director David Frederick Outlines Cyber Threats & Highlights Importance of Industry Partnerships (GovCon Wire)
Romance scammer and BEC fraudster sent to prison for 25 years (Naked Security)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
Air Transat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Data's been stolen from a U.S. defense industrial base organization.
There's a major sideloading cryptojacking campaign in progress.
Nord Stream and threats to critical infrastructure.
U.S. Cyber Command describes hunt-forward missions in Ukraine.
Andrew Hammond from Spycast speaks with hacker Eric Escobar
about the overlap of traditional intelligence and cybersecurity.
Our guest is A.J. Nash from ZeroFox with an update on the current threat landscape
and fraud meets romance.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 5th, 2022.
The U.S. Cybersecurity and Infrastructure Security Agency released a report yesterday detailing Alert AA22-277A. From November 2021 through January 2022, CISA uncovered activity
from likely multiple advanced persistent threat groups on a defense industrial base sector organization's
enterprise network. The organization affected isn't named in the report. The APTs used Impacket,
an open-source toolkit, to gain access, and then used the custom data exfiltration tool CovalentStealer
to steal sensitive data. In this case, as BleepingComputer notes, CISA did not indicate
who was behind the APTs. CISA says, "During incident response activities, CISA uncovered
that likely multiple APT groups compromised the organization's network, and some APT actors had
long-term access to the environment." The agency reports that some APTs may have gained
access to the victim's Microsoft Exchange server as early as mid-January 2021. BleepingComputer
reports that they used the HyperBro remote access Trojan and well over a dozen China Chopper
webshell samples on the organization's network, as well as exploiting
the ProxyLogon collection of Microsoft Exchange server vulnerabilities. CISA has published
separately a detailed analysis of both CovalentStealer and HyperBro, the set of tools that
figured prominently in the exploitation. Bitdefender researchers say they've detected a significant cryptojacking
campaign in the wild. It's a sideloading campaign and represents an evolution in criminal
cryptojacking technique. Bitdefender explains, "This is the case of an active cryptojacking
campaign that uses a dynamic-link library (DLL) hijacking vulnerability in OneDrive to achieve persistence and run undetected on infected devices."
Cryptojacking, should the term be new to you,
is the criminal practice of installing an altcoin miner
on someone else's non-cooperating device,
where it operates quietly in the background,
hogging electricity and other resources to mine coin
on behalf of those who
installed it. The kinetic sabotage of the Nord Stream pipelines in the Baltic region remains
under investigation. NATO has formally designated the incident sabotage, but it's primly refrained
from calling out a perpetrator until the investigation is complete. That said, many others consider the incident a shot across Western bows as winter approaches,
a threat to take down energy infrastructure at a time when it will be most needed in the Northern Hemisphere.
A Washington Post editorial makes a representative argument, stating,
This is the kind of capability usually wielded by a state actor.
Though NATO did not say officially what everyone suspects unofficially, the author of this strike against Europe's
stability and security was Russia. The Post goes on to point out the cyber threat to infrastructure,
stating, in April, the Cybersecurity and Infrastructure Security Agency, along with
the FBI and the National Security Agency, issued a joint warning about the cyber threat to critical infrastructure,
such as energy and utilities. And so far, Ukraine and its supporters have kept cyber damage to a
minimum. That doesn't mean the threat has become inconsequential, and Western governments and
utilities are well advised to remain on alert.
An Atlantic Council essay presents grounds for thinking that Norway's oil and gas production
platforms in the North Sea may become targets in an expanded Russian campaign against European
energy infrastructure. Those platforms experienced unexplained drone flybys last week, which the Council's essay regards as
in some ways more disturbing than the sabotage of Nord Stream. The Executive Director of U.S.
Cyber Command, David Frederick, described U.S. participation in Ukraine's cyber defense during
his presentation at GovConWire's Cybersecurity and National Security Summit. He characterized the
mission as a series of hunt-forward operations. The U.S. teams from the Cyber National Mission
Force were dispatched to Ukraine late last year and worked with their Ukrainian counterparts
to assess and secure critical IT and infrastructure networks. Frederick noted that in the course of operations,
U.S. Cyber Command gained valuable insight into Russian methods of cyber war,
much of which insight Cyber Command has shared not only with government partners like CISA and
the FBI, but with the private sector as well. And finally, a Georgia man has been sentenced for his role in business email compromise and romance scams.
