The CyberWire Daily Podcast 7.15.21
Ep 1375 | 7.15.21

Luminous Moth or Mustang Panda, it’s the same bad actor (probably). Updates on other cyberespionage and ransomware campaigns. Rewards for tips on cyberattacks.

Dave Bittner: A Chinese APT is active against targets in Myanmar and the Philippines. Cyber-espionage campaigns suggest that there's a thriving market for zero-days. MI5 warns against spying, disinformation and radicalization. REvil continues to lie low, and the Kremlin hasn't seen nothing. CISA offers ransomware mitigation advice. Bogus Coinbase sites steal credentials. Ransomware attacks on old SonicWall products are expected. Daniel Prince from Lancaster University looks at getting into the industry and whether a degree is worth it. Our guest is Kurtis Minder from GroupSense, tracking three divergent ransomware trends. And Rewards for Justice offers a million bucks for tips on cyberattacks.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 15, 2021. 

Dave Bittner: Kaspersky outlines the activities of a Chinese APT, tracked as LuminousMoth, engaged in cyber-espionage against Southeast Asian targets. Myanmar and the Philippines are receiving most of the group's attention. 

Dave Bittner: LuminousMoth, Kaspersky says, has an affinity with HoneyMyte, the threat actor better known as Mustang Panda. The current campaign, which began with operations against Myanmar but has since shifted to the Philippines, is unusual in that it combines high volumes with highly targeted approaches to a relatively small number of targets - "Sweeping Attacks for the Chosen Few," as Securelist's headline puts it. The attacks have typically begun by spear-phishing and then subsequently spread through malicious payloads carried by infected USB drives. 

Dave Bittner: Post-exploitation, the operation relies on a bogus Zoom application to identify and exfiltrate data of interest. Some of the victims were also infected with a Chrome cookie-stealer. 

Dave Bittner: Google's Threat Analysis Group yesterday blogged about four campaigns it's found in the wild that exploited zero-days. One extensive campaign, targeting mostly European government officials and believed to be the work of a Russian intelligence service, used LinkedIn spam to push malicious links. Three other campaigns, including some deployed against Armenian targets, appear to have been sold to various unnamed governments by a zero-day broker. 

Dave Bittner: While Google's estimation is that a single broker was behind the sales, CyberScoop sees Google's report as also exposing a growing market for zero-days in which many of the buyers are nation-state security and intelligence services. 

Dave Bittner: According to Sky News, Ken McCallum, the head of Britain's MI5 counterintelligence service, warns that private persons remain targets for recruitment or manipulation by hostile intelligence services. He thinks that collection is happening at scale, and Sky News paraphrases his warning as saying that this activity takes place in a gray zone that sits deliberately under the threshold of what would normally be considered an act of war but can be just as dangerous if ignored. Russia, China and Iran are particularly called out, and his warning deals as much with disinformation as it does espionage. 

Dave Bittner: Not all of the threat is foreign. The BBC reports that McCallum sees indigenous racism as driving recruitment of younger subjects in particular into more-or-less organized extremist activity. 

Dave Bittner: The REvil ransomware gang remains in the wind, gone from its customary haunts on the web. TASS says Russian authorities know nothing about REvil's vanishing act, which if one takes it at face value would suggest that REvil hasn't been closed down by Russian security or police agencies. 

Dave Bittner: News outlets, including Germany's Spiegel and the English-language Moscow Times, review the three leading lines of speculation about the disappearance - a Russian enforcement action, an American takedown or simply REvil's going on the lam - but little new light has been shed on the matter. Consensus holds, however, that relaxing vigilance against ransomware attacks would be unwise. Not only are there other gangs out there, but it would require a Panglossian optimism to think that REvil is down for the count. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - CISA, the nation's risk adviser, as it calls itself in the announcement - has released advice for managed service providers and small-to-medium businesses on how they might harden their systems against ransomware and cyber-espionage. The advice is familiar but useful, brief and well-founded. Its overarching advice about how to think about the threat, whether criminal or state directed, is to understand that, quote, "these actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers. Compromises of MSPs can have globally cascading effects and introduce significant risk, such as ransomware and cyber-espionage, to their customers," end quote. 

