The CyberWire Daily Podcast 9.23.22
Ep 1669 | 9.23.22

Privateers seem to be evolving into front groups for the Russian organs. Unidentified threat actors engaging in cyberespionage. Catphishing from a South Carolina prison.
Dave Bittner: The GRU's closely coordinating with cybercriminals. An unidentified threat actor deploys malicious NPM packages. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so-far unattributed threat actor. Johannes Ullrich from the SANS Technology Institute on resilient DNS infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast "Main Engine Cut Off," about the iPhone 14 emergency SOS via satellite feature. And having too much time on your hands while doing time is not a good thing.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 23, 2022. 

The GRU's close coordination with cyber criminals. 

Dave Bittner: Russia has long tolerated cyber gangs, afforded them a territorial safe haven from which they could work with impunity as long as their operations worked generally to the detriment of Russia's international rivals. A report in this morning's Wall Street Journal, citing research by Google's recently acquired Mandiant unit, describes the unprecedented ways such sufferance and toleration have evolved into active coordination and direction. The relationship has apparently developed well beyond the familiar permissive privateering the gangs have been encouraged to undertake. 

Dave Bittner: Mandiant's report on this development, released this morning, focuses on the GRU, which is organizing the activities of nominally hacktivist groups and supplying them with GRU tools to attack Ukrainian networks. Mandiant says, we are tracking multiple self-proclaimed hacktivist groups working in support of Russian interests. These groups have primarily conducted distributed denial-of-service attacks and leaked stolen data from victim organizations. Although some of these actors are almost certainly operating independently of the Russian state, we have identified multiple so-called hacktivist groups whose moderators we suspect are either a front for or operating in coordination with the Russian state. Killnet, which has surfaced as the moving group behind DDoS attacks against European states deemed by Russia to be too cozy with Ukraine, is among the more prominent hacktivist front groups mentioned in dispatches. 

Cyber mercenaries.

Dave Bittner: SentinelLabs yesterday published an update on the Void Balaur cyber mercenary group. The hack-for-hire operation, which has operated in the criminal-to-criminal market since 2016, has expanded its activities. SentinelLabs says, new targets include a wide variety of industries, often with particular business or political interest tied to Russia. Void Balaur also goes after targets valuable for prepositioning or facilitating future attacks. Its infrastructure is described as sprawling, and its methods are called careless, but Void Balaur's volume is up. It's not generally clear who the group's customers are, but SentinelLabs points to some indications that a Russian security service may be among them, stating, a unique and short-lived connection links Void Balaur's infrastructure to the Russian Federal Protective Service, a low-confidence indication of a potential customer relationship or resource sharing between the two.

An unidentified threat actor deploys malicious NPM packages.

Dave Bittner: In yet another instance of a software supply chain attack, ReversingLabs researchers outline the placement of a malicious NPM package in a widely used components library. ReversingLabs discovered a malicious NPM package posing as Material Tailwind, a components library for Tailwind CSS and Material Design. ReversingLabs says, these types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated. Sophisticated multistage malware samples like Material Tailwind are still a rare find. 

Dave Bittner: In this case, the complexity of the malware tactics leads to a conclusion that sophisticated actors could be behind this attack. For now our analysis of the situation tells us that Material Tailwind's stage two payload can be classified as a fully functional Trojan malware. It uses a lot of techniques to complicate reverse engineering. Additionally, IP redirection using a file hosted on a legitimate service like Google Drive is also performed before the communication with the actual C2 server. The researchers add that the threat actor did quite a good job at making the package description as convincing as possible. The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind. The malicious package also successfully implements all of the functionality provided by the original package. ReversingLabs researchers situate the campaign in the larger context of the rising trend in software supply chain attacks. 

A large-scale pay card theft operation.

Dave Bittner: ReasonLabs have discovered a Russophone gang using bogus dating and customer support sites to induce its marks to cough up pay card details. Researchers at ReasonLabs describe a major online credit card scheme that's been active since 2019. The threat actor has used at least 200 phony dating websites and 75 fake customer support sites to trick users into signing up for fraudulent subscriptions. The dating sites inform users that the credit card statement will be unrelated to the adult industry in order to be discreet. The researchers believe the campaign is being run by an organized crime group based in Russia. They say, we estimate the scheme has amassed tens of millions of dollars in fraud from tens of thousands of families and individuals. We estimate it is operated by a crime syndicate and found evidence that it originated in Russia. The scam seems to abuse several security brands such as McAfee and ReasonLabs to execute fraudulent credit card charges. The infrastructure is built on top of Amazon Web Services and uses GoDaddy to circulate hundreds of domains. The fraudsters' strategy includes operating a massive fake network of dating and adult websites with functional customer support capabilities. Once the sites are live, the scammers coerce payment providers to gain the ability to accept credit card payments. At this point, the fraudsters search the darknet and acquire thousands of stolen credit cards and charge them to their fake websites' services. 

