The CyberWire Daily Podcast 8.1.22
Ep 1631 | 8.1.22

KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp.


Dave Bittner: KillNet threatens a hack-and-leak operation against the maker of HIMARS. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp. Rick Howard previews season 10 of the "CSO Perspectives" podcast. Our guest is Nate Kharrl of SpecTrust on deploying fraud detection at the gateway. And a heartfelt farewell to a woman whose inspiration lives on.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 1, 2022.

KillNet threatens hack-and-leak operation against Lockheed Martin.

Dave Bittner: The HIMARS rocket artillery system the U.S. has provided Ukraine apparently has aroused some concern in the Russian command. There have been reports of apparent provocations in which Russia has blamed some of its own strikes on wayward Ukrainian HIMARS rockets. At the very least, Russian refusal to allow International Red Cross inspectors into a prison camp that Russia claims was hit by a HIMARS suggests a guilty mind, one with something to conceal. There have also been claims, so far unsubstantiated, that Russia had developed a cyberweapon that's capable of disrupting HIMARS in some unspecified fashion, perhaps through interference with its fire direction system. 

Dave Bittner: One action in cyberspace is aimed, if it actually comes off, at Lockheed Martin, the U.S. defense and aerospace giant that produces HIMARS. KillNet, a nominally hacktivist threat actor aligned with and in all likelihood controlled by the Russian government, says it's going to strike a blow against Lockheed Martin on humanitarian grounds, needless to say. The Kremlin media mouthpiece Sputnik tells the story from the side of the KillNet. The Kremlin outlet quotes KillMilk, the group's leader, stating, "starting today, defense industry corporation Lockheed Martin will be a target of my cyberattacks. I am against weapons. I am against merchants of death." Newsweek quotes another statement by the group. 

Dave Bittner: As KillNet puts it, "the notorious HIMARS multiple launch rocket systems supplied to Ukraine by the aforementioned military industrial corporation allow the criminal authorities of the Kiev regime to kill civilians, destroy the infrastructure and social facilities of the still temporarily occupied Ukraine." KillNet has been talking their campaign up for some time. On July 22, the group said, we are using a new type of attack. We have no equal in this area. This is a new technology that we are using for the first time against the world's largest arms manufacturer, Lockheed Martin. Sputnik says the operation will be a hack-and-leak campaign. And the KillNet has invited other groups to participate. So it's to be a crowd-sourced effort if KillNet is to be believed. 

Killnet's leader departs, probably to form a new group.

Dave Bittner: To stay with KillNet for just a moment, the group may be undergoing a reorganization or at least a change in leadership. SC Magazine reports that the threat actor's founder and leader, known by his hacker name KillMilk, has said he intends to leave KillNet to form a new group. He'll be succeeded by someone with the unlikely hacker name BlackSide. BlackSide is said to be the administrator of a criminal special access forum hosted on Tor. He's supposed to be a specialist in ransomware, phishing and theft from European cryptocurrency exchanges. KillMilk's departure is said to be connected to his group's threatened campaign against Lockheed Martin. But observers are skeptical that KillMilk, even assuming he's a natural person and not an office somewhere in the Russian organs, is motivated by any selfless desire to spare his colleagues the wrath of law enforcement. KillMilk does say he's actively recruiting members for his new group, so we shall see. 

Investment fraud campaign in Europe.

Dave Bittner: A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds but personal information, as well. Researchers at Group-IB describe the campaign as one that proceeds through several distinct stages. It begins with ads placed on social media or with pages displayed in compromised Facebook or YouTube accounts. The come-on invites prospects to learn more about an investment opportunity, enticing them with bogus celebrity endorsements and - always a warning sign - promises of guaranteed returns. Should the prospect click through to learn more, they find that for an initial investment of roughly 255 U.S. dollars, they'll receive a personal investment counselor who will guide them through the process. And they'll also receive a dashboard they can use to track their investment's progress, which itself feeds them inducements to invest more. 

