CyberWire Daily - Twitch is breached. MalKamak: a newly described Iranian threat actor. Chinese cyberespionage against India. SafeMoon phishbait. The ransomware threat. What counts as compromise.
Episode Date: October 6, 2021. Twitch is breached. A newly discovered Iranian threat group is described. A Chinese cyberespionage campaign in India proceeds by phishing. SafeMoon alt-coin is trendy phishbait in criminal circles. As the US prepares to convene an anti-ransomware conference, Russian gangs show no signs of slacking off. Betsy Carmelite from BAH on AI/ML in cyber defensive operations. Our guest is Adam Flatley of Redacted with recommendations from the Ransomware Task Force. And observations on what counts as compromising material. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/193
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Twitch is breached.
A newly discovered Iranian threat group is described.
A Chinese cyber espionage campaign in India proceeds by phishing. SafeMoon altcoin is trendy phishbait in criminal circles.
As the U.S. prepares to convene an anti-ransomware conference, Russian gangs show no signs of
slacking off. Betsy Carmelite from Booz Allen Hamilton on artificial intelligence and machine
learning in cyber defensive operations.
Our guest is Adam Flatley of Redacted with recommendations from the Ransomware Task Force
and observations on what counts as compromising material.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, October 6th, 2021.
Twitch, the live streaming service that focuses on serving gamers,
has sustained a major data breach.
The Video Games Chronicle reports that an anonymous hacker,
and that's anonymous with a small a,
hosted a 125-gigabyte torrent stream to 4chan this morning
that's said to include Twitch's source code and user payout
information, in addition to other material that the report says amount to basically everything.
What's the motivation for the attack? The anonymous hacker wrote that the dump's intention
was to foster more disruption and competition in the online video streaming space,
because their, that is Twitch's community, is a disgusting toxic cesspool. Twitch confirmed that there had indeed been a breach, tweeting,
the extent of this. We will update the community as soon as additional information is available.
Thank you for bearing with us. End quote. The story is developing. We observe that the comment thread below Twitch's tweet is unhelpful.

Security firm Cybereason has updated its account of Operation GhostShell, a cyber espionage campaign the firm's researchers described in July of this year. Among the discoveries they regard as particularly noteworthy are GhostShell's association with a hitherto unknown threat group, MalKamak, believed to be operating in the interests of Iran, and MalKamak's deployment of the novel ShellClient remote-access Trojan, a RAT, as such things are called.
MalKamak has been operating since 2018 at least.
Some of MalKamak's techniques suggest connections to other Iranian threat groups, notably Chafer APT, or APT39, and Agrius APT, but there were enough differences to warrant identifying it as a new threat group.
MalKamak abused legitimate cloud services, notably Dropbox, for command and control. It's been evasive and stealthy. Using those cloud services, for example, helped its command-and-control traffic blend into the unobjectionable background of the traffic that ordinarily transits those services, which is how it escaped notice for three years.
There were also, Cybereason says, some code similarities with tools used by Russian threat actors. A YARA rule, for example, seemed to allude to the Russian group known as Turla, but the researchers concluded that, as attractive as it might first appear in a search for clues, low-hanging fruit, Cybereason called it, this was incidental and wasn't grounds for any attribution to any Russian group.
Where MalKamak fits into Tehran's org chart isn't clear. Cybereason doesn't rule out that they could be a contractor or a mercenary group.
Whatever MalKamak may be, Cybereason's researchers describe them as both capable and stealthy. Their recent campaigns have displayed an interest in the aerospace industry in Europe and North America and a very strong regional interest in the Middle East.
BlackBerry's Research and Intelligence Team has linked China's APT41 to an ongoing campaign against espionage targets in India. The campaign is noteworthy for its use of COVID-19 or income-tax-themed phishbait as it prospects its targets.
BlackBerry credits earlier research by FireEye, now Mandiant, Positive Technologies, and Prevailion with setting them on the right track. APT41 has gone by many names, including Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, and Blackfly. We really do need a naming committee, don't we?
This most recent report includes a set of indicators of compromise.
It's unsurprising that a cyber espionage campaign would make use of phishing to gain access to its targets.
And it's also unsurprising that it would use topics of current interest as its fish bait.
What is noteworthy, BlackBerry says, is the infrastructure employed.
