The CyberWire Daily Podcast 11.10.21
Ep 1457 | 11.10.21

Cyberespionage from Tehran. Clopp ransomware operators exploit vulnerable SolarWinds instances. Mercenaries and lawful intercept vendors. Patch Tuesday.


Dave Bittner: Tehran's Lyceum group expands its activities against ISPs and telcos. Clop is going after unpatched instances of SolarWinds. Cyber mercenaries are quietly competing with lawful intercept vendors. NSO Group receives a setback from the U.S. 9th Circuit. Mexico makes an arrest in its Pegasus investigation. Carole Theriault shares her thoughts on the supply chain. Josh Ray from Accenture Security on moving left of the ransomware boom. And notes on Patch Tuesday.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 10, 2021. 

Dave Bittner: Security researchers at Accenture and Prevailion describe the recent activities of the Iranian threat group Lyceum, earlier tracked as Hexane by Kaspersky and as Siamesekitten by ClearSky. Lyceum's recent activity has concentrated on installing backdoors in ISPs and telecommunications companies located in Israel, Morocco, Tunisia and Saudi Arabia. An unnamed foreign ministry in Africa has also been targeted. 

Dave Bittner: Prevailion summarizes the findings as follows - quote, "at least two of the identified compromises are assessed to be ongoing, despite prior public disclosure of indicators of compromise. Domain name system tunneling appears to be used only during the early stages of backdoor deployment. Subsequently, the Lyceum operators use the HTTP(S) command and control functionality encoded in the backdoors," end quote. 

Dave Bittner: The current round of attacks on ISPs and telecommunications providers represents, according to Accenture, an extension of Lyceum's interests. The threat actor has continued to direct its attentions to the oil and gas sector and what Accenture characterizes as sectors of strategic national importance. 

Dave Bittner: Researchers at NCC Group report that the Clop ransomware gang is increasing its exploitation of the Serv-U vulnerability - that's CVE-2021-35211 - to gain access to unpatched SolarWinds instances. Quote, "NCC Group strongly advises updating systems running SolarWinds Serv-U software to the most recent version, at minimum, version 15.2.3 HF2," end quote. The researchers also provide a description of the ways in which Clop has hid unpatched SolarWinds instances as a guide to checking whether an organization has suffered exploitation. 

Dave Bittner: Forbes describes the activities of the RocketHack Russian criminal group, which it characterizes as a cyber mercenary operation specializing in gaining access to targeted individuals' Gmail, ProtonMail and Telegram accounts. RocketHack is described as occupying essentially the same space as lawful intercept vendors like NSO Group. 

Dave Bittner: A researcher at security firm Trend Micro gained insight into RocketHack's operation through an OPSEC failure on the part of the mercenary crew. A website used by RocketHack to monitor its victims was left exposed and unsecured. It afforded the researchers an insight into the group's operations. 

Dave Bittner: Forbes writes, quote, "for the last four years, the Russian-speaking RocketHack crew has quietly infiltrated email and Telegram accounts, PCs and Android phones of as many as 3,500 individuals. The targets range from journalists, human rights activists and politicians through to telecommunications engineers and IVF doctors across a few dozen clinics," end quote. Many of the targets were either prominent politicians or government officials. The countries affected were Belarus, Uzbekistan, Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France and Italy. Journalists were also targeted. 

Dave Bittner: The interest RocketHack showed in IVF clinics suggests that they were interested in a secondary market for sensitive personal information that could be sold elsewhere. Forbes regards the discoveries about RocketHack as showing that the arguably legal but controversial market for lawful intercept products, the market that's come to be represented by the NSO Group, has a clearly criminal counterpart occupied by mercenaries like RocketHack. 

Dave Bittner: And speaking of the NSO Group, the company's effort to have a U.S. federal lawsuit against it set aside have been rebuffed. In a 3-0 decision rendered Monday, the 9th U.S. Circuit Court of Appeals rejected NSO Group's movement to dismiss a suit brought by WhatsApp and Facebook. According to Lawfare, WhatsApp alleges that NSO Group, quote, "sent malware" - that is, the Pegasus surveillance tool - "through WhatsApp's server system to mobile devices," end quote. 

