The CyberWire Daily Podcast 10.6.21
Ep 1433 | 10.6.21

Twitch is breached. MalKamak: a newly described Iranian threat actor. Chinese cyberespionage against India. SafeMoon phishbait. The ransomware threat. What counts as compromise.


Dave Bittner: Twitch is breached. A newly discovered Iranian threat group is described. A Chinese cyber-espionage campaign in India proceeds by phishing. SafeMoon altcoin is trendy phishbait in criminal circles. As the U.S. prepares to convene an anti-ransomware conference, Russian gangs show no signs of slacking off. Betsy Carmelite from Booz Allen Hamilton on artificial intelligence and machine learning in cyberdefensive operations. Our guest is Adam Flatley of Redacted with recommendations from the Ransomware Task Force. And observations on what counts as compromising material.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 6, 2021. 

Dave Bittner: Twitch, the live-streaming service that focuses on serving gamers, has sustained a major data breach. The Video Games Chronicle reports that an anonymous hacker - and that's anonymous with a small a - posted a 125-gigabyte torrent stream to 4chan this morning that's said to include Twitch's source code and user payout information in addition to other material that the report says amounts to basically everything. 

Dave Bittner: What's the motivation for the attack? The anonymous hacker wrote that the dump's intention was to foster more disruption and competition in the online video streaming space because their - that is, Twitch's - community is a disgusting, toxic cesspool. 

Dave Bittner: Twitch confirmed that there had indeed been a breach, tweeting, "we can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us," end quote. The story is developing. We observe that the comment thread below Twitch's tweet is unhelpful. 

Dave Bittner: Security firm Cybereason has updated its account of Operation GhostShell, a cyber-espionage campaign the firm's researchers described in July of this year. Among the discoveries they regard as particularly noteworthy are GhostShell's association with a hitherto unknown threat group, MalKamak, believed to be operating in the interests of Iran, and MalKamak's deployment of the novel ShellClient remote access Trojan - a RAT, as such things are called. MalKamak has been operating since 2018 at least. 

Dave Bittner: Some of MalKamak's techniques suggest connections to other Iranian threat groups, notably Chafer APT, or APT39, and Agrius APT. But there were enough differences to warrant identifying it as a new threat group. MalKamak abused legitimate cloud services - notably Dropbox - for command-and-control. It's been evasive and stealthy. Using those cloud services, for example, helped its command-and-control traffic blend into the unobjectionable background of the traffic that ordinarily transits those services, which is how it escaped notice for three years. 

Dave Bittner: There were also, Cybereason says, some code similarities with tools used by Russian threat actors. A YARA rule, for example, seemed to allude to the Russian group known as Turla. But the researchers concluded that, as attractive as it might first appear in a search for clues - low-hanging fruit, Cybereason called it - this amounted to an incidental similarity and wasn't grounds for any attribution to any Russian group. 

Dave Bittner: Where MalKamak fits into Tehran's org chart isn't clear. Cybereason doesn't rule out that they could be a contractor or a mercenary group. Whatever MalKamak may be, Cybereason's researchers describe them as both capable and stealthy. Their recent campaigns have displayed an interest in the aerospace industry in Europe and North America and a very strong regional interest in the Middle East. 

Dave Bittner: BlackBerry's research and intelligence team has linked China's APT41 to an ongoing campaign against espionage targets in India. The campaign is noteworthy for its use of COVID-19 or income tax-themed phishbait as it prospects its targets. BlackBerry credits earlier research by FireEye - now Mandiant - Positive Technologies and Prevailion with setting them on the right track. APT41 has gone by many names, including Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie and Blackfly. We really do need a naming committee, don't we? 

Dave Bittner: This most recent report includes a set of indicators of compromise. 

Dave Bittner: It's unsurprising that a cyber-espionage campaign would make use of phishing to gain access to its targets. And it's also unsurprising that it would use topics of current interest as its phishbait. What is noteworthy, BlackBerry says, is the infrastructure employed. Their report says, quote, "with the resources of a nation-state-level threat group, it's possible to create a truly staggering level of diversity in a threat infrastructure. And while no one security group has that same level of funding, by pooling our collective brainpower, we can still uncover the tracks that the cybercriminals involved worked so hard to hide," end quote. 

