Lebanon Cedar’s wide-ranging cyberespionage campaign. Lazarus Group said to be behind the social engineering of vulnerability researchers. Solorigate spreads. Social media and the short squeeze.
Rick Howard: Hey, everyone. Rick here. This Sunday, on the next CyberWire-X Podcast, I'll be joined by two CyberWire hash table experts - Mike Higgins, the Haven Health CISO, and Greg Notch, the National Hockey League CISO - along with Lior Div, the CEO for Cybereason. We're going to discuss the topic of security platforms versus best-of-breed point products. Do you pick one or the other, or do you deploy some sort of hybrid strategy? Hear it in the CyberWire Daily Podcast feed and subscribe wherever you get your podcasts. You don't want to miss this.
Dave Bittner: Funding for this CyberWire podcast is made possible in part by Tanium. At Tanium, they know that in a distributed world, both business operations' and agencies' missions increasingly begin at the endpoint. Tanium provides unified endpoint management and security for the most demanding IT environments. Their approach decentralizes data collection, aggregation and distribution down to the endpoint, delivering transformational scale, speed and reliability across your distributed workforce. Learn why the Department of Defense and half of the Fortune 100 trust Tanium at tanium.com.
Dave Bittner: Lebanon Cedar is quietly back and running a cyber-espionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That SolarWinds incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze. Verizon's Chris Novak looks at the changing landscape of ransomware payments. Our guest, Professor Brian Gant from Maryville University, examines cybersecurity threats of the new U.S. administration. And the GAO thinks the U.S. State Department should use data and evidence.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 29, 2021.
Dave Bittner: ClearSky researchers have outlined cyber incursions they attribute to Lebanon Cedar, also known as Volatile Cedar. It's a threat actor in Lebanon believed to be associated with the Hezbollah faction that operates from that country, although earlier reports from security company Check Point have reported seeing connections between the group and the government of Lebanon.
Dave Bittner: In any case, the group is said to be motivated by political and ideological interests, and it casts a very large net in the information it collects. Lebanon Cedar has prospected targets in the United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority.
Dave Bittner: Lebanon Cedar is using a new version of the Explosive V4 RAT and the Caterpillar V2 WebShell installed in vulnerable servers. Many of the victims were telecommunications providers. More than 250 servers were compromised in the campaign.
Dave Bittner: ClearSky regards the use of the Explosive RAT as the smoking gun of attribution. As the firm puts it in their report, quote, "we attributed the operation to Lebanese Cedar - also known as Volatile Cedar - mainly based on the code overlaps between the 2015 variants of Explosive RAT and Caterpillar WebShell to the 2020 variants of these malicious files. We identified a high degree of similarity between the RAT we identified to the original Explosive RAT," end quote. No one else, they say, uses it.
Dave Bittner: Lebanon Cedar has been active since around 2012 and has acquired a reputation for circumspection, proving itself to be both unobtrusive and effective. It had been quiet for the last couple of years, but it's now apparently resurfaced.
Dave Bittner: Microsoft has attributed the recently exposed long-con social engineering of vulnerability researchers to the North Korean group Microsoft calls Zinc and most others know as the Lazarus Group.
Dave Bittner: To recap some background on the incident, this Monday, Google's Threat Analysis Group reported that a North Korean threat actor had been engaged in a social engineering campaign that targeted vulnerability researchers. The campaign represented a significant advance in subtlety and craft on Pyongyang's part, a departure from the noisy smash-and-grab hacking so often attributed to the DPRK.
Dave Bittner: The threat actors created research blogs and multiple Twitter personae that they used to discuss various publicly known vulnerabilities, often claiming successful development of proof-of-concept exploits. The Register aptly called the campaign a "long con." The goal was espionage and not the direct financial theft that's frequently the objective of North Korean cyber operations.
