The CyberWire Daily Podcast 1.21.21
Ep 1253 | 1.21.21

Solorigate’s stealthy, careful operators. LuckyBoy malvertising. BEC as reconnaissance? Remote work and leaky sites. And good riddance to the Joker’s Stash.


Dave Bittner: Microsoft researchers detailed the lengths to which Solorigate threat actors went to stay undetected and establish persistence. LuckyBoy malvertising is described. Business email compromise as a reconnaissance technique. More reminders about the risks that accompany remote work. Ben Yelin looks at cyber policy issues facing the Biden administration. Rick Howard speaks with Frank Duff from MITRE on their ATT&CK Evaluation program. And good riddance to the Joker's Stash - here's hoping.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 21, 2021.

Dave Bittner: Microsoft yesterday offered more details on how the Solorigate threat actors worked and why their infiltration of their targets was as quietly effective as it proved to be. It had, for example, been unclear how the handover from the SUNBURST DLL backdoor to the Cobalt Strike loader was accomplished. And Microsoft details how the threat actor obscured that handover as they accomplished it. Redmond's assessment of the Solorigate crew is that they're, quote, "skilled campaign operators, who carefully planned and executed the attack, remaining elusive while maintaining persistence," end quote - accomplished in operational security and adept at minimizing their footprint. 

Dave Bittner: In looking at the Solorigate operation, Microsoft identified six techniques the Solorigate operators used to escape detection. They're worth reviewing. First, they took care to avoid putting up the same indicators for each compromised host. Every Cobalt Strike DLL implant was designed to be unique to each affected machine. One of the tells the threat actors scrupulously avoided was the reuse of folder name, file name, export function names, C2 domain and IP, HTTP request, time stamp, file metadata, config and child process launched. They also varied such nonexecutables as WMI persistence filter name, WMI filter query, passwords used for 7-Zip archives and names of output log files. That, Microsoft says, took a lot of effort and a whole lot more effort than the typical threat group finds it worth expending. 

Dave Bittner: Second, the Solorigate actors took care to camouflage themselves to blend into targets' environments. The tools and binaries they used were named and put in folders that appeared to belong in the affected machine. They mimicked existing legitimate files and programs that they found in the victims' environment. 

Dave Bittner: Third, before they ran their hands-on keyboard activity, which would raise the risk of detection, the threat actors disabled event logging using Auditpol. They re-enabled logging once they were finished. Similarly, they installed special firewall rules before they ran unavoidably noisy network reconnaissance. The rules were designed to minimize outgoing packets for certain protocols. Once the reconnaissance was complete, they systematically removed those firewall rules. 

Dave Bittner: It's also noteworthy, Microsoft says, that the Solorigate operators executed lateral movement only after careful preparation. They began by enumerating any remote processes and services running on the target host, and they moved laterally across the network only after they disabled security services that might detect them. 

Dave Bittner: Finally, Microsoft believes they time-stomped the time stamps of various artifacts - altered them, that is - and also used professional wiping procedures and tools with a view to complicate the defenders' problem of finding and eliminating the DLL implants from the affected systems. So whoever they were - and the smart money is still on Russian intelligence services - the Solorigate threat actors showed rare patience, sophistication and attention to detail far beyond what organized crime normally attempts. 

Dave Bittner: SecurityWeek describes research by Media Trust into a cross-platform malvertising campaign LuckyBoy that's afflicting users of iOS, Android and Xbox systems. It checks for blockers, test environments and debuggers before it runs. Once it does execute, LuckyBoy uses a tracking pixel to redirect the victim to malicious sites like phishing pages or bogus software updates. The campaign, which surfaced last week, appears to be in its early testing phases. It's another instance of malware using relatively complicated means of obfuscating itself. It's not as complex as what the Solorigate operators used, but even criminals try to stay undetected. 

Dave Bittner: Proofpoint has found a business email compromise campaign that uses Google Forms to bypass keyword-based email content filters. The researchers see the campaign as a hybrid, combining social engineering with exploitation of the scale and legitimacy of Google services. The messages themselves are relatively primitive, with the poor idiomatic control so often found in criminal communications, but Proofpoint suspects they'll find takers nonetheless. The researchers think that the BEC effort represents an email reconnaissance campaign to enable target selection for undetermined follow-on threat activity. 

Dave Bittner: The increase in remote work during the pandemic has, of course, greatly increased most organizations' attack surface. Yes, yes, we know this is old news, but bear with us. Or rather, bear with Wandera, whose 2021 Cloud Security Report has some interesting findings on the extent to which the criminal underworld has embraced the opportunities remote work affords. Your remote work, not theirs. Oh, and remote workers could behave better, too. Wandera says that accessing what they primly call inappropriate content - and we leave it as an exercise for the listener what counts as inappropriate content - has at least doubled since the onset of the pandemic. Did you know that websites in the adult, gambling, extreme and illegal content categories are more likely to leak data than nice sites? Well, they are, you know. Avoid the near occasion of compromise. 

