The CyberWire Daily Podcast 5.4.22
Ep 1571 | 5.4.22

More malware deployed in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks.


Tre Hester: An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK's hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on communications for your business during this period of shields up. Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And hey, officer, honest, it was just a Squirtle.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Wednesday, May 4, 2022. 

An upswing in malware deployed against targets in Eastern Europe.

Tre Hester: There's been an upswing in malware deployed against targets in Eastern Europe. The surge is connected with Russia's war against Ukraine. Google's Threat Analysis Group has been tracking the increased activity, much of it traceable to Russia, and especially to Fancy Bear, Russia's GRU military intelligence service, but some of it involving the more-or-less Russia-aligned Belarusian and Chinese services. Some of Google's key conclusions are, quote, "APT28, or Fancy Bear, a threat actor attributed to Russia's GRU, was observed targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside a password-protected zip file, is a .NET executable that, when executed, steals cookies and saved passwords from Chrome, Edge and Firefox browsers."

Tre Hester: "Turla, a group TAG attributes to Russia FSB, continues to run campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker-controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker-controlled domain." 

Tre Hester: "COLDRIVER, a Russian-based threat actor, sometimes referred to as Callisto, continues to use Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts. The targets include government and defense officials, politicians, NGOs, think tanks and journalists. The group's tactics, techniques and procedures for these campaigns have shifted slightly from including phishing links directly in the email to also linking to PDFs and/or docs hosted by Google Drive and Microsoft OneDrive. Within these files is a link to an attacker-controlled phishing domain." 

Tre Hester: "Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting of Gmail accounts via credential phishing. The campaign, targeting high-risk individuals in Ukraine, contained links leading to compromised websites, where the first stage phishing page was hosted. If the user clicked continue, they would be redirected to an attacker-controlled site that collected the user's credentials."

Tre Hester: Finally, there's Curious George, who's curious about both sides of the conflict and is prospecting Russian targets as much as any other. Curious George, a group TAG attributed to China's PLA SSF, has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long-running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors, manufacturers and a Russian logistics company. The initial approach of all of these groups has tended to be through email phishing. 

Cozy Bear is typosquatting. 

Tre Hester: Recorded Future describes a cyberespionage campaign operated by NOBELIUM, that is, Cozy Bear, Russia's SVR foreign intelligence service. The researchers call the command and control infrastructure the SVR is using SOLARDEFLECTION, and they summarize four key conclusions about the state and prospects of the campaign. 

Tre Hester: Insikt Group is confident that the identified SOLARDEFLECTION infrastructure can be attributed to the threat activity group publicly reported as NOBELIUM. This confidence is based on the use of overlapping network infrastructure previously attributed to NOBELIUM in public reporting, as well as unique variations of Cobalt Strike traditionally used by the group. Broader themes in SOLARDEFLECTION C2 typosquats have included the misuse of brands across multiple industry verticals, particularly in the news and media industries. Cobalt Strike servers related to SOLARDEFLECTION monitoring that were also previously linked to NOBELIUM activity used modified server configurations, likely an attempt to remain undetected from researchers actively scanning for standard Cobalt Strike server features. Finally, NOBELIUM has made extensive use of typosquat domain and SSL certificates and will likely continue to use deceptive techniques, including typosquat redirection when using Cobalt Strike tooling. The SVR's mission is the collection of strategic intelligence. It's believed, CyberScoop points out, to have been the agency behind much of last year's SolarWinds exploitation. Typosquatting involves the creation of a domain name that closely resembles one owned and operated by a legitimate organization. 

CuckooBees swarm around intellectual property.

Tre Hester: Cybereason today described CuckooBees, which it characterizes as a massive Chinese cyber espionage effort directed at stealing U.S. firms' intellectual property. Cybereason attributes the activity with medium to high confidence to China's Winnti threat group.

Tracking the DPRK’s hackers.

