Cyberespionage prospects telecom companies: Operation Diànxùn. Working against exploitation of Exchange Server. And rerouting SMS messages (it cost only $16).
Dave Bittner: McAfee describes Operation Dianxun, a probable Chinese collection effort directed against telecoms and 5G technology. Organizations around the world continue to work to thwart exploitation of Exchange Server vulnerabilities. What's a web shell, and what can it do? Ben Yelin looks at cellphone data gathered from the U.S. Capitol riot. Our guest is Ross Rustici from ZeroFOX on the evolution of ransomware. And how much does it cost to redirect all your SMS messages to some goon? Turns out only 16 bucks.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 16, 2021.
Dave Bittner: McAfee's Advanced Threat Research Strategic Intelligence team late this morning released its research into a threat actor they found operating against telecommunications targets, specifically against individuals working in that industry. McAfee is calling the campaign Operation Dianxun after the Mandarin word for telecommunication, appropriately enough. Their work includes a technical analysis of the campaign's tactics, techniques, and procedures, which show some signs of overlapping TTPs used by both RedDelta and Mustang Panda, groups that have generally been associated with Chinese intelligence services.
Dave Bittner: It's not clear exactly how victims have been infected, but McAfee believes with moderate confidence that they were lured in some fashion to a domain under the control of the threat group where malware was installed in their devices with a view to further exploitation. The malicious domain was designed to look like a career site for Huawei.
Dave Bittner: The individuals the campaign sought to lure were mostly in Southeast Asia, Europe and the U.S., and the threat actors appeared to be interested in German, Vietnamese and Indian telecom companies. The motive, McAfee thinks, was probably to collect against proposed bans of Chinese equipment from the global 5G rollout and also to steal sensitive or secret information in relation to 5G technology.
Dave Bittner: McAfee has also offered some advice on threat hunting and other ways of increasing an organization's defenses against campaigns like Operation Dianxun.
Dave Bittner: The operations of that other Chinese-run threat group, Hafnium, remain, of course, in the news. Its cyber-espionage campaign exploiting now-patched Exchange Server zero-days morphed in late February into multiple campaigns conducted by both state-directed and criminal threat actors. France 24's account of the incident bears out their headline - it's turning into a global crisis.
Dave Bittner: Criminal interest in exploiting unpatched Exchange Servers continues unabated. Security firm Check Point says that it's observed attacks increase by an order of magnitude just over the past week from 700 on March 11 all the way up to 7,200 just yesterday, on March 15. Quote, "the country most attacked has been the United States, with 17% of all exploit attempts, followed by Germany, 6%; the United Kingdom, 5%; the Netherlands, 5%; and Russia, 4%," Check Point researchers say. The most targeted industry sector has been government and military, with 23% of all exploit attempts, followed by manufacturing, banking and financial services, software vendors and health care.
Dave Bittner: Exploitation of Exchange Server also offers considerable opportunity for fraud and a more plausible kind of fraud than one sees in crudely executed phishing expeditions. The social engineering experts at KnowBe4 have seen a corresponding rise in account impersonation attempts. Quote, "account impersonation is incredibly dangerous because the recipient of the email believes that they are speaking to the trusted party via email, so they are much more likely to click on a malicious link or open an infected email attachment. Ransomware is another one of the potential cybersecurity problems that threaten the operational capabilities of businesses that have not patched their systems yet due to this exploit. For any organization using Microsoft Exchange Servers, it is recommended to patch immediately," end quote.
Dave Bittner: The US Cybersecurity and Infrastructure Security Agency has updated its advice on dealing with Microsoft Exchange Server exploitation to include notes on China Chopper web shells being used against victims. The UK's National Cyber Security Centre, like its counterparts in the US, Germany, and elsewhere, has urged all organizations, both public and private, to apply Microsoft's patches as soon as possible. They also recommend that all organizations look for signs of compromise by threat actors, whether Chinese intelligence services or criminal gangs.
Dave Bittner: To return to CISA's advice, the agency stresses that its most recent list of seven China Chopper web shells isn't necessarily exhaustive. They also have a useful summary of what a web shell is and what it can do.
Dave Bittner: CISA explains, quote, "a web shell is a script that can be uploaded to a compromised Microsoft Exchange server to enable remote administration of the machine." Threat actors use them "to harvest and exfiltrate sensitive data and credentials, to upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims, to use as a relay point to issue commands to hosts inside the network without direct internet access and to use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence."
