The CyberWire Daily Podcast 9.22.22
Ep 1668 | 9.22.22

GRU operators masquerade as Ukrainian telecommunications providers. 2K Games Support compromised to spread malware. Developments in the cyber underworld.
Dave Bittner: GRU operators masquerade as Ukrainian telecommunications providers. Another video game maker is compromised to spread malware. Noberus may be a successor to DarkSide and BlackMatter ransomware. Robert M. Lee from Dragos explains Crown Jewel Analysis. Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events. And threat actors have their insider threats, too.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 22, 2022.

GRU operators masquerade as Ukrainian telecommunications providers.

Dave Bittner: Recorded Future's Insikt Group reports that the GRU has established new infrastructure for cyber-espionage against Ukrainian targets. The threat actor UAC-0113, which CERT-UA thinks is probably associated with the GRU's Sandworm operation, is using dynamic DNS domains as it masquerades as telecommunications providers. It uses HTML smuggling to distribute Colibri Loader and the Warzone remote access Trojan. The objectives of the campaign remain unclear, but Recorded Future thinks it's a Russian combat support effort. The tools deployed in the attacks aren't bespoke tools developed in-house by the intelligence services, but rather are commodity malware publicly available in the criminal-to-criminal market. 

Dave Bittner: Russian telecommunications outfits have indeed established services in territories occupied by the Russian army, but these are overt operations intended to replace Ukrainian providers with Russian ones. WIRED reports that as Russia's battlefield fortunes have experienced reversals, the telcos have retreated with the troops. The point of setting up Russian services to replace Ukrainian ones is at least twofold. It helps normalize the Russian occupation, acclimating the population to accepting it as an accomplished, permanent state of affairs. Equally importantly, it increases the Russian ability to control what Ukrainians say, show, see and hear. 

CISA warns of Iranian cyber activity.

Dave Bittner: CISA has issued a joint warning with the FBI outlining the conduct of the cyber campaign Iran waged earlier this month against Albanian government targets. The warning includes recommended protections and mitigations should the campaign spill over to targets outside Albania. 

2K Games Support compromised to spread malware.

Dave Bittner: A second Take-Two Interactive brand, 2K Games, has sustained a compromise. Spoofed support communications that misrepresented themselves as coming from 2K Games' support desk were found to be spreading the RedLine Stealer. Family-friendly 2K's edgier corporate sister Rockstar Games had seen an intrusion that compromised some games under development. 2K's compromise was in some respects more serious in that it represents a threat to users and not simply a disclosure of intellectual property. 

Dave Bittner: 2K Support tweeted a warning yesterday that explains what it's determined about the incident, saying, "Earlier today we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers. The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account." The communication goes on to recommend a range of best practices any affected users might follow to minimize the damage. 

Dave Bittner: The goal of the compromise was distribution of an infostealer. TechRadar reports, "The attackers would first open up a fake tech support ticket and soon after reply to it. In the reply message they'd share a file named 2K, inviting the players to run it on their endpoints." The file turned out to be RedLine Stealer, a known infostealer that's capable of grabbing passwords stored in the browser, stealing banking data as well as cryptocurrency wallets. Furthermore, RedLine can grab VPN credentials, web browser history and cookies. There's no firm attribution of this second attack on a Take-Two brand, but BleepingComputer speculates on the basis of victimology and the method of approach that this attack, too, is the work of the Lapsus$ Group. 

Noberus: a successor to DarkSide and BlackMatter ransomware. 

Dave Bittner: Noberus ransomware looks like it's the successor to DarkSide and BlackMatter ransomware, and they seem to have been developed by the same crew. The Symantec Threat Hunter Team this morning released a report detailing the Noberus ransomware, also known as BlackCat or ALPHV. It's believed that Noberus is a successor to the DarkSide and BlackMatter ransomware families, developed by a group tracked by Symantec as Coreid. Coreid provides ransomware-as-a-service, developing the ransomware for affiliates who then give Coreid a cut of the profits. 

Dave Bittner: Noberus was first seen in November of 2021, coded in Rust. This is the first observed professional ransomware strain used in attacks that was coded in the cross-platform language. Due to its cross-platform coding language, Coreid says that Noberus can be used on multiple different operating systems, including Windows, ESXi, Debian, ReadyNAS and Synology. Noberus appeared shortly after BlackMatter was retired, and Coreid said in the rules that the ransomware cannot be used to attack the Commonwealth of Independent States or neighboring countries, organizations in or related to the healthcare sector, charitable or non-profit organizations, and they added that affiliates are also advised to avoid attacking the education and government sectors. It's an interesting set of exclusions. If we were betting, we'd say the smart money was on the exclusion of Russia and its sphere of influence being the one that mattered. The others are the usual empty posturing as Robin Hoods one so often finds in gangland. 

