CyberWire Daily - The cyber phases of Russia's war against Ukraine. Sanctions and the criminal underworld. Conti’s fortunes. More_eggs resurfaces. BlackCat ransomware warning.
Episode Date: April 22, 2022

A look at Russian malware used against Ukrainian targets. Actual and potential targets harden themselves against Russian cyberattacks. Sanctions and the criminal underworld. Conti's fortunes. A credential stealer resurfaces in corporate networks. BlackCat ransomware warning. Tomer Bar from SafeBreach discusses MuddyWater. Dr. Christopher Emdin previews his new book STEM, STEAM, Make, Dream. CISA releases three more ICS security advisories.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/78

Selected reading.
Russia outlines when Ukraine war will end (Newsweek)
Russia racing against clock to win Ukraine war before May 9 'Victory Day' (Newsweek)
A deeper look at the malware being used on Ukrainian targets (The Record by Recorded Future)
Ukraine ramps up cyber defences to slow surge in attacks (The Straits Times)
Five Eyes Alert Warns of Heightened Risk of Russian Cyber Attacks (Bloomberg)
Preparing for Energy Industry Cyberattacks (Wall Street Journal)
US sets dangerous precedents in cyberspace (Global Times)
Russia's War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here's How They're Adapting (Flashpoint)
U.S. Treasury Designates Facilitators of Russian Sanctions Evasion (U.S. Department of the Treasury)
Russia says nyet, sanctions Mark Zuckerberg, LinkedIn's Roslansky, VP Harris and other US leaders (TechCrunch)
GOLD ULRICK continues Conti operations despite public disclosures (Secureworks)
Costa Rica's Alvarado says cyberattacks seek to destabilize country as government transitions (Reuters)
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire (eSentire)
BlackCat/ALPHV Ransomware Indicators of Compromise (IC3)
FBI: BlackCat ransomware breached at least 60 entities worldwide (BleepingComputer)
Delta Electronics ASDA-Soft (CISA)
Johnson Controls Metasys SCT Pro (CISA)
Hitachi Energy MicroSCADA Pro/X SYS600 (CISA)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A look at the Russian malware used against Ukrainian targets.
Actual and potential targets harden themselves against Russian cyber attacks.
Sanctions and the criminal underworld.
Conti's fortunes.
A credential stealer resurfaces in corporate networks.
BlackCat ransomware warnings.
Tomer Bar from SafeBreach discusses MuddyWater.
Our guest is Dr. Christopher Emdin with a preview of his new book, STEM, STEAM, Make, Dream.
And CISA releases three more ICS security advisories.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 22nd, 2022.
The Record has an overview of the Russian malware that's been used against Ukrainian targets.
Wiper malware has been particularly prominent so far in Russia's hybrid war.
Citing conversations with Ukrainian security officials,
they describe WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, AcidRain, CaddyWiper, DoubleZero, and Industroyer2.
The Straits Times reports that Ukraine has worked to upgrade its defenses,
for the most part through implementation of widely understood cybersecurity best practices.
This week's joint cybersecurity advisory by the Five Eyes is prompting similar moves in other countries, Bloomberg reports.
The energy sector is receiving particular attention, an essay in the Wall Street Journal explains.
China, looking on as an observer generally sympathetic to Russia, more or less a tepid ally of convenience,
on the familiar grounds that the enemy of my enemy is, well, sort of anyway, my friend,
sees U.S. preparation in cyberspace as dangerous provocation.
The Global Times, a Beijing mouthpiece, argues that U.S. defend-forward policy is destabilizing and contravenes international norms of conduct.
The U.S. Department of the Treasury has taken punitive steps against Russian organizations
found to be enabling other groups' evasion of sanctions imposed in response to Russia's war against Ukraine.
Of particular note is the addition of BitRiver AG,
a prominent crypto mining venture, to the list of sanctioned entities.
For its part, TechCrunch reports,
Russia has responded to a tightening sanctions regime by designating various prominent U.S. citizens as henceforth barred from travel to Russia.
Their list includes Meta's Mark Zuckerberg, LinkedIn's Ryan Roslansky, and Vice President Kamala Harris.
The welcome mat will be yanked from others, the Russian Ministry of Foreign Affairs explained, as it develops and expands its list of Russophobes.
