The CyberWire Daily Podcast 9.8.22
Ep 1658 | 9.8.22

Bronze President shows both enduring interests and adaptability. Iranian threat actor activity reported. Cybersecurity and small-to-medium businesses.

Dave Bittner: BRONZE PRESIDENT shows both enduring interests and adaptability. Iranian threat actor activity's been reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on scanning for voice over IP servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 8, 2022. 

Bronze President shows both enduring interests and adaptability.

Dave Bittner: Secureworks Counter Threat Unit researchers have discovered a PlugX malware campaign targeting government officials' computers in Europe, the Middle East and South America. The malware is embedded in RAR archive files that require the user to click a Windows shortcut file. The decoy documents are political in nature, suggesting that the targets are all government officials. This campaign can probably be attributed to the BRONZE PRESIDENT threat group that is likely to be operated by the Chinese government. BRONZE PRESIDENT has shown an enduring interest in such Chinese neighbors as Vietnam and Myanmar, but it's also been responsive to developing crises and emergent requirements, as seen in the interest it's taken in Ukraine as Russia's invasion has developed. The researchers state, BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies. 

Iranian threat actor activity reported.

Dave Bittner: Two reports, one from Mandiant, the other from Microsoft, outline Iranian cyber operations. Mandiant's report describes activity by APT42, stating, we estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization based on targeting patterns that align with the organization's operational mandates and priorities. APT42 engages in credential harvesting with a view toward establishing surveillance over its targets, principally through installation of Android mobile malware. The initial access is often achieved through closely targeted and protracted spearphishing efforts. APT42 also engages in the development of its own malware. It's not entirely dependent upon commodity tools available in the C2C market. 

Dave Bittner: Mandiant summarized the group's targeting as follows, stating, the targeting patterns for APT42 operations are similar to other Iranian cyber-espionage actors, with a large segment of its activity focused on the Middle East region. However, unlike other suspected IRGC-affiliated cyber-espionage groups that have focused on targeting the defense industrial base or conducting large-scale collection of personally identifiable information, APT42 primarily targets organizations and individuals deemed opponents or enemies of the regime, specifically gaining access to their personal accounts and mobile devices. The group has consistently targeted Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials and the Iranian diaspora abroad. 

Dave Bittner: There are some connections to, or at least overlap with, the Iranian Phosphorus subunit Microsoft describes in its own report. DEV-0270, or Nemesis Kitten, is interesting for the ways in which its activities don't obviously align with any Iranian strategic interests. This leads Microsoft to speculate, with low confidence, that Nemesis Kitten is moonlighting, deploying ransomware in what amounts to either privateering or, perhaps more likely, an APT side hustle. Microsoft concludes, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. These reports come after Albania's decision earlier this week to sever diplomatic relations with Iran over Iran's disruptive attacks against Albanian government infrastructure. Iran has denied any involvement in offensive cyber operations against Albania or anyone else and protested that it's the real victim here. 

Cybersecurity and small-to-medium businesses.

Dave Bittner: Security firm Vade today released its 2022 SMB Cybersecurity Landscape Report, a survey of 500 IT decision-makers. It found that 79% of those surveyed have agreed that cyberattacks on their organizations have increased, with 87% agreeing that email threats to cybersecurity should be taken more seriously. Ninety-one percent of respondents said that they are using an MSP for security, with 92% of organizations outsourcing some of their IT operations to an MSP. Ninety-four percent of those surveyed have high levels of confidence in their organization's ability to defend against cyberattacks, with 51% saying they are completely confident. But 68% agree that their security posture could be more advanced. 

Initial access broker repurposes Conti's old playbook for use against Ukraine.

Dave Bittner: Google's Threat Analysis Group has discerned a pattern in Russia's war against Ukraine, stating, as the war in Ukraine continues, TAG is tracking an increased number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers. Specifically, it's one threat actor, and its activities overlap with the group that CERT-UA tracks as UAC-0098. Google says, based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine. So the pattern is a familiar one - Russia using criminal groups for cyber combat. In conclusion, Google TAG writes, UAC-0098 activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests. TAG also gives due credit to other researchers. Its results are consistent with a report IBM published in July and with earlier observations CERT-UA offered in April. 

Conti remnants attract DDoS attacks.

Dave Bittner: Other Conti remnants have attracted counter-fire, perhaps from hacktivists or criminal rivals or security services. Servers the gang had used to distribute Cobalt Strike payloads have been subjected to DDoS attacks that displayed anti-war, anti-Russian messages, including, be a Russian patriot, 15,000-plus dead Russian soldiers, stop Putin and stop the war. BleepingComputer reports that the operators behind the DDoS campaign are unknown, stating, it's unclear who is behind these messages. It could be anyone from a security researcher to law enforcement agencies to a cybercriminal with a grudge for siding with Russia. But it looks like they are keeping the threat actor busy. 

Kyivstar as a case study in telco resiliency.

