CyberWire Daily - “Static expressway” tactics in credential harvesting. Emotet is back. Black Basta linked to Fin7. RomCom hits Ukrainian targets and warms up against the Anglo-Saxons. Cyber cooperation?
Episode Date: November 3, 2022
Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting. Emotet is back. Black Basta ransomware linked to FIN7. A Russophone gang increases activity against Ukrainian targets. Betsy Carmelite from Booz Allen Hamilton on adversary-informed defense. Our guest is Tom Gorup of Alert Logic with a view on cybersecurity from a combat veteran. And Russia regrets that old US lack of cooperation in cyberspace: things would be so much better if the Anglo-Saxons didn't think cyberspace was the property of the East India Company. Or something like that.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/212
Selected reading.
Abusing Microsoft Customer Voice to Send Phishing Links (Avanan)
Emotet botnet starts blasting malware again after 5 month break (BleepingComputer)
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor (SentinelOne)
RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom (BlackBerry)
Russia cyber director warns no U.S. cooperation risks "mutual destruction" (Newsweek)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash N2K code N2K.
Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting. Emotet is back.
Black Basta ransomware gang is linked to FIN7.
A Russophone gang increases activity against Ukrainian targets.
Betsy Carmelite from Booz Allen Hamilton on adversary-informed defense.
Our guest is Tom Gorup from AlertLogic with a view on cybersecurity from a combat veteran.
And Russia regrets that old U.S. lack of cooperation in cyberspace.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 3rd, 2022.
Avanan today blogged about attempts by hackers to abuse Dynamics 365 Customer Voice,
a Microsoft product used to gain feedback from customers.
Threat actors were found to be using legitimate appearing links from Microsoft notifications
in order to send credential harvesting pages. One of the malicious emails looks like it's from
the survey feature from Dynamics 365. It informs the victim that a new voicemail has been received. Another email provides
a legitimate customer voice link from Microsoft, but when play voicemail is clicked, it redirects
to a phishing link of a lookalike Microsoft login page. The malice is in the button. The actual
phishing page doesn't show up until the end of the process. Avanon calls this style of attack the static expressway.
Attackers follow the static expressway to leverage legitimate sites
in a way that enables them to get past the security scanners
that so many organizations use as a vital part of their defense.
Avanan explains,
The logic is this. Security services can't outright block Microsoft.
It would be impossible to get any work done.
Instead, these links from trusted sources tend to be automatically trusted.
That has created an avenue for hackers to insert themselves.
Criminal groups are protean, but not, for the honest world, in a good way.
An example of their slippery adaptability may be seen in the reappearance of one notorious gang
that hadn't been heard from much since police began kicking down doors late last year.
Emotet, the notorious gang whose activities have been largely suspended for five months
due to disruption by international law enforcement operations,
has returned to action, Bleeping Computer reports. Cryptolaemus researchers found that
Emotet suddenly resumed spamming at 4 a.m. Eastern time yesterday. The crime group is
back in distro mode, Cryptolaemus tweeted. Emotet had been associated with the Conti
ransomware gang, but since Conti went into hiding this past June, there have been signs that Emotet was beginning to collaborate with the BlackCat and Quantum gangs.
As Cryptolaemus said,
Looks like Ivan is in need of some cash again, so he went back to work. Be on the lookout for direct attached XLS files and zipped and password-protected XLS.
There's similar changeability on display in the case of Black Basta.
Researchers at SentinelLabs report finding links between Black Basta ransomware and the Russian criminal group FIN7.
The evidence is circumstantial but regarded as convincing by SentinelLabs, who state,
We assess it as likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations,
thus establishing for the first time a possible connection between the two groups.
It can be difficult to separate criminal organizations.
Their members are opportunistic, their organization fluid,
but it seems that FIN7 may be, at the very least, closely cooperating with Black Basta.