Dave Bittner: That suit will now proceed, and The Daily Beast writes that NSO Group is likely to be required to disclose much about its controversial dealings with governments who have abused the company's intercept tools. NSO Group has sought to have the case dismissed on the grounds that it should enjoy sovereign immunity. The 9th Circuit rejected that claim. Quote, "whatever NSO's government customers do with its technology and services does not render NSO an agency or instrumentality of a foreign state, as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity, and that is the end of our task," end quote. 

Dave Bittner: In another case related to the NSO Group, Mexican prosecutors have made an arrest in the course of an investigation of alleged abuse of its Pegasus surveillance software. The AP reports that Mexican authorities took a businessman, Juan Carlos Garcia Rivera, into custody on November 1. He's accused in connection with the installation of spyware on a journalist's phone. The AP quotes a member of the activist group Article 9 as saying that Garcia Rivera is a technical employee of a private company that was an intermediary for NSO in Mexico and benefited from illegal spying on public figures, but that does not represent the end of those responsible. 

Dave Bittner: That last sentence alludes to allegations of improper use of Pegasus by Mexico's government. Citizen Lab's Pegasus Project has reported that official users of the intercept tools within Mexico's government include the defense ministry, the attorney general's office and the national security intelligence service. President Andres Manuel Lopez Obrador has said, according to Security Week, that these agencies no longer place journalists or opposition figures under surveillance and that the tools are only used against criminals. 

Dave Bittner: Microsoft addressed 55 vulnerabilities in yesterday's Patch Tuesday. KrebsOnSecurity says that two of the bugs are undergoing active exploitation in the wild. CISA yesterday released advisories on eight industrial control system vulnerabilities, along with information on patches and mitigations. 

Dave Bittner: Before the pandemic, many of us had grown accustomed to living in an on-demand world. Order it today, and it will be here tomorrow. Then COVID hit, and everything from toilet paper to automobiles were left in short supply. The supply chain crisis continues, and commentator Carole Theriault wonders where else it may lead. She offers this report. 

Carole Theriault: So today I learned that there is an actual degree in supply chain management or logistics. I'd never really thought about people actually studying it, but, of course, it makes total sense. Supply chains are big business. Think about all the devices in your home or your place of work, all those electronics. They have components from a whole host of different manufacturers from around the world. These components often run software from different coding houses or organizations all around the world. And they're all wrapped up, tied with a bow and made into the thing you now have in your home, which perhaps you bought directly from the manufacturer, but more likely you bought from a distributor or a vendor or secondhand. 

Carole Theriault: It is absolutely dizzying to think about how many people and technologies are involved in all the little devices we depend on, from key fobs to headphones to IoT devices. Think about all the logistics involved in getting bits from a dozen places on time and to spec. 

Carole Theriault: Now, why are we talking about this? Well, the pandemic is hitting the supply chain hard, and the impact is already being felt. Some of COVID's hardest-hit countries are those that manufacture key components in these devices we rely upon. According to Bloomberg, the supply chain crunch that was supposed to only be temporary is now looking like it will carry on impacting businesses for some time to come. 

Carole Theriault: Now, in short, the message is that organizations are not getting components they need to make their slightly more complex components. Plus, when they are ready to ship, they can't get access to shipping containers. Oh, and the costs have skyrocketed. Even mighty Toyota Motor Corporation is affected. The automaker recently warned that it will suspend output at 14 plants across Japan and slash production by 40% due to supply disruptions, including chip shortages. 

Carole Theriault: And then, of course, on the other side of the planet, companies in the U.K., for example, are grappling with record-low levels of stock, and retail selling prices are rising at the fastest pace since November 2017. Of course, this is a problem that hits all industries, not just tech. We've got retail, food, health - you name it, and the logistics will have been hampered by COVID. 

Carole Theriault: But for tech, where all these components need to be regularly tested and checked at every stage to ensure that there are not vulnerabilities lurking inside the code or the components, that users are not left wide open to attack due to a human oversight - these tests that help assure quality and resiliency are important. And with companies now hit by staff reductions, higher costs and increased demand, how many are going to be tempted to skimp on the testing in order to get their component out the door? 

Carole Theriault: So the takeaway is this. As a home user, I'd advise you know what devices are in your home and accessing your networks. Set up a Google alert for the device name so that you can get an early warning should the device be impacted in a negative way. And as an organization, be you a manufacturer or distributor or somewhere in between, be as diligent and rigorous on testing as you can. But also hammer those components in your supply chain because your reputation is built on theirs as well. The reason is simple. You're less likely to be caught with your proverbial trousers around your digital ankles. 