Dave Bittner: Coreid also highlighted the features that make the ransomware stand out from the competition, stating that each advert is provided with an entrance through its own unique onion domain. The affiliate program architecturally excludes all possible connections with forums. Even if a full-fledged command line shell is obtained, the attacker will not be able to reveal the real IP address of the server and encrypted negotiation chats that can only be accessed by the intended victim. Updates to Noberus have been continuous since release, researchers report. 

Dave Bittner: An updated version of the Trojan.Exmatter data exfiltration tool was observed being used alongside Noberus in August 2022. Exmatter was designed to steal specific file types and route them to an attacker's server prior to the deployment of ransomware. Information-stealing malware, Infostealer.Eamfo, has also been observed being used alongside Noberus and is designed to steal credentials from backup software. 

Threat actors have their insider threats, too.

Dave Bittner: And finally, even threat actors have their insiders and, therefore, their insider threats. The builder for LockBit's new encryptor, version 3.0, or LockBit Black, released just this past June in the criminal-to-criminal market, has been leaked online, BleepingComputer reports. Researcher 3xp0rt tweeted early this morning that an unknown person, @ali_qushji, whose account has been temporarily restricted due to unusual activity, said his team has hacked the LockBit servers and found the possible builder of LockBit Black ransomware. LockBit says it was an insider leak and not an external attack. 

Dave Bittner: After 3xp0rt's tweet, vx-underground reported that someone using the hacker name protonleaks contacted them on September 10. Protonleaks, at that time, showed them a copy of the builder. It's unclear whether protonleaks and @ali_qushji are one person or two people, or whether, perhaps, their name is really legion. LockBit reached out to vx-underground to deny that they'd been hacked - that the leak was the work of a disgruntled developer unhappy with LockBit's leadership. 

Dave Bittner: The story is interesting in a number of ways, and especially in the way it reveals the way a criminal enterprise apes many of the functions that one finds in a legitimate business. LockBit Black had been tested for two months before its release, and it sported novel modes of extortion and anti-analysis capabilities. Its release was also accompanied by a bug bounty program. And the ransomware-as-a-service gang maintains a support representative, LockBitSupp, who serves as the public face of the outfit. It was LockBitSupp who contacted vx-underground to explain that LockBit had experienced an insider breach, not an external hack. What had upset the leaker - or leakers - enough to motivate the leak is unclear, but evidently LockBit has some unresolved HR issues. Too much PowerPoint in the breakroom, we'll bet. We feel for you. 

Dave Bittner: Coming up after the break, Robert M. Lee from Dragos explains Crown Jewel Analysis. Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events. Stay with us. It is National Insider Threat Awareness Month. And the CyberWire is proud to be a media partner for the upcoming Insider Risk Summit, September 27 through the 29th. I spoke with Code42 deputy CISO Nathan Hunstad about how security teams think about and approach investigations for insider risk events. 

Nathan Hunstad: Compared to times in the past, even as recently as a few years ago, the landscape is one of increased insider risk, and that's due to a few reasons. One of them is that a lot of people do things like the Great Resignation and so on, are changing jobs more frequently. And we find that when people leave a job to go to another job, they tend to take data with them because they believe it's going to be valuable to them in their new role. And obviously, that presents a risk to an organization, when you have sensitive data like that that's walking out the door, possibly even to a competitor. 

Nathan Hunstad: Another reason that the risk landscape is different these days is because people are working remotely. They're no longer all in the office - you know, where you could put a perimeter firewall around your network and call it good. They're all remote. They're working from home. Or they're working from - you know, like at the coffee shop. And because the people are distributed, it's just harder to keep tabs on what they're doing with data. 

Nathan Hunstad: Finally, data is much more likely to be widely distributed, similar to how people are distributed. Because companies are working - or moving to SaaS tools, like online collaboration tools, like Google and Microsoft Office 365, the data is also moving outside of the office and the file server that was on prem. And again, because the data is distributed, it's just a lot harder to keep tabs on where that's moving. So those are some of the reasons that the risk of data and the risk of insiders taking data is higher than ever before. 

Dave Bittner: You know, we mentioned that it's Insider Threat Awareness Month. And I know you and your colleagues at Code42 prefer to refer to it as insider risk. There's some nuance there. Can you explain the difference? 