Dave Bittner: Security firm INKY reports that the value Bitcoin has assumed in the marketplace has driven a rise in impersonation scams in which criminals mimic the appearance of the widely used Coinbase exchange. 

Dave Bittner: The scams begin with phishing emails, some of which INKY finds relatively well-written, a cut above the run-of-the-mill subliterate criminal hack work. Should the recipients be unwise enough to follow the invitation to, say, restore access to your Coinbase account, they'll be taken to a credential-harvesting site. And from there, matters will proceed in the usual unfortunate way. 

Dave Bittner: Two-factor authentication remains a good idea and best practice, but INKY points out that it won't always protect you. Some of the Coinbase imposters use Evilginx, a man-in-the-middle framework that proxies a real website with an Nginx HTTP server that intercepts data, including two-factor authentication tokens. 

Dave Bittner: SonicWall has warned its users that some of its older appliances are expected to become victims of an imminent phishing campaign making use of stolen credentials. The Secure Mobile Access 100 series and Secure Remote Access products that still run unpatched and end-of-life 8.x firmware are the products that carry the risk. The vulnerability SonicWall expects to be exploited has been patched in more recent versions of these products. 

Dave Bittner: The U.S. State Department's Diplomatic Security Service this morning offered a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. The announcement particularly calls out cyber-espionage and cyber sabotage, although not under those names, and the related threat of ransomware. The offer is being tendered under the State Department's Rewards for Justice Program, which the department has operated since 1984. 

Dave Bittner: Rewards for Justice, the State Department says, has paid more than $200 million to over a hundred tipsters since its inception. Most of the rewards have gone for tips that help prevent terrorist activity. The program's use against ransomware is significant in that it marks the seriousness with which the U.S. government seems to be treating ransomware. Providing tips can be risky, and the State Department knows this. To help ease the minds and secure the safety of potential informants, State writes, quote, "commensurate with the seriousness with which we view these cyberthreats, the Rewards for Justice program has set up a dark web Tor-based tips reporting channel to protect the safety and security of potential sources. The RFJ program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources. Reward payments may include payments in cryptocurrency," end quote. So if you've got a tip and it pans out, State promises to take care of you. 

Dave Bittner: And finally, Peter Levashov, the Russian national who in September copped a guilty plea to U.S. federal charges addressing his role in the creation and operation of the Kelihos spam botnet, is now up for sentencing. The Government Memorandum in Aid of Sentencing recommends that the U.S. District Court for the District of Connecticut follow sentencing guidelines in the case, making no case for unusual leniency or stringency in the matter with Mr. Levashov. Those guidelines call for imposition of a sentence of between 12 and 14 1/2 years. 

Dave Bittner: Kurtis Minder is CEO at GroupSense, a cyber-reconnaissance, digital risk, ransomware strategy and negotiation firm. He and his team have been tracking divergent trends in ransomware, a topic I recently spoke with him about on the "Hacking Humans" podcast. Here's an excerpt from that conversation. 

Kurtis Minder: On the threat actor side, Dave, it's chaos. As you've seen in the news and the media, we've seen higher- and higher-profile cases. Those are the ones that we know about. There's a lot that we don't. We've also seen, because of those high-profile cases, the threat actors changing tactics, changing names, changing brands (laughter). So there's a lot going on. Even in the last month, we've seen quite a bit of change in the activity level and also the tactics that the threat actors are using. 

Dave Bittner: Well, there are some specific things that you all are tracking here. Let's go through them one by one. What's the first thing that's on your radar? 