BlackBerry describes the recent activity of RomCom,
a threat actor that presents itself as a financially motivated criminal organization,
but which is more likely to
represent a group acting on behalf of the Russian government. BlackBerry had earlier noted the
group's use of spoofed versions of Advanced IP Scanner to hit Ukrainian military targets.
The company's researchers have since found that RomCom has expanded its operations
to exploit the brands of SolarWinds Network Performance Monitor and KeePass. BlackBerry explains the attack chain: copying legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the
legitimate one, trojanizing a legitimate application, uploading a malicious bundle
to the decoy website, deploying targeted phishing emails to the victims, or in some instances,
using additional infection vectors. So far, Ukraine has been the primary target of the latest RomCom campaign, but there are signs pointing to some targeting of Anglophone countries, especially the United Kingdom.
BlackBerry concludes,
RomCom RAT, Cuba ransomware, and Industrial Spy have an apparent connection.
Industrial Spy is a relatively new ransomware group that emerged in April 2022.
While RomCom has sought to cloak itself in crime,
the group seems to be working under the direction of a hostile intelligence service.
BlackBerry says,
Given the target's geography and characteristics combined with the current geopolitical situation,
it's unclear if the real motivation of the RomCom threat actor is purely
cyber-criminal in nature. BlackBerry doesn't go this far, but it's difficult to resist the
inference that RomCom is working for the Russian organs. And finally, there's a look at how Russia
sees cyberspace, or more accurately, how Russia wants the rest of us to think it sees cyberspace.
Newsweek interviewed Artur Lyukmanov, acting director of Russia's Department of International
Information Security, on Russia's views concerning international norms for the use of information
communication technologies. Mr. Lyukmanov says that Moscow stands for goodness here, stating, Russia insists
on the principles of justice, sovereign equality of states, non-interference in internal affairs,
and peaceful settlement of conflicts. These are the principles of the UN Charter. In practice,
this has meant central Russian control over the information accessible to its subjects.
Sovereign equality and non-interference in internal affairs means Russia's ability to control the information its population receives.
Mr. Lyukmanov went on to argue that international norms in cyberspace
should involve joint inquiry into cyber incidents, saying,
We are striving to reach such an understanding that governments and their competent agencies
could directly investigate cyber incidents, putting aside unsubstantiated assessments.
A demand to show us the evidence has long been the customary Russian response to accusations
of misbehavior. He continued,
Ideally, ICTs should be used for... The lack of such norms is all too likely, he said,
to result in mutual destruction.
We leave an assessment of Mr. Lyukmanov's words as an exercise for the listener.
In the meantime, if you're listening, U.S. Cyber Command,
we've got just two words for you.
Good hunting.
Coming up after the break, Betsy Carmelite from Booz Allen Hamilton on adversary-informed defense.
Our guest is Tom Gorup of AlertLogic with a view on cybersecurity from a combat veteran.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your
executives and their families at home. Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Tom Gorup served six years in the U.S. Army with the 10th Mountain and 101st Airborne Divisions in Iraq and Afghanistan, respectively,
during which he earned several medals, including the Purple Heart.
Tom is currently Vice President of Security Operations at AlertLogic.
I was curious to know how his experience as a combat veteran has informed his approach to cybersecurity.
My experience on the battlefield really helped translate into the digital world when I started to make connections on how I was securing forward operating bases, how I was securing battle positions.
I was in the infantry and it wasn't uncommon for me to have to set up battle positions on top of the mountainside or, you know, even in land in Iraq.
And when I was setting up these battle positions, we typically looked at, we used a tactic called OCOKA.
Observation and fields of fire, cover and concealment, obstacles, key terrain, and avenues of approach. When we were using these tactics, we were typically, what I've found over the years,
is that we were typically evaluating kind of three key pillars there.
We're looking at visibility.
We're trying to understand what these battle positions can see.
We're looking at exposures.
We're trying to identify where the weaknesses are.
And then when we come under attack, we want to see how that attack is pointing out flaws or weaknesses within our battle position and adjust accordingly.
