CyberWire Daily - VPN users remediate systems. New Supernova infection. Cryptojacking botnet afflicts vulnerable Exchange Servers. Facebook takes down spyware groups. Ransomware. Cellebrite bug found.
Episode Date: April 22, 2021
Agencies continue to respond to the Pulse Secure VPN vulnerabilities. Updates on the SolarWinds compromise show that it remains a threat, and that it was designed to escape detection and, especially, attribution. A cryptojacking botnet is exploiting vulnerable Microsoft Exchange Server instances. Facebook takes down two Palestinian groups distributing spyware. Ransomware draws more attention. Craig Williams from Cisco Talos looks at cheating the cheater. Our guest is Bruno Kurtic from Sumo Logic on their Continuous Intelligence Report. And a Cellebrite vulnerability is exposed. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/77
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Agencies continue to respond to the Pulse Secure VPN vulnerabilities.
Updates on the SolarWinds compromise show that it remains a threat
and that it was designed to escape detection and especially attribution.
A crypto-jacking botnet is exploiting vulnerable Microsoft Exchange server instances.
Facebook takes down two Palestinian groups distributing spyware.
Ransomware draws more attention.
Craig Williams from Cisco Talos looks at cheating the cheater.
Our guest is Bruno Kurtic from Sumo Logic on their Continuous Intelligence Report.
And a Cellebrite vulnerability is exposed.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 22, 2021. U.S. organizations continue to recover from the cyber espionage campaign, probably Chinese in origin, that exploited vulnerabilities in Pulse Secure's VPN.
CyberScoop reports that at least two dozen U.S. agencies are known to run the VPN, but how many of those were compromised remains unclear.
A number of those users are national laboratories involved with defense and national security work.
Most U.S. government agencies have until tomorrow to report their self-scrutiny and remediation to CISA.
The SolarWinds supply chain compromise, which has been partially eclipsed in the news by more recent incidents, like the aforementioned VPN exploitation, is far from over.
The U.S. Cybersecurity and Infrastructure Security Agency this morning released an alert warning
that it had found instances of the Supernova malware during a CISA incident response.
The affected entity is addressing the attack, and CISA says its own engagement with this incident is continuing.
Supernova is the backdoor associated with the SolarWinds compromise.
RiskIQ has a rundown of the SolarWinds incident to date.
One of the things they note is the difficulty of attribution.
The U.S. government, from the White House to CISA and NSA, has been pretty unambiguous in calling out Russia's SVR as the bad actor behind the campaign.
And those last two mentioned agencies published some of the malware used in the incident that they say they've traced to the Russian organs.
RiskIQ points out that the private sector has generally been more tentative in its attribution.
It's not that the private sector thinks the Russian service is innocent, but rather that the kinds of similarities in tactics, techniques, and procedures private sector analysts look for were, in this case, ambiguous.
RiskIQ thinks this ambiguity was deliberate,
and they agree with the U.S. officials who attribute the campaign to the SVR.
They say, quote, pattern avoidance was a tactic used in all aspects of the SolarWinds campaign, end quote.
The threat actors used different command and control IP addresses for each victim, and that in itself makes the correlation analysts like to use more difficult.
The researchers found that Cozy Bear's infrastructure was registered under varying names and at different times over several years to avoid establishing a traceable pattern.
The SVR probably bought the domains from resellers or at auction.
Cozy Bear also hosted its campaign infrastructure, at least their first stage infrastructure, entirely within the U.S.
That's not only likely to lend an air of innocence to their traffic, but it also means that they may be more likely to escape the attentions of the U.S. National Security Agency, whose remit is of course foreign intelligence and not domestic surveillance.
We note in passing that General Nakasone, Director NSA, yesterday again told the Senate that he didn't want his organizations given authority to monitor domestic traffic.
Defense Systems quotes General Nakasone as saying,
quote,
I'm not seeking legal authorities either for NSA or for U.S. Cyber Command, end quote.