Dave Bittner: Cybercriminals continue to follow niche fads. ESET describes how the currently shiny reputation of the new and highly volatile SafeMoon altcoin has prompted criminals to use it as phishbait in a campaign designed to get the marks to download the Remcos RAT. Remcos itself occupies an increasingly familiar gray area. It has legitimate uses, but it's also widely employed by criminals for stealing credentials from a range of browsers, keylogging, webcam and microphone hijacking and downloading further malware. 

Dave Bittner: ESET concludes with some cautions about the skepticism you should bring to any unsolicited communications. Their summation is worth quoting. "When it comes to investing in cryptocurrencies, you need to proceed with caution, and not just because the market is rife with investment fraud, fake giveaways and other scams. But surely you know the drill by now," end quote. And part of that drill is realizing that phishbait will follow the fads. 

Dave Bittner: As the U.S. prepares to organize multinational discussions of ransomware and what to do about it, U.S. officials say they've seen no decrease in ransomware. General Nakasone, director, NSA, said at Mandiant's summit yesterday that ransomware is a national security issue and that he expects it to remain such for the foreseeable future. The Hill quotes General Nakasone as saying that he expects the U.S. to come under ransomware attack "every single day." 

Dave Bittner: Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger said, Nextgov reports, that the 30-nation meeting the U.S. intends to convene will focus on ways of improving resilience, on increasing visibility through anti-money laundering efforts in particular, on holding nation-states accountable for harboring cybercriminals and on helping to build capabilities in other countries. 

Dave Bittner: What about those other nations who harbor cybercriminals? In particular, what about Russia? CISA Director Jen Easterly told a Washington Post Live event yesterday that the gangs' Russian enablers have shown no signs of backing off, whatever they may have told President Biden when he complained to them during his summit with Russian President Putin. 


Jen Easterly: I have not seen any significant material changes. We have seen ransomware gangs that seem to have gone offline for a period of time. That's not that terribly unusual. We've seen that in the past, where infrastructure will come down, and then it will reemerge. The ransomware gang will be renamed. 

Jen Easterly: This is a difficult, complicated problem. And I think to your point about the president's conversation with the Russians, I think this really has to be a whole-of-government effort. You know, with respect to where CISA is, we are all on what I would call a focus on left of boom. We are in the space of helping build resilience to ensure that everybody - businesses large and small, critical infrastructure owners and operators - understand the steps that they need to take so that they are not a victim of ransomware. We, of course, help to respond. We can assist in recovery, and then we share that information to prevent future victims. 

Dave Bittner: That's CISA Director Easterly at the Washington Post Live. 

Dave Bittner: A former adviser to former U.S. President Trump, Fiona Hill - no particular admirer of her former boss - had told Congress it was highly unlikely Russia had any compromising material on the ex-president. So no salacious dirt, apparently. Such psychological ascendancy as President Putin may have achieved was what we might call open-source, a sense that his American counterpart would be susceptible to flattery. And there's no kompromat necessary for that. Attention to the tabloids in the supermarket checkout aisle could have told the SVR that. And no elaborate espionage, cyber or otherwise, would have been required. 

Dave Bittner: Speaking of President Putin and the oligarchs who circulate in Russia's circles of power, where were they in the Pandora Papers, that big leak of information about the use of offshore accounts and shell companies by prominent people around the world? Sure, they were in there, but not nearly as much as one might have expected. An essay in Bloomberg thinks this is a sign that the oligarchs have de-offshored, that the lessons of the earlier Panama Papers leaks have been learned. 

Dave Bittner: But there's something there, apparently, or at least The Washington Post thinks so. The Pandora Papers connect a swell luxury apartment in Monaco with one Svetlana Krivonogikh, a St. Petersburg native of humble origins who's believed, the Post says, to have been in a long-term discreet relationship with Mr. Putin. 

Dave Bittner: Quote, "previously undisclosed financial records combined with local tax documents show that Krivonogikh, 46, became the owner of the apartment in Monaco through an offshore company created just weeks after she gave birth to a girl. The child was born at a time when, according to a Russian media report last year, she was in a secret, years-long relationship with Russian President Vladimir Putin," end quote. 

Dave Bittner: Now, that's some kind of kompromat, and, come to think of it, it's probably available in the checkout line. We'll take a look the next time we hit the local supermarket. 