Their report says, quote,
With the resources of a nation-state-level threat group,
it's possible to create a truly staggering level of diversity in a threat infrastructure.
And while no one security group has that same level of funding,
by pooling our collective brainpower we can still uncover
the tracks that the cybercriminals involved worked so hard to hide. End quote.

Cybercriminals continue to follow niche fads. ESET describes how the currently shiny reputation of the new and highly volatile SafeMoon altcoin has prompted criminals to use it as phishbait in a campaign designed to get the marks to download the Remcos RAT.
Remcos itself occupies an increasingly familiar gray area. It has legitimate uses, but it's also widely employed by criminals for stealing credentials from a range of browsers, keylogging, webcam and microphone hijacking, and downloading further malware.
ESET concludes with some cautions about the skepticism you should bring to any unsolicited communications. Their summation is worth quoting: When it comes to investing in cryptocurrencies, you need to proceed with caution, and not just because the market is rife with investment fraud, fake giveaways, and other scams.
But surely you know the drill by now. And part of that drill is realizing that phishbait will follow the fads.
As the U.S. prepares to organize multinational discussions of ransomware and what to do about it,
U.S. officials say they've seen no decrease in ransomware.
General Nakasone, Director of NSA, said at Mandiant's summit yesterday that ransomware is a national security issue and that he expects it to remain such for the foreseeable future.
The Hill quotes General Nakasone as saying that he expects the U.S. to come under ransomware attack
every single day. Deputy National Security Advisor for Cyber and Emerging Tech Ann Neuberger said,
NextGov reports, that the 30-nation meeting the U.S. intends to convene will focus on ways of
improving resilience, on increasing visibility through anti-money laundering efforts in particular, on holding nation-states accountable for harboring cybercriminals,
and on helping to build capabilities in other countries.
What about those other nations who harbor cybercriminals?
In particular, what about Russia?
CISA Director Jen Easterly told a Washington Post live event yesterday
that the gang's Russian enablers have shown no signs of backing off, whatever they may have told President Biden when he complained to them during his summit with Russian President Putin.
I have not seen any significant material changes.
We have seen ransomware gangs that seem to have gone offline for a period of time.
That's not that terribly unusual.
We've seen that in the past where infrastructure will come down and then it will reemerge.
The ransomware gang will be renamed.
This is a difficult, complicated problem.
And I think, to your point about the president's conversation with the Russians, I think this really has to be a whole-of-government effort. You know, with respect to where CISA is, we are all on what I would call a focus on left of boom. We are in the space of helping build resilience to ensure that everybody, businesses large and small, critical infrastructure owners and operators, understand the steps that they need to take so that they are not a victim of ransomware. We, of course, help to respond.
We can assist in recovery. And then we share that information to prevent future victims.
That's CISA Director Easterly at the
Washington Post Live. A former advisor to former U.S. President Trump, Fiona Hill, no particular
admirer of her former boss, had told Congress it was highly unlikely Russia had any compromising
material on the ex-president. So, no salacious dirt, apparently.
Such psychological ascendancy as President Putin may have achieved was what we might call
open source. A sense that his American counterpart would be susceptible to flattery,
and there's no compromise necessary for that. Attention to the tabloids in the supermarket checkout aisle could have told
the SVR that, and no elaborate espionage, cyber or otherwise, would have been required.
Speaking of President Putin and the oligarchs who circulate in Russia's circles of power, where were they in the Pandora Papers, that big leak of information about the use of offshore accounts and shell companies by prominent people around the world?
Sure, they were in there, but not nearly as much as one might have expected.
An essay in Bloomberg thinks this is a sign that the oligarchs have de-offshored,
that the lessons of the earlier Panama Papers leaks have been learned.
But there's something there, apparently, or at least the Washington Post thinks so. The Pandora Papers connect a swell luxury apartment in Monaco with one Svetlana Krivonogikh, a St. Petersburg native of humble origins, who's believed, the Post says, to have been in a long-term, discreet relationship with Mr. Putin.
Quote, Previously undisclosed financial records combined with local tax documents show that Krivonogikh, 46, became the owner of the apartment in Monaco through an offshore company created just weeks after she gave birth to a girl. The child was born at a time when, according to a Russian media report last year, she was in a secret years-long relationship with Russian President Vladimir Putin, end quote.
Now that's some kind of compromise, and come to think of it, it's probably available in the
checkout line. We'll take a look the next time we hit the local supermarket.
