CyberWire Daily - Targeting Olympic organizations. [Research Saturday]
Episode Date: January 27, 2018
This week we're discussing a campaign the McAfee Advanced Threat Research team recently discovered, one that's targeting organizations involved with the upcoming Pyeongchang Winter Olympics. Raj Samani is chief scientist at McAfee, and he shares the campaign's clever details.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
In this particular instance, we discovered the file that was being used, or really the file that has been being disseminated.

That's Raj Samani. He's chief scientist at McAfee. And this week, we're discussing the campaign that he and the McAfee Advanced Threat Research Team recently discovered, one that's targeting organizations involved with the upcoming PyeongChang Winter Olympics.

We actually picked it up a little later than the campaign actually began, because the campaign started on the 22nd of December, and we found it on the 29th. So we're about a week behind when the campaign actually began. And actually, one of the things that we realized was there were two campaigns. You know, there was really the initial campaign, which I guess was a little clunky. And then there was a modified campaign, which was actually really quite clever. And so, you know, a lot of the research that we published focused on that kind of second campaign, which was really impressive, actually.

Well, let's go through it one by one, then. The first one, can you describe to us what was going on?

Yeah, so the first one was fairly simple in terms of, you know, it was an email. I mean, it's always an email, isn't it? And of course, within that email there was a PowerShell script. But what we kind of began to witness was the use of steganography, which came about from the second campaign. And, you know, I think the thing that really surprises us, actually, probably doesn't surprise us anymore, but the bad guys follow us. And I'm not saying me specifically, but they follow the industry. And we kind of saw this, I think it was around about November, we published research into APT28, and they were leveraging a technique, or a feature, called DDE, Dynamic Data Exchange. You know, I think the vulnerability, or really the feature, was identified by Proofpoint just a few weeks earlier. And it kind of says to me that you're seeing threat actors not necessarily using zero days, because they don't need to, because what they do is they follow the research that we're doing as an industry, and they look to weaponize that as quickly as they can. And, you know, this particular campaign onto the Olympics was doing something similar, whereby there was research that was published, I think it was the 20th of December, there's probably, anyway, it was about seven days before we actually saw it being used and weaponized in the wild. And so it shows a lot about the kind of disparity between, we get no visibility about what they do, and yet they can follow people on Twitter, they can listen to our webcasts, listen to our podcasts even, and learn the tips and techniques that can be used to infect systems across the globe.

Yeah. So again, in this first crack at it from them, what sorts of things were they up to?
Well, so actually it was very similar in terms of the campaign itself. It was just the technique that differed. So in the first attack, it was a Word document, and within that was a PowerShell script. But the second time round was different in terms of an email was sent. And actually, probably the first thing to add is the email that was sent actually was from info@nctc.go.kr. So it was actually the National Counterterror Center that they spoofed the email from. And what was interesting was the NCTC at the time were actually doing, like, preparedness drills, so it wouldn't have been out of the norm for organizations to receive an email from NCTC. What was different, and obviously the way that we were able to determine that it was different, was, you know, the IP address that was used was an IP address coming out of Singapore. It wasn't the mail server from NCTC. So, look, it was using authority, but actually the timing of it was pretty clever. You know, it was sending that email, and the Word attachment appeared to be, you know, had the, in Korean, it said, organized by the military of agriculture and forestry, Pyeongchang Winter Olympics. And apologies if I mispronounced that. But what they did was they actually sent the email to icehockey@pyeongchang2018.com, but they actually copied about, well, just in excess of 300 organizations in that. And one of the things I can say is that we're pretty confident that there were some organizations and some recipients that actually fell for it, and subsequently were infected.

And so this steganography component, can you describe that for us? First of all, just describe to us, what does that mean?
Okay, so steganography is where you can embed data within an image file. So, you know, it looks like an image file. It looks like a normal picture. But actually, you can hide content and hide data inside that. So it's a really clever way of obfuscating and hiding data within image files. So it looks like an ordinary file, but it's not. And they actually used a tool called PS Image, which had been published about a week earlier. So again, they were monitoring the types of tools that the industry were producing, and they used that for nefarious purposes.

