CyberWire Daily - Solorigate’s stealthy, careful operators. LuckyBoy malvertising. BEC as reconnaissance? Remote work and leaky sites. And good riddance to the Joker’s Stash.
Episode Date: January 21, 2021
Microsoft researchers detail the lengths to which the Solorigate threat actor went to stay undetected and establish persistence. LuckyBoy malvertising is described. Business email compromise as a reconnaissance technique? More reminders about the risks that accompany remote work. Ben Yelin looks at cyber policy issues facing the Biden administration. Rick Howard speaks with Frank Duff from Mitre on their ATT&CK Evaluation Program. And good riddance to the Joker’s Stash (we hope). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/13
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Microsoft researchers detail the lengths to which Solorigate threat actors
went to stay undetected and establish persistence.
LuckyBoy malvertising is described.
Business email compromise as a reconnaissance technique?
More reminders about the risks that accompany remote work.
Ben Yelin looks at cyber policy issues facing the Biden administration.
Rick Howard speaks with Frank Duff from MITRE on their ATT&CK Evaluation Program.
And good riddance to the Joker's Stash.
Here's hoping.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 21st, 2021.
Microsoft yesterday offered more details on how the Solorigate threat actors worked and why their infiltration of their targets was as quietly effective as it proved to be.
It had, for example, been unclear how the handover from the Sunburst DLL backdoor to the Cobalt Strike loader was accomplished, and Microsoft details how the threat actor obscured that handover as they accomplished it.
Redmond's assessment of the Solorigate crew is that they're skilled campaign operators who carefully planned and executed the attack.
In looking at the Solorigate operation, Microsoft identified six techniques the Solorigate operators used to escape detection.
They're worth reviewing.
First, they took care to avoid putting up the same indicators for each compromised host.
Every Cobalt Strike DLL implant was designed to be unique to each affected machine.
One of the tells the threat actors scrupulously avoided
was the reuse of folder name, file name, export function names,
C2 domain and IP, HTTP requests, timestamp, file metadata, config, and child process launched.
They also varied such non-executables as WMI persistence filter name, WMI filter query,
passwords used for 7-zip archives, and names of output log files.
That, Microsoft says, took a lot of effort,
and a whole lot more effort than the typical threat group finds it worth expending.
Second, the Solorigate actors took care to camouflage themselves to blend into targets' environments.
The tools and binaries they used were named and put in folders that appeared to belong in the affected machine.
They mimicked existing legitimate files and programs that they found in the victim's environment.
Third, before they ran their hands-on keyboard activity, which would raise the risk of detection,
the threat actors disabled event logging using AuditPol.
They re-enabled logging once they were finished.
Similarly, they installed special firewall rules before they ran unavoidably noisy network reconnaissance.
The rules were designed to minimize outgoing packets for certain protocols.
Once the reconnaissance was complete,
they systematically removed those firewall rules.
It's also noteworthy, Microsoft says, that the Solorigate operators executed lateral
movement only after careful preparation.
They began by enumerating any remote processes and services running on the target host, and
they moved laterally across the network only after they disabled security services that
might detect them.
Finally, Microsoft believes they timestomped the timestamps of various artifacts, altered
them that is, and also used professional wiping procedures and tools with a view to complicating
the defender's problem of finding and eliminating the DLL implants from the affected systems.
So, whoever they were, and the smart money is still on Russian intelligence services,
the Solorigate threat actors showed rare patience, sophistication, and attention to detail
far beyond what organized crime normally attempts.
SecurityWeek describes research by The Media Trust into a cross-platform malvertising campaign,
LuckyBoy, that's afflicting users of iOS, Android, and Xbox
systems. It checks for blockers, test environments, and debuggers before it runs. Once it does execute,
LuckyBoy uses a tracking pixel to redirect the victim to malicious sites like phishing pages
or bogus software updates. The campaign, which surfaced last week, appears to be in its early testing phases.
It's another instance of malware using relatively complicated means of obfuscating itself.
It's not as complex as what the Solorigate operators used, but even criminals try to stay undetected.
Proofpoint has found a business email compromise campaign that uses Google Forms to bypass keyword-based
email content filters. The researchers see the campaign as a hybrid, combining social engineering
with exploitation of the scale and legitimacy of Google services. The messages themselves are
relatively primitive, with the poor idiomatic control so often found in criminal communications,
but Proofpoint suspects they'll find takers
nonetheless. The researchers think that the BEC effort represents an email reconnaissance campaign
to enable target selection for undetermined follow-on threat activity.