Nathan Hunstad: So we like to talk about insider risk as opposed to insider threat because when you just think about the threat part of it, that assumes that the insider has already moved to, like, a malicious posture, where they're doing something wrong. And instead, we need to kind of shift left and think about the risk that all of the users in the organization may present before they kind of take that malicious step, or even if they do something that isn't necessarily malicious at all. They could be mishandling data in an attempt to get their job done. And they're not acting maliciously. They're just not handling the data in the way that they should be per, you know, like, your corporate sanctioned tools on your policies. So we think that if you just focus on the threats and the people that are already malicious and doing the bad things, you're missing that broader risk picture - because most of the time people who may have access to data, they never move to the threat phase. They don't become actively malicious. 

Dave Bittner: How much of this is setting expectations? - you know, that - making sure that people know, if you move on to another job, well, it's not really good for you to take your Rolodex with you. We're not OK with that. 

Nathan Hunstad: Yeah, absolutely. And one of the foundations of a good insider risk management program is education and setting those expectations with your users. If people aren't educated as to what - the right way to collaborate with trusted vendors, for example, or what data you're allowed to take with you when you leave versus the data you're not allowed to take with you when you leave, then users will substitute their own judgment for that. And, you know, let's be honest. Users don't always have the correct judgment when it comes to those questions. So you have to educate, educate, educate on a constant basis. And the best way to do that is not only doing it, like, when somebody is onboarded or through your annual or periodic security training, but in response to things that actually represent true risk. So if they do accidentally share something in a way they shouldn't have, if you can educate them immediately, then that message is going to last. 

Dave Bittner: What are your recommendations for organizations who want to do a better job of this for - you know, for taking inventory on the things that they're doing and the places where they can improve? 

Nathan Hunstad: Yeah. So one of the best recommendations I can give is to not directly treat this as you would another kind of, like, SecOps or blue team exercise because we think that dealing with risks like malware and ransomware and some of the things that blue teams and SOCs typically handle is not the way to go about it. An insider risk management program has to have the right kind of expertise and the right people doing those kinds of business-focused and empathetic investigations to really understand how the business works, how people are trying to get their job done and making sure that they are using the proper tools to get their job done and collaborate versus taking a kind of an adversarial approach where you're looking for reasons to tell users no. 

Dave Bittner: Yeah, that seems so critical to me. You mentioned empathy, and I think particularly in a technology realm, that can be a place where people come up short. But it really is important here. 

Nathan Hunstad: It absolutely is because, again, going back to the insider risk versus insider threat, most people don't become, you know, the malicious, you know, angry, disgruntled employee looking to harm the organization. They're simply trying to do their jobs. And they may not have the tools or just be aware of the tools to do it in the way that the security team wants them to do it. And so if you take that empathetic approach and you try to understand what the users are trying to accomplish and what their business objectives are, then you can guide them, again, educating as you go towards the right way of doing it and kind of shepherd them away from the risky behavior they may have been involved in before. 

Dave Bittner: That's Nathan Hunstad from Code42. The Insider Risk Summit is coming up September 27 through the 29th. You can find out more on their website. 

Dave Bittner: And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to welcome you back to the show. I want to touch today on something that I saw some of your colleagues were actually blogging about over on the Dragos website. This is this notion of a crown jewel analysis when it comes to your security assets. What exactly are we getting at here? 

Robert M Lee: Yeah. I mean, at the basic level, it's an understanding of what's most important to your business for the functions that you're most concerned with. So as an example, a lot of infrastructure sites have hundreds, if not thousands, of sites, right? A power company, as an example - they have 2,000 or 3,000 substations. A global manufacturer could have 500 manufacturing facilities. And then the question - even if you only get five, the question is always going to be what's actually most critical. And at a macro level, the critical sites really should be something that's done in cooperation with the executives. Look at the disaster recovery plan, business continuity. You know, consider revenue, regulatory requirements, health and safety, etc. And there should be kind of this top-to-bottom list of those infrastructure sites because you may have one global corporate IT network, but you've got hundreds of little OT networks. And you're going to want to know, especially in an incident, what's the most critical. 

Robert M Lee: But once you get from that macro level, that's really once you get inside the environment. Then you're kind of identifying what are the crown jewels in that environment. And it shouldn't just be some arbitrary thing, the same way that you shouldn't look at security controls as morally good or morally bad. It's like, look. Does this one actually help us with the scenario of risk that we care about? So there should be some definition of, what do we care about as a business? What are two or three or four scenarios that we've got to be able to deal with, like ransomware or, you know, or electric transmission outage from Ukraine-style attack that we've seen before if you're a power company? Like, what are those scenarios? And then on those scenarios, what actually is in scope? 