Dave Bittner: As far as Microsoft's report is concerned, it confirms much of what Google's researchers had concluded about the threat actors' methods. Microsoft writes, quote, "after building their reputation across their established social media accounts, the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move communication to another platform - such as email or Discord - in some cases to then send files using encrypted or PGP protected ZIPs," end quote.
Dave Bittner: Redmond provides a set of indicators of compromise, and they offer some advice for those who might be affected. Should you have visited one of the blogs owned and operated by Zinc - Microsoft's report has a list of them - you'll do well to run a full antimalware scan and use the provided IOCs to check your systems for intrusion. If you find any of Zinc's malware, assume your system is fully compromised and rebuild it. To avoid being hit by something like this, Microsoft advises security professionals to use a virtual machine when they're building untrusted projects in Visual Studio or when they're opening links or files sent by parties unknown.
Dave Bittner: The Wall Street Journal reports that the threat actor behind the SolarWinds supply chain compromise, probably a Russian intelligence service, will touch a very large number of victims. About a third of those affected by the incident don't use the afflicted SolarWinds Orion platform. CRN quotes industry sources to the effect that there's "no finish line" for cleaning up after this campaign.
Dave Bittner: Acting CISA director Wales said, according to the Journal, that the attackers "gained access to their targets in a variety of ways. This adversary has been creative. It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign," end quote. That is, this particular Huggy Bear was patient and foxy, knowing many things as opposed to just one big thing. The threat actor was able to move from one cloud to another, exploiting small features of the various ways software authenticates itself on the Microsoft service.
Dave Bittner: If you remember other similar attacks against cloud services, notably China's 2016 CloudHopper industrial espionage campaign, and think that this is the same old thing, that seems not to be the case. CISA doesn't think so, at least. Acting Director Wales said the Solorigate campaign was substantially more significant than CloudHopper. The Journal quotes him as saying, "We continue to maintain that this is an espionage campaign designed for long-term intelligence collection. That said, when you compromise an agency's authentication infrastructure, there is a lot of damage you could do," end quote.
Dave Bittner: After some retail trading platforms - notably, the ironically named Robinhood - suspended, then resumed, trading in GameStop and a few other heavily shorted stocks, it remains unclear what the self-organized social media book-talkers did that was illegal, if indeed it was anything at all. Criticism of the trading suspensions was, in the US, surprisingly bipartisan, CNBC says, with left- and right-wing members of Congress seeing no crime in retail investors winning their bets at the expense of hedge funds' wagers. It's a novel phenomenon, and the SEC is seeking understanding. Robinhood is getting killed in online reviews by a whole lot of people who think its app is more like the kind of thing the Sheriff of Nottingham would run on behalf of Prince John.
Dave Bittner: The US Government Accountability Office recommends that the State Department rethink its plans for a cybersecurity bureau. It's not a bad idea, says the GAO, but Foggy Bottom needs to think its plans through. GAO's report says, quote, "The United States faces expanding cyberthreats and the challenge of building international consensus on standards for acceptable state behavior in cyberspace," end quote. It would like to see more data and evidence that would support the State Department's presumed belief that a new bureau could identify objectives and meet them. Quote, "Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals," end quote. So go get them some data and evidence. Who could object to that?
Dave Bittner: Professor Brian Gant is an instructor of cybersecurity at Maryville University. Prior to his teaching career, he served in both the FBI and the Secret Service, protecting the Clinton administration from both physical and cyber threats. Dr. Gant joins us with thoughts on the challenges President Biden and his team face as they bring their cyber strategies into focus.
Brian Gant: Well, as he comes into office, you know, with the unfortunate events that happened at the Capitol with the Capitol breach, I think national security and domestic terrorism should be the items in the forefront, you know, as he comes into office. As hackers, or threat actors, as we call them in the cybersecurity world, their main objective may be to just demonstrate that the U.S. is in chaos in terms of the different groups between the left and the right, a lot of the domestic terrorism that's occurring, militias and things of that nature. And they may just want to seek to attack national news outlets like CNN or Fox News, or they may go after government websites - OPM, DOD, White House websites, things of that nature - to cause any kind of disruption, knowing that the Capitol insurrection was successful and just seeing the disruption that it caused.