The increase in remote work during the pandemic has, of course, greatly increased most organizations' attack surface.
Yes, yes, we know, this is old news, but bear with us. Or rather, bear with Wandera, whose 2021 cloud security report has some interesting findings on the extent to which the criminal
underworld has embraced the opportunities remote work affords. Your remote work, not theirs. Oh, and remote workers could behave better, too.
Wandera says that accessing what they primly call inappropriate content, and we leave it as an exercise for the listener what counts as inappropriate content, has at least doubled
since the onset of the pandemic. Did you know that websites in the adult, gambling, extreme, and illegal content
categories are more likely to leak data than nice sites? Well, they are, you know. Avoid the near
occasion of compromise. And finally, remember the Joker's Stash, the online carder forum that took
its lumps from law enforcement during 2020, but succeeded in
resisting complete eradication? SecurityWeek reported in December that the FBI and Interpol
had seized a number of the illicit market's blockchain domains, which put a big dent but
not a fatal hole in their operations. The same publication now reports that Joker's Stash has
said it's going out of business. In an all-good-bad-things-must-come-to-an-end mood,
the souk's proprietors have posted an announcement to some of its many unaffected domains
that they're off to what they call a well-deserved retirement.
It's time for us to leave forever, they say,
and they plan to wipe all their stuff for good on February 15th.
That's Washington's birthday, but we cannot tell a lie.
We have no idea if that holiday has any importance for the Joker.
The hoods behind Joker's Stash say they intend to settle all their accounts
in the criminal-to-criminal market before they go dark, but we'll see.
Other such services have simply absconded.
It also remains to be seen how real the promised retirement proves to be.
We hope we'll all be able to say, good riddance.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
MITRE describes their ATT&CK framework as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
That sounds about right.
To help bridge the gap between that knowledge base and how it may apply to defenders in everyday use, MITRE provides ATT&CK evaluations.
Our own Rick Howard files this report.
The MITRE ATT&CK framework is the most complete open source collection of cyber adversary activity in the world. I asked Frank Duff, the director of the MITRE ATT&CK evaluation program,
to explain what ATT&CK is and how it got its start. MITRE ATT&CK is a knowledge base of
known adversary behaviors. The concept there is that to better defend our networks,
we have to understand what adversaries are actually doing on them.
So MITRE ATT&CK was generated from a research project many years ago,
meaning five to eight, depending on when you consider conception.
But we started the effort as a way of making it so we could
communicate more effectively between our defenders and the people that were testing out our research
hypotheses, the red team as it were. And so we needed a way to explain what the red team was
doing such that the defenders could understand it and create better defenses, better analytics, better sensoring.
Since then, that initial research has grown into a full-blown wiki.
The question that immediately comes up then is how do you convert the MITRE ATT&CK list
into prevention controls for your security stack?
Frank says one way to do it is with threat emulation.
Let's pick an adversary that is of interest to us
for whatever reason,
figure out which techniques they use,
how they use them.
So their modus operandi, right?
Like their pacing that they use,
the types of tooling that they use to do it.
Still not focusing on specifically their malware,
but how do they use these techniques?
What behaviors are they generating? What data are they creating on these endpoints that would further detection and
protection capabilities? The MITRE ATT&CK evaluation program that Frank runs is not a consumer report
style analysis of a cybersecurity product. It's strictly a thumbs up and thumbs down scorecard
on how each participating vendor detects the TTPs of a specific adversary attack sequence.
So we'll allow any vendor that wants to participate, you can apply to participate,
vendors pay for it. But so you sign up, you want to do it. We don't care about your market segment,
as long as we can do the same methodology against you. We're doing a threat-informed methodology,
you can say how you detect in your own way.
We don't declare winners.
We don't rank.
We don't rate.
So far, the evaluation program has considered two adversary groups,
APT29, the Russian adversary group behind the 2016 DNC hacks,
and APT3, the Chinese adversary group behind the breaches at Equifax, Anthem, and OPM.
The group they are working on right now is FIN7,
the cybercrime group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015.
But here's the takeaway.
Encourage your vendors to participate in the MITRE ATT&CK Evaluation Program.
