The CyberWire Daily Podcast 9.9.21
Ep 1414 | 9.9.21

Credential theft at the UN? Intelligence services and privateers. DDoS hits a big multinational. A look at AlphaBay 2.0. Notes on the C2C marketplace.

Transcript

Dave Bittner: A cyberattack is reported at the U.N., with agency data apparently lost to parties and parts unknown. The bears are quieter, but the privateers are up and at 'em. DDoS hits Yandex. Cyberespionage using the SideWalk backdoor. TeamTNT is getting tougher to detect. A SWOT analysis of the newly reconstituted AlphaBay contraband market. The Groove Gang is a new age criminal affiliate program. Caleb Barlow describes attackers leveraging U.S. and European infrastructure to hide in plain sight. Our guest is Brad Thies of BARR Advisory on what the next five years may have in store for cloud security and to irritate your online chums for just 50 bucks a pop. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 9, 2021.

Dave Bittner: The United Nations has sustained a cyberattack by unknown actors. Bloomberg reports that earlier this year, stolen employee credentials - probably purchased online in a criminal forum - were used to gain access to U.N. networks. The credentials were for the U.N.'s proprietary project management software, Umoja. The attackers were able to pivot from there to other places in the network. In the course of the attack, the threat actor obtained data that could be used to target United Nations agencies. The intrusion was detected by the cybersecurity firm Resecurity. 

Dave Bittner: Bloomberg quotes Gene Yoo, Resecurity's CEO, that, quote, "organizations like the U.N. are a high-value target for cyberespionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the U.N. network for further long-term intelligence gathering," end quote. Bloomberg reports that U.N. credentials were being sold as part of a patch of dozens of usernames and passwords to various organizations for just $1,000, sourcing the information to security firm Intel 471, which notes that various Russophone cybercriminals have offered the material for sale. Intel 471 CEO Mark Arena told Bloomberg, quote, "since the start of 2021, we've seen multiple financially motivated cybercriminals selling access to the Umoja system run by the United Nations. These actors were selling a broad range of compromised credentials from a multitude of organizations at the same time. In a number of previous occasions, we've seen compromised credentials being sold to other cybercriminals, who have undertaken follow up intrusion activity within these organizations," end quote. 

Dave Bittner: CrowdStrike's threat hunting report out yesterday notes that cyberattacks that can be directly and unambiguously attributed to Russian state actors have declined this year, especially when contrasted with the vigorous activity shown by China, Iran and North Korea, while Russian-speaking cybercriminal activity remains prominent. A certain level of state-run cyber operations continues. But the Russian services' targets have shifted, moving away from commercial organizations and toward think tanks, dissidents and journalists. Presumably, the commercial targets can be left to the privateers, who provide a fig leaf to cover national interest and state policy. Also noteworthy are the number of attacks that look like state-run operations but that can't be clearly attributed. Those, too, are on the rise, whoever's behind them. 

Dave Bittner: Earlier this week, financial services networks in New Zealand were subjected to large and moderately disruptive distributed denial of service attacks, from which they've now largely recovered. But another large DDoS incident has hit a major Russian firm. Yandex is the latest big, commercial organization to sustain a major distributed denial of service incident, Reuters reports. The Russian multinational tech firm says it successfully parried the attack. 

Dave Bittner: Researchers at Broadcom's Symantec unit attribute the campaign using the SideWalk malware ESET described late last month to the Chinese Grayfly cyberespionage group. SideWalk is a modular backdoor that's recently been used against telecom providers. Grayfly is also known as Wicked Panda or APT 41. The recent targets have been in Taiwan, Vietnam, Mexico and the United States. In addition to hitting telecommunications, Grayfly has used the SideWalk backdoor against targets in the IT, media and financial services sectors. AT&T Alien Labs finds that the criminal group TeamTNT is using a difficult to detect version of camera in a campaign of credential theft and crypto jacking TeamTNT is using Chimaera in a number of environments, including Windows and various Linux distributions. The group is also infesting Kubernetes instances. And Alien Labs recommends that defenders pay particular attention to hardening Kubernetes. 

Dave Bittner: Digital Shadows subjects the revived version of the contraband market AlphaBay to analysis and concludes that while there's an underworld opportunity for a revival, the latest edition may have trouble building on the original marketplace's street cred. Potential users suspect the new AlphaBay's admin may be compromised. And they mistrust the absence of exit scam protection. Digital Shadows presents their findings in the form of a SWOT analysis, the summary of strengths, weaknesses, opportunities and threats - familiar to those in the business world. 

Dave Bittner: To summarize, the strengths include street credibility - since hoods have heard of and probably remember AlphaBay - new features, many of which are designed for better security, including an ability to withdraw funds should servers be seized by the police, and new rules to avoid unwanted attention. It's like "Fight Club." Don't talk about it. Don't mention ransomware. And don't wolf about recruiting new members. The weaknesses include the possibility, the suspicion, that the new admin, whose hacker name is DeSnake, has already been compromised and could even be a provocateur. 

