Notes from the hybrid war: nuisance-level DDoS, cyberespionage, and the possibility of financially motivated hacking. US policy on the software supply chain, and notes from the underworld.
Dave Bittner: Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war. There's a U.S. presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims. OriginLogger may be the new Agent Tesla. The SparklingGoblin APT has been described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And royal funeral phishbait.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 15, 2022.
Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war.
Dave Bittner: Killnet, the nominally hacktivist outfit that works for Russian intelligence services, counted coup against Japan recently, another country Moscow views as unfriendly. The group claimed last week to be responsible for distributed denial-of-service attacks against some Japanese government websites, Asia News Network reports. The attacks had only minor effects on their targets.
Dave Bittner: This morning, researchers with Cisco's Talos Group reported that Gamaredon - that is, Primitive Bear - has continued its efforts to compromise Ukrainian institutions in a long-running cyberespionage campaign. The technique is phishing, and the phishbait is news about the war. Talos says, we discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript scripts as part of the infection chain. The info stealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.
Dave Bittner: As sanctions continue to bite, there's a real possibility that Russian cyber operators will turn to industrial espionage, the Record says, as they attempt to regain access to technology now denied them. In this, they would appear to be following the North Korean model, where making money for the state has long been a central goal of offensive cyber operations.
US Presidential memorandum on software supply chain security.
Dave Bittner: Yesterday, the White House issued guidance for federal agencies' use of software security practices. The memorandum instructs agencies to obtain self-attestation from software providers that their products are in line with NIST's security guidelines. It's advisory and not strongly prescriptive, and some industry observers think it's a further step in presenting best practices.
Webworm repurposes older RATs.
Dave Bittner: The Symantec Threat Hunter Team has released a report detailing the activities of a group they're calling Webworm. Webworm uses three older remote access Trojans (RATs) - Trochilus, Gh0st RAT and 9002 RAT. Webworm is probably connected with the group identified as Space Pirates, perhaps even being the same group. The group has been active since 2017 and has been seen targeting government agencies, as well as enterprises in industries such as IT services, aerospace and electric power, specifically targeting Russia, Georgia, Mongolia and other Asian countries. Symantec researchers identified an indicator of compromise from observing an operation targeting an IT provider that serves multiple Asian countries. Prior research had determined that the threat actor uses custom loaders hidden behind decoy documents and modified backdoors that have been around for quite some time, which Symantec says is in line with what they've been seeing.
Dave Bittner: The Trochilus RAT is implemented in C++ and has been observed in use by hackers since 2015, with the source code available on GitHub. Symantec says that the capabilities of the Trojan include remote uninstall, a file manager, and the ability to download, upload and execute files, among other things. The 9002 RAT has been around since at least 2009, with state-sponsored threat actors often being users of the malware. The Trojan is used for data exfiltration and has been seen in use by multiple threat actors. The Gh0st RAT's source code has been around since 2008 and has seen continued use by advanced persistent threat groups. Fill out your scorecards at home.
Trends in cyber insurance claims.
Dave Bittner: Security and insurance firm Coalition has released a mid-year update to its 2022 Cyber Claims Report and details what claims for cyber losses show with respect to the evolution of cyber trends. Small businesses were found to have become more attractive targets, with the average claim cost for a small business rising to $139,000 in the first half of 2022. This represents a 58% increase over claims for the first half of 2021. The number of ransomware attacks decreased, however, and the dollar amount demanded by ransomware threat actors has also decreased from $1.37 million in the second half of 2021 to $896,000 in the first half of 2022. Chris Hendricks, Coalition's head of incident response, said, organizations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means. As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed and only continues to grow. Phishing attacks have accounted for just over half of reported claims, Coalition says. And they have been found to be the most common trigger for cybersecurity incidents.
OriginLogger: the new Agent Tesla.
Dave Bittner: Palo Alto Networks' Unit 42 has released a report detailing OriginLogger. On March 4, 2019, the well-known keylogger Agent Tesla shut down, but not without first recommending in its Discord server another keylogger known as OriginLogger, saying, if you want to see a powerful software like Agent Tesla, we would like to suggest OriginLogger. OriginLogger is an AT-based software and has all the features. OriginLogger is a variant of Agent Tesla, sometimes tagged as Agent Tesla version 3, which means that tools meant to detect Agent Tesla should also detect OriginLogger.