Dave Bittner: What is your expectation here? Are you hopeful that President Biden is going to have a good handle on this, that the - from what you've seen as an observer, the team, the names that he's mentioning, is this cause for hope?
Brian Gant: Yeah, it's definitely cause for hope. It seems as though his experience as a former vice president will kind of give him a leg up on those intel briefings and reaching out to local, federal and state partners to see what he can do to not only beef up the physical, but also the cybersecurity presence of this country. I was fortunate enough to guard Vice President Biden during my time as a Secret Service agent, and he was known to be very adept at, you know, reading those intel subcommittee reports from Congress and acting on them where need be. So just in what I've seen in the last four or five days in terms of the number of National Guard troops and number of law enforcement officials who will be on hand and this - you know, the inauguration is considered an NSSE event, which is a national security event. So the impact and the ramping up of incident management is much easier when you have it, that NSSE designation.
Dave Bittner: You know, it's interesting, when we had the riot at the Capitol, it was really an intersection of physical security and cybersecurity, particularly in that, you know, the way that some of those computer systems were accessed. You know, people didn't have time to log out of machines. And we even have reports of some machines possibly being stolen. You know, it strikes me with your background, having been with the FBI and then also the Secret Service, that, you know, that intersection of physical security is something that's within your experience that perhaps a lot of folks in cyber don't always think about.
Brian Gant: Absolutely. You hit the nail right on the head. Cybersecurity and physical security go hand in hand. And it's one of the things that I tell my students here at the university. You may think that they are two separate departments, but the liaison between the two, the better relationship you have with your physical security department and understanding physical security access to critical infrastructures and things of that nature, the better job you'll have at layers of protection.
Brian Gant: Security is all about layers. And that's one thing that the Capitol did not have. It did not have those protective rings. It did not have the physical bike rack pushed out far enough. It did not have the additional physical presence of National Guard troops or law enforcement officers surrounding that ring. And sometimes it's just as simple as putting a physical body outside of a server closet that houses some protective information. So, you know, understanding the correlation between the two and accepting it will only enhance your security plan.
Dave Bittner: That's Professor Brian Gant from Maryville University. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews in CyberWire Pro. It's on our website, thecyberwire.com.
Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He is the global director for Verizon's Threat Research Advisory Center. Chris, it is always great to have you back. I wanted to touch today on ransomware and some of the things that you and your team are tracking when it comes to the evolution of ransomware, what you're seeing on the payment side and with ransomware in general. What can you share with us today?
Chris Novak: Yeah. Thanks, Dave. Great to be back. And it's interesting because this is an area of research that we've done for quite a bit of time. You know, we've been looking at ransomware, and it's kind of almost - I don't know if I want to say comical because it's so bad at the same time. But when we first started doing research into the area of ransomware many, many years ago, it was kind of one of those, hey, we should keep an eye on this. This might actually become something, but right now we're not really seeing all that much. And then as the years went on, we kind of saw it go from not making our Top 10 list to rapidly moving up the list to now where it is, you know, essentially at the top of the charts in terms of the commonality of it.
Chris Novak: And, you know, one of the things that we keep seeing is, especially when we look at some of, you know, like, federal agencies and public sector, you know, we're seeing a fair bit of attacks against them, as well as obviously also the private sector. But, you know, if you look at that and you see - you know, we surveyed a number of federal agencies, and about 30% of them had responded that they had fallen victim to ransomware attack. And again, you know, I think there's some number of these that, you know, like many attacks, that may be underreported.
Chris Novak: But the landscape there is changing dramatically because we're also seeing all of this being complicated further by things like COVID, where we're seeing that is being used as a foothold or an attractant to say, hey, you know, how do we get people to click on a link? How do we get people to download something? How do we get people to share information? We tell them we have masks, we have tests, we have vaccines, we have - you know, and all sorts of crazy things that we'll see. But if we look at kind of the terminology of all the different things and various, you know, social engineering campaigns, we're seeing that that is very high on the list of what they're using these days in terms of COVID-related scams to get a foothold to deploy the ransomware.