Kurtis Minder: We're obviously intimately involved in the actual ransomware cases themselves. So we're doing a lot of the negotiations on behalf of the victims. So we're tracking, you know, the metrics associated with those negotiations - which groups are most prolific, which groups are using which malware components successfully, also what amounts are being asked for and/or paid in those exact negotiations. But on top of that, we're actually tracking the individual threat actors themselves and their - sort of their track record and history in the space. 

Dave Bittner: I see. Now, one of the things you're tracking are what you describe as crypto brokers, these folks who manage the crypto payments. Can you describe that to us? What's going on here? 

Kurtis Minder: So we're - I wouldn't use the word tracking. We have relationships with and are well acquainted with the brokers that basically take, you know, the standard currency - in this case, a lot of times it's U.S. dollars - and convert that into cryptocurrency for the purposes of doing a cryptocurrency transaction. In this case, that transaction is often paying, you know, a threat actor or ransom payment. 

Kurtis Minder: There's - there are specific operational and financial security measures that you have to take or - obviously, you don't have to, but it is advised that you take (laughter) in doing a transaction like this. And so, you know, we've worked with a number of brokers that help us facilitate those processes. And I can't go through those specifically. But the idea is, you know, the threat actor, when you're actually making the payment, cannot easily trace back to, you know, the victim's bank. That's - yeah. So there's a whole infrastructure there that helps protect against the reverse tracing of the transaction. 

Dave Bittner: Where do you suppose we're headed? I mean, what are the trend lines? Are we on a trajectory where, you know, this can't continue - there's going to have to be some sort of disruption here? 

Kurtis Minder: Yeah, I think - I hope that we're getting to a point where we can start curbing this. And there are several ways to do that. There's a technology approach which, you know, we've got, you know, myriad companies trying to solve this. How do we protect companies better from ransomware? There's a - sort of a policy and best practices approach, which, by the way, is highly effective. And what I mean by that is just following some basic security hygiene on the front end will make - or basically remove a company from being the low-hanging fruit. So that's probably one of the cheapest ways (laughter) to address that. And then the third way is legislation and government support. And I - that's something like, for example, the ransomware task force is making recommendations around, how can the government help the victims that are in these scenarios without facilitating a ransom payment? 

Kurtis Minder: And so the net outcome from this would be that the threat actors no longer get paid for what they do. Now, what I will - what I'll add to that is, they will find another angle (laughter). And we're... 

Dave Bittner: Right. 

Kurtis Minder: ...Already seeing, you know, threat actors pivoting off of pure ransomware and creating - for example, Marketo created a - by the way, this is not the same as the marketing company Marketo. There is a threat actor group called Marketo, which is a little bit confusing and unfair to the marketing company. 

Dave Bittner: Right. 

Kurtis Minder: The threat actor group Marketo, for example, has already pivoted to just selling stolen data in packages rather than doing the ransomware deployment themselves. So they just exfiltrate data. And then they've got a stolen data marketplace that they've created. So we're seeing them get creative about changing their approach. So that's - we're going to see that regardless of what we do on the specifics of the ransomware problem. 

Dave Bittner: That's Kurtis Minder from GroupSense. You can listen to the rest of our conversation over on the "Hacking Humans" podcast. 

Dave Bittner: And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, always great to have you back. You know, I realize this is a - the business that you're in, this is a bit like asking a barber if you need a haircut. But (laughter) I'm wondering what your take is these days in terms of folks who are looking to get into the industry. How valuable is a degree? Is it necessary? Is it worth the investment? 

Daniel Prince: Well, I'm sure some of my colleagues will probably shoot me, but I think the answer is, it really depends on the individual. 

Dave Bittner: Hmm. 

Daniel Prince: So the way that I see it, the - as the industry's grown, so has the number of entryways into the industry. And specifically, you know, if we go back - again, 10 or 11 years, when we set up the MSc program at Lancaster, you know, we didn't have all of the wonderful and terrible YouTube videos explaining certain attacks and how things operate. And we certainly didn't see as much information available on the internet at large. And so the universities did what they did best, which was act as an aggregator of that information, a curator, if you like, and then down-selected what they felt was appropriate with guidance from industry and taught that particular knowledge. 