Dave Bittner: Jeff White, writer of the report and a researcher at Unit 42, says the functionality of the malware is fairly standard and mirrors other Agent Tesla variants. White said, just as the threat actors' advertisements state, the malware uses tried-and-true methods and includes the ability to keylog, steal credentials, take screenshots, download additional payloads, upload your data in a myriad of ways and attempt to avoid detection. Commercial keyloggers have historically catered to less advanced attackers, but as illustrated in the initial lure document analyzed here, this does not make attackers any less capable of using multiple hooks and services to obfuscate and make analysis more complicated. Commercial keyloggers should be treated with equal amounts of caution as would be used with any malware.
SparklingGoblin APT described.
Dave Bittner: Researchers at ESET warn that the Chinese APT SparklingGoblin is using a new Linux variant of its SideWalk malware. ESET states, this variant was deployed against a Hong Kong university in February 2021, the same university that had already been targeted by SparklingGoblin during the student protests in May 2020. We originally named this backdoor StageClient but now refer to it simply as SideWalk Linux. We also discovered that a previously known Linux backdoor, the Specter RAT, first documented by 360 Netlab, is also actually a SideWalk Linux variant, having multiple commonalities with the samples we identified.
Dave Bittner: The researchers add that the Linux variant of the malware isn't as evasive as its Windows counterparts, stating, the Windows variant of SideWalk goes to great lengths to conceal the objectives of its code. It trimmed out all data and code that was unnecessary for its execution and encrypted the rest. On the other hand, the Linux variants contain symbols and leave some unique authentication keys and other artifacts unencrypted, which makes the detection and analysis significantly easier. The name SparklingGoblin sounds pretty festive, but still, it's bad mojo.
Royal funeral phishbait.
Dave Bittner: As is usually the case with any high-profile event that touches many people, the funeral of Queen Elizabeth II has been exploited by criminals who are using it for phishbait. In a tweeted series of posts, Proofpoint describes a credential phishing campaign in which messages that misrepresent themselves as coming from Microsoft invite recipients to visit an artificial technology hub established in Her Majesty's honor. The URL redirects to a credential-harvesting site. The threat actors are using the EvilProxy phishing kit.
Hearings continue on Capitol Hill.
Dave Bittner: Not to be outdone by the Senate Judiciary Committee, having heard from Mudge, the Senate Homeland Security Committee has heard from a range of present and former executives at Twitter, Facebook, TikTok and other social media platforms. We're watching to see how things develop. But in the meantime, did we say yesterday by mistake that Senator Klobuchar was from Michigan? We think we may have, and we blame the editors. An alert listener from the Land of Ten Thousand Lakes, the North Star state of Minnesota, pointed out that we'd slipped. And of course, that's right. Senator Klobuchar represents the sovereign state of Minnesota. And our apologies to her and the entire Gopher State. We blame, as I said, editorial carelessness. Our political desk is fine with states whose names begin with M-A, like Maine and Maryland, but they get hazy when they leave the Eastern Seaboard for the M-I states, like Michigan, Minnesota, Missouri, Mississippi. Too many Garden Staters on that desk. Forget about it.
Dave Bittner: Coming up after the break, Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. Stick around.
Dave Bittner: The hospitality industry seems to have a target on its back lately, with news stories of hotel chains and resorts falling victim to a variety of cyberattacks and data breaches. Mathieu Gorge is founder and CEO of VigiTrust, an integrated risk management SaaS provider. I reached out to him for insights on the particular challenges organizations in the hospitality sector face.
Mathieu Gorge: Hotel chains obviously have employees, so they've got employee data. They've got trade secrets and so on. They've got banking information for their suppliers. They've got lists of suppliers. From a consumer perspective, when you go into a hotel, you can expect to provide some sort of ID - so PII - a credit card, so credit card holder data. And let's say that you're going to use the spa or you're going to use any type of a service. You may even provide some protected health information. So part of the major challenge for the hospitality industry is that some of the services within a hotel may actually be subcontracted to someone else. For instance, the spa could be operated by a third party. Some of the restaurants might be operated by a third party. The gym might be operated by a third party and so on. But from a user perspective, what you want to be able to do is you want to be given one card or one app that allows you to roam about within the property and use all of the different services. And so therein lies the challenge from a data perspective. All of those systems need to be interconnected, and so they are interdependent and become each other's weak points in terms of security. So you need to secure the overall chain and the overall ecosystem and chain of custody.