Dave Bittner: Patching Exchange Server is obviously necessary, albeit not sufficient to protect against the ongoing attacks. Microsoft itself has continued to update its guidance on protecting on-premises Exchange Servers from attacks. Just yesterday, the Microsoft Security Response Center released a new, one-click mitigation tool to help users secure both current and out-of-support versions of Exchange Server. The tool will be of particular use to smaller organizations that may lack a dedicated security team.
Dave Bittner: Vice has a disturbing first-person account of how an SMS marketing tool by Sakari can be abused to redirect messages to a third party. It's not an exotic hack. All the bad actors would need to do is sign up for the service - it's only 16 bucks, a bargain as these things go - falsely claim to be the owner of your number and then have your messages redirected to a number under their control.
Dave Bittner: It's not that Sakari is deliberately marketing to criminals, but rather, to judge from Vice's account, that the method of verifying that the number you want to have forwarded is, in fact, a number that belongs to you is too close to the honor system. And as you all know, there's no honor among thieves. And, of course, you don't need to be a technical sophisticate to be a successful cybercrook.
Dave Bittner: Ross Rustici is global head of security, architecture and threat intelligence at ZeroFOX. He joins us with an update on what he and his team have been tracing in terms of the evolution of ransomware.
Ross Rustici: So ransomware is one of these unique attributes of the criminal underground where you've seen several evolutions over the last, really, five years or so. And, really, what was noteworthy in 2020 and coming into this year in 2021 is really the cat-and-mouse game that we're seeing between security professionals and the operators of ransomware.
Ross Rustici: It's not necessarily that the malware itself is getting more sophisticated or we're seeing radical changes in what they're doing or how they're doing it in terms of the technical implementation, but rather, their operating model is changing as more and more companies are getting better about having backups, being able to basically recover from the initial intrusion without necessarily paying the ransomware operators.
Ross Rustici: They're looking for new monetization ways. And so they've started doing a much broader exfiltration of data and trying to hold that data hostage with the threat of public exposure and doxxing rather than just the traditional model that we had seen for the longest time where they would encrypt the files and hope denial of access was enough to get that monetization aspect.
Dave Bittner: And where do we stand when it comes to whether or not folks are actually paying the ransoms these days?
Ross Rustici: That is a complicated question to get good statistics on. The general impression, I think, of a lot of defenders is more often than not, you will see companies pay the ransom. And that's because of the fact that it's simply cheaper to do so than to go through the expense of rebuilding the network, especially if you don't have secure backups.
Ross Rustici: I think what we saw in kind of the 2019, early 2020 phase of things is more and more companies were moving towards secure backups, getting better at some of your traditional defenses, and thus reducing that payout. And that's why you saw the reaction from the ransomware authors. And now that they've created this new wrinkle in the operation, it's forcing companies to make that hard choice again, and you're seeing them go back to paying the ransom because, again, it's easier, and it reduces their overall exposure.
Dave Bittner: Yeah. You know, we mentioned at the outset that there's kind of been these waves of evolution in this. Does it seem like we're kind of in an equilibrium state right now, where it's hard to imagine, you know, what the next wave is going to be, if changes are on the horizon or, indeed, you know, the malware operators see a necessity to make any changes?
Ross Rustici: Yeah, I think right now the move's really with the network defenders. We got really good at trying to foil the traditional ransomware operation, make the availability of data not as painful for the corporation and as such, not pay as often. We saw the ransomware move to - it was the doxxing. It was exfiltrating data. It was causing pain in a different way.
Ross Rustici: Now, it's really up to us as defenders to figure out how you minimize that. And I think we're going to see kind of another year cycle here, where 2021, you're still going to see a lot of doxxing, the security community is going to finally come up with a response and start slowing down the amount of payments. And then it's going to take another four to six months for the ransomware operators to find the next new thing for everybody to gravitate to.
Dave Bittner: That's Ross Rustici from ZeroFOX.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast. Ben, great to have you back.
Ben Yelin: Good to be with you, Dave.
Dave Bittner: So you and I have been following with great interest the ongoing developments with the fallout from the January 6 insurrection at the U.S. Capitol building. And an article came by here that you actually brought to my attention about the FBI and their confidence in some of the cell tower dumps that they've gotten. Bring us up to date here. What's on your radar?
Ben Yelin: So this is from the website emptywheel.net, which is run by Marcy Wheeler, a prominent independent journalist who covers surveillance, privacy, security topics. And she wrote a piece on how the FBI must have confidence in the granularity of their Capitol cell tower dumps. And what she did is she went to the - through the affidavits of three individuals who have been arrested in connection with the insurrection and how cell location information obtained from data dumps and from geofencing has helped lead to the prosecution of these individuals.