And quick turnaround there as well. I mean, they're not wasting, they're not sitting on their hands. I mean, it was a week.

And actually, there was a lot of obfuscation involved in, I guess, that kind of second iteration, because, you know, the user would receive an email, and within that would be a Word document. If they enabled the content, there'd be a PowerShell script. Incidentally, we know who was behind this. It was an author by the name of John.

So that clears it all up, right? John was behind it all.

Right, it's kind of tongue-in-cheek, but actually the PowerShell script had the name of John as the author. So what it then does, it then connects to a remote server, and that remote server then downloads an image file, and within that image file there was another script, which then was launched by the command line and then would then connect. And actually, that PowerShell script, you know, that was then executed, had a lot of obfuscation within that. Obviously, once that script ran, it would then connect to the command and control server, and obviously that would then allow the criminals the ability to be able to connect to these particular systems. And, you know, we were able to actually gain access to the log server, and having a look through the logs, what we were able to determine was that there were connections from South Korea. So we know that there were systems that were compromised as part of this attack.

And what does it seem like they're after?
Anything they want, because once they've got access to these systems by the C2 server, then they can do what they want. I mean, you know, I think that's kind of where we kind of hit a wall, which was, you know, we were able to determine how they got in. We were able to determine the fact that systems were impacted. But what they did was they then had an encrypted session between the victim and the control server. And by the way, the control server is actually hosted in Costa Rica. So what we don't know, obviously, was what's inside that connection. Obviously, you know, because it's encrypted, our ability to be able to go further really requires us being able to get access to the C2 server and then being able to inspect what goes on thereafter. So obviously that's kind of one of the challenges that we face as an industry, is at some point, you know, we can only tell some of the story.
Now, looking at your research, is it accurate that one of the command and control servers seemed to be a compromised server? A server that perhaps the people running it didn't know that they were serving up this function?

So actually, it's the Apache server that was being used for the logging purposes.

I see. And that was compromised. And so what appears to happen here is that somebody's just running the server completely unaware that it's being used for malicious purposes. And so in terms of attribution, in terms of who's behind this, what kind of clues do you have there?

Well, so we intentionally don't do attribution. And one of the reasons we don't do that is because, you know, we can have all of the technical indicators in place. And what I will tell you is the technical indicators suggest that it's nation state, and it's a group that speaks Korean. Now, you're going to say to me, Raj, okay, I know who that is, right? It's, you know, if you look at the list, it's pretty much one, you know, one entity. But there is clear evidence to suggest that there are groups out there that intentionally leverage and use false flags, you know, for example, using language packs, or, you know, even something as simple as making the IP address appear to come from somewhere it isn't. So what we won't do, and what we will never do as a company, is say, okay, we believe it was country X or country Y. I know, you know, there are other organizations that may be willing to do that, but I kind of feel, I think we've got a kind of sense of purpose, which is, you know, what we'll do is we'll share all of our technical evidence with the industry so that we can learn from this. You know, fundamentally, we need to understand the threat actor and how they're evolving and how they're getting better. But any information with regards to attribution, you know, should be left to public sector such as law enforcement.

And so how can people protect themselves against this sort of thing?
I probably want to just take a slight detour. This is actually one of four publications, and really phenomenal research that my team have done. Like I said, we began in, I think November was the first one, that I think was remarkable, where we had evidence of a group that we believe could be APT28 using Dynamic Data Exchange. We then had a nation state who've never really done this before, who migrated over to the mobile space. They actually went after religious groups, we believe, to target defectors. And then just, I think just a week after this one, we published research on a similar nation state who were going and using social media and chat apps to go after journalists as well as defectors. And so the number one thing that anybody can do is be aware of what's happening. Because, you know, in the last few weeks, we've seen one of the most prevalent and nefarious threat actors move to mobile. And that's never happened before. We've seen threat actors leverage Dynamic Data Exchange. We've seen them using steganography. This is all new. And so we need to be aware of the tactics and techniques that they're using. And I'm not going to quote Sun Tzu because, you know, it's 2018. But we need to understand the way that these threat actors are evolving so we can better defend ourselves. And I would say, you know, publications like CyberWire, for example, and organizations such as ISACA and others, they're so important in terms of being up to date with the way that these techniques are being leveraged and being used. And so I think for me, the most important thing here is be aware of the way that threat actors are evolving, and adapt and adjust your defense accordingly.