Dave Bittner: And finally, remember the Joker's Stash, the online carder forum that took its lumps from law enforcement during 2020 but succeeded in resisting complete eradication? SecurityWeek reported in December that the FBI and Interpol had seized a number of the illicit market's blockchain domains, which put a big dent, but not a fatal hole, in their operations.

Dave Bittner: The same publication now reports that Joker's Stash has said it's going out of business. In an all-good-bad-things-must-come-to-an-end mood, the souk's proprietors have posted an announcement to some of its many unaffected domains that they're off to what they call a well-deserved retirement. It's time for us to leave forever, they say, and they plan to wipe all their stuff for good on February 15. That's Washington's birthday, but - we cannot tell a lie - we have no idea if that holiday has any importance for the Joker. 

Dave Bittner: The hoods behind Joker's Stash say they intend to settle all their accounts in the criminal-to-criminal market before they go dark, but we'll see. Other such services have simply absconded. It also remains to be seen how real the promised retirement proves to be. We hope we'll all be able to say good riddance. 

Dave Bittner: MITRE describes their ATT&CK framework as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. That sounds about right. To help bridge the gap between that knowledge base and how it may apply to defenders in everyday use, MITRE provides ATT&CK Evaluations. Our own Rick Howard files this report.

Rick Howard: The MITRE ATT&CK framework is the most complete open source collection of cyber-adversary activity in the world.

Rick Howard: Can you hear me OK? 

Frank Duff: I can. 

Rick Howard: I ask Frank Duff, the director of the MITRE ATT&CK Evaluation Program, to explain what ATT&CK is and how it got its start. 

Frank Duff: MITRE ATT&CK is a knowledge base of known adversary behaviors. The concept there is that to better defend our networks, we have to understand what adversaries are actually doing on them. So MITRE ATT&CK was generated from a research project many years ago, meaning five to eight depending on when you consider conception. But we started the effort as a way of making it so we could communicate more effectively between our defenders and the people that were testing out our research hypotheses, the Red Team, as it were. And so we needed a way to explain what the Red Team was doing such that the defenders could understand it and create better defenses, better analytics, better sensoring.

Rick Howard: Since then, that initial research has grown into a full-blown wiki. The question that immediately comes up then is how do you convert the MITRE ATT&CK list into prevention controls for your security stack? Frank says one way to do it is with threat emulation. 

Frank Duff: Let's pick an adversary that is of interest to us for whatever reason, figure out which techniques they use, how they use them - so their modus operandi - right? - like their pacing that they use, the types of tooling that they use to do it, still not focusing on specifically their malware. But what - how do they use these techniques? What behaviors are they generating? What data are they creating on these endpoints that would further detection and protection capabilities?

Rick Howard: The MITRE ATT&CK Evaluation program that Frank runs is not a consumer report-style analysis of a cybersecurity product. It's strictly a thumbs-up and thumbs-down scorecard on how each participating vendor detects the TTPs of a specific adversary attack sequence. 

Frank Duff: So we'll allow any vendor that wants to participate. You can apply to participate. Vendors pay for it. But - so you sign up. You want to do it. We don't care about your market segment. As long as we can do the same...

Rick Howard: Yeah. 

Frank Duff: ...Methodology against you, we're doing a threat-informed methodology. You can say how you detect in your own way. We don't declare winners. We don't rank. We don't rate. We don't... 

Rick Howard: So far, the evaluation program has considered two adversary groups - APT29, the Russian adversary group behind the 2016 DNC hacks, and APT3, the Chinese adversary group behind the breaches at Equifax, Anthem and OPM. The group they are working on right now is FIN7, the cybercrime group that has primarily targeted the U.S. retail, restaurant and hospitality sectors since mid-2015. But here's the takeaway. Encourage your vendors to participate in the MITRE ATT&CK Evaluation program. It costs you nothing, makes their products better and makes the entire security community safer.

Dave Bittner: That's the CyberWire's Rick Howard. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story from the folks over at CyberScoop. This is titled "The Big Cyber Issues Joe Biden Will Face His First Day in Office." Of course, recently inaugurated President Biden is hard at work underway with his new administration, but he's got some challenges ahead of us here. What are some of the things that the folks at CyberScoop have laid out here, Ben? 

Ben Yelin: So he certainly has no shortage of problems to deal with - civil unrest, the... 

