The CyberWire Daily Podcast 1.14.21
Ep 1249 | 1.14.21

SideWinder and South Asian cyberespionage. Project Zero and motivation to patch. CISA’s advice for cloud security. Classiscam in the criminal-to-criminal market. SolarLeaks misdirection?


Dave Bittner: There are other things going on besides Solorigate and deplatforming. There's news about the SideWinder threat actor and its interest in South Asian cyberespionage targets. Google's Project Zero describes a complex and expensive criminal effort. CISA discusses threats to cloud users and offers some security recommendations. A scam-as-a-service affiliate network spreads from Russia to Europe and North America. Awais Rashid looks at shadow security. Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on cyber threat intelligence. And SolarLeaks looks more like misdirection, Guccifer 2.0-style.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 14, 2021. 

Dave Bittner: There are other things going on this week than Solorigate and post-riot deplatforming. We lead with those. 

Dave Bittner: First, AT&T Alien Labs yesterday released a report on the SideWinder threat actor. SideWinder is believed to have been active at least since 2012, but Alien Labs concentrates on operations since 2017. Its usual tactics include spear-phishing, document exploitation and DLL side-loading. Attribution is uncertain, but SideWinder has been most often reported active against Pakistani military targets. 

Dave Bittner: The full report, which includes a list of detection methods, indicators of compromise, and a mapping to the attack framework, gives a longer list of targets, which have included government and military organizations in Pakistan, China, Nepal and Afghanistan, with smaller operations against Myanmar, Qatar, Sri Lanka and Bangladesh. Alien Labs also assesses with moderate confidence that various businesses operating in the national defense technology, scientific research, financial, energy and mineral industries of the same nations were also targeted in SideWinder campaigns. 

Dave Bittner: But this picture, they stress, is incomplete. And in all probability, SideWinder's interests extend to other targets as well. Uncertain as the attribution may be, Alien Labs thinks with low to medium confidence that SideWinder is an Indian operation. It seems at the very least to have worked consistently in support of Indian interests. 

Dave Bittner: Google's Project Zero has begun a series on zero-days it's found undergoing active exploitation in the wild. This week, it describes a set of four that were used to craft malicious websites to entrap Windows and Android users. The campaign was sophisticated, evasive and expensive to mount. The vulnerabilities exploited were all fixed in 2020. The discussion should lend some urgency to applying the relevant patches. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency has issued a warning about successful cyber operations directed against cloud services whose users are afflicted with poor cyber hygiene. CISA's Analysis Report singles out three classes of attack for particular attention. 

Dave Bittner: Phishing, of course, is common. The threat actors use phishing emails, whose malicious links are designed to harvest credentials for cloud service accounts. 

Dave Bittner: Forwarding rules also figure prominently in the threat actors' behavior. In some cases, they've modified an existing email rule to redirect emails to an account they control. In other instances, they modified existing rules to pick out certain keywords, typically financially related terms, and had emails containing them forwarded to the threat actor's account. And the threat actors also created new mailbox rules that forward certain messages to the legitimate users' RSS feeds or RSS subscription folder. This technique was intended to evade detection and consequent warning. 

Dave Bittner: Finally, there were instances of authentication abuse, in which threat actors accessed their victims' accounts with proper multi-factor authentication. In some cases, this may have involved defeating multi-factor authentication with pass-the-cookie attacks. The threat actors also attempted - generally without success - to brute-force user logins. 

Dave Bittner: CISA's report also includes a set of recommendations for ways in which enterprises can improve their cloud security. Isn't this just about SolarWinds, you might ask? No. CISA anticipated your question and wants its audience to understand that the report has a much broader application. CISA writes, quote, "the activity and information in this analysis report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity," end quote. If you are using cloud services - and who isn't? - take a look and read the whole, not very long thing. 

Dave Bittner: Group-IB this morning released a report about Classiscam, a scam-as-a-service criminal enterprise that's selling malicious classified ads. Classiscam began its career in 2019, and it initially confined itself to finding Russian-speaking victims on classified ad sites and other comparable online forums. Its activity peaked in mid-2020 as remote work and online shopping rose during the COVID-19 pandemic. 

Dave Bittner: At least 40 groups are currently running the scam. They use Telegram bots equipped with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. Twenty of the groups are at work in Russia. The other half have been found more recently active in Bulgaria, the Czech Republic, France, Poland, Romania, the U.S. and the former Soviet republics of the near abroad. The scammers pose as both buyers and sellers, the point being to engage victims in social media - WhatsApp is popular - in order to inveigle those victims out of cash, credentials or other valuable data. The ads that constitute the phish bait around the hooks usually offer cameras, game consoles, laptops, smartphones and similar items for sale at deliberately low prices, Group-IB says. 