Dave Bittner: Adam Flatley is former director of operations at NSA and currently director of threat intelligence at cybersecurity company Redacted. Adam also serves on the Ransomware Task Force, a group assembled by some of the top names in the industry. They delivered their 81-page report to the Biden administration in April. 

Adam Flatley: I think that the most important recommendation that was made was that ransomware be treated as a national security issue instead of just a criminal issue, and that is what's going to be the real game changer here because ever since the administration accepted this recommendation and then implemented it, they are now able to pull all kinds of tools off the shelf that were not normally turned against cybercriminals because the priority has raised up. It's now on the national security priority, and now they can engage other parts of the government besides normally what you would expect are things - like actions from the Treasury and actions from law enforcement. But now they can really reach out into the full capabilities of the government to tackle this problem. 

Dave Bittner: So what went into that specific recommendation? How did you and your colleagues come up with the notion that ransomware should be considered a national security issue? 

Adam Flatley: Well, there was a couple of things. The problem has been growing exponentially over the past year and a half to two years. And we've started to see that this indiscriminate targeting is starting to have real-world impact. So it's not just loss of money, but they are hitting hospitals in the middle of the pandemic, shutting down systems that are, you know, life-saving systems. They're also going after things like the food supply, the power supply, all kinds of critical infrastructure that they're targeting just without any type of morality whatsoever. Even the ransomware groups that claim that they don't do it, we see them totally continue to go after these critical things. So these operations aren't just about, you know, the U.S. losing money anymore. It's about actually causing threat to life in some cases and causing, you know, real problems for our national security. 

Adam Flatley: As you saw with the Colonial Pipeline, that was shut down for a relatively short amount of time, and you saw how much panic-buying there was and how much that the, you know, whole eastern seaboard was kind of shaken by that event. 

Dave Bittner: So now that the government has adopted that particular recommendation that it be treated as a national security issue, you mentioned that that puts some more tools at their disposal. What sort of things do they have available to themselves now? 

Adam Flatley: So some of it is going to be increased priority within the organizations that were already working ransomware, so groups like CISA, FBI, Secret Service, Treasury. You know, they've all been working this problem really hard, but they didn't have all the resources that they needed to really amp it up and go after it. So they're going to be able to get more resources because of the raised priority. 

Adam Flatley: And then there are other pieces of the government that just were not engaged in cybercrime which can now be brought to the table. So think about our intelligence agencies and other capabilities that can now shift their focus to look at these cybercrime actors when before they weren't even on their target deck. 

Dave Bittner: And what's next for the task force itself? I mean, is there - is it continuing? Is there more work ahead? 

Adam Flatley: Yeah, absolutely. We are providing a lot of consultation to government and private industry organizations who - they like the recommendations and they want assistance or want to understand it a little bit better. So that - we're doing a lot of work behind the scenes to sort of help people who want to do the right thing. 

Dave Bittner: And is that, you know, the whole range of government, in terms of options that are on the table? - you know, everything from sanctions through the military itself. 

Adam Flatley: Yeah. I mean, everything that we do needs to obviously be proportionate and reasonable. But there are a lot of things that can be done that used to be off the table which can now be on the table because of that national security designation. And that can really be the game changer if we have the real will to do it. 

Dave Bittner: That's Adam Flatley. He's director of threat intelligence at Redacted and a member of the Ransomware Task Force. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it's always great to have you back. You know, I wanted to touch base with you when it comes to AI and ML in cyber operations, particularly defensive operations. You know, I think for a while, we certainly went through a round of having AI and ML being hot buzzwords. And I - it seems to me like we've settled into more of a rational place with these technologies - more practical than perhaps we were before. What is your take on this? Where do we stand when it comes to cyberdefensive operations and AI and ML? 

Betsy Carmelite: Sure. I wanted to really talk about the requirement for augmenting traditional cyber operations with the use of AI and ML. And that's, without question, very much needed. Just look at the past year of attacks, our attack surface expansion and our understanding of cyber mission challenges as a result. Obviously, attacks are more sophisticated, targeted and frequent. Secondly, we're seeing organizations and agencies rely on cybertools that fail to integrate, and they depend on siloed network data for alerts. And this is where we're seeing AI come in to help. And then third, rapid streaming analysis and analytic approaches aren't offered in a vendor-agnostic platform. So the end result in defensive cyber operations is delayed analysis and delayed detection. 

Dave Bittner: Does the AI and ML serve as a way to sort of stitch together various products that people might be using and do it in a very automated sort of way? 