Gootloader uses blogging and SEO poisoning to attract victims.

Dave Bittner: Deepwatch describes how GootLoader uses well-planned and targeted blogs in a search engine optimization poisoning campaign. The operators appear to be trawling for users interested in topics related to government, legal, health care, real estate and education. Geographically, many countries are targeted, but most attention seems to be paid to the Five Eyes - Australia, Canada, New Zealand, the United Kingdom and the United States. The operation looks like one run on behalf of a nation-state intelligence service, but Deepwatch so far has insufficient grounds to offer an attribution. 

Metador: a so-far unattributed threat actor. 

Dave Bittner: SentinelLabs yesterday reported another threat actor that looks like the work of a nation-state. Metador is described as targeting telecommunications, internet service providers and universities in several countries in the Middle East and Africa. It's not known who Metador is nor whom the group is working for, but they show a high degree of operational security and situational awareness of the environments in which they operate. The report says traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references, including British pop punk lyrics and Argentinean political cartoons. Researchers say the evidence is consistent with Metador being either an intelligence service or a mercenary group working under contract. 

Too much time on your hands while doing time.

Dave Bittner: And finally, have you heard the saying, busy hands are happy hands? We have. A gentleman serving 25 years in South Carolina for voluntary manslaughter and attempted armed robbery, one Darnell Khan, has been convicted in a U.S. court on federal sextortion charges. Mr. Khan obtained an illegal smartphone - something he as a prisoner is not supposed to have - and used it to set up a fictitious woman's dating profile online. He would strike up a relationship with lovelorn U.S. servicemen, catfishing them into sharing their own not-safe-for-work selfies, and then reveal the fictitious line that the person they thought was an adult woman was, in fact, an underage girl and that the person they were now communicating with was either the catfish's father or a private detective. If the victim failed to wire money to Mr. Khan, they would face prosecution and a dishonorable discharge, or so Mr. Khan's persona said. He is believed to have victimized 40 servicemen between January and July of 2017. The Stars and Stripes reports that sextortion seems to have become something of a cottage industry in South Carolina prisons, and Mr. Khan isn't alone in pursuing this particular line of crime. The catfishing is no joke. At least one suicide has been traced to it. If this were Russia, Mr. Khan would make a good candidate for recruitment by the Wagner Group. But this is America. And so we wish the wardens good hunting in tracking down the illegal devices and in sending the cons back to the license plate shop. 

Dave Bittner: Coming up after the break, Maria Varmazis on the iPhone 14 emergency SOS via satellite feature, Johannes Ullrich from SANS on resilient DNS infrastructure. Stay with us. 

Dave Bittner: We are excited to welcome the newest member of the CyberWire team, our space correspondent Maria Varmazis. She will be making regular contributions to our programs, covering the security of all things where no one has gone before. Here's Maria. 

Maria Varmazis: At its product unveiling on September 7, Apple announced that its upcoming iPhone 14 will have a, quote, "vital new safety feature we hope you'll never need." That feature is called emergency SOS via satellite, which lets iPhone users text for help via satellite when there's no Wi-Fi or cell phone signal available. Now, experienced travelers and hikers likely know that satellite phone tech has been around for a long time, including SOS beacons you can buy for just this kind of off-grid emergency situation. But they're slow, and they involve a big, bulky phone with an antenna up top - nothing that looks anything close to the typical iPhone design. 

Maria Varmazis: But Apple figured out that by directing users to physically point their phone to a satellite up in space instead of casting the wide net a typical satellite phone antenna might and by having the emergency message be only a compressed text message, it can get the job done - no bulky antenna needed. This new iPhone feature is a major step in bringing satellite communications to the masses. And certainly, consumers will be seeing a lot more of it, with T-Mobile and Google actively working on similar features for their own phones. So for more on what it all means, I spoke with Anthony Colangelo, host of the spaceflight podcast "Main Engine Cut Off" and expert on satellite technology and Apple apps as well. 

