The CyberWire Daily Podcast 9.29.22
Ep 1673 | 9.29.22

Hackers support Iranian dissidents. Notes on C2C markets. Cyberespionage campaigns. Intercepted mobile calls from Russian troops expose morale problems.


Dave Bittner: Gray-hat support for Iranian dissidents. Selling access wholesale in the C2C market. Novel malware has been discovered targeting VMware hypervisors. The Witchetty espionage group uses an updated toolkit. Deepen Desai from Zscaler has a technical analysis of Industrial Spy ransomware. Ann Johnson of "Afternoon Cyber Tea" speaks with Michal Braverman-Blumenstyk, CTO for Microsoft Security, about Israel's cyber innovation. And Russian troops' phone call revelations.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 29, 2022. 

Gray-hat support for Iranian dissidents.

Dave Bittner: Hacktivists and others are seeking to render aid to Iranian dissidents and protesters, researchers from Check Point report. Much of the activity is directed at facilitating communication and coordination among groups opposed to the regime in Tehran. But there's also some direct hacking of government-related sites and data, with signs of some profit-taking on the side. Check Point says key activities are data leaking and selling, including officials' phone numbers and emails and maps of sensitive locations. 

Selling access wholesale in the C2C market.

Dave Bittner: Cybersixgill has published a report looking at network access for sale on underground markets. The researchers say there are two broad categories of access-as-a-service for sale on the underground - initial access brokers, which auction access to companies for hundreds to thousands of dollars, and wholesale access markets, which sell access to compromised endpoints for around $10. Wholesale access markets are flea markets. The prices are low; the inventory is enormous; and the quality is not guaranteed, as listings could belong to a random individual user or an enterprise endpoint. The researchers found that wholesale access markets have played a large role in providing initial access for ransomware attackers. About a fifth of ransomware attacks are facilitated by initial access markets. 

Novel malware discovered targeting VMware SXi hypervisors. 

Dave Bittner: Mandiant has identified new malware that targets VMware, ESXi, Linux vCenter servers and Windows virtual machines. They're able to maintain persistent administrative access to the hypervisor with all the capabilities that suggests. Mandiant has attributed this malware to UNC3886, suspecting that the motivation is cyberespionage with a possible connection to China. VMware has used the information Mandiant developed to prepare guidance for its users. 

Dave Bittner: Researchers at Securonix Threat Labs have issued a report on a cyberespionage campaign they're calling Steep#Maverick. They call it a covert attack campaign, and they conclude that its targets have been multiple military and weapons contractor companies, including, likely, a strategic supplier to the F-35 Lightning II fighter aircraft. The PowerShell stager the threat actor used isn't particularly novel, but the procedures involved feature an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code. 

Steep#Maverick cyberespionage campaign.

Dave Bittner: Securonix describes the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 threat group. As has become commonplace with cyberespionage campaigns, Steep#Maverick begins with a phishing email, the hook buried in an attached .INK file, with an anodyne phish bait name like company and benefits. Once installed, the malware is unusually persistent. There's no attribution, but one circumstantial detail is suggestive. If the system's language is set to Chinese or Russian, then the code will simply exit, and the computer will shut down. 

Witchetty espionage group uses an updated toolkit. 

Dave Bittner: The Symantec Threat Hunter team released a blog today detailing the Witchetty espionage group, also known as the LookingFrog, and their updated toolset. Witchetty has been seen to be targeting the governments of two Middle Eastern countries, as well as the stock exchange for a nation in Africa. 

Dave Bittner: Witchetty has been using the LookBack backdoor, but it appears new malware has been added to the group's toolkit. A backdoor Trojan known as Backdoor.Stegmap has been seen in use, using steganography, a technique in which malicious code is hidden in an image. The payload can create and remove directories, copy files, move files and delete files, start a new process, download and run an executable and terminate this process, steal local files, enumerate and kill processes and read, create and delete registry keys, as well as setting a registry key value. 

Dave Bittner: Symantec doesn't offer an attribution, but it does quote ESET's association of Witchetty with TA410, a group other researchers have associated with China's Ministry of State Security. 

What Russian troops' mobile phone calls reveal.

Dave Bittner: One general lesson military services have drawn from Russia's war against Ukraine is that the ubiquity of mobile devices and their easy access to the internet have combined to create a new world for OPSEC, for operational security. That is, no one has so far figured out how to keep matters secure when individuals now have communication capabilities that 50 years ago would have been the envy of a national command authority. Local citizens with cellphones taking pictures of deploying Russian units in both Russia and Belarus gave journalists, enthusiasts and lay observers a tolerably complete picture of the Russian order of battle on the eve of the invasion of Ukraine. Now they're affording insight into the state of morale in the Russian forces, and it's not a pretty picture. 

Dave Bittner: Ukrainian intelligence and law enforcement agencies intercepted and recorded many of the calls Russian troops made from the zone of attack beginning in the early days of the invasion, and The New York Times has published an extensive selection of them. The soldiers complain of their leaders' failure to even tell them they were being deployed to combat, of tactical ineptitude, supply failure, and often with horror of the widespread atrocities committed by their forces. A representative call early in the invasion recounted the futility of Russian attempts to take Kyiv in a decapitation operation - the caller stating, we can't take Kyiv, we just take villages and that's it. 