Dave Bittner: This criminal-to-criminal service is organized as a pyramid affiliate scheme. The apex predators at the top get between 20 and 30% of the take, with the remaining 70 to 80% going to the workers down below. Group-IB estimates Classiscam took in a bit more than $6 million last year. 

Dave Bittner: And finally, we will end with some Solorigate notes. BankInfoSecurity says the SolarLeaks goons have added Microsoft and Cisco code offerings to their menu, where they join the previously noted SolarWinds and FireEye swag. Here's the current list. Stolen from Microsoft, Microsoft Windows partial source code and various Microsoft repositories - price, $600,000. Taken, they say, from Cisco, multiple products' source code and internal bug tracker dump going for $500,000. From SolarWinds, source code for all products, including Orion, as well as Customer Portal dump for a quarter of a million bucks. And from FireEye, Red Team tools, plus source code, binaries and documentation - these at the low, low price of 50 grand. 

Dave Bittner: There's still no particular evidence that any of these offers are good. And emails to the SolarLeaks ProtonMail account are still bouncing. Cisco, for one, says it's had nothing stolen. And FireEye, which first detected the SolarWinds backdoor, says it's found no evidence that SolarLeaks actually has anything at all. So this looks increasingly like misdirection, something along the lines of Guccifer 2.0. We'll see whether the imposter has legs. It probably won't. It's been tried before, and people are wiser - to this sort of thing, anyway. 

Dave Bittner: Our CyberWire chief analyst and chief security officer Rick Howard has been making the rounds, checking in with experts on cyber threat intelligence. He files this report. 

Rick Howard: I have been doing cyber threat intelligence, or CTI, in one form or the other for the past 20 years. When I got the chance to talk to Christopher Ahlberg, I jumped on it. 

Rick Howard: No worries at all. 

Christopher Ahlberg: I won't touch anything from now on (laughter). 

Rick Howard: Let's get started. 

Rick Howard: Dr. Ahlberg has been the CEO of Recorded Future since 2009. And the CyberWire co-produces a podcast with his company called "Inside Security Intelligence" that our very own Dave Bittner hosts. Dr. Ahlberg and I talked about the changes to cyberthreat intelligence over the years. And I asked him about the skill sets needed for today's intelligence teams. 

Christopher Ahlberg: Intel analysts, computer scientists, data scientists, which, you know, sort of at some level or data analysts but, you know, more numbers-oriented data scientists, and then finally, maybe even - which is important - sort of the big data operations, you know (unintelligible) - because sort of Recorded Future runs on thousands and thousands of machines at, you know, some outsourced data center. So actually managing that becomes a science in itself. But now you could have those four groups and they never talk to each other, and it's not going to be any good. So you need to be able to build analytical processes in that. 

Christopher Ahlberg: You know, the good news with the intel people is that they're very comfortable with sort of uncertainty. They're very comfortable with, you know, fuzzy problems. 

Rick Howard: Dr. Ahlberg recommended a book that explains the character of intelligence analysts that he is looking for. It's not a techy book or a how-to book on being an intel analyst. It is a business book written by Danny Meyer, the guy that founded one of my favorite hamburger joints, Shake Shack. The book is called "Setting The Table." 

Christopher Ahlberg: And he talks about 51 percenters. And the 51 percenters are those people who are all about providing great service and then 49% about their specific expertise. And it's the same thing here. We look for the people who are inherently collaborative, inherently want to work across silos, cross-functional, the people who are just dying to work with others. And those are the - don't really have the time for the divas, who are not - who doesn't want to do that. So when you find those people who are - they're still pretty damn good in their 49%, but they're 51% about, you know, pulling things together. That's where you find that magic. 

Rick Howard: We talked about how no two intel teams are exactly the same. 

Christopher Ahlberg: What's the problem you're trying to solve? And that's a hard thing to - you know, like, but you have to actually try to understand that. Are you trying to help somebody inform their patching processes? Are you trying to help somebody be more efficient at doing incident response? Are you trying to help somebody more - you know, make that SOC, tier 1 analyst and the SOC be more efficient at doing X, Y, Z? Whatever the sort of the problem you're trying to do or, you know, higher-level constructs than that, what sort of analysis do you need to do? What sort of automated correlations do you need to provide for? Understand their problem and be disciplined about that so that when you then don't - if you don't succeed, you can tune the analytics, tune what data you need to add, tune whatever you're doing so you really think about it as an analytical process. And actually, I think a lot of people learned, and the intelligence community can be put to work here. But it needs to be more data driven, and people are not thinking enough about that. 

Rick Howard: From my perspective, the commercial CTI offerings are still stuck on reporting technical artifacts versus reporting on how to stop the success of an adversary campaign. 