Chris Novak: And then the other thing I'd also say that's kind of a complicating factor that we're seeing on the rise is, do you pay, or do you not?
Dave Bittner: Right, right. Yeah, I was going to - that's where I was going to go next with you because, you know, the - at the outset, the initial advice from folks like the FBI and sort of across the landscape was don't pay the ransom. You're only encouraging them, and so on and so forth. But now it seems to me like it's more complicated than that. People have insurance, and the dollar amounts, the ability to restore, even if you have backups - I mean, it's not so cut and dry these days.
Chris Novak: Yeah. You're 100% right on that. You know, a lot of times I get that question of, you know, what should we do? And I'm like, look; I'll give you as much advice and guidance based on past experience of what I've seen happen elsewhere. But at the end of the day, everybody needs to make their own decision, right? It's like your own personal self. You need to ultimately decide what you're going to do. And it's interesting because when we look at that, you know, one, there's the possibility of, hey, if you pay, does that make you an interesting target? Does it mean someone else is going to come after you because they know you're likely to pay? Or in some cases - you mentioned cyber insurance. We're actually seeing attackers getting wise to the fact that, hey, you know what? If you have insurance, well, heck, you're not even going to, quote, "feel this," right? You know - and, you know, there's the - you know, everyone likes to talk about, you know, when insurance pays, you know, people kind of refer to it as a victimless crime. And I would imagine the insurance companies would beg to differ.
Dave Bittner: (Laughter) Right, right, right.
Chris Novak: But that is obviously playing into their calculus now of, well, if more organizations have insurance and we can get that to pay, then let's go ahead and ask for larger ransoms or in some cases even trying to figure out what coverage limits an organization might have in order to figure out how much they should ask for. And it gets even more complicated than that is in some cases, you pay the ransom, you don't necessarily get your data back, or it doesn't necessarily stop them from publishing it, right? You're - at the end of the day, you're still dealing with criminals here.
Dave Bittner: What's your sense for the near horizon? I mean, is it - the way that things stand right now, is that pretty much the state of things? Are we kind of in equilibrium, you know, with - it's hard to know if things are getting better or worse, but it seems certain that for the moment they're here to stay.
Chris Novak: Yeah, I'd say that that's a fairly accurate assessment of it. I would say that we are probably - I would say we are at a steady state. I think it's not getting horribly worse, but I don't think it's getting dramatically better at the same time. And I think part of it is organizations are still trying to figure out what is the right thing to do.
Chris Novak: The one thing that I am happy to see, if you will, is that we are seeing more and more requests for organizations wanting to do things like establish a ransomware playbook or do things like ransomware simulation so they can understand if something like this were to happen, what it might be like and how their response might hold up because I think that's an issue that a lot of organizations tend to feel. Like, hey, you know, as crazy as it may sound, some of them are still kind of flying by the seat of their pants in terms of what are we going to do if this happens. And then once it happens, all of a sudden they realize, you know, we have to shut down the office because nothing works. What are we going to do?
Chris Novak: And, I mean, I've even seen some organizations that they've said, hey, we're not worried. We've got great backups. And then I'll ask, well, when was the last time you did a ransomware situation? Because this is not just let's restore one PC from backup, right? This could be dozens, hundreds, thousands. Who knows? Have you ever actually done a ransomware simulation? Because the thing that I've seen happen is organizations just trust that they have backups, and then they go to do the restore and they realize, oh, my God, this is going to take us weeks to restore this data. And all of a sudden they're like, wow, this may not actually be less expensive than paying the ransom.
Dave Bittner: Yeah. Yeah. All right. Well, Chris Novak, thanks for joining us.
Chris Novak: You bet.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Spread a little sunshine. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.