Dave Bittner: Kyivstar, the Ukrainian telecommunications provider that serves some 26 million customers, has come under both cyber and kinetic attack and has had to cope with both hijacking and shelling, Politico reports. As much as 30% of the company's infrastructure has been damaged, yet capacity has actually increased during the war. Kyivstar credits, in part, disruption of Russian offensive operations by groups like the IT army of Ukraine. Kyivstar CEO Alexander Komarov told the press, part of our success is because we are forcing Russians to defense, explaining that the IT army is creating this hassle on the Russian side, and it's making them more weak because of this. 

Dave Bittner: Coming up after the break, Johannes Ullrich from SANS on scanning for voice over IP servers, and our guest Ian Smith from Chronosphere explains observability. Stick with us. 

Dave Bittner: There is growing interest in cybersecurity and the notion of observability, being able to keep tabs on what your systems are doing, being aware when things go wrong and finding problems in order to fix them. Sounds easy enough, but given the explosive growth of cloud-based infrastructure over the past few years, observability can be a daunting task. For a better understanding of what exactly observability is, I reached out to Ian Smith, field CTO at Chronosphere. 

Ian Smith: Generally collecting a lot of information about the way your applications are performing and also the underlying infrastructure - so it's particularly relevant for companies who are building and operating their own software to serve their customers, whether they be commercial customers or general consumers. And so the ability to collect that information, interpret it, visualize it, and also learn on it so that you can, for example, react to, let's say, an incident where you have a bad performance issue affecting a lot of your customers, or maybe you're looking at things from a longer-term perspective, or if you need to understand capacity planning so you can plan out, say, your infrastructural rollouts as your business continues to grow. 

Dave Bittner: Can you give us some use case examples here? I mean, how do folks actually go about implementing this? 

Ian Smith: Sure. Yeah, so a real - a common approach is to have various sets of data. So commonly, people might be familiar with metrics - so numbers about performance. How much CPU am I using? How much memory is being used? How fast is my application responding? You also have logs - you know, the individual things that might be happening inside those applications, things happening at the network level. And then also, traces are starting to become a lot more prevalent as well, particularly in distributed environments where you may be moving from, say, service-orientated architecture into something more akin to cloud native, where you have a lot of microservices that are all backing one user experience. So for example, you logging in, you need to understand, what are all the dependencies, what are all the databases, what are all the different services that might lead to that simple interaction of you logging into your internet banking? And you can imagine, for someone like an internet bank, if there was a performance problem where, say, a large portion of their customers were having difficulties logging in or were experiencing slow performance, you want to be able to use the observability data and the tooling that you have with that data to understand why and how to resolve it, perhaps, you know, what caused it in the first place. Was it a bad deployment? Was it an issue with, maybe, my underlying provider, like an AWS or GCP? And then also when you apply a fix, being confident that you actually resolve the issue as well. 

Dave Bittner: Yeah, that's interesting. So I mean, I can imagine that, you know, if you have a customer who's having performance issues, you know, you coming to them and saying, you know, we've detected there's an issue here and we're working on it, you know, rather than waiting for them to come to you, I mean, that's a good thing in the relationship. 

Ian Smith: Correct. And then obviously, it sort of feeds into the overall reliability and, you know, whether you're beating expectations of the customer. So if you are a - particularly a SaaS vendor in today's world, you're providing your software as a service, whether it be to individual consumers or to businesses themselves, you need to be reliable. Everyone thinks about SLAs. Everyone thinks about uptime. And so being able to provide that reliability and convincingly back that up and be proactive can really be very business impacting. 

Dave Bittner: And how does an observability platform, you know, get its hooks into the system that it's integrated with? 

Ian Smith: Yeah, that's a great question. So in the past, this would have been, you know, very much a manual effort. I mentioned before, you know, logging - if you think about the developer just writing code and manually just logging out particular things and thinking about those individually as they go along - just like with the advancements in, say, middleware, where you have libraries and packages, those libraries and packages will have come with, you know, additional pieces of what we call instrumentation, so the generation of new data. For example, if you're using a database package, as you generate a new database query, maybe it's automatically logged. Maybe it automatically counts the number of queries that you're making and makes that data available. And of course, it depends on what you're using and so forth. But the industry in general has been moving towards adoption of open standards where there's sort of a consistency about the instrumentation of the data as much as possible, and you're less reliant on, perhaps, the observability solution to have a very strong opinion on generating that data itself. 

Ian Smith: So if we maybe use an example, APM solutions, which are a form of observability solution that, you know, became very popular in, say, the, you know, the mid-2000s, they generated all of the data for you. They basically said, hey, take this little application, put it next to your application, and it will figure out what to collect for you, and we'll present that data to you in a way that we believe is the best. In today's world, what we're really seeing is, just like a lot of open-source adoption, there are open-source standards for this data collection where you can say, OK, well, I'm going to use something like OpenTelemetry, and it's going to be very consistent. It's going to generate the data, and then I, as an engineering organization, can pick and choose where to send that data based off which solution gives me the best - most value out of that data. And I'm also owning that instrumentation. If I make changes to it, if I enhance it, I'm not doing this for one particular solution. I'm doing it for any solution I may choose to put that data into. And so there's a greater sense of ownership and a greater flexibility for engineering organizations today as compared to what has traditionally happened in monitoring observability. 

