The CyberWire Daily Podcast 11.17.21
Ep 1461 | 11.17.21

CISA and its partners warn of Iranian cyber ops. Cyberespionage in the Middle East with Candiru tools. Belarus connected to Ghostwriter. Facebook boots SideCopy. RAMP recruits members.


Dave Bittner: CISA, the FBI, the ACSC and the NCSC issue a joint advisory warning of an Iranian cyber campaign. A Belarusian connection to Ghostwriter. Candiru tools reported in watering holes. SideCopy's interest in Afghanistan. RAMP shows an interest in attracting Chinese operators. Josh Ray from Accenture Security digs into the Conti playbook leak. Our guest is Matt Keeley from Bishop Fox on fuzzing. And Pompompurin wants to sell you leaked data from Robinhood.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 17, 2021.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency this morning issued a joint advisory with the FBI, the Australian Cyber Security Centre and the U.K.'s National Cyber Security Centre that warns of Iranian-sponsored exploitation of vulnerabilities in Microsoft Exchange and Fortinet. The Fortinet vulnerabilities, which include FortiOS vulnerabilities listed as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, have been under active exploitation since March. The threat group has been working against a flaw in Microsoft Exchange ProxyShell, which is CVE-2021-34473, since last month. 

Dave Bittner: The advisory says, quote, "the Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the transportation sector and the health care and public health sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focusing on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware and extortion," end quote. The advisory includes advice on detection and mitigation. The most important mitigation is to patch vulnerable systems, since all of the exploits take advantage of known and fixed flaws in the susceptible software. 

Dave Bittner: Mandiant finds a connection between the Ghostwriter campaign, generally regarded as a Russian operation, and Belarus. The company doesn't rule out an additional Russian connection to the threat actor it tracks as UNC1151, but it thinks that Ghostwriter's targeting, its absence of any obvious criminal payoff and the messaging of its disinformation argue for Belarus. It's possible that this represents a distinction without much of a difference, given the close alignment of Moscow and Minsk, much closer than that between Russia and any other former Soviet republic in the Near Abroad.

Dave Bittner: Candiru, the Israeli company recently subjected to U.S. sanctions alongside the better known NSO Group, has been tracked to a widespread surveillance campaign targeting mostly Middle Eastern organizations. Researchers such as the Bratislava-based security firm ESET have found the company's tools in watering holes designed to attract Iranian and other subjects. 

Dave Bittner: Many of those watering holes were established in compromised news sites. Those sites included the London-based Middle East Eye, Yemeni media outlets including Almasirah - linked to the Houthi rebels fighting the Saudis - websites belonging to Iran's foreign ministry, to Yemen's finance and interior ministries, to Syria's electricity ministry and to internet service providers in Syria and Yemen. Other compromised sites included some belonging to Piaggio Aerospace, an Italian aerospace company, to Hezbollah, and to The Saudi Reality, which is a media outlet operated by Saudi dissidents. ESET thinks it probable that the Candiru malware was delivered to users in a browser exploit. 

Dave Bittner: Candiru has kept a much lower profile than the NSO Group, but according to Computing, it shares some investors with the better-known Israeli company. Like NSO Group, Candiru sells its tools to governments. Unlike NSO Group, whose Pegasus software is designed for use against phones, Candiru's software principally affects desktop computers.

Dave Bittner: Reuters reports that Facebook - now formally known, since its rebranding, as Meta - tracked a Pakistan-based group, SideCopy, that sought to bring Afghans connected to the former government under surveillance as that government collapsed during this summer's Taliban takeover. 

Dave Bittner: Facebook's head of cyber-espionage investigations, Mike Dvilyanski, told Reuters, quote, "It's always difficult for us to speculate as to the end goal of the threat actor. We don't know exactly who was compromised or what the end result of that was," end quote. 

Dave Bittner: In any case, Facebook ejected SideCopy accounts from its platform in August and published a report on the group’s activity yesterday. SideCopy, which is believed to be operated by, or on behalf of, the Pakistan government, has been mostly associated with espionage operations against Indian targets. 

Dave Bittner: Security firm Flashpoint has observed that the RAMP ransomware forum is back, but that it includes a lot of Chinese-speaking participants. It's not clear what they're up to - does it represent a serious criminal outreach, maybe even a serious privateering outreach, to Chinese actors? Or is it misdirection of the kind Flashpoint discerned earlier this month in Groove, apparently intended simply to darken counsel? 