Tre Hester: Researchers at Trellix reported yesterday that North Korea's army has made another foray into the ransomware market. It's no news that the DPRK has long engaged in financially motivated cybercrime. But Trellix has tied four strains of ransomware - BEAF, PXJ, ZZZZ and CHiCHi - to Pyongyang's Unit 180, also known as APT38 and the Lazarus Group. The New Yorker boggles at the group's incredible rise, but Unit 180 has been known for some time. Trellix speculates that the East Asian target set being prospected in these recent campaigns, and the campaign's relatively small and selective scale, suggests that Unit 180 is seeking to determine whether there's a good chance of profit from a resurgent ransomware effort. 

Quiet persistence in corporate networks.

Tre Hester: Mandiant is tracking a cyber espionage group it tracks as UNC3524 that has taken an interest in corporate email accounts associated with companies engaged in large financial transactions, especially those related to mergers and acquisitions. UNC3524 is noteworthy for its ability to achieve undetected persistence in targeted networks, an ability Mandiant attributes to the novel backdoor QuietExit, which has enabled the threat actor to establish itself for as long as 18 months before being detected. While the researchers find overlaps in technique between the threat actor and both Cozy Bear and Fancy Bear, they so far lack sufficient evidence for definitive attribution.

CISA issues an ICS advisory.

Tre Hester: The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, yesterday issued an industrial control advisory for Yokogawa CENTUM and ProSafe-RS.

Pokémon, in the service of…crime?

Tre Hester: And finally, back in 2017, two LAPD police officers failed to respond to a radio call alerting them to a robbery in progress at a California Macy's in the Crenshaw Mall. They later said they never heard the call because there was loud music blasting over the PA system in the Crenshaw Park. But a review of their digital in-car video system told a different story. According to Graham Cluley of Smashing Security, quote, "the truth was they had deliberately ignored the call for assistance. They weren't interested in catching robbers. They were hunting for Snorlax and Togetics," end quote. That is, they were chasing Pokemon. The officers in their defense in the subsequent investigation say they were only talking about the game, not actually playing it. But the Los Angeles Police Department didn't buy that. Let the one who's never tamed a Charmander cast the first ultra ball.

Dave Bittner: A substantial amount of research is focused on the realm of quantum computers, systems which take advantage of quantum effects to crunch math problems too difficult for modern conventional computers. NIST is in the midst of evaluating candidates for post-quantum cryptography, trying to strike a reasonable balance between security and interoperability with existing networks. It's what those in the industry refer to as a big deal, and it's not easy. I checked in with Duncan Jones, head of cybersecurity at Cambridge Quantum, for a bit of a reality check. 

Duncan Jones: It's a huge task, to be honest, and it worries me a little how much work lies ahead, because we have to tear out, you know, the guts of almost every cybersecurity system and then change to something that is a bit different. You know, it has different properties, behaves slightly differently, different sizes of keys and things. It's not a completely trivial replacement. And what we've discovered in the past when people have tried to do far simpler migrations - so, for example, you know, we've seen cryptographic hash functions fall out of favor over recent years. And despite, you know, five or 10 years of awareness that something like MD5 is broken, we still see it in use. And that's because people - it takes a lot of effort to make these changes. And usually for a company, the first challenge is to establish even what they are using today and where they're using it. 

Duncan Jones: So I think the next, you know - the most important task companies will be needing to focus on in the next few years is just understanding their estate. You know, where are they actually using cryptography? What type of cryptography are they using? What data is being protected? - because companies are going to have to prioritize the way that they perform this transition. You can't do everything at once. And so you're going to have to evaluate where are you most at risk and focus your efforts there. And on top of that, speaking to vendors - and that's really important because many companies will have some combination of the things they build themselves and the things they buy in. And those conversations with the vendors need to be starting now - or they should have already started - to really grill them and say, well, what is your strategy for moving your product from where it is today to something that is quantum safe?

Dave Bittner: Is there a target date that people should focus for? Is there a realistic timeline on this? 