Mathieu Gorge: The second challenge for the hospitality industry is that most large hotel chains operate on a mixed model, where they have properties that they own and manage, properties that they don't own but manage, and also properties that might be franchised out. And then the third challenge is that there are some franchise operators that will operate brand A, brand B and brand C in order to have a mix of properties within a certain region, so they end up having to deal with lots of different systems dealing with the data. But at the end of the day, they are responsible for the overall data.
Dave Bittner: You know, I know you and your colleagues there at VigiTrust do a good amount of work within the hospitality sector. What are the differences that you see between the hotel chains that are successful here and - but then, at the other end of the spectrum, we have some chains - even big ones, well-known ones - and we keep seeing their names pop up over and over again as having been breached?
Mathieu Gorge: The - one of the characteristics of the property market within the hospitality industry is that there's a lot of buying and selling. So you might have a chain that one day will belong to Hilton, one day will belong to Accor, and then will move to Marriott, for instance. So they keep buying stuff from each other, depending on their regional strategies and other criteria that they may have. The problem comes within the integration of what they buy and what they sell into the overall security strategy because their systems, particularly the domain system - the PMS might be different. The payment terminals might be different. And the overall security strategy might be different from one brand to the other.
Mathieu Gorge: So what you want to do is you want a strategy that protects the data at global level, at regional hub level and then within each property. And so the most successful chains are extremely careful when they sell a chain of hotels or a group of hotels because what we do is we make sure that no residual data can come back to hit them afterwards. And they're even more careful when they integrate new properties with new systems. And those integrations, you have to remember, could take months, maybe a couple of years. And it's - there's been issues in the industry where a large chain bought a big group of hotels from another one, and there was a breach within that timeframe. And that can happen, you know?
Mathieu Gorge: I think that the solution or the best practice for chains of hotels, or for franchisers that have multiple properties across one brand or several brands, is to really start by mapping the ecosystem and looking at the low-hanging fruit. The low-hanging fruit in the hotel industry, in my humble opinion, is that you can use PCI DSS as the minimum standard of security you need to have in your properties. And that gives you your very minimum benchmark. And none of it is unachievable. It's all within the realms of reality for any company. And so the other quick one is security awareness training. Security awareness training is mandated by GDPR, by CCPA, by PCI, indeed, for anybody that has access to sensitive data. And then, based on that, you can create a very effective program that allows you to essentially fight against social engineering attacks, phishing attacks and all of those low-level attacks that, unfortunately, end up being the root cause of most of those breaches within the retail and hospitality industry.
Dave Bittner: That's Mathieu Gorge from VigiTrust.
Dave Bittner: And I am pleased to welcome back to the show Dinah Davis. She is the VP of R&D operations at Arctic Wolf, and she is also the founder of Code Like a Girl. Dinah, great to have you back. You saw some interesting phishing attacks - mention of such - that seem to be targeting PayPal here. Unpack what's going on here for us.
Dinah Davis: Yeah, this one was so interesting to me. It's a - I found it on a Twitter thread, and it's about a phishing email with PayPal. And the user is @0xdf. I tried to figure out what that meant. Like, I tried to do some like, you know, figuring out with hackers and stuff.
Dave Bittner: Right, leet speak and all that stuff, yeah (laughter)?
Dinah Davis: Yeah. And I didn't - I don't know.
Dave Bittner: (Laughter) OK.