Adam Flatley is former director of operations at NSA
and currently director of threat intelligence at cybersecurity company Redacted.
Adam also serves on the Ransomware Task Force, a group assembled by some of the top names in the industry. They delivered their 81-page report to the Biden administration in April.
I think that the most important
recommendation that was made was that ransomware be treated as a national security issue instead
of just a criminal issue. And that is what's going to be the real game changer here, because
ever since the administration accepted this recommendation and then implemented it, they are now able to pull
all kinds of tools off the shelf that were not normally turned against cyber criminals,
because the priority has raised up. It's now on the national security priority, and now they can engage other parts of the government beyond the usual ones. Normally, what you would expect are things like actions from the Treasury and actions from law enforcement. But now they can really reach out into the full capabilities of the government to tackle this problem.
So what went into that specific recommendation? How did you and your colleagues come up with the notion that ransomware should be considered a national security issue?
Well, there were a couple of things. The problem has been growing exponentially over
the past year and a half to two years. And we've started to see that this indiscriminate targeting
is starting to have real world impact. So it's not just loss of money, but they're hitting hospitals in the middle of the pandemic,
shutting down systems that are, you know, life-saving systems.
They're also going after things like the food supply,
the power supply, all kinds of critical infrastructure
that they're targeting just without any type of morality whatsoever.
Even the ransomware groups that claim that they don't do it,
we see them totally continue to go after these critical things.
So these operations aren't just about the U.S. losing money anymore.
It's about actually causing threat to life in some cases
and causing real problems for our national security.
As you saw with the Colonial Pipeline, that was shut down for a relatively short amount of time.
And you saw how much panic buying there was and how much that the whole eastern seaboard was kind of shaken by that event.
So now that the government has adopted that particular recommendation that it be treated as a national security issue, you mentioned that that puts some more tools at their disposal. What sort of things do they have available to themselves now?
So some of it is going to be increased priority within the organizations that were already working ransomware. So groups like CISA, FBI, Secret Service, Treasury,
they've all been working this problem really hard,
but they didn't have all the resources that they needed
to really amp it up and go after it.
So they're going to be able to get more resources
because of the raised priority.
And then there are other pieces of the government
that just were not engaged in cybercrime, which can now be brought to the table. So
think about our intelligence agencies and other capabilities that can now shift their focus
to look at these cybercrime actors when before they weren't even on their target deck.
And what's next for the task force itself? I mean, is it continuing? Is there more work ahead?
Yeah, absolutely. We are providing a lot of consultation to government and private industry organizations who like the recommendations and want assistance, or want to understand it a little bit better.
So we're doing a lot of work behind the scenes
to sort of help people who want to do the right thing.
And is that the whole range of government
in terms of options that are on the table,
everything from sanctions through the military itself?
Yeah, I mean, everything that we do
needs to obviously be proportionate and reasonable.
But there are a lot of things that can be done
that used to be off the table,
which can now be on the table
because of that national security designation.
And that can really be the game changer
if we have the real will to do it.
That's Adam Flatley.
He's Director of Threat Intelligence at Redacted
and a member of the Ransomware Task Force.
And I'm pleased to be joined once again by Betsy Carmelite.
She's a senior associate at Booz Allen Hamilton.
Betsy, it's always great to have you back.
You know, I wanted to touch base with you when it comes to AI and ML in cyber operations, particularly defensive operations.
I think for a while we certainly went through a round of having AI and ML being hot buzzwords.
And it seems to me like we've settled into more of a rational place with these technologies, more practical than perhaps we were before.
What is your take on this? Where do we stand when it comes to cyber defensive operations and AI and ML?
Sure. I wanted to really talk about the requirement for augmenting traditional cyber operations with the use of AI and ML. And that's without question very much needed. Just look at the past year of attacks, our attack surface expansion, and our understanding of cyber mission challenges as a result. Obviously, attacks are more sophisticated, targeted, and frequent.
Secondly, we're seeing organizations and agencies rely on cyber tools that fail to integrate,
and they depend on siloed network data for alerts.
And this is where we're seeing AI come in to help. And then third, rapid streaming analysis
and analytic approaches aren't offered in a vendor agnostic platform. So the end result
in defensive cyber operations is delayed analysis and delayed detection.