Ben Yelin: So in the first case she discusses, some of the rest of the evidence seems rather inconclusive and a little bit flimsy. This person posted on social media, but when they posted on social media, they were outside the Capitol, which is, you know, not illegal at that point. You could be outside the Capitol...
Dave Bittner: Right.
Ben Yelin: ...Without breaking the law. And there was kind of a blurry picture that seemed to maybe show this person inside the Capitol but might not have been convincing to a judge or a jury. So they're relying on this data dump from AT&T, which asserts that this person's cellphone pinged one of the AT&T cellphone towers or whatever they were using inside the U.S. Capitol.
Ben Yelin: And there are a couple of other cases that they follow, including one case dealing with a prominent member of the Oath Keepers, which is a militant group with associates potentially high up in the Trump world, the Trump administration. And they're relying on these data dumps in that case, too. And in that case, it really matters because if you're not able to secure a prosecution of this individual, you're potentially not going to be able to get this person to flip on the higher-ups.
Ben Yelin: So in one of these cases, they had just a really interesting map showing how this actually works in practice. So this is actually for a third criminal defendant. They found his Gmail by looking at his Instagram account, which he put his Gmail on his Instagram account - first mistake.
Dave Bittner: (Laughter).
Ben Yelin: And through Gmail, they were able to obtain data from Google, who did its own geofencing data dump on the day of the insurrection.
Ben Yelin: And what Google says is they have these little radii of, you know, at each individual location, depending on your proximity to a cellphone tower, how much of a radius they can be confident that you as an individual are in. And if you look at the diagram they drew, they have three circles based on the pinged locations of this device. Most of those three circles, the vast majority of them fall inside that Capitol building. But a small portion of one of the circles falls outside the Capitol building, which if I'm a defense attorney, that would be a nice way to show that there might be reasonable doubt...
Dave Bittner: Right, right (laughter).
Ben Yelin: ...In this case.
Dave Bittner: Right. My client was merely peering inside the windows from outside.
Ben Yelin: Yeah, exactly. He just wanted to see what was going on - yeah.
Dave Bittner: (Laughter) Right, right. Sure.
Ben Yelin: What's also interesting is Google says that these radii themselves are only about 68% accurate. So if I'm a defense attorney, you know, I'm running with that. I put the Google representative on the stand and say, you know, how accurate are these representations, are these projected radii? And if they say 68%, I'm looking straight at the jury, you know, and saying, 68% seems to me to fall short of that threshold where you're beyond a reasonable doubt.
Dave Bittner: Yeah.
Ben Yelin: So it's just really interesting how the FBI is relying on these data dumps and geofencing. But, you know, when you have this really key distinction here between being outdoors, which is legal, and being indoors, which is illegal, the importance of granularity really comes into focus.
Dave Bittner: Yeah. I've just put on my RF nerd hat for a bit, something in a former life I had some familiarity with. And by the way, we get into detail in this case over on the "Caveat" podcast, so if you want more coverage of that, do check that out.
Dave Bittner: But one of the interesting things that's brought up in this article and in the comments as well is how it is important what the Capitol building is made out of, that it is made out of thick stone and it has a metal roof. And all of those things are unfriendly to the radio frequencies that are used for cellular communications.
Dave Bittner: And what that leads to is a conclusion that it is highly likely that there are cell towers, cell, you know, access points within the building itself because it's hard to get signals into the building, and it's hard to get signals out of the building. So that would increase the accuracy as well, if it is, in fact, the case. And these folks seem to think it's highly likely that there are these very small beacon points for other communications within the Capitol itself, which is another fascinating point that sort of plays against the folks who might be trying to keep their locations or identities anonymized.
Dave Bittner: And as you pointed out over on "Caveat," a big part of the Capitol building's underground.
Ben Yelin: Absolutely. So you're not going to be getting reliable cellphone service there, so you have to put in those access points.
Dave Bittner: Right.
Ben Yelin: There are basements and subbasements in that building, if you've ever ridden the elevators there, as I have. So...
Dave Bittner: Yeah.
Ben Yelin: Yeah, I mean, the infrastructure is there. Obviously, it was put there not to detect insurrectionists, but that happens to be a side benefit of it.
Dave Bittner: Right, right. No, it's a fascinating story. Again, it's over on emptywheel.net. It's titled "FBI Seems Confident in the Granularity of Their Capitol Cell Tower Dumps." More on this topic over on the "Caveat" podcast. We hope you'll check that out. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Best eatin' in town, up and down and all around. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.