Dave Bittner: Group-IB writes, the main goal of these fake investment schemes is to convince the victims to repeatedly transfer funds to the fake investment portal. The victims are usually promised huge returns on their investments and are shown how-I-got-rich stories featuring celebrities. 

Dave Bittner: The campaign's success depends on volume. The mix of online social engineering and live phone scamming is a distinctive mark of an otherwise conventional con job. 

Microsoft associates Raspberry Robin with EvilCorp.

Dave Bittner: At the end of last week, Microsoft updated its research. Originally published on May 9 of this year on Raspberry Robin. Microsoft researchers also observed that FakeUpdates malware was being delivered through existing Raspberry Robin infestations. On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections. The Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center also looked at the payloads the group delivered and saw a significant pattern. And it points to EvilCorp. The researchers say, these payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as EvilCorp. The custom Cobalt Strike loaders are similar to those seen in publicly documented Blister malware's inner payloads. In DEV-0243's initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw. 

Dave Bittner: The group seems to have used LockBit 2.0 as misdirection, buying the ransomware-as-a-service tool to conceal EvilCorp's presence. The researchers state, around November 2021, DEV-0243, that is EvilCorp, started to deploy the LockBit 2.0 ransomware-as-a-service payload in their intrusions. The use of a ransomware-as-a-service payload by the EvilCorp activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status. 

Dave Bittner: BleepingComputer explains why sanctions drive the misdirection, stating, after being sanctioned by the US government in 2019, ransomware negotiation firms refused to facilitate ransom payments for organizations hit by EvilCorp ransomware attacks to avoid facing legal action or fines from the U.S. Treasury Department. Using other groups' malware also allows EvilCorp to distance themselves from known tooling to allow their victims to pay ransoms without facing risks associated with violating OFAC regulations. 

An arrest in a stalkerware case.

Dave Bittner: The Australian Federal Police announced late last week that they'd charged a Brisbane man, Jacob Wayne John Keen, 24 years young, with creating the Imminent Monitor remote access Trojan and selling it to those who wished to use its camera hacking and key logging functionality as stalkerware. Mr. Keen allegedly sold Imminent Monitor for $35 a pop in an underworld market. His secret, like the secret of the hoods currently running the investment scam in Europe, was volume. The Australian Federal Police say he sold it to more than 14,500 people, pulling in somewhere between 300 and $400,000. Many of his clients are thought to have been domestic abusers. Mr. Keen got his start early. The police say he started offering the code at the tender age of 15. We'd say, boy, boy, you'll break your mother's heart, except alas, in this case, the Australian Federal Police think mom was in on it with him, which is just kind of sad. 

Rest in peace, Nichele Nichols.

Dave Bittner: And finally, we note in sadness that another star has fallen from the firmament of the original "Star Trek" series. Nichelle Nichols, who played the Enterprise communications officer Lieutenant Uhura, passed away Saturday at the age of 89. Well-Remembered by all who visited the Starship Bridge via television, Ms. Nichols will be missed, as all who've gone where no one has gone before, are. So hail and farewell, Nichelle Nichols. And if we may address you by your creation's name, Lieutenant Uhura, greet Bones, Scotty and Spock for us. Rest in peace. 

Dave Bittner: Lately, security and fraud prevention teams have been seeing value in deploying tools at the gateway, out at the edge of an organization's online infrastructure. IT folks have had access to these capabilities for a while now, but it's newer for fraud prevention teams. And that reality brings with it a number of interesting challenges. Nate Kharrl is co-founder and CEO of fraud prevention security firm SpecTrust. 

Nate Kharrl: And generally, when you think about how people look for fraud in an application, these are things that have built over coming out of a finance concern. So it's in the back office. They're looking at a stack of login requests or account sign ups or payments and then looking for bad activity. What that means is that for the people who are looking for bad actors who are on their platform, they only get the data that is given to them by the experience teams. It's usually not a lot in their ability to drive feedback in. It's pretty terrible, as opposed to in the security world, where you are out of the gateway so you can think about your web application firewalls, you know, and your DDoS protection. That's out there at the edge, collecting 100% of the information, keeping what's relevant, you know, and then obviously dropping the rest. Fraud teams never have access to that, meaning that they don't have all the information they need to make those decisions, and they don't have a great information sharing bridge to go between themselves and security teams because there's a lot of really great potential for collaboration. So when we talk about deploying at the gateway, we're really talking about deploying fraud detection and prevention the same way that security solutions are deployed today. 