Dave Bittner: Flashpoint's conclusion acknowledges the difficulty of sorting out the motivations. Quote, "While it is possible that Russian-speaking ransomware operators may be seeking alliances outside of Russia - cooperative cybersecurity talks with the U.S. are currently underway - it remains unclear whether RAMP efforts to woo Chinese-speaking threat actors are in fact legitimate or simply a smokescreen. In late October 2021, the Groove ransomware gang called on other ransomware operators to jointly attack U.S. entities. Once this generated media attention, the operator of Groove's public blog claimed that it was a media hack. It's certainly possible that RAMP's overture to Chinese-speaking threat actors is part of a similar strategy," end quote.

Dave Bittner: And finally, not content with goofing on the FBI and other grown-ups like security researcher Vinny Troia, hacker Pompompurin is offering the low-grade content of the Robinhood stock-trading platform for sale, SecurityWeek reports. The big, five-million figure quoted is for the most part simply user emails - about 310 had more data stolen - but even theirs fell short of fullz, including as they did name, date of birth and zip code. It's not clear whether Pompompurin has the goods - inconclusive, SecurityWeek's sources say - nor is it clear how valuable those goods would be in any case.

Dave Bittner: The use of fuzzing by security researchers and software developers is growing as teams find innovative ways to apply the technique. I checked in with Matt Keeley, security analyst at Bishop Fox, to get a better understanding of what exactly fuzzing is and how best to use it. 

Matt Keeley: In essence, fuzzing is a technique that was originally developed by security researchers but now is starting to get more into the hands on the software development side. But what it allows you to do is to perform black-box analysis on a given program. And some of these programs can be things like binaries, network protocols, web applications, any of that jazz. 

Dave Bittner: And so where does the fuzz in fuzzing come from? 

Matt Keeley: So the fuzz in fuzzing is more of the input that you are sending to the program. So what the fuzzer will do is it will take and generate a lot of arbitrary inputs and then sort of throw things at the wall or at the program until something sticks. So the goal of fuzzing is to try to make the program act in a way that the program normally wouldn't act in. And it does that by fuzzing. The fuzz is the arbitrary inputs that it's sending to the fuzzer, and then the fuzzer will send it to the programmer, to the application.

Dave Bittner: So while it's doing its thing in an automated way, it's logging the results. And then if something interesting happens, that gets reported back. 

Matt Keeley: There's two types of fuzzers. There's dumb fuzzers, and there's smart fuzzers. And so the dumb fuzzers don't necessarily know what the output of the program is. So if it sends something to the program, it doesn't necessarily know if the program has crashed or not, which is why it's called a dumb fuzzer. But a smart fuzzer, essentially, it can record the data that's sent, and it can record the output that - or it essentially records events that happen on the server side of things as well. And then it uses that data to create new test cases. 

Dave Bittner: You know, just as an aside, I think I'm going to start using that as an insult and a compliment. You know, that guy is one dumb fuzzer. 

Matt Keeley: (Laughter). 

Dave Bittner: Oh, boy. That's - what - that is a - that guy is - boy, talk about a smart fuzzer. Wow. 

Matt Keeley: Yeah. 


Dave Bittner: So where do we find ourselves today in terms of the state of the art and how people are applying this in the security realm? 

Matt Keeley: So in the security realm, where I see it the most is it's more being developed now into the development pipeline. So DevOps is using this to sort of do a fuzz as you commit to the GitHub repos. So every time you commit to your GitHub repo, the fuzzer that's developed with the harness - essentially, what the harness does is it gives you a little more flexibility and allows you to specify exactly what you want to fuzz. But it's being integrated there, so every time you commit code to your database, they're running the fuzzers in that aspect. 

Matt Keeley: Something pretty recent and new that's come out as well is the DOE is actually doing fuzzing but for simulations - DOE as in Department of Energy. So they're fuzzing their critical infrastructure to see, essentially, if we give you a scenario - so a power line goes down. A squirrel eats a cable. There's an earthquake in California. Given that scenario, they fuzz their critical infrastructure with the scenarios in mind. And then, using a simulated process, essentially, they see how that reacts after the fuzzer has sent the input in. 

Dave Bittner: Are there any potential pitfalls here, any shortcomings when it comes to implementing these sorts of things? 

