CyberWire Daily - Transparent Tribe seems to want people’s lab notes, and other stories of cyberespionage. The FBI warns of juicejacking. And the Discord leaker seems to have been a 20-something influencer.

Episode Date: April 13, 2023

Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion: a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from SANS explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia's war on Ukraine. Canada responds to claims of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/71

Selected reading.
Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (SentinelOne)
Following the Lazarus group by tracking DeathNote campaign (Securelist)
DPRK threat actors target C3X and defense sector at large. (CyberWire)
FBI office warns against using public phone charging stations at airports or malls, citing malware risk (CBS News)
The FBI warns of juicejacking and other risks of public tech. (CyberWire)
Legion: an AWS Credential Harvester and SMTP Hijacker (Cado Security)
The Legion credential harvester. (CyberWire)
Leaker of U.S. secret documents worked on military base, friend says (Washington Post)
U.S. may change how it monitors the web after missing leaked documents for weeks (NBC News)
Cyberattacks on Canada's gas infrastructure left 'no physical damage,' Trudeau says (Global News)
Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool (CyberScoop)
US Warns Russia Getting Creative in Cyberspace (VOA)
APT Winter Vivern Resurfaces (Avertium)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Transparent Tribe expands its activity against India's education sector. A Lazarus subgroup is after defense sector targets. The FBI's Denver office warns of potential juice jacking. Legion is a Python-based credential harvester.
Starting point is 00:02:17 The source of leaked U.S. intelligence may be closer to identification. Johannes Ullrich from the SANS Technology Institute explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons learned from Russia's war on Ukraine. And Canada responds to claims of Russian cyber attacks. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 13th, 2023. This morning, SentinelLabs described recent activity by Transparent Tribe, APT36,
Starting point is 00:03:19 that shows a close interest in India's education sector. The threat group, active since at least 2013, is believed to be based in Pakistan. Described as not very sophisticated but highly persistent, Transparent Tribe has been running phishing campaigns baited with education-themed topics. The typical payload the attacks deploy is CrimsonRAT. Relatively unsophisticated as it may be, Transparent Tribe has updated and adapted its tactics, techniques, and procedures to include, according to SentinelLabs, adoption of OLE embedding as a technique for staging malware from lure documents and the Eazfuscator obfuscator to protect CrimsonRAT implementations. The campaign suggests that the threat actor's interest in the education sector is intended for espionage. The operators are interested in research being carried out in Indian universities. An ongoing remote access Trojan campaign is being conducted by DeathNote, a subunit of North Korea's Lazarus Group.
Starting point is 00:04:21 The campaign seems to be focused on defense sector targets, specifically in the African defense industry since 2022. Dark Reading reports that DeathNote's campaigns targeting the defense sector have not affected U.S. organizations. Kaspersky detailed the organization's infiltration methods, explaining DeathNote initially breached the company via a Trojanized open-source PDF reader sent via Skype Messenger. Once executed, the PDF reader created a legitimate file and a malicious file in the same directory on the infected machine. Dark Reading explained, it then used a technique known as DLL sideloading to install malware for stealing system information and downloaded a sophisticated second-stage remote access trojan called CopperHedge from an attacker
Starting point is 00:05:11 controlled command and control server. A June 2022 report by ESET noted early signs of the shift, stating, as early as 2020, ESET researchers had already documented a campaign pursued by a subgroup of Lazarus against European aerospace and defense contractors ESET called Operation Interception. This campaign was noteworthy as it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications. The FBI Denver office is warning against juice jacking or the criminal use of public charging stations to introduce malware onto a
Starting point is 00:05:58 device. CBS News reports that the FBI has advised against the use of public charging stations. No incident in particular triggered the service announcement. Rather, it was intended as a field office warning. Officials at the FCC warn that malware can be distributed through corrupted ports, such as those at malls and airports, and that such malware has the potential to, for example, lock a device or exfiltrate personal data and passwords directly to a criminal. The data lifted can be used for online accounts or
Starting point is 00:06:31 sold in criminal marketplaces. But many experts also caution about exaggerating the risk of juice jacking, which, while a real possibility, also doesn't seem to be a widespread one. Cado Security described this morning how the Legion AWS Credential Harvester, malware intended to target and abuse emails, is working in the wild. The Legion tool is sold via Telegram, an increasingly important C2C channel. It includes modules dedicated to enumerating vulnerable SMTP servers, conducting remote code execution, exploiting vulnerable versions of Apache, brute-forcing cPanel and Web Host Manager accounts, interacting with Shodan's API to retrieve a target list, and
Starting point is 00:07:20 additional utilities such as abuse of AWS services. The threat actor was potentially tracked by Lacework as AndroxGh0st in December of last year. Linguistic signs indicate that the threat may be based in Indonesia. The Washington Post has investigated the Discord Papers, as they're now being called, by going to the obvious place, the Discord group where the intelligence documents were first posted. The leaks came through a small invitation-only clubhouse named Thug Shaker Central, established on Discord in 2020. Its members were apparently looking for fellowship and diversion during the pandemic, and found it among a collection of military wannabes who shared a willingness to engage in casual low-grade racist humor and fantasies about conspiracies.