Dave Bittner: That's Ian Smith from Chronosphere. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, always great to welcome you back. 

Johannes Ullrich: Thanks for having me again, Dave. 

Dave Bittner: So we are talking today about voice over IP servers. What's the latest here? What have you been looking into? 

Johannes Ullrich: Well, I've actually ignored it for a long time. I used to run - sort of run my voice over IP phones here in the office. But lately, everybody has unlimited free calls in their cellphones so, you know, why bother, basically. But what I kind of noticed is sort of - particularly when I looked at our DShield, the Internet Storm Center data - these persistent scans for voice over IP, basically, UDP port 5060, the SIP protocol that's often being scanned for. So I figured, hey, I mean, let's have some fun and set up a voice over IP server just to see what'll happen, and... 

Dave Bittner: (Laughter) You couldn't help yourself, could you? 

Johannes Ullrich: I couldn't help myself, no. 

Dave Bittner: OK. 

Johannes Ullrich: You know, those poor kids scanning... 

Dave Bittner: (Laughter). 

Johannes Ullrich: I can't - I have to give them something back for all of their effort. 

Dave Bittner: Sure, sure. 

Johannes Ullrich: So basically just, you know, what's going to happen there? And it was really amazing. I set up a voice over IP server. I didn't really configure it, so you couldn't really do anything with it. It didn't have, like, an uplink connectivity, so you couldn't really make phone calls with it. But immediately, the number of scans kind of exploded that I had, sort of from, like - and it looked like a little bit of larger network here, but from, like, you know, 50 or so an hour, it went all the way up to 500, 5,000 scans an hour that hit that server. And what was sort of interesting, there were two types of attacks. Some just tried to make phone calls. And that sort of showed us a little bit why people are still scanning for it. For example, the number two number that they tried to call was with the Palestinian territories. And that's, of course, an area of the world where a lot of Western, in particular, phone companies don't necessarily have sort of relationships. So if you have, like, a free international plan, that may be excluded. So cost really still matters in those areas. So that was one number. And then, of course, now, if it's Palestinians, the next number up was Chicago. That's, I guess, the Palestine of U.S. or... 

Dave Bittner: Right. 

Johannes Ullrich: That's, then, scammers, most likely because these are the other people that really matter. They don't really care about the cost, necessarily, but they are caring about the - getting kicked off different voice over IP services because then people complain about scammers, and then a voice over IP service that hosts a lot of scammers is getting a bad reputation with phone companies, not just getting problems getting service at a reasonable price. So by just using compromised voice over IP servers, they get some anonymity, first of all. And then, of course, if they get kicked off one, well, apparently there are plenty others out there that they can use. So those are kind of the two big motivations here. And just to put in perspective, like, I mentioned how the number of scams went up. I also looked... 

Dave Bittner: Right. 

Johannes Ullrich: ...At password brute-forcing. They're not trying to use your voice over IP server. They're trying to basically register their extension with your voice over IP server. And typically, they need a username and password. There were about 20 million attempts during the two days where I ran these experiments, so... 

Dave Bittner: Wow. 

Johannes Ullrich: It's a huge amount of attacks there. Of course, once they register their extension, then they're also able to impersonate your organization because now, you know, as far as caller ID is concerned, they're using your phone number to originate a call from. And that, of course, you know, makes them appear as coming from your organization, which can be used, then, also for more sophisticated attacks, like social engineering. If you get a call now from your network security department, caller ID checks out on your internal voice over IP system - well, you may actually give them your password. 

Dave Bittner: Right, right. What do you make of how the scans exploded that way? I mean, does that - in my mind, that indicates that somebody was sharing this somewhere, like, hey, hey, everybody, we got a hot one, or - is there anything to that line of thinking or not? 

Johannes Ullrich: That's possible. But I really more think is that once I started sending responses back, now these particular hackers just kept sending follow-up requests. And since it's... 

Dave Bittner: I see. 

Johannes Ullrich: ...All UDP, it's very fast, so you don't really need a lot of system, a big botnet in order to send 20 million attempts. 

Dave Bittner: I see. OK. So what are your recommendations here for folks who are running their own voice over IP server? What kind of stuff should they make sure they're doing? 

Johannes Ullrich: Well, definitely make sure it's secure, you know, that password brute-forcing. Monitor if new extensions are being registered. They typically use sort of, what I would consider default extensions, like 100. And 101, I think, was another very common one that they used. So they may more be looking for unused or sort of idle voice over IP servers, which is another big problem. You know, we often have this device being set up. And hey, they sound like a great idea for a while. And then you realize, hey, it's not really worth the trouble to maintain it. So you forget about it, but you never really turn it off. 

Dave Bittner: Yeah. 

Johannes Ullrich: That's a common problem in security - this sort of inventory that these ghost devices you have sort of haunt your network for years after they have no longer been used. 

Dave Bittner: All right. Well, it's interesting stuff. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.