Betsy Carmelite: Well, yes. You can use products that are existing. I want to really focus this more on, like, some of the components and the services and the capabilities that AI and ML can offer because product integration is something that can come, really, after you come up with a strategy and look at what you need to address. But two components that you can apply to the cybersecurity setting where AI and ML come in - and this is especially interesting to me and my career as a threat intelligence analyst because this really - these are really game changers in helping operations. 

Betsy Carmelite: First, we see AI and ML addressing the challenge of real-time adaptability. In security operations, ideally, you're seeking immediate analytic insights and not retrospective views or delayed insights. With AI systems, data feeds are processed in motion at the edge and across all data sources. So if you think about the volume of data and data sources that are pulled from network and endpoint sensors, logs, the millions of assets in a large organization - you're thinking of terabytes of data. So analyzing that data at the point of ingest before it's funneled into a SIEM so that raw data normalization occurs closer to the point where the data is generated is key because you create a common data model earlier. And that common data model means better data for analysts and faster response time because analysts aren't manually pulling the data together from a SIEM. This reduces their time to be doing that heavy lift. This does require, however, security analysts, business strategists and data scientists all talking together so that there's an understanding of how data needs to be used in that security use case. 

Betsy Carmelite: And then the second way AI can be used in this operations model is to enrich data analysis also at the point of ingest. The common data model that I just mentioned brings multiple data feeds together. So in the enrichment process, the event data that's coming from sensors and logs - so, like, right off of your network - is fused with nonevent data. So maybe that's threat intelligence or vulnerability data. And that brings meaning to occur in circumstance for the operations team. With the AI-driven integration of this data at the edge prior to SIEM filtering, analysts are given the time to complete more complex tasks around the analysis and how they need to respond - so as opposed to the time-consuming data fusion across multiple feeds, dashboards and reports. 

Dave Bittner: You know, that's fascinating. The whole notion of having the AI be out on the edge - I mean, it kind of reminds me of - you know, you're - the human nervous system. You know, if you touch a hot stove, your hand gets yanked away before your brain really knows what's happening, right? You know, your nervous system says, there's danger here; we need to make an adjustment. And only later do you look and see, oh, I was touching a hot stove. I mean, it seems like a similarly effective protective use case here. 

Betsy Carmelite: Yeah. And basically, like, to your hot stove - you're detecting that hot stove a lot earlier. You're detecting things that you weren't able to detect previously. So one example to really illustrate this that comes to mind is how AI and ML could possibly have helped attack detection in the detection of the SUNBURST malware used in the SolarWinds Orion software supply chain attacks. The use of AI and the detection of patterns, specifically how SUNBURST used the domain-generation algorithm, also known as the DGA, to generate and change the command-and-control channels could have determined the anomalies of the malware's behavior. 

Betsy Carmelite: And to be clear, we're not talking about pinpointing whether the activity is malicious but rapidly identifying the DGA behavior patterns that would help an analyst and reduce that analyst's reliance on multiple tools, multiple data sources and identify those previous and expected behaviors earlier. And it'd also reduce false positives in those detections. 

Dave Bittner: Right. So the AI can come to the human analyst and say, hey, there's something here that I think may deserve your attention. 

Betsy Carmelite: Yes. Yeah. And this actually improves the workforce experience and is one of the benefits of AI integration in cybersecurity. We often recommend that cyber operators and analysts really look at how their SOPs and their manual activities are impacting their work. Like, I spend a lot of time with my analyst team looking at the attack surface of organizations. And AI-enabled data and enrichment processes could really reduce that cumbersome correlation time of data inputs when you really need to be getting the core threat analysis and threat modeling out there. 

Betsy Carmelite: There are other increased cost savings because of the improved response time and activities for preventing breaches of malicious attacks. That also leads to improved brand reputation for an organization and increased consumer trust, knowing that the organization has, you know, improved security protocols. 

Betsy Carmelite: So there's a lot of education that probably needs to be done for an organization to look into applying AI to their security operations, learning about the breadth of AI use cases for cybersecurity for both government and commercial missions. And again, knowing your - knowing the challenges of the workforce and executing their cyber missions as practitioners, AI in this case can very much augment security operations, the defensive posture that organizations take to stay out of attacks and produce better results. 

Dave Bittner: All right. Well, interesting insights, for sure. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.