Matt Keeley: It's not a - you know, it doesn't always find everything, and that's sort of the state of security in itself. It tends to throw things at the wall, but one of the big downfalls with fuzzing is the code coverage that it can get. So it doesn't necessarily get full code coverage of the application, meaning you can't sometimes hit some of the really intricate functions inside of a program just because of the way that the fuzzer is set up. That's kind of where harnesses come in, though. So harnesses take away that problem in some aspect, but it does require human intervention. 

Dave Bittner: I see. So the - does the harness sort of allow you to specifically target what you want the fuzzing to be turned loose on? 

Matt Keeley: Yeah, absolutely. It sort of bridges the gap between how the fuzzer expects that input to occur and how it actually occurs. 

Dave Bittner: So in your experience, the people who are successful at implementing this - are there any common threads there, things that the successful people are doing? 

Matt Keeley: Not particularly. I think the biggest success is people actually implementing fuzzing into their pipelines, whereas running the fuzzer, you know, once in a blue moon or once a year type deal doesn't work as well as you think it would. But if you're continuously running it on every commit, on every push, you tend to find a lot better results in that aspect. 

Dave Bittner: That's Matt Keeley from Bishop Fox. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyberdefense lead at Accenture Security. Josh, always great to have you back on the show. You know, I really wanted to touch base with you today about the Conti ransomware group. And recently they had a little - well, they had a little leak, didn't they? 

Josh Ray: Yeah, they did, Dave. And thanks for having me back on the show. This is a really interesting topic that I think will help the listenership better understand ransomware operations. As many of the folks know, you know, Conti has been around since about June of 2020. And in this particular instance, you know, our CTI analysts, you know, observed that a member of the group - just to show kind of the displeasure, essentially, of how the Conti administrators reward their affiliates - again, an alleged member leaked manuals and procedures that the ransomware gang shares with the new joiners of their group. Yeah. I know. It's kind of neat because this leak actually offered some rare insight into the current methodologies that the group employs, and our team did a complete breakdown of this playbook and really solidified a lot of our thoughts around the complexity of the criminal ecosystem. But now defenders can use this playbook to really support detection and tracking of future ransomware operations.

Dave Bittner: So what were some of the things that the leak revealed? 

Josh Ray: Yeah. Now, keep in mind that this is a criminal organization. 

Dave Bittner: Right. No honor among thieves. 

Josh Ray: Yeah. But it's interesting to draw some parallels between normal security practitioners, right? So the leak really helped shed light on not only the operations and the organized structure that a new process, a new hire essentially goes through in demonstrating their skill and capabilities. And one of the fascinating things to me was that much like, you know, white-hat security professionals, the Conti playbook highlights that, really, there's this huge importance on continuous learning and sharing, especially around, like, cybersecurity certification material of their members, which I thought was, you know, fascinating. Like, I mean, it's - continuous learning is important for the good guys and the bad guys, right? And this - and the playbook really also confirms how operators of really any technical skill set shift from this notion of malware authoring to really quickly into the acquisition of more aggressive and impactful capabilities that are really focused on compromising the internal and external network infrastructure, really with the ultimate objective to quickly exfiltrate data. 

Dave Bittner: Yeah. It's fascinating to me how we seem to see a continued professionalization of this and even, you know, specialization - that different folks are taking on different parts of these tasks. 

Josh Ray: Yeah. It's exactly true. And I think that just speaks, you know, to the profession at large, right? And as you have folks that are transitioning out of, you know, intelligence community and defense organizations that, you know, might be drawn into criminal gangs, you know, we're probably going to continue to see this. But maybe one of the biggest takeaways, you know, for me was first that this is really making tracking and attribution a lot more difficult for folks that are - especially folks that are focused on cybercrime research because there's just a tremendous amount of partnership and collaboration now and, as you mentioned, specialization across these groups. And it's almost like tracking different business entities rather than, you know, threat groups. But I will say a really positive thing - and this is one thing I want to make sure that kind of we foot stomp here - is that, you know, you can adapt this playbook to really kind of your hunt operations - right? - to really specifically look for pre-ransomware TTPs and get a notion of the types of attacks and tactics that are revealed in this playbook because they're absolutely almost identical to other notable big-game ransomware hunting operations that we've seen. 

Dave Bittner: Yeah. No, it's a fascinating look inside the organization. Josh Ray, thanks so much for joining us. 

Josh Ray: Thanks, Dave. Really appreciate it. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.