The second stage of the campaign was still mostly hosted in the U.S.,
but by the third stage, Cozy Bear was largely working from overseas.
The shifts were probably intended, at least in part,
to avoid falling into the sort of pattern that would alert observers.
The threat actor also had its first stage implant beacon to its command and control servers with random jitter after two weeks.
The second stage used the familiar penetration testing tool, Cobalt Strike, and the malware used in the third stage looked nothing like the tools used earlier in the campaign.
Analysts who found one stage's malware would have found it difficult to follow the attack into other stages.
The RiskIQ researchers write, quote, taken together, the threat actors implemented their TTPs in this campaign to avoid resemblance to prior patterns associated with APT-29 or any of the other known Russian APT groups.
Researchers or products attuned to detecting known APT-29 or other Russian APT activity would fail to recognize the campaign as it was happening,
and they would have had an equally hard time following the trail of the campaign once it was discovered, end quote.
But they're confident that their own telemetry also points to APT28, the SVR, Cozy Bear, herself.
The Record talked with SolarWinds' CISO, and it's a cautionary tale for organizations who may think they have their security bases covered.
SolarWinds CISO Tim Brown said,
A nation-state attack of this level and sophistication meant it was very patient,
deliberate, targeted. That type of campaign isn't your general attack that you prepare for.
Now what we have to do is prepare for more of those as a community.
Cybereason has found the cryptojacking botnet Prometei exploiting unpatched Microsoft Exchange Server instances.
Prometei, which uses victim machines to mine Monero, was discovered last summer, but Cybereason believes the Prometei gang has been in action since 2016.
Prometei is random and unselective, its goal apparently being the infection of as many systems as possible.
It's been active in North America, Europe, South America, and East Asia,
but it does appear to systematically avoid hitting targets in former Soviet bloc countries,
which suggests that its operators are leery of attracting adverse Russian attention and would rather stay on the good side of Russian law enforcement.
The sectors affected are equally wide-ranging, including financial services, insurance,
retail, manufacturing, utilities, travel, and construction.
Prometei is evidently a criminal operation.
It has, however, been happy to make use of the Exchange Server exploits first deployed by China's Hafnium threat actor.
Facebook announced yesterday that it's taken down two Palestinian groups
who'd been using the social network for a politically motivated surveillance campaign.
The two actors have been identified as the Preventive Security Service, the PSS, and the Gaza-based threat actor, Arid Viper.
They seem to have been particularly interested in prospecting and impersonating journalists and other gadflies.
Some of their content presented itself as solicitation for complaints of human rights violations.
The PSS-associated group used both Windows and Android malware, as well as social engineering
campaigns to install spyware in targets' devices.
Arid Viper used bespoke and hitherto unidentified iOS surveillanceware,
and they too relied on social engineering to distribute their malware.
Bloomberg reports that Apple supplier Quanta Computer, a Taiwan-based manufacturer of MacBooks, has been hit with a $50 million extortion demand by the REvil ransomware gang, a well-known criminal enterprise based in Russia.
Ransomware as a whole continues to be a pervasive criminal threat to both data availability and data security.
The U.S. Justice Department, according to the Wall Street Journal, is establishing an anti-ransomware task force.
It hopes, thereby, to increase training, devote more resources to the problem, and increase intelligence sharing.
It also seeks, significantly, to work toward gaining more clarity about links between criminal actors and nation-states.
And finally, Moxie Marlinspike, developer of the secure messaging app Signal,
has released information about a vulnerability in Cellebrite's digital forensic products.
The vulnerability exposes Windows devices that run Cellebrite to the possibility of remote code execution.
Cellebrite has been widely used by law enforcement organizations in both nice and nasty regimes.
It had recently announced its development of a forensic tool for analyzing Signal communications.
So reports are treating Marlinspike's announcement as a case of the biter being bit.
Sumo Logic is a real-time analytics and security company,
and for the past five years, they've published their Continuous Intelligence Report,
which focuses on cloud-based cyber attacks.