Dave Bittner: There's also the track record - criminal comebacks are rarely successful. They're like Hollywood sequels. Have "Sharknado 2" through 10 really lived up to the artistic standards of the original? We don't think so either. Although, Robert Herjavec's cameo in "Sharknado 4" did give us hope for the future. And the user base will be slow to grow because of what Digital Shadows calls a mix of skepticism and traditional criminal reluctance. All those new square rules will also be a downer. 

Dave Bittner: Finally, there is no exit scam protection. That was a big problem with AlphaBay Version 1. And there's no sign it's been addressed in Version 2. There are also opportunities. The new AlphaBay offers the prospect of reuniting the community - that is, the criminal community - under one roof. People like to buy their contraband in one big, convenient market. And they miss that. There may also be an untapped market, particularly a market for cybercriminal tools. The old AlphaBay was heavily into illicit drugs, and its successor still is. But there are opportunities elsewhere. 

Dave Bittner: And of course, there are the threats. Mr. DeSnake's reputation is, as they say fragile. Law enforcement remains a perennial threat. And the authorities have upped their enforcement game since they took apart the original AlphaBay. And in the end, there's plenty of competition in this C2C market. They're unlikely to roll over with all four paws in the air. We'll watch AlphaBay's progress with interest. If they start selling "Sharknado 7," we might even consider becoming a customer. We're kidding, of course, about AlphaBay, not "Sharknado 7." 

Dave Bittner: Zoho has patched its ManageEngine ADSelfService Plus against an authentication bypass vulnerability that's currently being exploited in the wild. CISA urges users to apply the fix.

Dave Bittner: Researchers at McAfee and Intel 471 jointly describe a shakeup in the criminal-to-criminal ransomware affiliate market being led by the Groove Gang. Whereas earlier ransomware-as-a-service programs had prioritized control over the code and a systematically hierarchical organization of the affiliates, the Groove Gang is proving more fluid and opportunistic. It prizes not the affiliate's skills but, simply, their networks. 

Dave Bittner: And last but not least, Avast describes a new underworld offering Instagram bans as a service. If you are too dull or lazy to irritate people yourself, you can outsource the harassment for as little as 50 bucks U.S. What does this say about the quality of temptation nowadays? As Baudelaire put it a century and a half ago, you know, this delicate monster, it's ennui - or, as a prominent recent U.S. president would tweet it, sad. We're confident that Baudelaire wouldn't have been on AlphaBay. Now, Verlaine or Rimbaud? Well, maybe. 

Dave Bittner: Brad Thies is founder and president of BARR Advisory, a security and compliance firm with specific expertise in cloud computing. I caught up with Brad Thies recently for his insights on the challenges and opportunities of the continuing migration to the cloud. 

Brad Thies: The pros are it reduces cost, increases agility and, you know, elasticity. There's - it's DevOps friendly. And you do have improved uptime, you know? So security is also reliability. If you have security and reliability, I think those go hand-in-hand. And so those are the improvements of just the resiliency of pushing data into the cloud. I, you know, personally, being in the cybersecurity space, I think you are more secure as you push information into a cloud environment. So I don't think it's really the cloud that's insecure. I think it's an education piece, of some of those traditional lenses of cybersecurity in the perimeter don't really hold itself true in the cloud environment. So it's more of a fear of the unknown of, as I'm pushing information into this more public cloud adoption, you know, what should I be doing differently? 

Dave Bittner: You know, I think it's easy to focus on some of the high-profile data breaches that we see that I think are associated with the cloud, you know, someone leaves an AWS bucket wide open for the world to see. Is that - I guess, to what degree is that still a serious, ongoing problem relative to the amount of attention it gets is, I guess - where I'm getting at is, are the tools and practices in place that we're heading towards a time when that particular sort of thing is a thing of the past? 

Brad Thies: Well, that's where the tooling comes in. And so, you know, if you look at it from - yeah, you hear these fear things that happened on - oh, my S3 bucket was exposed to the internet. That's going to happen all the time. But that goes back to the human element. And it's a mind shift in security. It's everybody's responsibility. You can't just think from a centralized view of cybersecurity. Same concept of the analogy of - I'll use the car analogy, you know? You have - it's not just one person's responsibility, not just the safety and reliability expert. The seats have to be designed to handle a car crash. Windshields have to crack safely or shatter - not shatter when a rock hits, headlights, seatbelt integrity, et cetera. It's everybody's responsibility. 

Brad Thies: And so looking at the tooling - going back to the tooling factor, that's just getting into visibility. And so that's where I think we'll see more proliferation of cloud CASBs - or cloud service access brokers - that gives you some of that visibility into open S3 buckets, all the way to more security and compliance automation platforms that start to automate some of these testing and starts to give us a little bit greater visibility on what's going on in our environment to allow, I think, from a board level and executive level and cybersecurity expert level, greater focus on how quickly our threat models are evolving over time by pushing data into a cloud. 