Starting point is 00:08:13 The leader of the clubhouse, a young man with the derivative handle OG, is described as a young charismatic gun enthusiast who shared highly classified documents with a group of far-flung acquaintances searching for companionship amid the isolation of the pandemic. OG told his followers, who seemed to have been disproportionately teenage boys, that he worked on a military base, which he declined to identify, and that he spent his days working with classified material in a secure facility. The two youths with whom the Post spoke, one of whom they interviewed with the permission of his mother, which indicates how young the members of the group are, say they know OG's real name, the state in which he works, and that he's in his early to mid-twenties.
Starting point is 00:09:03 Counterintelligence officers traditionally use the acronym MICE for money, ideology, compromise, and ego to summarize the motivations of people who commit espionage. OG seems to have been motivated strongly, apparently exclusively, by ego. One of OG's besotted followers told the Post, If you had classified documents, you'd want to flex at least a little bit, like, hey, I'm the big guy.
Starting point is 00:09:30 The material began to leak from its initial Discord channel on February 28th, when one teen member of Thug Shaker Central posted some of its photos to a different Discord channel. Other files subsequently spread to a Discord server devoted to the game Minecraft. OG stopped sharing classified information in mid-March, but on April 5th, some of the material already posted appeared in 4chan and Russian Telegram channels. At that point, the leak finally came to the attention of the US government. When OG became aware that his leaked files had leaked beyond his online family,
Starting point is 00:10:08 he was, the follower told the Post, distraught. The Post quotes the follower as saying, He said something had happened, and he prayed to God that this event would not happen, but now it's in God's hands. NBC News reports that the incident has prompted the U.S. government to review the way it monitors social media for security threats. The intelligence community is now grappling with how it can scrub platforms like Discord in search of relevant material to avoid a similar leak in the future, said a congressional official. How that might be accomplished is under study,
Starting point is 00:10:43 and the solution is not obvious. One of the leaks in the Discord papers outlined attempted Russian cyberattacks against Canada's natural gas infrastructure. Prime Minister Trudeau said yesterday that the country's infrastructure sustained no physical damage from such attacks. And finally, while cyberattacks in the hybrid war continue to fall short of pre-war fears and expectations, officials caution against anyone letting their guard down. The Voice of America quotes NSA Cybersecurity Director Rob Joyce's warning not to dismiss Russian offensive cyber capabilities. Joyce said this week, In cyber, I think people have underestimated really how much
Starting point is 00:11:26 game they, Russia, brought, whether it be the Viasat hack to nine or ten different families of brand new unique wiper viruses that have been thrown in that ecosystem. There's continued attacks on Ukrainian interests, whether it's financial, government, personal, individual, business, just trying to be disruptive. One of the threat actors that will bear watching is Winter Vivern. Avertium has published a summary of Russia's Winter Vivern and its recent activities. The researchers urge continued vigilance against what they describe as a scrappy and often overlooked group. Coming up after the break,
Starting point is 00:12:14 Johannes Ullrich from the SANS Technology Institute explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia's war on Ukraine. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Starting point is 00:12:53 Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:13:45 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families
Starting point is 00:14:14 24-7, 365, with BlackCloak. Learn more at blackcloak.io. It is my pleasure to welcome back to the show Charlie Moore. He goes by Tuna to his friends. He is a distinguished visiting professor at Vanderbilt University and former deputy commander at U.S. Cyber Command. Charlie, welcome back. Hey, Dave. Great to be back with you. Thank you so much. I want to touch today on where we stand when it comes to the conflict in Ukraine, Russia's war
Starting point is 00:14:53 there, and some of the lessons that we're learning when it comes to the cyber elements of that. What are your insights here? Yeah, it's a fascinating subject to take a look at. And I think one of the things you have to begin with here is this really is the first nation-state war, one involving a nuclear-capable power, where we are seeing full-spectrum cyberspace operations taking place. And so there's a lot to look at here in lessons learned to be garnered. When I first look at this, I'm immediately reminded of a quote that I was forced to memorize when I was a first-year cadet at the United States Air Force Academy.