Christopher Ahlberg: We always had this idea that, you know, the reason we're indexing all this data and organizing it is to understand real-world activities. And so that means that, you know, sometimes, of course, you're going to be looking at IPs and domains and net flow in between them and - you know, down in the weeds. But at the same time, you know, you want to try to understand not only sort of threat actors at the realm of talking about APT 28 or, you know, Putter Panda or whatever their names might be. There is obviously a big sort of debate whether attribution matters or not. But even if you don't believe that attribution matters, I do think that intents matter. I do think that, you know, understanding these things holistically matters. 

Rick Howard: I love cyberthreat intelligence. It is so fascinating. And if you are looking for an interesting and exciting career, CTI is a great field. And while you're thinking about it, check out the "Recorded Future" podcast on threat intelligence. You can find it at 

Dave Bittner: That's the CyberWire's Rick Howard. 

Dave Bittner: And joining me once again is Professor Awais Rashid. He's the director of the National Research Center on Privacy, Harm Reduction and Adversarial Influence Online at the University of Bristol. Professor Rashid, it's great to have you back. I want to touch today on shadow security. And I think, certainly, as we are several months into COVID and the shift to everyone - or many people working from home, it's a more important topic than ever. 

Awais Rashid: Absolutely. And, you know, shadow security is where individuals or groups start to bring in what would be nonstandard security tools or practices to actually undertake security as part of their work. And usually this becomes quite significant. And often shadow security and, generally, shadow IT, as the term is known, is frowned upon because that means that people are actually utilizing IT systems or security tools and mechanisms that are not within the regular IT or security infrastructure of the organization. 

Awais Rashid: And the first tendency can often be to say, well, that's actually very bad, and you mustn't do this. And of course, you know, we want to avoid shadow practices where we can. But there is another way of looking at this. And the question we must ask is why the shadow practice is going on in the first instance. It basically means that what we have in place is not working effectively enough that people have to resort to shadow practices. And this also comes in terms of shadow security. And it could well be that, for example, they're deploying shadow security because they can't update particular things on their systems that would actually allow them to work in more secure ways. It could also be that there are many systems in place, and they have to think about more secure ways of dealing with data and information and so on and so forth. 

Awais Rashid: So instead of asking the question - and certainly, that's what I always say to people - that if you observe shadow practice, you know, the first question you must ask is, why is this taking place in the first instance? Because there must be a good reason, because ultimately, people want to get on with the job that they have at hand, and they usually would try and deploy things that will actually enable them to get on with the job that they have at hand. And that's really, typically, where shadow practices start to emerge. 

Dave Bittner: But don't we find ourselves in kind of a complex situation here where because so many people have shifted to work from home, there may be security elements that their home ISP is providing for them that they may not even be aware of. And as someone in charge of security for an organization, how do you take inventory of all of those possibilities that are out there now? 

Awais Rashid: That is a wonderful question. And I mean, this is a question that has been, you know, asked for the - you know, for nearly now, you know, six to nine months since there has been this kind of big shift to working from home. And I think the question that needs to be asked is, you know, people are now working in a very different setting. And as an organizational IT department and also a security department, how are we actually enabling people to do their work? 

Awais Rashid: So if, for example, we are requiring that, you know, people must communicate using a very, very kind of secure communication mechanism and it doesn't actually work with their home router, for instance, in the first instance, you know, they may resort to, for example, using online messaging platforms like WhatsApp because they may think, well, OK, you know, it's sending encrypted and I'm actually getting on with my job. And one of the things that we did very early on in this - and, you know, a number of my colleagues worked on this - was to look at as to what would be good practice with regards to security and remote working. 

Awais Rashid: And then the question then comes is - that if, you know, this is the sort of conversation that you are quite willing to have, say, sitting in a crowded coffee shop, where you are not concerned about, you know, being overheard, then, you know, it is effectively not a very confidential conversation at all, right? So basically, any reasonable online platform will allow you to do your - to do that kind of conversation. If it's a conversation you expect to have in a closed meeting room within your organization, then you must consider, you know, what are the various security properties of the various platforms and things like that. But also, if it is really supposed to be a big, you know, sort of corporate confidential information, then you really, really need to think about, you know, what are the practices that need to be in place, who needs to be there and what kind of identity management you are doing and things like that. 

Awais Rashid: And I think the key here is that we are now in that landscape where we are actually utilizing, you know, a very, very diverse infrastructure, you know, in people's homes to carry on our daily jobs. And security departments and IT services have to also now start to think about as to how do they actually operate in that kind of setting? What tools are they providing? Are there good VPN services? Is there good accessibility of, you know, online platforms and services where people can do their work securely? How easy to use and access they are and do they require lots of complex configurations on part of the users? 

Awais Rashid: So we are back here to, you know, one of my favorite topics, which is, you know, reducing the burden of security on the user. And, you know, in this kind of remote working sense, when we are all under great pressures, I think it's really important that we think about how do we reduce that burden so that people can do their job and not having to resort to shadow security practices simply to get on with what they're doing. 

Dave Bittner: All right. Well, Professor Awais Rashid, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - beyond your dreams. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire Team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.