Dave Bittner: And why don't the fraud teams have access to that type of information that security teams have grown accustomed to? 

Nate Kharrl: They're generally not technical, right? For a growing business, their first fraud manager might be somebody inside of customer service. So for them, getting access to this type of technology, they often don't know to ask for it. And even in larger enterprises, their fraud team may be a finance concern. It may be a legal concern. It may roll up to the business unit. It's a rarity that we find a fraud team that rolls up to the CISO. And as a result, the type of solutions, the sophistication of the solutions has been - you know, lag behind how security solutions typically rule the market. 

Dave Bittner: So what does this look like? From a practical point of view, somebody looking to deploy something like this, how does it work? 

Nate Kharrl: So the way that these type of solutions work is they will deploy out similarly to the way a CDN might or a web application firewall. The main difference is they're going to be looking at Layer 7 traffic and stitching that together into a stateful representation of what a single digital identity did on the property over a longer period of time. So instead of looking at packets or instead of, you know, looking at a - you know, maybe a single request at Layer 7, it's about stitching that together from end to end and being able to trigger workflows and automations off of that. 

Nate Kharrl: Why that's big for security teams is, like, now their fraud teams have a way to really kind of build that bridge between, hey, you know, the security team may be specifically watching, you know, post requests to an application, looking for bots or, you know, credential stuffing attacks. But now the fraud team can see the on-platform behavior, look for things that have happened where they're trying to abuse the platform, you know, abuse the application, and then feed that back into the security team as an upstream. Today, fraud teams largely don't consider their security teams in upstream when they just clearly are. 

Dave Bittner: Yeah. It strikes me that there's really an opportunity here for a lot of potential collaboration. 

Nate Kharrl: It's crazy. Like, there is so much that goes into where a security team might be making decisions, you know, thousands, hundreds of thousands decisions a day on who to allow access to - like, these critical piece of these consumer-facing applications. And none of that trickles downstream as the people on the fraud teams are trying to build risk assessments for digital identities. And none of what actually happens, like, the actual loss, you know, streams upstream, which I think security teams that, you know, that we've talked to love that because oftentimes it's hard to justify ROI for security investments. But, you know, your fraud teams, it's so close to the money, it makes it really, really easy for you to, like, really understand the impact of your investments and be able to communicate that to get the buy-in you need inside of your organization. 

Dave Bittner: Now, if you're intermingling the fraud component and the security component, are there any concerns there in terms of privacy? 

Nate Kharrl: From a fraud and security component, no. Most of the carve outs that you'll see in things like GDPR or CCPA for the purposes of cybersecurity apply to fraud exactly the same way, so - in terms of being able to move that across. Most fraud solutions will actually work with pseudo-anonymized digital identities. So you won't necessarily be looking at customer PII. You'll be looking at a tokenized version of that. 

Dave Bittner: Is there a cultural component here as well of, you know, establishing trust between these two established teams? 

Nate Kharrl: What we have seen is it really comes down to the leadership on the security end of the house. The security end of the house, typically, they can decide if account security is inside their remit or not. And some of them say no. Some of them are like, hey, if we're shipping good code and if we have addressed major vulnerabilities and, you know, the application doesn't allow unsecure access, you know, then we've done our job. If people abuse that, then that's fraud's concern. Where we have seen CISO step in and just show a lot of leadership around, like, no, we're going to keep the entire customer experience secure, you know, become the yes people of, yes, you can work with safe payment instruments; like, yes, you can allow, you know, one-click checkout; yes, you can move into these these new areas - that has really unlocked a bunch. Fraud teams typically aren't going to fight more engagement from CISOs because what they lack is engineering support. They lack technical support, which security teams typically have consistently more than fraud teams do. And then it really just becomes like a one-plus-one-equals-three type of situation. 