Daniel Prince: But as they - again, as the industry's grown, as it's increased in maturity, that information is now largely, again, available online. And there are some very good tutorials, there's some very good information, and there are some very good industry qualifications that you can go and get. So it depends on what you actually want to do in the industry because the other thing that's changed is the type of roles that are available. You know, it's not just the guy that works or the girl that works in the IT department. There are a number of roles that work across the business. 

Daniel Prince: So is a degree worth it? And the answer is typically, as always, it depends. But the role of the university, I think, is - any university is an important one because we act as that curator of knowledge but also a key developer of knowledge. And we try very hard, along with a number of other universities, to ensure that we provide that knowledge that we are generating into our degree programs. So perhaps unlike, you know, your standard qualifications, industry qualifications, you're getting an extra bit of special sauce, if you like, with a university degree because you're getting access to that cutting-edge research, which you can then take into industry, which would help differentiate you from other people. 

Dave Bittner: Is my perception accurate that part of what a university degree brings to the table is the notion that someone's going to come out of there well-rounded? You know, they will have - because of the requirements of the degree, not only will they have knowledge in their area of specialty but supporting areas as well. 

Daniel Prince: Yeah, that's certainly true. So one of the things that we have to do when we're designing modules, for example, which not a lot of people do, is we have to talk about the knowledge subject-specific areas. So, you know, talk about digital forensics, the tools, the techniques, the approaches that you have to apply. But then we also have to design the program to say, well, how does teamwork play into this? And what are the other kind of - what would - yeah, effectively professional skills do we have to teach as part of this? 

Daniel Prince: And one of the things that I've noticed within our degree - because it's a multidisciplinary program where we have modules, technical modules, but we also have law, criminology, international relations and management within that - we're teaching all those other disciplines. But also, we're teaching how to synthesize the approaches across all those disciplines to round people out. And one of the things I observe is that when you get a computer science graduate, their thinking tends to be very black-and-white. You can either build it, and it works, or you can build it; it doesn't work. It's a very - as you would expect, a binary solution... 

Dave Bittner: Right. 

Daniel Prince: ...Whereas when you get, you know, some of these other disciplines, you know, where it's about discourse, it's about discussing the grey issues and then taking a position, bringing that into cybersecurity and security in general, which is a - you know, generally a grey subject - how much security is enough? Well, it depends. Having that ability to host that discourse, to be able to build that into your day-to-day approach is vitally important. So one of the other things, as you rightly point out, that I firmly believe in in terms of the role of a university is to not just provide that knowledge and skills but also, you know, produce professionals and improve the professional skills that sit around our graduates and our students. 

Dave Bittner: Is there a message here as well to the folks who are doing the hiring that - you know, that they need to be careful to not be filtering out folks who don't have a degree? 

Daniel Prince: Yeah, definitely. I mean, the degree's now not the only good route into cybersecurity. And I've spoken about this in the past. Degrees and universities work for some people, but they don't necessarily enable you to access all the talent that we desperately need into the industry. And so if you're only focusing on, do they have an undergraduate computer science degree, have they done a master's degree in cybersecurity, or some combination of that, then you're going to lose the younger people who perhaps don't have the potential opportunities that people like myself have had to go to university. 

Daniel Prince: But they are still passionate. They still have a keen interest. They still have keen intellect to be able to work in this particular field. And we need to find ways to encourage that pathway into cybersecurity and give them the options. There are lots of very good self-taught individuals out there. And so it's vitally important that we support them to get into the industry, like I say, to get the talent that we need to deal with some of these really complex problems that we have faced day to day. 

Dave Bittner: All right. Well, Daniel Prince, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Eliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.