They said, in the near future, a new announcement will follow about the next replenishment of the
Russian stop list in the order of countermeasures against the hostile actions of the U.S. authorities.
There's no particular evidence any of them were planning to, let alone longing, to travel to Russia,
but we'll leave that aside.
It's a move against leading Russophobes.
Sanctions designed to inhibit the flow of money to the entities they affect have a collateral impact on the parasitic criminal economy that accompanies legitimate markets.
Flashpoint describes the ways in which sanctions against Russia have made it more difficult for cyber gangs to cash out.
The takedown of the Hydra market, for example, represented a direct interdiction of a traditional cash-out avenue.
And not only do the sanctions themselves directly impede the gangs,
but the countermeasures Russia is taking to increase central control of its economy are also having an effect.
Flashpoint writes that gangland chatter suggests the criminals are looking into peer-to-peer cryptocurrency exchanges,
conventional bank transfers that sanctions don't yet reach, and Chinese-run UnionPay cards.
The gangs are also considering hunkering down and holding their gains in cold wallets until the heat blows over.
Secureworks looks at GOLD ULRICK, a prominent operator of what the researchers characterize as Conti ransomware's name-and-shame site,
and describes how it has adapted to recent revelations and setbacks.
Costa Rican authorities are also blaming Conti
for attacks aimed at disrupting that country's presidential transition.
Six public institutions have been affected.
In short, it seems that the incursions into Conti's private chatter
by Ukrainian and Ukrainian-sympathizing operators have had a negligible effect on the ransomware's operations.
Some observers thought that the privateers would sustain reputational damage from the leaks, but it turns out that the reputation under threat was not the kind of reputation people care about in the criminal underworld.
eSentire reports a fresh infestation of More_eggs malware across various company networks.
The credential stealer is being distributed in a spear phishing campaign that targets corporate hiring managers
with phishbait representing itself as resumes from fictitious job applicants.
More_eggs last surfaced a year ago.
The U.S. FBI has issued a flash alert on BlackCat ransomware
describing the indicators of compromise associated with this strain of double extortion malware.
The alert also describes the typical course of a BlackCat attack.
The FBI says,
BlackCat ransomware leverages
previously compromised user credentials
to gain initial access to the victim's system.
Once the malware establishes access,
it compromises Active Directory user
and administrator accounts.
The malware uses Windows Task Scheduler
to configure malicious group policy objects
to deploy ransomware.
Initial deployment of the malware leverages PowerShell scripts
in conjunction with Cobalt Strike
and disables security features within the victim's network.
BlackCat ransomware also leverages Windows administrative tools
and Microsoft Sysinternals tools during compromise.
BleepingComputer reports that BlackCat has affected at least 60 organizations worldwide.
And finally, CISA has released three new industrial control system (ICS) advisories.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Dr. Christopher Emdin.
He's a professor of education at the University of Southern California, where he also serves as director of youth engagement and community partnerships at the USC Race and Equity Center.
He's the founder of hiphoped.com. And Dr. Emdin is author of the new book called STEM, STEAM, Make, Dream: Reimagining the Culture of Science, Technology, Engineering, and Math.
We found that those who are brilliant in science and math actually had a really strong artistic
and a creative side. So, you know, in good wisdom, I guess, or in good research, they decided to
include the A in STEM. And so that's how we got from going from STEM to STEAM. Now, unfortunately,
the movement from STEM to STEAM has not been successful. And unfortunately, we still have the
overall dire straits when it comes to getting particular populations to be engaged in STEM
disciplines. So we're now at this sort of inflection point, like this moment. We said just STEM because
they weren't doing well in it. We said STEAM because we thought the arts would fix it, but it's still not working. So where
are we now? And that's where I come in. How do we reimagine this idea of STEAM? How do we not say
just art, but art and culture, art and ancestry, art and imagination and aesthetics. And how do we reimagine what STEM and STEAM instruction looks like in classrooms?
We changed the acronyms.
We never changed the pedagogy and the teaching.
And so my work, my mission, even my book, STEM, STEAM, Make, Dream,
is about how do we reimagine how we introduce young folks to these disciplines?
How do we reimagine the arts?