Starting point is 00:15:38 And, Dave, the quote is, victory smiles upon those who anticipate the changes in the character of war, not upon those who wait to adapt themselves after the changes have already occurred. Now, that quote comes from Italian air marshal Giulio Douhet during the period between the Great Wars and the 20th century. And specifically what he was talking about was what he saw as the dominance of this new third domain of warfare called the air. But I think that quote and his insights there are just as relevant today when we think about what's going on in the cyber slash the digital domain. Because of the technological advances in computing, networking, big data analytics, AI, and other tools, the ability to achieve persistent information dominance over one's enemy has changed the character of war, in my opinion. And how has that specifically played out in this situation?
Starting point is 00:16:44 Well, I think first I got to give a little bit more background to answer that question. So because of what I refer to as digital convergence, now, what do I mean by digital convergence? I mean that virtually everything we use to sense or see what is occurring in the battle space, to gather that data, to transfer that data, to store that data, to analyze that data, and turn it into information that decision makers can then use to direct operations occurs within the cyber or digital domain. So it's because of this digital convergence and by achieving cyber digital superiority over our adversaries, that's what we really mean when we talk about trying to achieve or the ability to achieve information superiority or dominance. And obviously throughout military history, knowing more about the battle space and adversaries resulted in significant advantages, and it's often been a huge determining
Starting point is 00:17:36 factor. But today's technological advancements provide us the opportunity to effectively achieve persistent information advantage over our adversaries, and thus allowing not only success in individual battles, but strategic levels of dominance military leaders throughout history could only dream about. And we look at current events and what's going on in Ukraine is it's giving us a little glimpse of one aspect of what digital convergence means to warfighting. So if we remember back in February, February 24th, when this invasion first began, the vast majority of experts, including our own military experts, were saying they believed, you know, the Ukrainian capital Kyiv would fall in as little as 72 hours. And since then we've had a lot of analysis and a lot of things have been written and discussed about the many failures of the Russian military, and undeniably there's many components to this. But we've also spent a lot of time focused on the advanced weaponry that we've been giving to
Starting point is 00:18:47 Ukraine and how that's helped turn the tide of the battle, and no doubt we've given tens of billions of dollars. I think total aid now, we're approaching 200 billion dollars of advanced weaponry and other types of assistance that have been given to Ukraine. But what's really important to remember is that some of these very effective and lethal weapon systems are really game-changing because of the real-time information being provided to the Ukrainians,
Starting point is 00:19:19 primarily utilizing the cyber and digital environment that allows them to be employed with speed and precision against prioritized enemy targets in support of an overarching military strategy. That is extremely, extremely important and I think has really given them an asymmetric advantage over the Russians. In your estimation, how much are the Russians actually underperforming versus what we thought their capabilities were versus that the Ukrainians are taking advantage of the capabilities of their allies to help defend them? Or how much is it a combination of those things? It's absolutely a combination of those things. I mean, there's just some fundamental problems that we've seen with the Russian military. Their ability to perform logistics support, just baseline
Starting point is 00:20:13 logistics support, is just absolutely atrocious. The day-to-day care and support of their equipment that they brought into the battle space and while it's in the battle space is not up to, you know, our standards by any means. Their inability to really perform joint and combined operations, primarily we're talking about in the air, land, cyberspace, and space, really doesn't exist anywhere to the level that obviously the United States and our NATO friends and allies train to. But I think underlying all of those problems really gets back to a lot of the assistance that they are getting from Western nations. And this isn't to by any means belittle the incredible effort by the Ukrainians and their willingness to fight and defend their homeland and all the sacrifices they are making.
Starting point is 00:21:06 But I do believe that underlying much of their support is this information advantage that we've essentially been able to gift to the Ukrainians. was developed during the counterterrorism fight over the last 20 years, where the United States really refined its ability to find, fix, track, target, and what we would call finish enemy targets at a speed and with a level of precision that even our near-peer adversaries like Russia and China simply cannot match. And so being able to gift that type of data to the Ukrainians and empower them to understand what the Russians are up to, what their plans are, where their forces are located, what we think their schema might be, where certain types of targets are going to present themselves, that's been an asymmetric advantage that we've been able to provide them.