I'm not quite sure how to ask this question. The fact that this is centered around the Olympics, do you think that they are specifically targeting Olympic organizations, or do you think that the Olympics are sort of an excuse, if you will, you know, a framework on which to hang a campaign that they would have done anyway? Did you follow where I'm going with that question?

Yeah, no. I mean, if you look at the organizations that they targeted, they went after organizations predominantly associated with the Olympics. The entire theme of this was associated with the Olympics. So this was a targeted campaign specifically focused on the Olympics. Much like we saw the APT28 group in November, that was targeted at organizations associated with the military, specifically those engaged with the U.S. It is very, very specifically minded towards compromising specific organizations. And so there's no doubt in my mind, they wanted to go after these organizations.

And so that points to more of an espionage goal than, say, making money.
Oh, yeah, no, without doubt. You know, I remember the last time we spoke, we talked about ransomware, for example. You know, there was uncertainty whether ransomware is making money or for disruption. I mean, this one for me suggests absolutely intended for espionage. I don't think there's any monetary gain involved in any of this at all.

So if people want to find out more about this particular campaign and some of the other work that you and your team are doing, what's the best way to do that?

So we actually post everything on our blog site, which is securingtomorrow.mcafee.com. But, you know, have a look on Twitter. Myself and the team will always tweet all of the latest research that we're doing. So it's Twitter, which is @Raj_Samani. But also McAfee Labs. We've got our own Twitter feed through McAfee Labs as well. And we've got a great pipeline of research coming out. So the best thing you can do is be up to speed with the way that these criminals are adapting their techniques. And hopefully we'll shine a light on that.

Can you speak to the nature of community when it comes to researchers like yourself, both at McAfee and other companies, the importance of putting this information out there and collaborating?

Oh, I'd love to speak about community because, you know, I started in this industry and it was an InfoSec community, and, you know, it's now become an industry. What we do is we collaborate, we communicate, we share information with partners wherever we can. And in most cases, I would say it's well received. But, you know, lately, there's been a kind of trend of individuals to kind of, I guess, talk badly about vendors. And I'll give you an example. So Bruce Schneier recently did a blog on the No More Ransom initiative, and he was very, very positive about it. And in the reader comments, there was one individual who says, look, I don't trust McAfee. I don't trust Kaspersky. They've done No More Ransom. What's in it for them? And what I would say to that is, look, I realize, you know, yes, we're a commercial company, and commercial companies are there to make money. But for us as researchers, we do everything that we can to share samples with each other. And, you know, when WannaCry happened, we were communicating on Slack forums and messages and doing everything we can to get the light to this. And if you've got any feedback, if anybody kind of has any suggestions, please let us know. And, you know, it's an open door. And if anybody wants to collaborate and share information with us, we're willing to do that. I mean, you know, we launched No More Ransom against ransomware. That's about 100 organizations. We also work on the Cyber Threat Alliance, for example. That's ourselves and Symantec and Fortinet and others. So really, the intent here is, we've got to work together, because the bad guys are working together. And they've been doing it for a long time. So as an industry, I think we've got a lot of catching up to do.

Our thanks to Raj Samani from McAfee for joining us. You can read their complete report, which is titled Malicious Document Targets Pyeongchang Olympics. It's on the McAfee Labs website at securingtomorrow.mcafee.com.
The CyberWire Research Saturday is proudly produced in Maryland. And I'm Dave Bittner. Thanks for listening.