The U.S. Department of Justice has announced that one Elvis Eghosa Ogiekpolor has been sentenced to 25 years for his role in a widespread ring of romance and business
email compromise scams. The U.S. Attorney's Office for the Northern District of Georgia says that Elvis opened and directed others to open at least 50 fraudulent business bank accounts
that received over $9.5 million from various online frauds, including romance frauds and
business email compromise scams. He then laundered the fraud proceeds using other accounts, including dozens of accounts
overseas. The BEC operations were pretty routine. He and his five accomplices pretended to be
organizational managers directing employees to transfer money to accounts controlled by fraudsters.
The romance scams were catfishing expeditions in which Elvis and his partners set up fictitious social media personas to induce the lovelorn to send him cash.
At any rate, Elvis will now receive a sabbatical, courtesy of the Federal Bureau of Prisons.
Coming up after the break, Andrew Hammond from SpyCast speaks with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity.
Our guest is A.J. Nash from ZeroFox with an update on the current threat landscape.
Stick around. Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it
comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. ... at blackcloak.io.
Cybersecurity and reputation management company ZeroFox recently shared their threat landscape report
for the second quarter of 2022,
outlining some of the trends they're tracking.
A.J. Nash is vice president of intelligence at ZeroFox.
You know, as a result of Russia's invasion of Ukraine
and the ongoing conflict and world response to that
and sanctions, there's been a real challenge
for criminals in getting money.
You know, and that's always a bit of a challenge
for them anyway.
The idea of committing a crime is one thing,
but then finding a way to capitalize on that,
to convert that into money is a bit of a
challenge, but most of them have systems in place. And thanks to sanctions and thanks to changes in
financial systems that came from those, there's been some real struggle there. And to see that
reflected, to see known Russian-speaking actors' frustrations over that and how they've been trying
to deal with that, I found to be really, really interesting. It's a fascinating thing to watch unfold.
Does that create any kind of pivot from them?
Do they shift to something else?
You know, they have been working on that.
So one of the pivots we've seen is a shift to just other countries.
So Dubai, for instance, in United Arab Emirates,
is a popular destination now, you know, just setting up accounting over there and trying to move money there and then figure out a way to get back. But the challenge is a lot of these folks want to get
the money back into Russia to support themselves, their families, et cetera. And it's that transfer
that's really, really hard. So you're seeing more peer-to-peer transfers. It's not the same,
but it reminds me a bit of the hawala system in the Middle East of just finding ways to move money
that are outside of the standard financial systems, you know, because SWIFT is a problem for the Russians right now too. So listen, as we all
know, criminals are creative. They'll find a way, you know, but it's making it hard for them,
no doubt about it. And there's frustrations and that ends the frustration with their own
government and with what's going on. You know, there's plenty of cyber criminals, like, you know,
criminals anywhere really. They're not necessarily political, like some can be, but a lot just want to make the money. And this is just a real big
inconvenience for them, frankly. But yeah, they're working around it. They're finding ways. It's just
harder and it's costing them more money and it's taking more time and energy. What other things in
the report grabbed your attention? There were some interesting pieces. The initial access broker
marketplace, we've been following that quarter over quarter.
We report on that, and that's been a really big issue. We saw a dip in Q1, and then in Q2,
we started seeing a resurrection. Not quite to the previous levels, but I suspect we'll continue to
see it grow. This is an ongoing tactic that works really well. People get access to organizations,
and then they're turning around and selling that to somebody else. It's essentially a middleman.
Hey, we'll get access, we'll get in.
We're not going to actually do the exploiting and take advantage of it necessarily, but
we'll sell it off to somebody else to do it.
So that's growing.
That's a continuing threat.
Some things we saw that you would expect malware is going to continue to be a problem and has.
Ransomware continues to be a problem.
These are very effective, you know, ways of causing problems for folks.
We've seen that.
I think one of the things that I found interesting personally was a real notable increase in what we call LNK shortcut files.
So an LNK shortcut is a shortcut.
LNK is just Microsoft terminology.
So anybody who sees a shortcut,
you click on something to get to another document, etc.
Seeing those and fake Windows 11 upgrades,
which makes sense anytime there's a Windows upgrade,
there'll be fake upgrades sent out.
But seeing those LNK shortcuts used to deliver malware
is a growing
trend that I thought was really interesting because people
still have a tendency to just click on things.
So if it looks trustworthy, oh, it's just
an Excel document. It's just a Word document. It's just
something somebody sent me. People still click
on those and that gained a lot of traction.
So there's been a few really interesting things that have come out of it and some that you would
expect. Digital extortion continues to be a problem. As I said, ransomware and extortion
go together. Extortion's a really effective and frankly, really cheap methodology for an adversary.