Robert M Lee: You know, if we're - if we look at the safety system-focused scenario from the 2017 Saudi Arabian case where an adversary tried to kill people targeting safety systems, well, the safety system, the engineering workstation and all the support systems around it are those crown jewels in that scenario. So going into a refinery and cleaning up the DMZ and being like, yeah, we secured the refinery, is disingenuous at best in terms of what you're actually trying to accomplish. But if you do the crown jewel process correctly, it can also really guide you so that you're not overspending. You're not trying to gold plate all of these sites, which you just don't have the resources for. It's, what are the important sites, and what's most important in those sites? Let's start there. You can always expand after that, but that level of focus and prioritization is something most companies struggle with. 

Dave Bittner: Is there a level of diplomacy that goes with this as well? - because I can imagine as you go around and, you know, pull people at your various locations, they're all going to say that what we're doing here is of the utmost importance. 

Robert M Lee: Are you asking me how the DHS got 17 critical infrastructure sectors? No. 

Dave Bittner: Go on. 
Robert M Lee: Everything is critical to everybody. 

Dave Bittner: Right. 

Robert M Lee: This gambling infrastructure is really critical. You know, you're 100% correct. And that's actually exactly the issue - is a lot of our government agencies and similar will set out, here's what we want to do. But then people cry to them, but we're also critical. And then it's hard to tell people no. And you're like, OK, you're critical, too. And you just get into this mess. So to answer your question more thoughtfully, there is. But it's also - it's kind of a tactic for the security team as well. I don't want to play games when you're on the security team, but it is a fundamental and fair tactic, in my opinion, of - based on the various programs that already exist - right? - your disaster recovery, business continuity, whatever. You rank-stack the 500 facilities or whatever you have. Put it in front of an executive group - not those sites - and say, hey, is this the right order? Let them have that debate. You can foster the conversation, but it's not a security discussion anymore. It's just about the sites. 

Robert M Lee: And then you look at the risk scenarios and go, is this what we think the risk scenarios are? And I go, yeah. And you go, OK, well then this is the security package. The executive committee - the board - doesn't have the expertise to govern that. So once you agree on the scenarios - once you agree on the list of the sites, then here's what the security team feels is the security package per site. And here's the budget you gave us. Therefore, we're going to get down the list this far. And so that the diplomacy that happens is usually the head of operations or somebody else going, whoa, whoa, whoa, whoa - you stopped at site 20 out of 300. What about the next 20? And you're like, well, we don't have the budget for that. So either we need to decide not to accept certain risk - or to accept certain risk scenarios below the 20 and have a less tailored package, or we should actually get more budget to do the things that you're asking us to do. 

Robert M Lee: So I normally see CSOs and CIOs and others, like, argue about how budgeting is hard, and they don't have the budget. But, actually, most executive groups don't understand what you're trying to accomplish now that you historically haven't been doing. And so they think, well, why would I need to increase it more than 5% or 10% annually? We're doing the same work. Yeah, but you never digitally connected up or digitized your plants before, and now you are. Now we've got to do all that OT security work. It needs a net new budget, not a 5% or 10% increase. And that process and that structure and that prioritization and that diplomacy, as you would call it - all of that is what's working really effectively for a lot of companies around the world. 

Dave Bittner: And it sounds like it's also in your best interest, as you go into this sort of process, to give everybody a heads-up that there's likely to be a few aha moments here. 

Robert M Lee: Oh, absolutely. And that's where, when I get in front of customers, I always tell them, like, don't just roll out everything everywhere. Don't do a peanut butter spread 'cause my most critical site should not be fully protected at the same time as my last critical site. Instead, let's start with the top 25% to 30% of your organization. Those are going to be crown jewels regardless. Like, those sites - guaranteed, your top 25% to 30% of your sites are pretty critical to the company. Let's look at those sites, design up the security package that makes sense. It's probably not all the stuff you're doing in IT. You know, you've covered mentions before. I've talked about the five critical controls for ICS security. Like, there's probably five they want to start with. They'll go put those five and the vendors and things you choose for it together at, let's say, six or, you know, some reasonable amount of that 25% or 30%, depending on how many sites you actually have. Let's say six to 10 to 15 sites, if you have that many - go roll it out in completion there. 

Robert M Lee: Learn to operationalize it, not just get through deployment like it's a Gantt chart, you know? Actually get going. And what you'll do is you'll end up finding a lot of aha moments not only on use cases that are valuable to justify for the other sites, but maybe this product doesn't work with this product as well as you thought it was, or this doesn't do the thing it was supposed to do. Like, learn those things before you try to have this giant rollout. And if you get it right at kind of your critical sites and you design out what right looks like and you show success, that's going to be your best argument as well to continue to go. 

Dave Bittner: All right, well, good insights. Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.