Dinah Davis: But the person runs a blog called "The Hackbox." They're quite prolific on GitHub. They have a whole profile there. So they seem to be, like, potentially a legit researcher. In any case, this is interesting, and it looks like it could really happen. So they got an email that appeared to be from PayPal. And I have PayPal. I - they've got screenshots in this Twitter thread. It all looks pretty legit to me. It's from the PayPal domain. The email claimed to be an invoice update, and they're asking the user to pay $1,000, U.S., to the billing department of PayPal. So specifically, it says, invoice updated. Billing department of PayPal updated your invoice. Amount due $1,000. View and pay invoice. So, wow, OK. And then there's, like, a note from the billing department there where you can call. And there's urgency to this because it says you need to log into PayPal within 24 hours to avoid getting charged. So you have to, like, click the link or the number and do it right away. And so, you know, the interesting part is when you click the link, you're taken to a legit PayPal site. So that doesn't even compute. It's like, what? How did this happen? Like, what is going on here?
Dave Bittner: Right.
Dinah Davis: Well, what's going on is another PayPal user is asking them to pay $1,000. And they happen to manage to get the username Billing Department of PayPal. Right?
Dave Bittner: OK. Yeah, I'm just...
Dinah Davis: Right?
Dave Bittner: You're hearing me react to this in real time, in both horror and admiration for the cleverness, but (laughter).
Dinah Davis: That's what I'm saying. Like, this is pretty clever.
Dave Bittner: Yeah.
Dinah Davis: And so, you know, yeah. So you actually do get paid - sorry - you actually do get taken to a legit PayPal site. And, you know, at the top, on the right-hand side is the pay $1,000. Now, if you scroll down a bit, it has an itemized list of what the items are. And the item is a Walmart e-gift card. And that should be where your flag goes - what?
Dave Bittner: Right, right (laughter).
Dinah Davis: Like, this - why am I paying somebody $1,000? Like, why am I paying the PayPal billing department for a $1,000 Walmart e-gift card, right? So - OK. There is a tell here. There is a tell, right? The other thing is, you know, they were able to get that. Now, my guess is that that particular user has been shut down now. And...
Dave Bittner: Yeah.
Dinah Davis: Hopefully, maybe PayPal goes and looks at the usernames people are picking, and that's going to be a bit better. But what's the lesson here, right? So don't pay for anything on PayPal unless you know it's a legit transaction. Anybody can send you an invoice. It doesn't even need to be, like, this fake kind of user. Anybody can send you an invoice on PayPal. They just need your email address, right?
Dave Bittner: Right.
Dinah Davis: So always double-check what it's coming in for. Like, even yesterday before I read this, I had one that was like, Apple is charging you $16. I'm like, for what? I don't remember paying anything. And, you know, I had to go through my old emails, find the receipt. Oh, I paid for Duolingo in Spanish for my daughter. OK, so fine. Good. And then I could know that that was all right and that the transaction was fine. But you got to do that research, right? Don't click on links in emails ever. Don't call the phone numbers you get in the emails ever. And when I went to go and check about my Apple receipt, I went to my Apple account, and I went to my PayPal directly. I didn't click any of the links in any of the emails. I went and logged in myself and double-checked that things were there. Another interesting thing - so to do that, maybe you would have typed in - you know, you see this come in. You're like, oh, I want to go to my PayPal page. And you type in PayPal in Google. Maybe you don't remember the whole URL. And it pulls up the responses. Do not click on the first Google searches that are ads, ever, for anything because there's a lot of phishing that is happening just on those searches with the Google ads. So somebody can create a fake PayPal site. And maybe the L is actually a one. And they can pay for ads that pop it up to the top of the search results. And when you click on it, it looks like you're going there. It feels like you searched it and did the right thing.
Dave Bittner: Right.
Dinah Davis: But you've now logged in some place wrong. So I never, ever, ever click the ads for anything. I always go down below the ads, scroll past them, and then hit the first real link that is there.
Dave Bittner: Yeah.
Dinah Davis: So that's another little tidbit around this.
Dave Bittner: Yeah. Do you suppose the folks who are behind this particular phishing attack, that they're just looking for the inattentiveness of, you know, an accounting department or something like that?
Dinah Davis: A hundred percent, that's totally true. And these are really easy to create in PayPal 'cause you just create an invoice. Like, you need a business account to be able to pull this off. And I don't know what the hoops are that you have to go through to get a business account. Maybe those need to be checked by PayPal a little bit more closely. But yeah, it's just creating an invoice and being able to do something like this.
Dave Bittner: All right. Well, fascinating. Absolutely. Dinah Davis, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.