Maria Varmazis: Now, Anthony, I know we haven't been able to get our hands on this feature yet, but based on what Apple has shown us so far, let's do a little dive into how this feature works. Apple mentioned that they had to create a compression algorithm specifically for these messages. Now, what kind of bandwidth are we talking about with this kind of satellite communication? 

Anthony Colangelo: I'm not sure on the exact bandwidth, but the other aspect is it's not just bandwidth, it's connectivity as well, right? If you are in a completely open sky at the top of a mountain, you can probably maintain a full connection with that satellite. But if you have any inclement weather, foliage coverage, you know, things that would happen when you're off the grid hiking through a national park, it's going to be, you know, very in-and-out coverage. And then you not only have to figure that out, but these satellites are orbiting, so they're moving. So if somebody's hands are jiggling a little bit, the satellite's moving the other direction, and they lose contact for a second. It needs to be resilient to those kinds of changes in the environment as well.

Anthony Colangelo: A new satellite's coming over the horizon, so you've got to switch to that satellite. The way this works on the back end is that this is going up to this Globalstar satellite. It's then coming down to one of the gateways on Earth, which, you know, there are tens of them around the world. I think they're building out 10 new ones as part of this partnership as well. And that's going to relay on to the emergency services that are most helpful to you. It's a kind of weird architecture, where you're jumping up to a satellite, down to a gateway station, over to a relay center who eventually gets you to emergency services.

Maria Varmazis: You know, in an emergency situation, people are probably not thinking about the security of their messages necessarily. But I can't help but wonder, do we have any sense at all about how secure these messages are? Or is that just not even going to be on the radar in a situation like this? 

Anthony Colangelo: I think it would probably be one of those cases where you're relying on the nature of the satellite industry today to provide that, right? You think of the satellites that are up there in orbit. You've got DirecTV. You've got, you know, TV broadcasts around the world - things that they probably don't want you to be able to pirate, right? They are particularly concerned about the privacy and the security of these things. Now, that said, there are satellites that have been up there for decades that people have figured out how to decode. And certainly, there's a huge arm of the U.S. government and governments around the world that build satellites to go up and snoop on different satellite communications. It's not a perfectly secure world up there, but then again, in this particular kind of use case, I don't really know if I, at a functional level, would be concerned that somebody was snooping on my emergency relay message as long as they might also be able to help out. Like, I don't care if they overhear that. So maybe it's not the worst thing in the world. 

Maria Varmazis: And admittedly, the part of the announcement that got a bit more of my attention was sort of a footnote. And this was the addition of sending your location via satellite with the Find My app. And it's an opt-in feature, which means the user has to manually tap to update their location via satellite each time they want to do that. Now, obviously, GPS has existed for a long time, but I'm just wondering... 

Anthony Colangelo: Different kind of thing. 

Maria Varmazis: Different kind of thing, right? So we're introducing a whole new thing, a whole new piece of hardware to a phone. I just can't help but wonder about risks there. 

Anthony Colangelo: Yeah. And this may be a scenario where Apple's architecture with special hardware that is very directional is a positive, right? I don't think it's something that your Find My location is always going to be sent up to these satellites without you specifically doing it because, again, you need to be in that very directional pointing mode - right? - where it's telling you where the satellite is. And that's the difference in architecture here. The other satellites that are going up from Lynk and AST SpaceMobile and eventually Starlink - if they are connecting to your phone just like a cell tower, then yeah, there're surreptitious connections going on all the time between you and a satellite, whereas this is a very intentional interface. So, you know, in that same vein, could somebody track you because of the locations that you've sent up specifically? Yes. Could they do it without you knowing that you've provided a location somewhere? No, based on what I'm understanding right now.

Maria Varmazis: Thanks so much, Anthony, for that valuable context. And it should be noted that emergency SOS via satellite won't be available immediately with the iPhone 14. Apple has it slated to begin working no earlier than November 2022. So hikers and Apple early adopters, please take note. For the CyberWire, I'm Maria Varmazis. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it is always a pleasure to welcome you back. 

Johannes Ullrich: Thanks for having me, Dave. 

Dave Bittner: So today we are talking about DNS, and I'm going to give you the honors here of - what's the old chestnut about DNS? 

Johannes Ullrich: Yeah, the good and famous DNS haiku that always has to be mentioned when you're talking about DNS - it's not DNS. There is no way it's DNS. And it is DNS. So... 

Dave Bittner: (Laughter) Right. Exactly. 

Johannes Ullrich: ...If you have a problem, DNS is often the reason behind it... 

Dave Bittner: Yeah. 