Dave Bittner: That's CyberWire U.K. correspondent Carole Theriault. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyberdefense lead at Accenture Security. Josh, always great to have you back on the show. 

Dave Bittner: You know, I know you and your colleagues at Accenture recently collaborated with some folks from Carbon Black on some security research. What can you share with me here? What was the goal of the research? 

Josh Ray: Yeah, Dave, this is awesome. I'm really excited about this and this broader partnership we have with VMware. And I think, you know, one of the things that we really wanted to do as part of this partnership is address this notion of ransomware kind of head-on. So as you mentioned, we focused on some research that really, I think, is looking at the tactics used by cybercriminals to not only infiltrate but move around a company's network prior to the ransomware deployment. And this is paying very close attention to this notion of Time-to-Ransom, like TTR. 

Dave Bittner: Well, can you go through some of the highlights for me? What are some of the key findings here? 

Josh Ray: Yeah. And I think, you know, one of the things that makes this research kind of interesting and unique is that we were able to really leverage multiple collection sources. So as an example, for this research, we looked at a little over about 10 to 15 incident-response investigations. We managed to leverage our dark web collection and monitoring capabilities. And then we also combine that with the Carbon Black endpoint telemetry from their Carbon Black Cloud. So as you can imagine, we're - now we have, like, multiple sources and a very holistic look. And then we mapped all of our findings against the MITRE ATT&CK framework. 

Josh Ray: So for instance, a few highlights - and I'll just go through those briefly because I want to encourage folks to read this more in detail on the blog. But say for initial access, we really identified that remote-access RDP vulnerabilities was one of the primary methods for initial access being used by ransomware actors. And this was, of course, followed very closely by socially engineered phishing emails. And you know, the emails will, obviously, you know, contain a concealed dropper, and they'll drive a first-stage download payload. But these are the tools that really help the threat actor gain access and perform a variety of different functions. 

Josh Ray: From an execution standpoint, both the essential security and the TAU from VMware continue to observe actors' living-off-the-land techniques, but they're also using a lot of these off-the-shelf tools. A lot of our dark web collection and research has indicated that some of these operators now are actively recruiting pen testers because they're very experienced with these commodity tools like Cobalt Strike Platform. And then other threat actors, you know, are really starting to sell these and release these cracked versions of Cobalt Strike, further lowering this notion or this barrier of entry for this tool that's incredibly versatile. 

Josh Ray: If we look at persistence, we see attackers using PowerShell activity to modify the Windows Registry and startup files. And this is really one of the predominant methods of gaining persistence on the endpoint. And then, you know, without going too far down the rabbit hole of MITRE here, but from a privilege escalation, credential access standpoint, attackers are really using Mimikatz predominantly to harvest credentials and then using the Mimikatz binaries, which remains really one of the highest detections related to credential harvesting that Carbon Black has historically observed. Those are just kind of the highlights from just the report itself, but there are some positive takeaways here. 

Dave Bittner: What are some of the positive things that we can take from this? You know, for me, I'm struck by the collaboration here, which I think is important. But what are some of the highlights for you? 

Josh Ray: Yeah. I mean, collaboration is obviously key, right? But you know, really, what the team found as part of this research is that security practitioners have the opportunity - there's actually several opportunities - to disrupt criminal behavior prior to the ransomware executing and that at each stage of the attacker's cycle, there's really a number of different opportunities to detect and remove the threat. So remember, it really - it only takes one solid mitigation to break the criminal's kill chain. And in doing so, you're driving up that cost and increasing your ability to detect and respond to these threats more effectively. 

Dave Bittner: Is it effective to essentially make yourself not be the low-hanging fruit? I mean, how - in the real world, how helpful is that - just checking off all those basics, making sure you're not the easy target on the block? 

Josh Ray: Yeah. I think that speaks to basically becoming a resilient organization, right? I think if you're able to do all of the things that are necessary to, from a hygiene standpoint - but then as you really start to move, again, kind of left of boom and get a little bit more proactive in your approach and look for specific things to break - again, break that kill chain of the threat, you're going to do more to really, I think, effectively not only drive the resilience, but lower your overall risk posture. 

Dave Bittner: All right. Well, the blog is titled "Moving Left of the Ransomware Boom." Josh Ray, thanks for joining us. 

Josh Ray: Thanks so much, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.