You don't actually have to do anything. You and I can go into the extortion business. I'm not
recommending it, but it doesn't take
a lot of effort, frankly. We can put together a form
letter, we can send it out to a bunch of people and tell them
they have to put money into a Bitcoin
wallet, or we're going to release
all this information we stole from them. And we don't have to steal
anything from them. We don't even have to be technical. We don't have to be
good. But we can send that threat out,
and we see, if you do that, people pay. There are people who, the fear is there,
and if you set the price point low enough,
large companies will say, you know what, just give them $500.
I don't know if it's real or not, but it's too scary to figure out.
And you do that en masse.
You send out 1,000 of those things, you make a lot of money.
So I think that's a tactic I find very interesting to watch
because it's tough for prospective victims,
for people who've been at
least threatened, a lot of times to understand if they actually have been compromised. A lot of
organizations really struggle with that. So when the threat comes in and it's scary and you're
worrying about having all your data released and possible brand damage, et cetera, a lot of
organizations just want to pay it, thinking that'll solve the problem, which it really doesn't.
Either you didn't have a problem to begin with and you're paying somebody for nothing,
or you may in fact have a problem
and you can't trust criminals
not to follow through on extorting you.
I promise if you pay somebody extortion money
there's a reasonable chance
they're going to come back and ask for more.
That's been true in all of history for extortion.
So I really enjoy the report
and I really enjoy what the team does
because we get into those discussions
about actors, specific groups, and motivations.
And it's more interesting to me as a non-technical person than just reading report after report after report about all these technical things, these IOCs.
And don't get me wrong, those are important.
And we have those in there for people that need to take action too.
But I really enjoy reading about what's going on in the criminal environments and what motivates actors and what they're talking about and why they're shifting to different techniques. So it makes
for a really readable report for pretty much anybody and really useful. Yeah. Well, I mean,
based on the information that you all have gathered here, what are your recommendations?
How should people respond to the information you all have put out? Yeah, it's a good question.
Each of the sections, so our paper, we break it down into individual sections, right? Whether it's vulnerability exploitation or botnets or
initial access brokers. And each section, we do provide recommendations per section. So we give
people an opportunity to know, you know, what does this mean and what can you do about it?
And in many cases, the recommendations quite honestly are about vigilance and monitoring.
But in some, there are specific examples of what people can do in terms of, you know, updating policies or, you know, the CVE exploitations, for instance.
We name the CVEs and we talk about what they are and what's being exploited and what patches can
be put in place to make changes. So for each of the sections, there certainly is some actionability
available. You know, in some cases, a lot of it is just you really need to understand this.
You need to set up monitoring.
You need to set up alerting.
You know, a lot of times when we talk about what's going on in the cyber criminal, you know, the dark web, the underground, the cyber criminal marketplaces, a lot of that comes down to, are you seeing this yourself?
But certainly some of it does come down to you're going to have to have the right resources available, whether it's in-house, whether it's, you know, third-party vendors.
Some of the discussions in here are about,
do you have the resources to know what's going on?
The goal of intel, aside from what I just said,
the other goal of intel is to be proactive.
The goal is to move the needle to the left, right?
In that whole right-left continuum of threats,
you want to really get as far to the left as you can.
And intel is the only way to get there. Everything else, by definition, is reactive. Something's already happened to you,
something's touched you, and that's fine. We do a lot of that too. There's no way around it.
This is why it matters. This is what you can do about it. Those are the three components we talk about in building intelligence. But a lot of it is, long-term, what can you do about it is make
sure you have the awareness, you have the people, you have the technologies, you have the accesses
to see what's going on, to see these trends, to know about what people are talking about and planning before it
happens. That's AJ Nash from ZeroFox.
Andrew Hammond is host of the SpyCast podcast from the Spy Museum.
And in a recent episode, he spoke with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity.
Here's a part of that interview.
I was just wondering, just to start off, Eric,
so you're a professional hacker.
You attempt to compromise all different types of networks
from the military through to amusement parks.
I guess one of the first questions that I had
just when I was thinking about this interview,
you've seen quite a lot.
Is there anything that keeps you up at night?
Is there anything in the wee small hours where you're like, that one really like scares me?
You know, the ones that really keep me up at night are anything to do with critical infrastructure,
which is, you know, obviously colonial pipeline and all the havoc that that caused.
Those are the ones that really just keep me up at night for a couple of reasons.
I mean, really, if you look at any of our traditional, you know, different internet uses, Amazon, you know, Google, Apple, like all these different services, what's the worst that's
going to happen? You might lose some files, you know, you might need to recover from a backup,
you know, your information might get out there, but with all the critical infrastructure, there's chance of potential for loss of life, which is way worse than anything
that can happen in the cyber realm. So those are the ones like, like watching any critical
infrastructure get compromised is really the thing that keeps me up at night because, you know,
lives are in the balance, lives are on the line. And we do a lot of testing for critical
infrastructure. And I've seen computers and machines that have been online and not been taken offline longer than I've been alive.