And how do we change the landscape of STEM education in this nation? You know, I think people certainly
recognize the reality that not every school system in the United States is created equal,
and there are, you know, lots of systemic reasons for that. Does adoption of STEM sort of track along with that? Do the wealthy school systems
in affluent areas, are they able to, do they have the extra bandwidth, the resources to be able to
focus on this where some of the communities that are struggling don't? Dave, I'm going to say
something really provocative here. And it is that even the most affluent school districts who we would imagine are preparing young folks to be amazing in STEM are also struggling with getting young folks to retain in STEM, to declare science majors or engineering majors.
So we do have an issue with socioeconomics, right?
Young folks in urban settings are not finding opportunities or resources are inhibiting them from being able to fully engage. And there are things that we have
to do around equity with the distribution of resources, yes. But I also want to make clear
that even the affluent school districts who have resources, who have the wealth to be able to
introduce young folks to STEM are also struggling with getting young folks to retain success in there. So the issue here is a national issue. And I think the solution is actually the same across the board,
which is that STEM instruction must focus on the particular needs of a population,
the particular artistic and cultural needs of young people, and must be relayed to what's
going on in their lives every day. Now, if that approach is employed everywhere, I think we get better. But here's where it gets even more interesting, is the recognition that
you can't standardize that. You can standardize the approach of censoring culture and censoring
youth experiences and censoring what young people are into and meeting the needs of particular
populations, but you will also have to recognize that there are different needs in different places, right?
That more affluent school districts may do something completely different, and those
students might have a very different culture than young folks in urban spaces.
And so I think a solution to our problem is to recognize that instruction in STEM cannot
be hyper-standardized.
It must be localized.
It must be unique to the needs of a population.
And it must bend itself to where young folks are while keeping academic and intellectual expectations high. So we don't sacrifice the rigor, but we recognize that the approach to getting to the rigor must be different based on a different population.
There's no innate genius required to have a position in science and math.
There's no, like, you're not born as a particular type of genius. And that's the reason why you're an engineer. No, it's just that you
spend time with it. It's that you love it. It's that when you deal with it, when a problem arises,
you sit with that problem long enough to be able to come up with solutions. You're creative and
imaginative enough that you have that stick-to-itiveness to be able to overcome those
challenges. And that stick-to-itiveness, that creativity, that willingness to sit with a problem until you can solve it,
that willingness to sit for 9, 10, 11, 12 hours with a problem until you solve it,
comes with seeing yourself as part of that discipline. And so if we deal with the sort
of socio-psychological dimensions of this work and convince young folks that science and math
are what they can do, I'm not saying they're all going to be scientists and mathematicians, they certainly
will feel like it's a part of who they are and they're willing to put in the work to be successful
academically. Now, whether or not it's their thing, what happened over the course of the journey,
right? A kid can love science, think they're a scientist, and then stumble into pottery and say,
you know what? I just want to do pottery for the rest of my life.
But I'm a scientifically and mathematically literate person who ends up being someone who's
interested in pottery. And so I'm like, oh my gosh, I'm into science and math. It's amazing.
And guess what? I want to engage in nanotechnology. That's my decision. But I can engage in
nanotechnology being a scientifically and mathematically literate person. So my work is about having an equal baseline of perception of self, of basic literacy in these subjects, of basic competency in these projects.
And then as life unfolds, if it becomes your thing, you can leap into it and be successful.
And if it does not be your, and even if it's not your profession, it can still be your thing.
You can attach that to what your passion is.
You know, I want a world where a kid is like, you know what?
I'm a writer, but I'm a scientist.
I want to be a science journalist.
You know, I'm a scientist, but I'm really into swimming.
I'm going to find ways to fine tune my body and understand what I eat and train myself
with scientific knowledge to be a better swimmer.
It's about this baseline of equal scientific literacy
and perception that it is a piece of your identity
that we have to get to in this nation
if we want to close the gaps between the science jobs and the science people.
That's Dr. Christopher Emdin.
The book is titled STEM, STEAM, Make, Dream:
Reimagining the Culture of Science, Technology, Engineering, and Math.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The threat actor MuddyWater, also known as Mercury or Static Kitten, was recently attributed to Iran's Ministry of Intelligence and Security by U.S. Cyber Command.
Tomer Bar is director of security research at SafeBreach, and I checked in with him for some insights on MuddyWater.
So according to CISA, MuddyWater is a subunit under the Iranian Ministry of Intelligence and Security.