Dave Bittner: That's Nate Kharrl of SpecTrust. 

Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So if you are on the show today, that means one thing. It means we've started another season of "CSO Perspectives." I have to say, I can hardly wait to see what you have in store for us. 

Rick Howard: Yeah. You can't get away from me, Dave. We come back like a bad rash. OK? That's me. 

Dave Bittner: There you go. 


Rick Howard: So season 10 starts today, and we have an entire rack of cool and interesting things to talk about from the fintech ecosystem, privilege escalation, crisis planning and a whole thing on risk forecasting. So I'm really looking forward to that. But today, we're talking to the folks over at MITRE Ingenuity about two new and free tools - and, you know, I love free - that they released this year, in 2022, designed to make working with the MITRE ATT&CK framework easier. 

Dave Bittner: Well, I have to admit, I'm glad you're talking about this, Rick, because, you know, sometimes when I tune into your segments, I find myself saying, yes, Rick, we all know how great the MITRE ATT&CK framework is. But you know what? I mean, if you look into it, you're absolutely right. There is great information in there. But also, I think - I mean, is it fair to say that it's not for the casual user, that it can be hard to use? 

Rick Howard: I think that's absolutely true. And by the way, Dave, I get that same reaction from my family, so you're not the only one. 


Rick Howard: So these new tools from MITRE Ingenuity were tailor-made for people like you who are kind of casual users. Right? One is called MITRE's Powered Suit. It's a Chrome browser extension that when you're reading the cyber news items of the day, like from the CyberWire or from some latest, you know, report from a security vendor, you can easily look up the tactics, techniques and procedures associated with it without having to go back and forth and doing deep dives from the MITRE wiki. So it kind of streamlines that entire operation. 

Dave Bittner: Nice. 

Rick Howard: And I use it every day now. It's really good, so I highly recommend it. The other is called MITRE Attack Flow. And this is a really interesting idea. It's a visualization tool that allows you to map the latest attack sequence, say, from Panda Bear, you know, in a visually pleasing way. And then you can also layer in the detection and prevention controls your organization has in place to counter those attacks. So I'm looking forward to playing with that a little bit more. 

Dave Bittner: Well, that is over on the Pro side of the CyberWire house, over on the subscription side. On the publicly available side, you've also been releasing some of the older "CSOP" episodes - classic episodes - for folks who are not already subscribed. 

Rick Howard: (Laughter) The deep tracks. 

Dave Bittner: That's right. That's right. They're not reruns. They're classics. 

Rick Howard: No, no, they're classics. 

Dave Bittner: If you haven't heard it, it's new to you. So these episodes are from last year. What can people look forward to there? 

Rick Howard: So that podcast is called "CSO Perspectives Public," and you can search for it wherever you get your podcasts. And it's free with ads. And this archived episode is all about how to orchestrate the security stack on your various data islands. So like we said before, if you're trying to stop Panda Bear from running around your networks, how do you make sure that your anti-Panda Bear security controls are consistent in your data center, in your cloud deployments and your SaaS services and on your mobile devices? So we'll give that a run and see what we come up with. 

Dave Bittner: All right, sounds like good stuff. Before I let you go, the other podcast you work on is called "Word Notes," and these are little five-minute deep dives into some of the words that pop up in the news. What is this week's word? 

Rick Howard: In this week's show, we're talking about pseudo ransomware. I didn't even know it was a thing until we put the show together, right? So we'll give you a little definition, a little history and a little nerd reference from the 2008 movie "The Dark Knight." So it doesn't get any better than that. 

Dave Bittner: (Laughter) OK. Firing on all cylinders. Rick Howard - he is the host of "CSO Perspectives" that vis part of CyberWire Pro. You can check that out on our website, Rick, thanks for joining us. 

Rick Howard: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bitner. Thanks for listening. We'll see you back here tomorrow.