The CyberWire Daily Podcast 7.1.21
Ep 1366 | 7.1.21

Large-scale GRU brute-forcing campaign in progress. IndigoZebra in Afghanistan. A ransomware gang scorecard. A cyber most-wanted list. Are the phone lines open?


Dave Bittner: U.S. and British authorities warn of a large-scale GRU campaign. Reports of a major cyberattack on German critical infrastructure. IndigoZebra uses Dropbox in ministry-to-ministry deception aimed at the Afghan government. Currently active ransomware groups are profiled. A cyber most wanted and priorities in a U.S. Treasury campaign against money laundering. Malek Ben Salem looks at supply chain security. Our guest is Brandon Hoffman of Intel 471 with insights on China’s data underground. And hey, it’s Dmitri from Yurga, long-time listener, first-time caller.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, July 1, 2021. 

Dave Bittner: NSA and its U.S. and British partners late this morning released an advisory detailing a Russian campaign they describe as almost certainly ongoing to brute-force access to cloud and enterprise environments. The campaign is global in scope, NSA says, but focused on American and European targets. 

Dave Bittner: The sectors being prospected for collection or disruption amount to a familiar list - government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties and think tanks. Attribution is specific - the threat actor is placed on the GRU's org chart as the 85th Main Special Service Center. 

Dave Bittner: The Advisory summarizes the implications of the campaign - quote, "This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation and defense evasion. The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE 2020-0688 and CVE 2020-17144, for remote code execution and further access to target networks. After gaining remote access, many well-known tactics, techniques and procedures are combined to move laterally, evade defenses and collect additional information within target networks." 

Dave Bittner: While brute-forcing isn't new, the GTsSS's approach is. It's uniquely leveraged software containers to easily scale its brute force attempts. 

Dave Bittner: The Advisory comes with indicators of compromise, and NSA urges Department of Defense, National Security Systems and Defense Industrial Base system administrators to immediately review them and apply the recommended mitigations. 

Dave Bittner: Responding to a screamer in German tabloid newspaper Bild about a massive Russian cyberattack on German infrastructure, the country’s federal information security service, the BSI, says it never happened. Instead, some criminal activity was thwarted, Bloomberg and Golem report. Bild had cited unnamed Western intelligence services as its sources and variously named the purported Russian threat actor Fancy Bear and Fancy Lazarus. The outlet also associated the attack that wasn’t with tensions arising over Belarus and the airliner it forced down so it could take a dissident into custody. 

Dave Bittner: If you believe NSA, the NCSC, the Secret Service and the FBI, the GRU has certainly been up to no good in European and North American networks. But this case doesn’t appear to be one of those misdeeds. It was apparently an ordinary and not particularly successful attempt at cybercrime. 

Dave Bittner: Researchers at Check Point have observed a Chinese-speaking threat group tracked as IndigoZebra engaged in a long-running cyber-espionage operation against the Afghan government. IndigoZebra used Dropbox to gain access to the Afghan National Security Council and then used that position to phish their way further into the government. The goal is to access desktop files, deploy scanner tools and execute Windows built-in networking utility tools. 

Dave Bittner: The Hill reports that Check Point is struck by IndigoZebra’s effective use of ministry-to-ministry deception, since the messages staged through Dropbox appear to originate at the highest levels of government. 

Dave Bittner: The latest targets may be in Afghanistan, but IndigoZebra has, according to Check Point, long shown an interest in Central Asian governments since at least 2014, pursuing targets in Kyrgyzstan and Uzbekistan. 

Dave Bittner: Security firm Domain Tools has published a useful guide to the most common ransomware operations presently active. The accounts of the individual gangs and their tools are interesting, but so is the overarching warning Domain Tools offers up front - quote, "All of these groups make alliances, share tools and sell access to one another. Nothing in this space is static, and even though there is a single piece of software behind a set of intrusions, there are likely several different operators using that same piece of ransomware that will tweak its operations to their designs," end quote. 

Dave Bittner: Among the more prolific, rapacious and successful ransomware-as-a-service operations out there is REvil. AT&T’s Alien Labs, working from a tip it received from the MalwareHuntingTeam, has been tracking new samples that indicate the gang’s expansion into new fields of activity. 

Dave Bittner: REvil has hitherto concentrated on attacking Windows machines. But Alien Labs has confirmed, with at least four samples, that REvil has branched out into the Linux world. In this, REvil is following the lead of other ransomware outfits, notably DarkSide. The first confirmed REvil activity against Linux systems appears to date to this past May. 