At the Spy Museum we have a shard from the Aurora generator test in 2007 which basically is a test
to prove that a piece of code can affect the physical world. And basically, to cut a long story short, they blew up a generator.
So something that's intangible can affect the tangible world.
So that's ultimately what you're talking about.
Is that correct?
Yeah, that's my actual job is doing exactly that.
Not too dissimilar, a couple weeks ago we compromised, what's it called, an oil refinery. So that same
exact, like, hey, we're able to access, you know, industrial control systems, and if we touch the
wrong computer, if we do something wrong, things go boom. And so that's why it's my fear,
because exactly that, that code can affect the real world in those, you know, in those circumstances.
When did it dawn on you that this is somewhere where you could distinguish yourself?
Oh, you know, I don't think it has yet. Have you ever heard of, have you ever heard of imposter
syndrome? Everybody feels like, I feel like they're, they're an imposter to a degree. And,
and for those in your audience listening, imposter syndrome is where you, you feel as if like, man,
somebody didn't figure out that I don't know what I'm doing? There was one time my wife, you know, she walks in my office and she's like, are you just Googling
how to do something for your job? And I'm like, absolutely. And she's like, what if your co-workers,
you know, found out or, you know, like, and so really to answer your question, like I, like some
people might look at me and be like, wow, Eric is a great hacker. He compromises and breaks in all
these large companies. And then I have the people that I look up to,
I'm like, oh my gosh,
like you could never call me a hacker
compared to, you know,
these individuals that I've met
and these individuals that I know,
like they're the real deal.
One of the things that I was,
that I'm interested in is,
you know, with this field,
you know, like SpyCast
is on the CyberWire network now.
And we've done traditional intelligence espionage, and people kind of get that, more or less. Okay, that's over here.
And then they sort of get cyber. They're like, okay, that's computers, that's over there.
I'm increasingly interested in the places where they overlap. And it seems that, you know, a lot of people are like,
okay, well, the NSA,
like that's an area where,
you know, both of them overlap.
And other than that,
it gets a bit fuzzy
and I'm not sure about it.
But, you know,
when you hear the term InfoSec,
like information security,
I mean, that's what a lot
of what intelligence agencies do.
Or when you were speaking about
like breaking in without using malware, it's like intelligence agencies as well. They, I mean, sure, you can do some kind of brute
force attack and get information, but if you scream out that you've just done something, then they're
going to go away and change all their codes and do a whole bunch of countermeasures to try to
protect themselves against what you've just committed against them. So I don't want to say
that both of them collapse into one another, but it just seems really interesting to me,
all of the places that they overlap. And I don't know if I've ever read a book or something that
adequately explains that overlap, but do you have any thoughts about that?
Well, it's interesting when you think about it, you know, so you mentioned, you know,
ways that they overlap, really just information. You know, if you're a spy agency, if you're a
nation state and you're trying to discern information, there's a lot of guesswork,
a lot of educated guesswork that goes into that. And so an example that I always kind of like to
think about realistically, if you look at, say, the United States political landscape,
totally not a hot button issue. If you are a foreign, you know, nation and you're trying to understand,
hey, what, you know, what are the political parties, you know, angling to do? What's going
on here? Well, think if they were able to break into, say, the, you know, manufacturer of like
flags, right, of little American flags that would get waved around at campaign rallies.
Well, if you knew how many orders of each of those flags were going to respective,
you know, different political campaigns and parties and all that stuff,
well, now you've built up just with that information of orders of flags.
If you're able to compromise a small manufacturing place,
now you know all the ordering, all the processing information of how that goes,
typically logistics of who, how, where, and why those flags are going to be in that position. You typically know how many are in the war chest or
how many people they're expecting at a campaign rally, right? And so it's one of those things
that it's information security because you don't necessarily know how the information is going to
be used. You might have a threat actor that breaks in to that same flag company,
trying just to steal email addresses so that they can send out, you know, phishing emails just willy nilly. Or you might have a
nation state trying to compromise that same flag factory for the purpose of trying to define what
does the political landscape look like in the United States for the upcoming midterms. There's
a lot of, there's a lot of hypotheticals. And then there's a lot of like, oh, you know, where things
actually overlap, like you said, with NSA and other intelligence agencies.
That's Andrew Hammond from the Spy Museum and host of the SpyCast podcast.
You can hear the rest of this interview on SpyCast here on the CyberWire network.
... by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. ... Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Catherine Murphy,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
... That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.