Johannes Ullrich: ...And in part, though, because people sort of ignore DNS. DNS is thought about as a protocol that just works for the most part. It's actually, I think, one of the huge success stories when it comes to protocols. If you think about it, I remember my very first networks - like the - must've been late '80s, early '90s - we still had these host files where you got from a university a list of all of the on the internet in one file.

Dave Bittner: Right? And how quaint. 
Johannes Ullrich: And DNS solved this problem. And, of course, it scaled tremendously, if you think about it, from sort of a few million to a few billion entries. So really great product. I don't really want to talk down on DNS. Lots of people criticize it. But it has its tricks. And it's not an easy protocol to manage and really get the resilience that you need. These days, a lot of people move DNS to the cloud, which, of course - let someone else worry about it. That's a little bit the attitude here. But you may lose something with this. 

Johannes Ullrich: When I teach intrusion detection, one of the biggest things I always point out is, hey, if I can get one set of logs from the environment, I'll always take DNS logs because everything that happens in the network reflects itself in DNS - what websites people are visiting, what command-and-control service a malware connects to. That's all in DNS. So if you're moving it to the cloud, make sure you retain that visibility into your DNS traffic so you have it available to search for indicators of compromise, which is very quick and simple and really sometimes quite successful. The other part that you may not realize you're losing is a little bit of resiliency - now, you know - like the cloud kind of because the cloud tends to be fairly resilient until it's not.

Dave Bittner: Right. 

Johannes Ullrich: And then of course, it's not just down, but you can't even go down to the basement and kick that server because it's summer in Seattle or whatever, and it's a long walk. So... 
Johannes Ullrich: ...And they don't let you kick those servers either, kind of. 

Dave Bittner: Right. 

Johannes Ullrich: So keep that in mind. And one thing I want you to look at a little bit out here with cloud providers - cloud providers have the tendency to hold you hostage. It tends to be difficult to move from one cloud provider to another if you are using a service like DNS with them. Try to find a way how to synchronize your data between different cloud providers. Now, I say synchronize here. I don't say replicate because DNS actually has replication built in. But that's a feature that these cloud providers often don't really support, in part because they don't want you necessarily to leave easily or to easily switch over to another cloud provider. So try to find some way here to get that working across cloud providers. Usually not expensive. These DNS servers are fairly cheap, so setting up a second cloud provider should really not break the bank, and it gives you that additional peace of mind, resiliency when it comes to DNS.

Dave Bittner: Is this a situation where, you know, if you have multiple providers then you'll have kind of automatic fallback - if one goes down, then the other picks up and kicks into gear? 

Johannes Ullrich: Yeah, and that's the nice thing about DNS. DNS is sort of designed around this. So for your domain, if I talk, like, about an authoritative name server here, you can advertise multiple name servers that are authoritative for this particular domain. And DNS servers - when they're trying to look up one of your hostnames, they try the first one. It doesn't respond. They try the next one. So that's all built into DNS. So now you just have to make sure that you advertise DNS servers that are located with different cloud providers. Then, you know, also when you're setting this up, set up a little bit - rig it around how you manage DNS. Another problem once you move it into the cloud is then, of course, credentials get compromised more easily, and you may have someone else mess with your DNS. There are a lot of interesting attacks if people add mail servers to your DNS records, for example. Now they'll receive your email, and I can tell you, they will not filter your spam. They will just read it and pass it on to you.

Dave Bittner: What about, you know, some of the DNS providers who are there to just, you know, try to make things easy and also a bit more secure? And I think, like, four nines - you know, those kinds of providers. What are your thoughts on them? 

Johannes Ullrich: Yeah, I kind of like that idea. Now, these are recursive DNS servers, so you would use them to look up other people's hostnames. Again, you can set up multiple of these providers. You don't have to limit yourself to one. So the way I usually like to configure it is, I set up, internal to my network, a small recursive resolver that all it does is it forwards queries to these public DNS servers because they tend to be quite fast. And then I still have to - I still have the logs in my DNS server. I gain some speed because the popular websites - someone else probably already visited them. And these DNS servers now have that information cached, and it comes in faster. So that works. And of course, they - some of them - you know, like, OpenDNS is famous for that such - they also offer some filtering. Now, as part of their commercial solutions, they may also offer you some extended logging. And that's, of course, a useful tool gained inside your network.

Dave Bittner: Right. Right. All right, well, good information, as always. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's "Research Saturday," and my conversation with Gafnit Amiga from Lightspin. We're discussing her team's research - "AWS RDS Vulnerability Leads to AWS Internal Service Credentials." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.