Dave Bittner: Do you suppose this is enabling a lot more people to have a higher level of security than they would otherwise have, you know, sort of by taking it out of their hands, it's protecting them against the things they don't even know they should know? 

Brad Thies: Yeah, because again, you can't centralize security. And, yes, you can put a culture in place. But those - that decentralization of it - even though we talked about earlier with the cloud being that centralized aspect, it's enabling more of this decentralized view of how we protect the internet. And getting to those more decentralized architectures and - allows us to feel more safe because you have smaller teams being able to push changes more quickly versus the traditional way of everything has to go through a change advisory board - or a CAB. And that old model doesn't work well because you can't assume that some centralized authority has every bit of understanding that maybe some of these smaller team sets might have, and more intimately, as you're looking at it from a cybersecurity lens. 

Dave Bittner: That's Brad Thies from BARR Advisory. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, always great to have you back. You know, we've been seeing some attackers who've been leveraging infrastructure in both the U.S. and in Europe kind of hiding out in plain sight. I wanted to get your take on this. What's going on here? 

Caleb Barlow: Well, you know, I mean, you and I both have had young kids, Dave. And you know when the kid was always scared that there was a monster, like, in the attic or whatever? In this case, the monster is, indeed, under the bed, right? 

Dave Bittner: (Laughter). 

Caleb Barlow: It's really close. And they've realized that hiding under the bed is a better place than hiding in another country. 

Dave Bittner: Yeah. 

Caleb Barlow: And there's a couple of reasons why, which is we've built legislation to protect them if they hide under the bed and hide in our own backyard, right? 

Dave Bittner: Right, right. 

Caleb Barlow: I'll give you a great example of where GDPR far just goes sideways, right? So, you know, if a bad guy takes over systems inside of Europe - and usually they'll choose infrastructure in Germany - a company cannot easily go in and deploy security solutions because those security solutions have privacy ramifications. So they actually have to get permission from a works council to go deploy things like EDR. I've literally seen it happen where you've got a server that you are pretty sure is infiltrated, and it's going to take a month or two to get EDR on it, where in most environments you go deploy it in the next hour - right? - because you've got to get permission because that tool can gather data. And the bad guys know this. Literally they're sitting there going, oh, OK, you found us. Great. It's going to take you 30 to 60 days before you can get rid of us, so we're just going keep doing what we're doing. 

Caleb Barlow: I think also, in the case of - you know, if we look at SolarWinds, if you look at the Microsoft Exchange breach - you know, granted these examples also came kind of with that Trojan horse method of getting inside companies, but they also gave adversaries, you know, environments in which to operate inside the U.S., where intelligence agencies are less likely to look at them; law enforcement has to jump through a whole bunch of hoops to get there. I mean, if you're, let's say, the FBI, and you need to go get a search warrant on a particular server or server farm, it could take weeks to months to be able to execute on that search warrant. And the bad guys are starting to realize this. There's protection in hiding under the bed. 

Dave Bittner: What's the solution here? I mean, is this a matter of proper legislation or rolling back regulations? What direction do you think we should come at this from? 

Caleb Barlow: Well, I mean, there's two pieces to this, right? One is we've all got to realize that like every - we talk about this all the time. We've got to actually pay attention to our defenses and realize that a strong defense not only protects our own organization but protects us from becoming the beachhead to attack somebody else. But the second piece of this is we really do need to look at our legislation to allow capabilities for information security and to ensure that we're protected. And the place we often run awry with this is privacy, right? 

Caleb Barlow: But here's the point. You cannot have good privacy without having good security. You can have really great security and have really lousy privacy. And we have to keep that in mind, right? Our privacy regulations cannot be built and done in a vacuum. We have to recognize that they need to have the corresponding security component not only to ensure defense but also to allow proper security research along the way. 

Dave Bittner: Is there anybody doing this right? I mean, if we compare ourselves to the Europeans with GDPR, are they in better shape than we are? 

Caleb Barlow: Actually, and I've said this many times before, I actually believe that GDPR has caused some of the biggest security failures for a variety of reasons. One, it gives the bad guys a place to hide out. But the second thing is that GDPR really took away our ability to access DNS records, which is one of the primary tools for security investigations. And, you know, what's unfortunate is this issue has been well publicized, but nobody's fixed it yet because it's a different swim lane. So, you know, honestly, Dave, I don't really think anybody's doing this right yet. But I do have hope because I think people are starting to realize that this is a problem. And we have to enable legitimate security researchers and law enforcement to do their job. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. If your company would like to reach a quarter million unique listeners every month, send us a note at thecyberwire.com/sponsor. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.