Does the AI and ML serve as a way to sort of stitch together various products that people might be using
and do it in a very automated sort of way?
Well, yes, you can use products that are existing.
I want to really focus this more on some of the components and
the services and the capabilities that AI and ML can offer because product integration is something
that can come really after you come up with a strategy and look at what you need to address.
But two components that you can apply to the cybersecurity setting where AI and ML come in.
And this is especially interesting to me in my career
as a threat intelligence analyst
because these are really game changers
in helping operations.
First, we see AI and ML addressing the challenge
of real-time adaptability.
In security operations,
ideally you're seeking immediate analytic insights and not retrospective views or delayed insights.
With AI systems, data feeds are processed in motion at the edge
and across all data sources.
So if you think about the volume of data and data sources
that are pulled from network and endpoint sensors, logs, the millions of assets in a large organization, you're thinking of terabytes of data.
So analyzing that data at the point of ingest before it's funneled into a SIEM, so that raw data normalization occurs closer to the point where the data is generated, is key, because you create a common data model earlier. And that common data model means better data for analysts and faster response time, because analysts aren't manually pulling the data together from the SIEM. This reduces their time to be doing that heavy lift.
This does require, however, security analysts, business
strategists, and data scientists all talking together so that there's an understanding of how
data needs to be used in that security use case. And then the second way AI can be used in this operations model is to enrich data analysis also at the point of ingest.
The common data model that I just mentioned brings multiple data feeds together.
So in the enrichment process, the event data that's coming from sensors and logs,
so like right off of your network, is fused with non-event data. So maybe that's threat
intelligence or vulnerability data.
And that brings meaning to a current circumstance
for the operations team.
With the AI-driven integration of this data at the edge
prior to SIEM filtering,
analysts are given the time to complete more complex tasks
around the analysis and how they need to respond. So as opposed to
the time consuming data fusion across multiple feeds, dashboards, and reports. You know, that's
fascinating. The whole notion of having the AI be out on the edge, I mean, it kind of reminds me of
the human nervous system. If you touch a hot stove, your hand gets
yanked away before your brain really knows what's happening, right? You know, your nervous system
says there's danger here. We need to make an adjustment. And only later do you look and see,
oh, I was touching a hot stove. I mean, it seems like a similarly effective protective use case
here. Yeah. And basically, to your hot stove,
you're detecting that hot stove a lot earlier. You're detecting things that you weren't able
to detect previously. So one example to really illustrate this that comes to mind is how AI and ML could possibly have helped in the detection of the Sunburst malware used in the SolarWinds Orion software supply chain attack. The use of AI in the detection of patterns, specifically how Sunburst used a domain generation algorithm, also known as a DGA, to generate and change the command-and-control channels, could have determined the anomalies of the malware's behavior.
And to be clear, we're not talking about pinpointing
whether the activity is malicious,
but rapidly identifying the DGA behavior patterns
that would help an analyst
and reduce that analyst's reliance on multiple tools,
multiple data sources,
and identify those
previous and expected behaviors earlier. And also reduce false positives in those detections.
Right. So the AI can come to the human analyst and say, hey, there's something here that I think
may deserve your attention. Yes. Yeah. And this actually improves the workforce experience
and is one of the benefits of AI integration and cybersecurity.
We often recommend that cyber operators and analysts
really look at how their SOPs and their manual activities
are impacting their work.
I spend a lot of time with my analyst team looking at the attack surface of organizations,
and AI-enabled data and enrichment processes could really reduce that cumbersome correlation
time of data inputs when you really need to be getting the core threat analysis and threat
modeling out there.
There are other increased cost savings because
of the improved response time and activities for preventing breaches and malicious attacks.
It also leads to improved brand reputation for an organization and increased consumer trust,
knowing that the organization has improved security protocols. So there's a lot of education
that probably needs to be done
for an organization
to look into applying AI
to their security operations,
learning about the breadth
of AI use cases
for cybersecurity
for both government
and commercial missions.
And again,
knowing the challenges
of the workforce
in executing their cyber missions as practitioners.
AI, in this case, can very much augment security operations, the defensive posture that organizations take to stay out of attacks and produce better results.
All right. Well, interesting insights for sure. Betsy Carmelite, thanks for joining us.
Thanks, Dave.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is
Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Bilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick. Thanks for listening. We'll see you back here tomorrow.