Bruno Kurtic is founding VP at Sumo Logic, and he joins us to share this year's findings.
We always wanted to find out kind of how are enterprises leveraging technologies as they transform from traditional business model to digital business models. And as part of that, as they migrate their workloads to the cloud. So about five years ago, we conceived of creating a report that's not based on a survey, but rather based on actual data, because we have a multi-tenant platform that helps our customers manage those technologies. And we started monitoring to understand what type of data is flowing through our system, what kind of technologies are people using, what kind of architectures, and decided that it would be a very valuable piece of information to share with the world, as companies embark on this transformation, they can learn from others and essentially sort of not just do it in their own silo.
Let's dig into some of the security things that you're tracking.
What sort of things have you found there?
Yeah, interesting stuff.
So we've been tracking the adoption of security technologies
over the years steadily, right?
And what are the people in the cloud using?
How are they defending their cloud workloads
and on-premise workloads?
And what we've discovered is that as people move to the cloud,
and I'll talk about some examples here, they're consuming sort of the data, the outputs of the data that are available for them to understand their own security.
Google audit, Azure audit, all of these technologies that essentially provide you with a trail of what is happening inside of your account, which is what is to be expected.
That is what companies do on premise when they have technologies right.
Then we wanted to understand what kind of vendors are being used.
What kind of vendors do you expect to find in cloud security operations versus on-prem security operations?
And so we actually found that we have a whole page on this in our report that looks at traditionally on-premise technologies, right?
Companies that were in hardware like Palo Alto and some companies that grew out on-prem
like Carbon Black continue to kind of have a significantly more deployment on-premise
than in the cloud.
And then other companies that are cloud-native,
quote-unquote, like Okta or CrowdStrike or Zscaler,
all of those have significantly more workloads
appearing in the cloud-native customers, right?
And so, which is, again, not surprising, but it does sort of show you that companies with the cloud architectures tend to win in cloud workloads, and companies that don't have, that have sort of a, you know, deploy-yourself architectures end up, you know, being deployed on premise. So that's what we find in technology adoption. And then we've also investigated quite a bit the sort of what types of attacks are people experiencing? Where are those attacks coming from? What are they attacking, and so on?
That's Bruno Kurtic from Sumo Logic.
And joining me once again is Craig Williams. He is the director of Talos Outreach at Cisco. Craig, always great to have you back. You guys have done some really interesting research here lately about how some bad actors are taking advantage of some of the collaborative platforms like Discord and Slack and so on.
Can you take us through what you all have been looking at here?
Sure.
One of the things we look for at Talos is the abuse of services.
Depending on how long you've paid attention to threat on the internet,
one of the things you'll find true is that if it's free to use on the internet, someone will abuse it, right? I mean, it holds true for everything.
And so when we had a significant number of collaboration apps all vying for more users,
we expected it would be something that was abused. And sure enough, we saw in our telemetry
actors using those apps to distribute malware. And the further we dug in the hole,
the more cool stuff we found.
Well, let's dig in specifically to Discord.
I mean, just give me a brief overview.
I mean, what's the intended use of Discord?
And then how did you find folks taking advantage of that?
Sure, so Discord is like Slack or WebEx Teams
or any of those chat apps, right?
The overall goal is to allow users
to connect to a server
and to separate into rooms
and within the rooms
communicate with one another,
exchange files.
My son uses it to play D&D.
Right, yeah.
We use it to play Rainbow Six Siege.
Matt Olney and I over at Talos.
We're super not toxic, I promise.
But so Discord is incredibly popular
and it's installed on a massive number of systems.
I would say it's probably one of the favorites out there.
And so as a result, actors have been looking at that user base
and looking at the services it offers to find a way to abuse it.
And sure enough, they were able to find some things that they found attractive.
What specifically are they doing here?
Well, one of the really common ones is that Discord allows files to be downloaded by anyone using a URL.