Dave Bittner: The U.S. Secret Service has revived its most-wanted list of suspected cybercriminals. As suits a remit narrower than the FBI's, the Secret Service's list is confined to cases of financial fraud under investigation by its Cyber Fraud Task Forces. They welcome tips. If you've got any, you can email them at Two of the wanted come with a million-dollar reward for information leading to arrest and conviction. 

Dave Bittner: In a related development, the U.S. Treasury Department has published a revised set of anti-money-laundering guidelines, the Wall Street Journal reports. The Department's Financial Crimes Enforcement Network yesterday gave cybercrime a prominent place among its priorities. FinCEN said, quote, "The Priorities identify and describe the most significant AML/CFT threats currently facing the United States. In no particular order, these include - corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organizations, drug trafficking organizations, human trafficking and human smuggling and proliferation financing," end quote. 

Dave Bittner: Finally, in the it’s Dmitri from Yurga, long-time listener, first-time caller department, Russia’s President Putin seemed this week to engage in a bit of security theater, principally for domestic consumption. His annual, four-hour call-in TV show, a kind of ask-me-anything session with Russian citizens on the state-run Rossiya 24 network, featured a caller from the southwestern Siberian region of Kuzbass who complained, our digital systems are right now facing attacks, powerful DDoS attacks. The president replied, are you joking? Seriously. Turns out we have hackers in Kuzbass. 

Dave Bittner: SecurityWeek says that the large Russian telco Rostelecom confirmed that unknown parties were indeed conducting cyberattacks and that steps were being taken to block these illegitimate activities. No attribution was offered, but hey, give 'em a call. Maybe by now the phone lines are open. 

Dave Bittner: Researchers at Intel 471 recently looked into the sale of datasets in online dark web forums by Chinese insiders with access to big datasets. Brandon Hoffman is chief information security officer at Intel 471, and he joins us with their findings. 

Brandon Hoffman: Yeah, so what's happening essentially is - let's just take, for example, a service provider, right? A service provider has a lot of data about individuals, a lot of data about what they do on the internet and probably personal information. This data gets aggregated. And there's legitimate reasons, even here in the U.S. and across other parts of the world, where people aggregate this data, and they sell packages to advertising and marketing firms, and they broker this data out for legitimate purposes. 

Brandon Hoffman: But what's happening here essentially is there is somebody who's kind of running maybe a syndicate or a group that deals with selling this type of data or derivatives of this data for nefarious purposes. They enlist somebody like an insider or potentially, you know, a threat actor, maybe a hacker, if you want to use that term, to go and gather up this data, extract, you know, large sets of information. Then they push that data through middlemen on the cybercrime underground or, what some people will say, maybe the dark web. We don't really use that term. And they sell that to threat actors who want that data, who are running scams. Maybe it's a phishing scam. Could be a malware campaign to target specific type - specific people. So essentially, just to cover the process very quickly, you know, somebody - there's a group of people who deal in selling this type of data. They'll go and enlist somebody to get a set of information that they want from, let's say, like, a service provider who has a giant data lake of information. They extract the pieces they want. They push it through a middleman to the actual threat actors who will monetize that data through a variety of different types of scams. 

Dave Bittner: And is this primarily Chinese organizations focusing on the data of other Chinese nationals, or are they - you know, is our data from other people around the world - is that being looped into this as well? 

Brandon Hoffman: Yeah, I mean, in the specific example of the research we're doing, this is all pretty well-contained. I think there is data probably - you know, because of the advent of, you know, the Chinese technology - as you would say, diaspora - you know, across the world... 

Dave Bittner: Yeah. 

Brandon Hoffman: ...You know, certainly there is some data from outside of China in there, and it's very, very likely that this is taking place - this same scenario is taking place in other parts of the world. But in this particular report, in this case, it was focused almost completely on inside of China. 

Brandon Hoffman: It's an interesting time to have a report like this because, at least with a lot of people I talk to, you know, the notion of all the data being gathered on us as individuals and what it's being used for, how it's being monetized, even legally, is seemed to causing - be causing a lot of heartburn, you know, with many people, even in the lay public, right? And so it's interesting to see this report come to light that not only is it used for legal profiteering, but also illegal profiteering. Really doesn't come as a surprise to most of us, but it's just kind of interesting timing, I guess, is all I'll say. 