Duncan Jones: So there's two ways to look at that, I think. There is no one agreed date that everybody says, yes, that is the point where we're going to be at risk. And estimates vary widely. I think most people are now starting to settle on 10 or 15 years as a pretty reasonable timeframe. Now, one thing, though, that people need to consider is that's maybe the point in time where somebody is going to be sat there with a quantum computer ready to break the data that you're sending around. But something that really concerns some companies is the idea that the data that they are sending today is potentially being recorded patiently by attackers who know this is a long game. But they know that in 10 or 15 years, they can break into the stuff that they recorded today. And so for some companies, that's quite concerning, because they know they're sharing data that will still be sensitive and valuable in 10 years. And this is something that is known as a hack now, decrypt later attack. And for that reason, people need to be doing these threat assessments and deciding where are they exposed to that type of risk? - because in those scenarios, they need to move really fast because they may already be too late. 

Dave Bittner: You know, in a world where cryptography is fairly routine these days - you know, we encrypt the contents of our mobile devices, our hard drives, our - you know, it is routine. We have hardware built into our devices to handle these sorts of things. Is it at all an issue that post-quantum cryptography could be computationally expensive? Is - have we outstripped that issue? Do we have the computational power that that's not going to really cost us anything? 

Duncan Jones: I think for the most part, yes. I think these algorithms are being selected with the understanding that we're going to have to be able to execute them on the equipment that we have. Some specialist equipment is built to speed up these algorithms. And obviously, everything that's in the field right now has been geared towards speeding up RSA, for example. That has particular mathematical operations that you have to do, and people have figured out how to do that blazingly fast. So they will - at a hardware level, there will need to potentially be some changes. We'll have to accelerate different types of mathematical problems. On the whole, people have gone into this with their eyes open. They know that it's not going to be a successful selection process if we end up with algorithms that we just can't use in our day-to-day lives. 

Dave Bittner: Are you optimistic that people are giving this the attention it deserves? 

Duncan Jones: I'm a little nervous. I think people are underestimating both the hack now, decrypt later part of that. I think that's being underestimated or being perceived as kind of science fiction and not a thing that will actually happen, whereas I think we will genuinely see examples of that happening. And I think they are underestimating or being optimistic about how long it's going to take to perform this migration. So I guess I'm - lightly pessimistic is where I'd place myself at the moment.

Dave Bittner: That's Duncan Jones from Cambridge Quantum. 

Dave Bittner: And I'm pleased to be joined once again by CyberWire contributor Caleb Barlow. Caleb, always great to welcome you back to the show. You know, we are in this period of what CISA is calling shields up, a heightened sense of awareness in security when it comes to cybersecurity things. And I wanted to touch base with you about what this means in terms of strategies for organizations to sustain themselves should the worst happen. 

Caleb Barlow: Well, one of the things we have seen, largely not in the U.S., but certainly, you know, the NotPetya, WannaCry, even, you know, the Shamoon attacks that went across oil-producing Gulf states is when a destructive attack occurs, sometimes even in the case of ransomware, one of the impacts that businesses often see is a loss of communications, right? So loss of email systems, loss of IT and networks, which also often means loss of phones because the phones are usually voice over IP now. So, you know, this can be a rather material secondary impact that a lot of organizations aren't prepared for. And I think as we think about what it means to be shields up, one of the conversations is to think about, what are our emergency communications? And how do we get in contact with key employees or key locations, both to give direction, but also to get ground truth of what's really going on?

Dave Bittner: You know, I'm old enough to remember growing up with things like Little League baseball. And we had phone trees, you know, where if there was a question as to whether the game was going to be canceled because of weather or something like that, you know, you had a phone tree. And this person would call this person or call this person, and it just kind of worked. What's the modern equivalent of that? Is there such a thing? 

Caleb Barlow: Well, I think we've moved beyond phone trees, although I definitely do remember those, even though I don't want to date myself. 

Dave Bittner: Right. 

Caleb Barlow: You know, but think of it this way, right? A great example of this was when NotPetya hit Maersk - and this is public - their executives were communicating via WhatsApp because it's the only thing that worked. Imagine that. A company that size, and you're now reduced to WhatsApp. So first thing, you need a method of communications that's not on your IT and not on your network. I personally think Slack is a great backup for this. But here's the other point. Make sure that whatever you're using for single sign on, which probably is dependent on your IT infrastructure, is not what you need to log into that emergency communication system. 