Dave Bittner: (Laughter). 

Ben Yelin: ...You know, continuing pandemic, everything else that's going on in this country, the economy. But there are a lot of cybersecurity issues that he's going to have to address and he's going to have to address rather quickly. The first is responding to the SolarWinds mess. We're still in the early stages of understanding this hack and, you know, the extent to which it's not only infected our government's network and systems but has also seeped into the private sector. President Biden vowed to get to the bottom of the hack, which I think most public policy experts think was the work of Russian operatives who were able to infiltrate these networks at federal agencies. 

Ben Yelin: So that's really going to be his first order of business - getting to the bottom of this attack and then deciding, you know, whether to respond with similar force, so to speak, whether, you know, we are going to prioritize offensive cybersecurity operation or cyber operations against our foreign adversaries. If, you know, President Biden concludes, based on all the information available, that the Russian government and its minions are responsible for this attack, then that really is going to have a big impact on, you know, what the president is going to do in his first year. And there's this quote from the incoming national security adviser, Jake Sullivan, saying, you know, we're not going to tell you exactly what we're going to do, but there will be costs for attacks like this. So whether that's offensive cyber operations or sanctions or something else, we don't know. 

Dave Bittner: Yeah. 

Ben Yelin: But they are telegraphing they're going to do something about that. You know, and then the Biden administration is going to have to make a decision on offensive cyber operations in general. That's something that the Trump administration prioritized. They expressed eagerness to use cyber operations. You know, I think everybody - there's sort of a widespread agreement that we need to invest more in protecting our own networks. But the extent to which, you know, we're going to engage in offensive cyber operations, I think, is a policy question that's still at large. And then, you know, just generally trying to curb destructive hacking - this article mentions, you know, a number of the most prominent hacks and how much damage they've done to private sector industries, starting from the alleged North Korean 2014 attack of Sony Pictures, the Russian NotPetya assault in 2017. 

Ben Yelin: You know, this is something that has to be an all-hands-on-deck effort. It can't be done solely domestically. Part of it has to be done with our international partners. And, you know, that's why the Obama administration had added the cybersecurity coordinator position at the State Department - so that they could have a voice in international relations. The Trump administration disbanded that position a couple of years later. So really, there are a lot of things on the table. You know, I think President Biden would have probably preferred not to be facing, among other emergencies, the impacts of the SolarWinds attack, which I don't think, you know, we've really gotten to the bottom of. 

Dave Bittner: Yeah. 

Ben Yelin: But them's the breaks, as they say. And... 

Dave Bittner: Yeah. 

Ben Yelin: ...This might consume the early days of his administration. 

Dave Bittner: Yeah, and it really points to how, as you say, it's a global situation here and that even working on our relationships with our allies, which have certainly been strained over the past few years, is going to be a key component of our safety, even in the cyber realm. 

Ben Yelin: Absolutely. And these relationships are going to take a while to rebuild. It's not necessarily one of those forgive and forget, where we pretend that the last four years didn't happen. I mean, we really do have frayed alliances, particularly with our NATO allies. But we have these shared interests, you know? Our adversaries are the adversaries of those in the European Union, other Western democracies. And if they try to attack us, they're going to try to attack some of these other countries as well. So that just, you know, enhances the importance of diplomacy. 

Dave Bittner: Right, right. Well, of course, all of these issues pale in comparison to the fact that evidently, President Biden has a Peloton bike that he wants to use. 

Ben Yelin: The Peloton - no. 

Dave Bittner: (Laughter). 

Ben Yelin: Yeah. 

Dave Bittner: It's all going to come crashing down because the president has an IoT-connected exercise bike, right? 

Ben Yelin: The exercise bike is going to doom all of us. 

Dave Bittner: (Laughter). 

Ben Yelin: The country is just going to collapse because of that Peloton in the residential area of the White House. I will just say, for those people who are potentially worried about cybersecurity concerns relating to this IoT device, they'll figure it out. He has access... 

Dave Bittner: (Laughter). 

Ben Yelin: ...To some of the foremost cybersecurity experts in the country. 

Dave Bittner: Right, right. 

Ben Yelin: It's not really going to be a problem. And in response to The New York Times who say - you know, if they say this cuts against Biden's working-class image, a lot of people have Pelotons. And I don't, personally. But I know... 

Dave Bittner: Yeah. 

Ben Yelin: ...A lot of people who do. And... 

Dave Bittner: Right (laughter). 

Ben Yelin: I think we're all going to be fine. 

Dave Bittner: Yeah. This, too, shall pass. 

Ben Yelin: Yep. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. You can't beat the feeling. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.