Dave Bittner: Yeah, when it's sort of laid bare there, you know, I guess it confirms a lot of people's suspicions - one more bit of data to put in your bin. 

Brandon Hoffman: Yeah, I guess it kind of follows the old adage that nothing in life really is free, right? 

Dave Bittner: (Laughter) That's right. That's right. 

Brandon Hoffman: It's usually one way or the other (laughter). 

Dave Bittner: That's Brandon Hoffman from Intel 471. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director for security at Accenture. It is always great to have you back. I wanted to talk to you today about some work that I know you and your team have been focusing on. And this is the remediation of vulnerabilities but using artificial intelligence. What can you share with us today? 

Malek Ben Salem: Yeah, so we noticed that a lot of our clients are struggling with remediating vulnerabilities that are found through the different application security tests that they perform. We know that application development teams are responding just to highly critical vulnerabilities that are found through these tests and that they cannot find the time to remediate all of the vulnerabilities. So we wanted to assist them and look at the use of machine learning and AI in general to help them with this task. 

Malek Ben Salem: We've worked with one of our clients, and we've taken basically all of their - the vulnerabilities in their environment and identified, you know, the most frequent ones and started looking at how can we automatically generate and suggest remediated code for them so that the development teams can take the remediated code and just review it and apply it or include it in their code. 

Malek Ben Salem: And that has - you know, that went pretty well. So we've been working at this for a few months now. And, you know, we've performed a field test with this client. And we found that we were able or the AI is able to automatically remediate 60% of the vulnerabilities, of the Java vulnerabilities, within their environment just using a few of the AI models. So this was very encouraging for us. I think what we will do is expand that to other Java vulnerabilities and expanding that AI also to handle vulnerabilities in other programming languages as well. 

Dave Bittner: Is there an adjustment period that developers have to go through when interacting with a system like this? I mean, I can imagine folks, you know, not naturally responding in a generous way when an AI tells them that they need to make some adjustments to their code. 

Malek Ben Salem: Yes, absolutely. I think deploying something like this within a development environment will take some adjustment time, which is why we've taken a phased approach to this. In our first field test, what we've done is generate these suggested outer mediations and send them to the application development team so that they can review them and that they can gain, basically, trust into the AI and its recommendations. 

Malek Ben Salem: And the response we've received is outstanding. They all - the application teams that we've been working with have been thrilled to get these remediations because they save them a lot of time. I think as more confidence is gained, as more trust is going into these recommendations generated by our AI system, we can move on into automatically deploying these remediations and integrating them with the code so that we can perform the unit tests and move on with the development pipeline. 

Malek Ben Salem: So, yes, I think it takes time. But so far, the response we've received is great. Some of our metrics show that just generating these remediations save the development teams two hours per vulnerability - so, you know, that time researching what is the vulnerability about and how can I remediate it, et cetera. So it saves them... 

Dave Bittner: Wow. 

Malek Ben Salem: Yeah - per vulnerability. That is amazing. Knowing that, you know, there are hundreds of thousands of vulnerabilities that these application teams have to deal with, that's huge. And automatically deploying the remediation to the code - that will save five hours of development - of developer and tester time. So there are even more savings to be gained if this entire process can be completely automated. 

Dave Bittner: So where do you suppose this is heading? I mean, what's the - I guess I'm trying to imagine the point of equilibrium. When this is up and running, ideally, what do you have in your mind's eye? 

Malek Ben Salem: Well, when this is up and running, I think this will save development time so that the developers can really focus on what they do best - right? - and what's generating more value for the company, which is, you know, developing code and working on their applications as opposed to running around, fixing vulnerabilities. So that is the purpose. And also, by the AI generating these, you know, remediations for the developers and code, we - our intent is that they will learn, right? By looking at these, you know, the right code or the non-vulnerable code, they will learn the way to write code in a secure manner. So over time, not only are we fixing vulnerabilities, but we're also teaching the developers on how to write secure code. 

Dave Bittner: And then the proper code goes in their library, goes into their bag of tricks. 

Malek Ben Salem: Exactly. 

Dave Bittner: Yeah, yeah - fascinating stuff. All right. Well, Malek Ben Salem, as always, thanks for joining us. 

Malek Ben Salem: Thank you, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. If your company would like to reach a quarter million unique listeners every month, send us a note at 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.