So for example, the way this would work, if I'm a bad guy, I'm going to go register a Discord account with a throwaway email.
I'll go upload a file and then I'll get the link to share that file to others.
But instead of sending it to people just on Discord, I'll send it out in a million email messages to victims saying it's a new shiny thing that they want.
And so are they playing off of the fact that the domain name, it's going to be coming from a Discord domain name and that lends it a bit of legitimacy?
You know, that could be the case.
Honestly, that's not something I really even considered
because we see so many random URLs.
I think it's more the fact that it's reliable, free hosting.
What else are you seeing here in terms of,
I know one of the things you looked into was
even the types of compression systems that they're using,
what's popular.
Exactly, that kind of surprised me.
When you think about malware attachments in the Windows world,
there are file formats that not every antivirus engine can process.
Typically, you see a lot of common ones, but sometimes you see unusual ones.
This was one of the cases where we saw a variety of unusual ones, and I think what was most surprising about it was the frequency at which we saw the unusual ones. For example, we saw ACE compression more often than we saw ZIP compression.
Yeah, any insights there?
What's behind that?
Well, ACE is a compression format that's very popular with video game mods and things like that.
And so I think they assume that a lot of people
have it installed, and if they don't,
perhaps they'll go get the tool to undo it.
And because it's so infrequently used in the normal world,
most antivirus engines may not be able to process it.
And so effectively, by using ACE compression,
they're evading file attachment scanning on the way to the victim.
So what are the take-homes here?
I mean, in terms of how people could keep an eye out for these sorts of things
what are you guys recommending?
I think there's a couple of things here.
As far as home users, don't click on links and emails.
Saying that is almost pointless because we know everyone clicks on links and emails.
It's like saying, just patch. There's some people who can't, and there's some people who can't stop clicking on links and emails.
I think what you really have to change that to,
if people aren't going to follow proper instruction,
is when you download an email attachment,
scan it with your antivirus engine
and make sure that you've scanned the uncompressed data.
Or do the lazy thing,
and if it's not a normal format, just delete it.
Yeah, that's interesting.
In terms of the things that they are trying to put out there in the world, would your typical endpoint protection detect them?
Once they're downloaded and unzipped or decompressed from whatever they are, are we talking about a high degree of sophistication or not?
It depends on the sample. Honestly, we've seen the entire variety. I think the compression alone will probably prevent some scanning.
If you have any sort of network monitoring security tool that's trying to scan email attachments, it may see the URL, try and fetch it, and not be able to scan it.
But once it's on the end user system,
if they have good security software,
it should be able to scan it.
Hopefully it will provide that intelligence to the user.
But at the end of the day,
it really is going to come down to the fact that they should not be running links
from unknown sources.
This type of threat isn't new,
this is just applying the same old lesson to a new medium
because Discord basically is offering free hosting
so that it's more useful to users.
And unfortunately, anytime it's free,
someone's going to abuse it.
And that kind of goes to the rest of the paper
where we document people actually going as
far as using Discord for C2 in the organization of the crimeware, right? And this isn't just
Discord. Discord is just the most popular one. We also see it on Slack and some others, but it
comes back to that age-old thing, right? If it's free, people are going to abuse it.
There's a separate set of take-homes here for developers.
If you're going to try and allow users to access files
from people they don't know without logging in,
you've got to try and add some protection mechanisms.
Maybe make sure they're in the same room,
maybe make sure they've verified their account,
maybe make them log in. Then at least users would have to have a Discord account, and they should be receiving files from Discord at that point. So there are things you can do. There's development decisions you can make. Maybe you shouldn't have a globally downloadable URL at all. It seems like that would kind of make sense.
But unfortunately,
it's the old trade-off of security for features.
It just depends on your priorities.
Yeah.
All right, well, there's a lot more to this, and you can check it out over on the Cisco Talos blog.
Craig Williams, thanks for joining us.
Thank you.
...briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.