So once I started making those connections, I realized that it's no longer these tactics and techniques that I learned while in the military directly applied to digital space.
I just had to learn my tools.
I was no longer using claymores or machine guns.
I'm using antiviruses and firewalls. So making those connections was huge in my transition.
I'm curious, as a veteran yourself, and indeed a combat veteran, is there a particular mindset
that you find that other folks who've been through the same sorts of things that you have, have within them?
Absolutely. I think the mindset brought on from the military world, especially in the IT security space, is the take-any-mountain type attitude.
One of the toughest things I had to adjust to, or at least better understand as I transitioned from military world to the civilian world was,
oh, we can't do that
or that's impossible.
Often got those types of response
from all sorts of people,
from IT to desktop support, et cetera.
And that's not a mentality a soldier has, right?
Our objective is to take a mountain
and we're going to take that hill
and we're going to take that mountain
any way, shape, or form.
We're going to figure it out and get creative in solving that problem.
I think that discipline and that rigor, that work ethic that comes from being in the military
is extremely valuable, especially in IT security.
It's a nonstop industry.
We're constantly seeing new attacks.
We're seeing evolution of old attacks.
So you have to stay diligent.
You have to stay disciplined and constantly keeping up with the trends.
I believe the military, especially in the infantry, teaches you those skill sets.
And what is it like to translate that mindset to folks who have not
had that experience? How do you pass that on in a way that normal folks who aren't veterans can
understand? Great question. The way we can transfer that type of knowledge, I believe, is mainly by
leading by example. I guess a great way to look at it is when I'm going to hire people,
I can't often teach people to be motivated.
If they really want to be in the security space,
they'll show it on the front end of the hiring process.
On the other end,
it's how can I take that motivation
and bring it forward?
The drive, the discipline
is something that sometimes people need to,
that those that are motivated,
have a drive but don't know where to put it.
The military, and I think that experience allows me to lead that by example
and showing that with my team, here's how I execute and here's how I move things forward.
And I always think that leading by example is the best way to transfer that type of knowledge.
What are your recommendations then for organizations who want to take this sort of approach?
How do they get started?
So for organizations that really want to take hold of their security posture and make it easier to communicate, it's really to break out their work and break out their environment into
those three categories.
Visibility, you need to start getting an understanding of your environment.
I can't count how many customers that I've worked with over the years
that have come to me with spreadsheets.
And that's their asset inventory.
And they manage it all manually.
But when a new asset is spun up or some other tools is put within their environment,
they're not aware of it.
So visibility is critical.
It's important on the battle space
and it's just important in the digital world.
So starting off with looking at our visibility,
what can we see, what can't we see?
Do our vulnerability scanners touch all of our environment?
Do we have agents deployed everywhere
where we would expect them to be?
But then going a little bit further
and knowing when drift happens.
So we want to understand when new assets
are spun up and they don't meet the security controls.
These things all fall into
the visibility bucket.
The word exposures
there is intentional.
We want to elevate that conversation
and bring it to not only
talking about out-of-date software,
your typical vulnerabilities,
we also want to understand
where our misconfigurations are in the cloud.
I have overprivileged IAM roles or exposed S3 buckets.
These are common, common problems.
But is it easy for us to identify these issues?
And then threats.
How am I being attacked?
What are the types of attacks that I'm
experiencing? What assets are under attack? And how can I use that to inform other parts of my
environment? One thing that security tools, security services are often really good at
is pumping out work, right? They're work-producing engines. You turn the wheel, you get more work.
You have visibility gaps here.
You have vulnerabilities and exposures there.
You have these threats going on in this part of the environment.
The tough part here is now, how do I prioritize that work?
And when we can break it out into visibility, exposures, and threats,
we can more effectively prioritize our work. What's the next most important thing you
should be working on? And that's the objective here is to break them out, categorize them,
and then prioritize them based on where your risks are.