Starting point is 00:22:10 As both our allies and our adversaries look at what's going on here, how do you suppose this is going to inform how they approach these sorts of conflicts in the future? Well, I hope one of the lessons we take away is the absolute importance of this digital space and achieving true digital slash information superiority. I really believe that moving forward, if you simply build the best ships and the best aircraft and the best tanks and train the best soldiers, sailors, airmen, and Marines, that's not going to be enough. Underlying it all is going to be that information superiority. It's going to not just make it
Starting point is 00:22:52 possible to do that job well, it's going to be critical in order to be able to win and to perform those fundamental military functions. Before I let you go, there is a summit coming up at Vanderbilt University, which is where you are a distinguished visiting professor. Can you give us a few of the details about that event? Yes, thanks for giving me the opportunity to do that. So we're hosting the Vanderbilt Summit on Modern Conflict and Emerging Threats. It's going to take place May 4th and 5th on the Vanderbilt campus in Nashville, Tennessee. And the summit conveys internationally renowned leaders and experts from academia, military, government, and industry to explore collaborative approaches to
Starting point is 00:23:38 some of the most critical security challenges of our time. So this year, we're going to focus on global competition, cyber threats, and the national security implications of advancements in technology like artificial intelligence. We have an incredible group of speakers and panelists that are coming out, including General Nakasone, the Commander of U.S. Cyber Command and the Director of the National Security Agency. General (Retired) Tod Wolters, who was formerly the NATO Supreme Allied Commander and EUCOM Commander, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, a whole lot of other folks. And if people are interested to get more information
Starting point is 00:24:17 and hopefully join us, you can go to vu.edu slash summit. And that's vu as in Victor Uniform dot edu slash summit for more information. So hope to see folks there. All right. Charlie Tuna Moore is a distinguished visiting professor at Vanderbilt University and former deputy commander at U.S. Cyber Command. Charlie, thanks so much for joining us. Thank you, Dave. Always great talking to you.
Starting point is 00:25:01 And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it's always great to welcome you back. You and your colleagues have been tracking some scams on Upwork lately. What's going on here? Yeah, so Upwork is a platform that allows you, as a freelancer,
Starting point is 00:25:20 to offer your services. Often used by developers and then companies can hire these developers for specific projects. And like all of these platforms, there is a vetting system you have to go through in order to actually sign up for it, and there are reviews and the like.
Starting point is 00:25:36 What I noticed lately, in particular on Slack channels for local technology groups, is that people joined these Slack channels and then offered jobs via Upwork. But the way this worked is they weren't actually giving you work. They were asking you to use your Upwork account. And the trick here is that, first of all, now they're using your reputation in order to offer jobs. And of course, they're going to give you a cut of whatever they're making, but they're
Starting point is 00:26:15 using your good reputation to offer probably some shady services here in the end. The other reason this is done, apparently, is that some US-based companies have restrictions whether or not they're allowed to outsource work overseas. And they're specifically interested in gaining access to US-based developers' Upwork accounts and then offer a pretty good amount of money in order to basically, as they call it, manage their work. So sometimes the way these ads are being framed is that you're going to be a project manager for this team overseas. You're going to be their English-speaking face to the U.S. market via your Upwork account. In some cases, they even kind of ask you if they can just, to make it easy for you after all,
Starting point is 00:27:12 you don't want to have too much work, to just basically, if you install AnyDesk or some remote control software on your PC, they'll just use your PC and your Upwork account remotely. So this way, it's really no work for you. What could go wrong? Well, I mean, that's an obvious red flag there. But what are some of the other red flags people should be on the alert for here? Well, with any platform like this, as a freelancer,
Starting point is 00:27:41 it's your reputation that's on the line. So you definitely have to be careful how you're protecting your account. And I'm pretty sure if they're paying you money for it, they're also willing to steal it. So this is something that you have to monitor. You have to check the communication being passed through your Upwork account. And again, the same is true for any other platform like this, Fiverr or whatever. There are many similar platforms that basically offer you to manage work.
Starting point is 00:28:12 And if you're accepting work via the platforms, well, use their mechanisms. So it may be okay for you to outsource some of the work that you are receiving to developers overseas via their Upwork account. But be upfront to your clients, too, as to who is doing the actual work. Again, after all, it's your reputation on the line. And outsourcing some work like this that you feel comfortable, that you can review and such, may not be really all that bad.
Starting point is 00:28:43 But be upfront to your clients about what you're doing. I would suspect also there's potential peril here. If you're acting as a middle person between some folks in a country that isn't supposed to be doing business with the U.S., that could lead to trouble there as well. There could be some legal issues, like in the more extreme cases,
Starting point is 00:29:11 where you're bypassing embargoes and things like this. That could certainly be an issue as well. Yeah. All right. Well, Johannes Ullrich, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:29:44 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:30:41 This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:31:45 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
