CyberWire Daily - Two threats in the wild, and a third in proof-of-concept. Swiss intelligence expects an uptick in Russian cyberespionage. Privateers and auxiliaries in a hybrid war.
Episode Date: June 28, 2023
JokerSpy afflicts Macs. ThirdEye (not so blind). Mockingjay process injection as proof-of-concept. Switzerland expects Russia to increase cyberespionage as agent networks are disrupted. The fracturing of Conti, and the rise of its successors. The Washington Post's Tim Starks explains the security of undersea cables. Our guest is Brian Johnson of Armorblox to discuss Social Security Administration impersonation scams. And the "UserSec Collective" says it's recruiting hacktivists for the Russian cause.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/123
Selected reading.
JokerSpy macOS malware used to attack Japanese crypto exchange (AppleInsider)
Prominent cryptocurrency exchange infected with previously unseen Mac malware (Ars Technica)
New Fast-Developing ThirdEye Infostealer Pries Open System Information (Fortinet Blog)
Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution (Security Joes)
New Mockingjay Process Injection Technique Could Let Malware Evade Detection (The Hacker News)
New Mockingjay process injection technique evades EDR detection (BleepingComputer)
Ukraine war made Switzerland hub for Chinese, Russian spies: Swiss intelligence (South China Morning Post)
Swiss intelligence warns of fallout in cyberspace as West clamps down on spies (Record)
The rise and fall of the Conti ransomware group (Global Initiative)
The Trickbot/Conti Crypters: Where Are They Now? (Security Intelligence)
Ukraine at D+489: An influence contest, post-mutiny. (CyberWire)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
JokerSpy afflicts Macs.
ThirdEye, not so blind.
Mockingjay process injection as proof of concept. Switzerland expects Russia to increase cyber espionage as agent networks are disrupted. The fracturing of Conti and the rise of its successors. Our guest is Brian Johnson of Armorblox to discuss Social Security Administration impersonation scams.
And the UserSec Collective says it's recruiting hacktivists for the Russian cause.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, June 23, 2023.
A new Mac malware called JokerSpy was used in an attack on a prominent Japanese cryptocurrency exchange,
according to researchers at Elastic.
The malware was partially analyzed by Bitdefender earlier this month.
Ars Technica notes that there appear to be versions of the malware that target Windows and Linux machines as well.
Elastic states,
While we are still investigating and continuing to gather information,
we strongly believe that the initial access for this malware was a malicious or backdoored plug-in or third-party dependency that provided the threat actor access.
This aligns with the connection that was made by the researchers at Bitdefender
who correlated the hard-coded domain found in a version of the sh.py backdoor
to a tweet about an infected macOS QR code reader,
which was found to have a malicious dependency.
Researchers at Fortinet have observed a new infostealer they're calling ThirdEye.
The malware isn't sophisticated, although its developers are actively making improvements.
Fortinet says, the ThirdEye InfoStealer has relatively simple functionality.
It harvests various system information from compromised machines, such as BIOS and hardware
data. It also enumerates files and folders, running processes and network information.
Once the malware is executed, it gathers all this data
and sends it to its command and control server.
And unlike most other malware, it does nothing else.
So ThirdEye stays focused.
Researchers at Security Joes outline a process injection technique
they've dubbed Mockingjay.
The researchers were able to use a vulnerable DLL in Visual Studio 2022 Community
that has a default read-write-execute section on disk.
They write,
In this case, we were able to inject our own code into the memory space of the SSH.exe process
without being detected by the EDR.
The uniqueness of this technique lies in the fact
that there is no need to allocate memory, set permissions, or create a new thread within the
target process to initiate the execution of our injected code. This differentiation sets the
strategy apart from other existing techniques and makes it challenging for endpoint detection
and response systems to detect this method. It's not out in the wild, but security teams should take note.
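A defender-side check related to the technique just described, added here and not code from Security Joes or from the broadcast: it parses a PE file's section table and flags any section whose characteristics declare read, write and execute together, so that DLLs carrying an RWX section on disk can be inventoried and watched. The PE image it scans is constructed inline (the section names and the build_test_image helper are assumptions for the demo, not the real DLL from the research).

```python
"""Audit a PE image's section table for sections marked RWX on disk.

The image scanned below is constructed in this file so the check runs
offline; scan_file() points the same check at a real DLL path.
"""
import struct
from typing import List, Tuple

# IMAGE_SECTION_HEADER.Characteristics flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def rwx_sections(data: bytes) -> List[Tuple[str, int]]:
    """Return (name, characteristics) for every section that is RWX."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    found = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        if characteristics & RWX == RWX:
            found.append((name, characteristics))
    return found


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Run the RWX check against a PE file on disk."""
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def build_test_image(sections: List[Tuple[str, int]]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an
    empty optional header, and one section header per (name, flags)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2000)
    headers = b""
    for name, flags in sections:
        headers += struct.pack(
            "<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
            0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + headers


if __name__ == "__main__":
    # Constructed sample: a normal code section, a normal data section, and
    # one section whose flags make it writable and executable at once.
    sample = build_test_image([
        (".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20),
        (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
        (".rwxsec", RWX | 0x40),
    ])
    for name, flags in rwx_sections(sample):
        print(f"RWX section {name!r} characteristics=0x{flags:08X}")
```

In practice the output of scan_file() over a software inventory is the list an EDR team would want to baseline, since these are the modules the technique relies on.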
Switzerland's Federal Intelligence Service warns that Russia can be expected to turn to cyber espionage
as its human intelligence networks in Europe and North America are increasingly rolled up
and as the officers working under diplomatic cover who run those networks are declared persona non grata.
In their statement, they say,
while the Russian intelligence services which operate abroad continue to pose the main threat in terms of espionage,
their capabilities were undermined in many European states and in North America in 2018,
in response to the attempted murder of Sergei Skripal,
and in 2022, in response to the war against Ukraine,
in some cases significantly. Large numbers of Russian intelligence officers working under
diplomatic cover were expelled. So, cyber espionage can serve as a compensatory measure
when traditional espionage operators are expelled or otherwise denied access.
The Global Initiative Against Transnational Organized Crime
released a report detailing the Conti cybercrime group's fall
from its prominent perch in the underworld
following the gang's declaration of support for Russia
in the Ukraine-Russia war, stating,
Two days after Conti pledged their support
for the Russian invasion of Ukraine,
things began to unravel for the group.
A Twitter profile with the handle @ContiLeaks
started leaking the ransomware group's internal communication.
Although there are conflicting reports on who was behind the leak,
perhaps a Ukrainian security researcher or an affiliate against the war,
the over 100,000 leaked files were dubbed the Panama Papers of Ransomware. Over the coming
months, Conti's methodical and business-like approach disintegrated, although attacks
continued, including on the networks of the Costa Rican state. On May 19, 2023, it was reported that
Conti's websites were no longer working. The story doesn't seem to end there, however. IBM's Security X-Force
reported on June 27th that their tracking of the cryptors who worked with Conti revealed that the
group remains active, at least in fragmentary or rump forms. IBM states, one year on, ITG23 (Conti)
has experienced many organizational changes, splintering into factions and forging new relationships.
Despite these events, ITG23 cryptors remain fundamental to tracking post-ITG23 factions and their activity,
so much so that we believe identifying and tracking the cryptors is just as important, if not even more so, than tracking the malware itself.
Our research indicates that while ITG23 may have fractured apart after shutting down Conti,
many of its various members continue to be very active,
still communicating amongst themselves and using shared infrastructure.
Conti has fractured into what they call factions,
which X-Force calls out as Royal, Quantum, Xeon, Black Basta, and Silent Ransom.
Conti has provided a case study in cyber-privateering,
a financially motivated criminal gang tolerated and encouraged to make its money attacking the enemies of the state.
No formal letter of marque and reprisal required, just a wink and a nod from the FSB.
And finally, we turn from cyber privateers to
cyber auxiliaries. The group calling itself UserSec has reported on its Telegram page
that the group has formed a new group of pro-Russian hacktivists. Take what follows
with the customary grain of salt. Calling it, with a sad failure of imagination, the UserSec Collective, they boast
to have attracted groups from Russia, India, Egypt, and other countries supporting the Russian cause.
They also claim to have already carried out a mass cyber attack against many internet service
providers, the details of which remain unreleased. A full list of the groups in the collective was posted this morning. That list is implausibly large.
It includes 15 hacktivist groups and one media organization,
someone called the Quantum Stellar Initiative,
which sounds like a tabloid from the Marvel Universe.
The UserSec Collective has so far claimed an attack against a French government visa site.
Again, view the communiques with appropriate skepticism.
The UserSec Collective is as likely to represent grassroots hacktivism
as Anonymous Sudan is to be either anonymous or Sudanese.
Off to the salt mines.
Coming up after the break, The Washington Post's Tim Starks explains the security of undersea cables.
Our guest is Brian Johnson of Armorblox to discuss Social Security Administration impersonation scams. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
Security firm Armorblox recently published research tracking a campaign targeting a large educational institution with emails pretending to be from the Social Security Administration.
Brian Johnson is Chief Security Officer at Armorblox. What we saw from our customer base is we have an educational customer
where we saw about 160,000 attempts
pretending to be the Social Security Administration,
which is somebody everybody in the U.S.
has access with and communications with.
And even if you're external to the states coming in,
especially in the education space,
everybody deals with this administration.
So it was an interesting thing to see that somebody was, you know, pretending to be them and to, you know, attack the student body at this educational space.
Well, I'd like to dig into the two elements of this.
I mean, it sounds like there's a social engineering side, but then also a technical side.
Is it correct that on the tech side, they were able to bypass some of the normal native email security? Yes. You know, it's really, you know, bypassed what we'd consider the standard
legacy, you know, detection methodologies. This didn't have, you know, a link that could be easily
identified as, you know, something that's done bad.
And this was very scripted, pointed attacks at these individuals.
It had people's names.
It looked very official.
And what they were really trying to get is that interaction with the email so they could
show that there was some issue, some speed of action you needed to take to not have something
bad happen, and hurry and call us and we'll fix whatever is broken, right? So that need that they
really pushed on the human element of it was what they were trying to get through. They bypassed
everything that we would consider coming from a known bad host. Like I
said before, knowing a link in the system, pretending to be coming from something. They
used none of those type tactics. They used good spoofing and the good human engineering to
have this attack move forward. Is it fair to say that they were fairly sophisticated in their
methods here? I mean, would it pass a quick look
to make it seem like it came
from the Social Security Administration?
This email looked extremely legit.
You know, even when we first started looking at it
and it came up and, you know,
our detections team sent it to me
and we were, you know, discussing it.
We were all really surprised
about how well this email looked
from the watermarking they put in the system
to how they had the official, you know,
Social Security Administration seal,
you know, address, phone numbers.
I mean, this looked, you know, extremely legitimate.
And so did you find that there were many people
who ended up falling for it?
There were a good number of people
who ended up falling for it.
With this attack, you know, this phishing-type attack,
the dedication of this attack was to call the phone number.
We'll never know how many people actually ended up calling the phone number.
We do know the number of people who called and said,
hey, I did call it.
For this educational space, we were able to stop the email,
stop the attack, and then move forward.
Unfortunately,
the school is the only space being attacked. So I'm sure this was widespread, not just in the
just this one educational facility, but probably many. And so what are your recommendations here
in order for folks to better protect themselves against this sort of thing? So I think the thing
people really need to understand is the adversaries are increasing their attacks,
their complication of the attacks.
The way we used to just look at an email and kind of know inherently that it was bad isn't something we can do anymore.
You know, we need to use the latest techniques, our natural language ability to help those things
and to find those adversaries.
It's really what you need now.
The bad guys aren't using links anymore.
They're not using kind of those traditional,
what we consider in the industry, traditional views and attack methodologies.
They're using very pinpointed phishing and interactions to get you to call,
to get you to sign up for something,
to get you to interact in ways that we don't consider
normal yet. Yeah, it's interesting the degree to which these things are blended now. It's not just
a technical solution that's going to get you here. There's that human element as well.
Right. This human element is now being actively generated. We've really come to a new time.
There's been lots of talk of how machine learning and AI
is changing the space.
This is one of those areas that we've seen change
over the last five years.
Armorblox, we've been using those newer detection
and machine learning AI-based methodologies for detection
to find those adversaries because whether they think that's good, somebody will find a bad way to use it,
just being, you know, different.
So we're really moving into that next phase of what those attacks are going to look like.
How does an attack like this compare to some of the other things that you all see?
You know, 160,000 end users, where does that sit on the spectrum of things?
No, for us, you know, it is a subset of,
you know, data that we see. We see these attacks, you know, every day, every week. We see them much
like what we consider in marketing campaigns as they roll them out. We see, we're starting to see
trends of really smaller businesses, smaller financial companies, medical device spaces,
really becoming the precursor to these attacks.
That's where we're selling kind of the beachhead from.
Once they've found that beachhead and found an attack that works,
and you see these larger attacks like we saw with this one
for the Social Security Administration,
where they went and attacked a very large school.
The 160,000 mailboxes is very loud.
It's not five or six in a space. So they had to
have 40-some re-education that knew this attack was going to work or had worked somewhere else.
That's Brian Johnson from Armorblox. And joining me once again is Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, it's always great to welcome you back.
Always, always.
So, interesting article and analysis you posted today.
This is a fun one.
And it's titled, Sharks, Earthquakes, and Cyberattacks,
the Threats to Undersea Cables.
What prompted you to take on this topic, Tim?
I think it was just an excuse to write that headline.
Fair enough.
Fair enough.
No.
Sometimes, what is it?
Necessity is the mother of invention?
Is that the phrase?
Yes. Yeah.
It's a little bit of a slow week on the cyber front. Congress is not around and that always makes things go slower because everybody's on vacation. And I was looking for things to write about and I saw that Recorded Future report in my email inbox and was like, I've never written about this before.
I remember there was a story that I edited last year about a cyber attack that
the Homeland Security Investigation Unit of DHS had
said they foiled against an underwater cable.
And I thought, what? Who? What? Why? How?
Who's attacking that? What would they do with it?
And so I thought it was interesting at the time and I saw that report and I'm like, you know what?
This is interesting.
The report essentially says that the threats
to those cables are rising
and it's something that
has, you know, when I started
digging into it a little bit, I was like, this is really fascinating.
I want to write about this because
it's something that people don't think about probably very much.
I don't. I mean, they're underwater. I don't see them and I don't think about them.
But when you think about how vital they are and you look back and see that there's been a lot of
decent scholarship about this, that there's real threats to these things and that could be really
damaging to the internet. It could be surveillance issues.
This is really compelling.
I was like, I've got to write about this.
So to what degree does the Internet rely on these underwater cables to do its thing?
Yeah, so depending on what year, what estimate you read,
minimum of 95% of the intercontinental global internet traffic, minimum.
The Recorded Future Report, 95% is what I think ODNI said,
the Office of Director of National Intelligence said back in 2017.
The Recorded Future Report says 99%.
So it's almost all of it is the essential answer.
Yeah.
And we're talking fiber optic cables here primarily is what's carrying this traffic?
I believe so, yeah.
There's a pretty long section in the Recorded Future Report, if you click on the story,
that describes the cables and what they physically are.
I skipped over that a little bit in my head.
Because I was really more interested in focusing on the nature of the threat.
Yeah. Well, let's dig into that.
What are the threats we're talking about here?
Sharks.
Really? And, of course, earthquakes.
And, of course, cyber attacks, which is what I was interested in.
Let's start with sharks.
What do sharks have against underwater cables?
I know.
What is it exactly, right?
We've got a lot of hostilities from sea creatures lately, right?
We've got the orcas attacking the boats.
Right.
They just don't like us in general.
So there are a lot of threats to these energy cables that are very incidental.
They're natural threats, like, of course, also earthquakes, tsunamis.
Anything you can think of that might physically affect these things
is out there.
And to be clear, the physical threats are more common
than the cyber threats.
So I don't want to overplay
this, but if you're talking
about, and the ODNI report
had an interesting section where they
ranked things by where
the threat was. And if you're talking
about threats to
energy cables that are above ground,
it's actually in these kind of network
management companies that
help operate, manage,
protect these interstate cables.
And those are the things that would be hacked.
You're not going to go
underwater and hack something
down there. You would hack the company
that's managing the system.
What about for
espionage? I mean, do we have cases?
It seems like this would be something that someone would love to pull a submarine up next to and tap into if they could.
Yes, that is something that the report does go into.
That's interesting.
There's a couple different ways that there might be a surveillance threat.
One would be, first off, China is developing a lot of undersea cables these days,
Chinese companies.
And so if you have one of those cables
running into your country,
and it's Chinese managed or operated,
you've got to consider the fact
that China might be spying on you through it.
The other way it might work is landing stations
where you might insert
hacking for surveillance kind of technology.
And there's a country, I can't remember which one it is from the report,
that there were rumors that were circulating in that country
that Indian intelligence was trying to get an implant
into one of those landing stations in one of those countries.
To the degree that it was truthful or not truthful,
the government was not answering the questions about it. So there's reason to suspect that that might actually be
a real thing. What we've also seen that the report talks about is Russia seems to be very
interested in mapping these undersea cables these days. So you have to wonder why they would be
interested in doing that. The internet is sort of famously resilient and redundant.
Do these cables go down as a matter of routine and things get routed to other cables?
They do go down sometimes, yeah. And sometimes it's not that damaging. With some of the more
routine things that happen, maybe it'll slow down the internet traffic. We're also seeing, interestingly,
that a lot of companies in the United States
are investing in these things as well.
So I think they mentioned Meta, Facebook, Microsoft.
Some of the companies you might expect
are starting to develop these cables for themselves.
So they're interested in this business as well.
And what is the regulatory regime here?
Is this one of those things where you get 20 miles offshore and it's the Wild West?
I mean, one of the things that other reports talked about, not this particular one,
delved into the fact that there's not much regulatory protection for them as far as it
goes with cyber attacks.
The United Nations has talked about these are things you should do to protect them physically.
The United States does have, I'm trying to remember what they call themselves.
I think it's a Department of Justice unit, telecom team or something like that, that
has shut down some of these attempts to operate cables into the United States or out of the United States.
But yeah, it's a little bit of the Wild West is the answer.
Yeah.
It's an interesting article for sure.
And I should mention also that for the next day or so,
the paywall is down at the Washington Post.
So this is a great time to go check out and collect
and download all those articles you've been meaning to read that have been paywalled.
Yeah, and just to be a little bit of a salesman,
I completely agree with everything you're saying.
Also, it should be known that if you are a person who subscribes to the CyberSecurity202,
it is free in your inbox every day.
But if you want to read old stuff, if you want to go back and see articles that we've written,
and you just do Google searching and happen across something, yeah, you probably need a pen.
Yeah.
All right.
Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, thanks for joining us.
Thank you.
with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
CyberWire? For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your
feedback helps us ensure we're delivering the information and insights that help keep you a
step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and
podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter. Thanks for listening. We'll see you back here tomorrow.
Thank you.
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.