It costs you nothing, makes their products better, and makes the entire security community more safe.
That's the Cyber Wire's Rick Howard.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story from the folks over at CyberScoop.
This is titled,
The Big Cyber Issues Joe Biden Will Face,
His First Day in Office. Of course, recently inaugurated President Biden is hard at work
underway with his new administration, but he's got some challenges ahead of us here. What are
some of the things that the folks at CyberScoop have laid out here, Ben?
So he certainly has no shortage of problems to deal with.
Civil unrest, the continuing pandemic, everything else that's going on in this country, the economy.
But there are a lot of cybersecurity issues that he's going to have to address, and he's going to have to address rather quickly.
The first is responding to the SolarWinds mess. We're still in the early stages of understanding this hack
and the extent to which it's not only infected our government's network and systems, but has
also seeped into the private sector. President Biden vowed to get to the bottom of the hack,
which I think most public policy experts think was the work of Russian operatives who were able to infiltrate these networks at
federal agencies. So that's really going to be his first order of business, getting to the bottom of
this attack and then deciding, you know, whether to respond with a similar force, so to speak.
Whether, you know, we are going to prioritize offensive cybersecurity operation or cyber operations against our foreign adversaries.
If, you know, President Biden concludes, based on all the information available, that the Russian government and its minions are responsible for this attack, then that really is going to have a big impact on, you know, what the president is going to do in his first year. And there's this quote
from the incoming national security advisor, Jake Sullivan, saying, you know, we're not going to
tell you exactly what we're going to do, but there will be costs for attacks like this. So whether
that's offensive cyber operations or sanctions or something else, we don't know. But they are
telegraphing, they're going to do something about that. And then the Biden administration is going to have to make a decision on offensive cyber operations in general.
That's something that the Trump administration prioritized.
They expressed eagerness to use cyber operations.
I think everybody – there's sort of a widespread agreement that we need to invest more in protecting our own networks.
But the extent to which, you know, we're going to engage in offensive cyber operations, I think is a policy question that's still at large.
And then, you know, just generally trying to curb destructive hacking.
This article mentions, you know, a number of the most prominent hacks and
how much damage they've done to private sector industries, starting from the alleged North Korean
2014 attack of Sony Pictures, the Russian NotPetya assault in 2017. You know, this is
something that has to be an all-hands-on-deck effort.
It can't be done solely domestically.
Part of it has to be done with our international partners.
And, you know, that's why the Obama administration had added the cybersecurity coordinator position at the State Department so that they could have a voice in international relations.
The Trump administration disbanded that position a couple of years later. So really, there are a lot of things on the table.
You know, I think President Biden would have probably preferred not to be facing, among other
emergencies, the impacts of the SolarWinds attack, which I don't think, you know, we've really gotten
to the bottom of. But them's the breaks, as they say. And this might consume the early days of his administration.
Yeah, and it really points to, as you say,
it's a global situation here,
and that even working on our relationships with our allies,
which have certainly been strained over the past few years,
is going to be a key component of our safety,
even in the cyber realm. Absolutely. And these relationships are going to take a while to
rebuild. It's not necessarily one of those forgive and forget, where we pretend that the last four
years didn't happen. I mean, we really do have frayed alliances, particularly with our NATO allies. But we have these shared interests,
you know, our adversaries are the adversaries of those in the European Union, other Western
democracies. And if they try to attack us, they're going to try to attack some of these other
countries as well. So that just, you know, enhances the importance of diplomacy. Right, right. Well,
of course, all of these issues pale in comparison
to the fact that evidently President Biden has a Peloton bike that he wants to use. The Peloton!
No! It's all going to come crashing down because the president has an IoT-connected
exercise bike, right? The exercise bike is going to doom all of us. The country is just going to collapse
because of that Peloton
in the residential area of the White House.
I will just say, for those people
who are potentially worried about cybersecurity concerns
relating to this IoT device,
they'll figure it out.
He has access to some of the foremost
cybersecurity experts in the country.
It's not really going to be a problem.
And in response to the New York Times,
who say, you know, they say this cuts against Biden's working class image,
a lot of people have Pelotons.
And I don't personally, but I know a lot of people who do.
And I think we're all going to be fine.
Yeah, this too shall pass.
Yep.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
You can't beat the feeling.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.
solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.