And this APT group has conducted broad cyber campaigns in support of this ministry's objectives since approximately 2017.
And they are focused on cyber espionage, but they also deploy ransomware as part of their activity.
And so what is the current state of MuddyWater's activities? What are we seeing them doing these days?
Okay, so they are still active, very active. They never rest. And the targets are spread all over the globe. Mostly they are focused
on the Middle East, but also we see targets from Asia to Africa, Europe and North America as well.
And they are targeting different sectors, the oil and natural gas sector, telecommunication, defense, local government, and other sectors.
But these are the major sectors that they are targeting.
And they are stealing victims' data.
Also, there is some evidence that they share this stolen data with other malicious cyber threat actors.
So it's very interesting.
And what sort of tools are they using to go about the things that they do?
What are their techniques?
Okay, so they're using a lot of techniques,
more than 20 different MITRE techniques all along the cyber kill chain.
So for initial access, they usually use spear phishing.
Sometimes they use spear phishing mails, including a zip file with an Excel that includes a malicious macro.
And once you enable the macro, it will run and infect the computer.
And the second major attack vector is spear phishing using a PDF file
that seems legitimate, but it drops a malicious file to the victim's network.
So this is the initial access.
And after the initial access, they use a lot of proprietary tools. They have a large arsenal, and they're very sophisticated developers
because they are developing malware in almost all the possible programming languages.
I can at least say that they are using six different programming languages:
C++, PowerShell, VBA, WSF script, Python, JScript, and much more.
So each tool is different and unique.
And once the security researcher community thinks that we have captured the tool,
the next day comes and their next tool pops up.
Sometimes they infect the same machine with more than one tool.
So if you want, I can detail some important facts on their main tools.
So when you're dealing with a threat actor like MuddyWater,
who has such a spectrum of tools at their disposal that they're using, what are your recommendations for organizations to protect themselves?
It's a very good question.
But before that, I will also mention that MuddyWater is not only using their own self-developed tools.
They are using a lot of public malware and hack tools like Mimikatz, LaZagne, and other credential dumpers.
And also they commonly use public post-exploitation frameworks, like Empire, Pulseplate, Kodak, and RETS.
And they are also using GitHub and Pastebin for C2 servers.
So when customer organizations and enterprises design their security architecture, they should take into account that they are required to deal with self-developed tools
and also public tools and communication to legitimate sites
like Telegram, like GitHub, or like Pastebin.
So it's more difficult than other commodity tools.
But there are a few recommendations that CISA and we think will keep you safe.
So the first recommendation is to deploy application
control software and limit which executable code can run
by users.
And extra attention should be paid to email attachments and files downloaded via links in emails, which often contain executable code.
So these are more suspicious and should be taken care of with caution.
Another recommendation is using multi-factor authentication because, as I said, MuddyWater may be harvesting your credentials.
So if you use multi-factor authentication,
usually with a temporary code or another means of security like a cellular phone, then you will be
better protected. So multi-factor authentication
on web mail, VPNs, and any
account to which access is critical for the organization.
Also limit the use of administrative privileges. This is always good,
not just for MuddyWater. It will limit the damage that the threat actor can do when they succeed in
achieving the initial access. Of course, enable antivirus and anti-malware software.
Of course, update the signature definitions in a timely
manner, because an antivirus which is not updated is like having no antivirus at all.
Sometimes you can consider adding an email banner to emails received from outside of the organization
and disabling hyperlinks in those mails because this is not the majority of the emails and they are more suspicious.
And last but not least, train your users.
It's not just about technology and security controls.
Sometimes the weakest point of cybersecurity is the user, who needs just one mistake,
and you are welcoming the Iranian APT
into your environment.
So do training, awareness simulations,
and recognize the importance of reporting phishing
and social engineering attempts among the employees, adopt a threat
reputation service, and finally install updates and patches to the operating system, software,
and firmware, because MuddyWater is using plenty of exploits against Exchange and against Microsoft Office
and also against the domain controller
in order to achieve domain admin privileges
and get the entire network under their control.
That's Tomer Bar from SafeBreach.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't miss this weekend's Research Saturday and my conversation with John Hammond from Huntress.
We're discussing targeted APT activity.
BabyShark is out for blood.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.