That's Tom Gorup from AlertLogic.
And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton,
also their Federal Attack Surface Reduction Lead. Betsy, it is always a pleasure to welcome you back
to the show. I want to touch today on this notion of adversary-informed defense, working on that offense-to-defense cycle and innovation and those sorts of things.
Can we start with some basics here and help me understand when we say adversary-informed defense, what exactly are we talking about here?
Sure. We're looking, Dave, at how our adversaries also look at our national cyber
ecosystem. It's one battle space. So standing in the shoes of an adversary and looking at that
battlefield, what do they see? That's exactly how we should be looking at our defense and offense
approach to that battle space as well. It comes as no surprise to you that our
nation's adversaries are dedicating significant resources to honing tactics and executing cyber
operations that threaten our national and economic security. For this, the United States needs to
develop policies, plans, programs, and activities for a whole-of-nation, one-battle-space
focused effort on full-spectrum cyber activities and actors. So where we're talking about using
offense to inform defense and vice versa, also really a whole-of-nation change of management
exercise as to how we look at the adversary. So that's what we're focusing on here.
To what degree are we functioning in this mode and to what degree is this an area open for innovation?
So this is definitely an area open for innovation. I'm going to talk about one of the ways that we've,
at Booz Allen, have brought a lot of our knowledge and diverse
thinking about how offense and defense come together.
But the U.S. really must better integrate and synchronize the way it conducts cyber
offense and defense with a refreshed national strategy.
And we're seeing a lot of this in some of the policies that have come out in the last
year or so.
Related policies, whole-of-government operating models. It sounds maybe overstated, but the siloed way that we
approach with just looking at offense and looking at defense really needs to come together. Doctrine
that goes beyond military minutia or merely a military-focused approach needs to change, and greater clarity and deconfliction around roles and responsibilities are important.
So it's very important when paying close attention to the adversary
and its techniques, technologies, and tactics to remember this is a long game.
It's really easy to overinvest on technical controls
and then underinvest on cyber defensive operations. And here's why. Knowing the adversary
can take years. So this is where our cyber analysts have brought their knowledge about
offensive defense and brought that together to scale a solution. And so one of
these that we developed is called SnapAttack. And this is a cloud-based software solution
that brings together threat intelligence and hacker tradecraft to proactively detect and
defend against cyber threats. And one of its hallmarks, it also enables community collaboration
around threat intelligence and attack emulation and detection analytics to help organizations
identify vulnerabilities and risks before threat actors attempt similar techniques.
And this library is really quickly becoming one of the largest
libraries of documented attacker behavior in the world. And so this is a collaborative sort of
thing? I mean, is this a public-private thing or is this staying within Booz Allen? How does it work?
So SnapAttack was developed and launched publicly by Booz Allen DarkLabs.
This is a multidisciplinary elite team of security researchers, threat hunters, penetration
testers, reverse engineers, network analysts, and data scientists dedicated to stopping
cyber attacks before they occur.
And they built this based on years of experience
in the commercial and nation-state level
cyber operations and cyber defense,
otherwise known as blue teaming,
as well as in cyber offense, known as red teaming.
And so last year, Booz Allen announced
it had spun out SnapAttack to a standalone company.
The product development team will continue to be led by SnapAttack's original developers,
both of whom began their careers at Booz Allen, and really exemplify how we innovate and grow
cutting-edge technology at scale.
And so we're looking at this to be, and it's currently really a game changer in that
purple teaming space where you're seeing the red and the blue teams combine.
And what is the ultimate goal here? I mean, as you move forward with these sorts of efforts,
what are you looking towards on the horizon?
We are still very tied to this innovation solution, and we're making investments such as in our carrier-grade 5G lab and our IoT incubator investments so that we can incorporate those types of threat detection capabilities within that. And obviously,
always looking for continued public partnership with how we can enhance that really robust
detection library and library of threat analytics.
All right. Well, Betsy Carmelite, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shake and espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.