Caleb Barlow: You want to have an alternative directory that's not on your company's infrastructure. No, you cannot get to SharePoint and your Active Directory when it's all down. So that can be as simple depending on the size of a company of having a spreadsheet that you print out and put in your underwear drawer with everybody's cell phone number. Right? Or it could be something more complex where, you know, you've got a secondary site that has maybe a copy of your Active Directory in another form so you can get to it if you need to. A lot of companies are using emergency communication systems, you know, similar to what you might have at a school for an active shooter or snow day, where you can reach out to anybody, home, office, cell, it all rings at the same time to say, hey, you know, there's been a cyber incident at work. We need you to get on this, you know, emergency Zoom call. Here's the number. 

Caleb Barlow: You want to make sure you remember those passcodes. Like, I can't tell you how many I - you know, I used to love doing this in kind of like cyber range scenarios where, you know, I'd read their pre-plans. And there would always be, oh, well in event of an emergency, we'll get on the emergency Zoom meeting. Great. What's the password to that? I have no idea. Like, all right. Well, your plan suddenly doesn't work, right? Because you've got no way to give everybody the new number to dial in to. The other thing, Dave, is there's something from the Department of Homeland Security called the Government Emergency Telecommunications Service. You can sign up for this if you are a critical infrastructure provider. You can also sign up for it through InfraGard. This will allow you to bypass the phone system, you know, particularly the cellular network, in order to get access in a 9/11-level incident where, you know, everybody's trying to call everybody. 

Dave Bittner: Right. You get priority access to set-aside frequencies, right? 

Caleb Barlow: Correct. It's - well, or at least access to the network. It's basically a little credit card you carry with you. It doesn't cost anything unless you use it. Now, the advanced class on this, which I've used before, you know, if you have critical sites that you need ground truth on, satellite phones are super cheap now. I mean, you know, you can buy a satellite phone with a ridiculously high rate per minute. You don't care if you actually use it. Put a satellite phone at a couple of your locations, and you know that's going to work on even when everything else is down.

Caleb Barlow: And the last thing I'll give you is the most extreme example I've ever seen, which was, you know, the geeky side of me thinks it's pretty awesome. But there was this large bank I was working with that moved, you know, gazillions of dollars every day. And their concern was in the event of a major catastrophe, they needed ground truth. Now, that could be everything from a weather event to an explosion to a cyber event. They put a vehicle about 16 - at an employee's house about 16 minutes away from their major sites. And the deal was, if we can't get to the site, you're to get in the car and drive there and tell us what's going on. And that car had, you know, satellite communications, runbooks. Now, this was a little expensive, but if you're moving gazillions of dollars a day, you need immediate ground truth to know, do I need to start making decisions? And it kind of gives you the extreme of where you can take this.

Dave Bittner: Yeah. As a friend of mine puts it who was in the insurance business, he said, imagine a Wile E. Coyote smoking hole in the ground. You know, you got to know if that's what you're up against or not, right?

Caleb Barlow: Well, and the point from this bank was, look, if there is a Wile E. Coyote hole in the ground, we know what to do. You know, we know how to start moving operations to different locations, but we don't want to start that process if it's, oh, somebody hit a telephone pole outside of the business and the power will be back up and running in 20 minutes. Those are two very different decisions. But if you don't have ground truth, you don't know what to do. And for them, spending, I don't know, 50 grand on a Ford Explorer to get the information was a drop in the bucket relative to the cost of making the wrong decision.

Dave Bittner: Right. Right. You hope you never need it, but if you're in that situation, boy, that's the last point in time when you want to be trying to make those decisions - right? - in the heat of the moment. 

Caleb Barlow: Well, and my point here is, if you can't communicate, you can't put it together. I mean, that's the most basic thing here is you can put a lot together just, you know, kind of rolling with it if you can communicate. If you can't communicate, you're just, you know, you're fish in a barrel. 

Dave Bittner: Right. Right. All right. Well, certainly food for thought. Caleb Barlow, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.