Dave Bittner: Other calls reflected the shifting fortunes of the battlefield as the war turned against Russia. Tanks and armored carriers were burning. They blew up a bridge and a dam. The roads flooded. Now we can't move. Casualties are said to be high. From my regiment alone, one-third of the regiment, one soldier told a family member. 

Dave Bittner: A common view of the war is that it was founded on lies. As one soldier said to his mother, Mom, we haven't seen a single fascist here. The war is based on a false pretense. No one needed it. We got here, and people were living normal lives, very well, like in Russia. And now they have to live in basements. The old lady who lived near us had to live in the cellar. Can you imagine? 

Dave Bittner: There's a great deal more like this. President Putin himself comes in for a great deal of adverse comment. Given the increasingly hands-on role he's played as he's progressively lost confidence in his combat commanders and the military and intelligence establishments generally, that front line odium seems fair enough. 

Dave Bittner: The authenticity of the intercepts seems beyond question. The Times wrote, reporters verified the authenticity of these calls by cross-referencing the Russian phone numbers with messaging apps and social media profiles to identify soldiers and family members, adding that they'd spent almost two months translating the recordings, which have been edited for clarity and length. 

Dave Bittner: All soldiers gripe in every army at all times and in all places. But what's being heard in the intercepted phone calls goes well beyond the soldierly norms of grousing, discontent and the customary sense of being underappreciated and ill-used. Russia's army has a serious morale problem. That problem is rooted in loss of confidence in the chain of command and a recognition that the army's training and logistics have been utterly inadequate to its mission. 

Cyber risk in the hybrid war.

Dave Bittner: And finally, Ukraine has warned that Russia is preparing a fresh wave of attacks. While Russian cyber operations have underperformed in the war, in part because defenses have proved more effective than expected, the U.S. Cybersecurity and Infrastructure Security Agency - CISA - has tweeted a reminder that relaxation of vigilance would at this point be premature. So shields up. 

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler has a technical analysis of industrial spy ransomware. Ann Johnson of the "Afternoon Cyber Tea" podcast speaks with Michal Braverman-Blumenstyk, CTO for Microsoft Security about Israel's cyber innovation. Stay with us. 

Dave Bittner: Ann Johnson is host of the "Afternoon Cyber Tea" podcast. In a recent episode, she spoke with Michal Braverman-Blumenstyk, chief technology officer for Microsoft Security, about Israel's cyber innovation. 

Ann Johnson: Israel has been a long center for cyber innovation, and some of those cutting-edge technology companies come from Israel. So tell us why that's the case. What makes Israel so special? 

Michal Braverman-blumenstyk: So first of all, you are absolutely right. There is a lot of innovation in cybersecurity and in high tech in general that comes from Israel. As a matter of fact, you know, Israel is not a big country. It's only - is less than 9 million people, which is about .1% of the world population. But if we look at the investment in cyber, the investment in cyber are, in Israel, are 38% of all global investments in cyber, which I find amazing. 

Ann Johnson: As we think about then, you know, the wonderful work that you're leading in ILDC and the work that you're doing as the CTO for the cybersecurity business at Microsoft, let's talk a little bit about ecosystem, because I know you spent a lot of time talking to customers, partners, founders, startups, venture capitalists, et cetera. What are you hearing from them now? What do you think some of the trends are? And what are the leaders - you know, what is keeping our security leaders up at night? 

Michal Braverman-blumenstyk: It's interesting that when I look at the ecosystem and our customers and partners, I find that they become more and more educated on cyber threats and on cybersecurity in general. And the more they become educated, the more worried they are, the more sleep they lose at night. And for - and I understand that. And let's focus on some of the trends that batter the ecosystem. So, first of all, attacks are becoming more sophisticated. They're becoming more sophisticated not only because the attackers are technology savvy and they have the most amazing technology. As a matter of fact, it's almost a mirror picture of the technologies that we are using in the good part of the industry. But they're also leveraging sophisticated business models. And they create their own ecosystem. So it's really a whole - very sophisticated industry. 

Ann Johnson: Part of that role, I know, is looking into the future and determine what technology and engineering investments Microsoft needs to make, how to empower our customers, how to keep our customers successful. So what has you excited? What technology are you thinking about right now? 

Michal Braverman-blumenstyk: So, first of all, cybersecurity is very exciting. The reason it's so exciting, it's like playing chess. You have an opponent. When you just develop software, you don't have an opponent. You just have to develop good software. However, when you develop and design cybersecurity products, you always - you have - you always have to be one step ahead of your opponent. 

Dave Bittner: You can hear more of this interview, and indeed, the entire library of "Afternoon Cyber Tea" podcasts, right here on the CyberWire podcast network. 

Dave Bittner: And I'm pleased to be joined once again by Deepen Desai. He is the chief information security officer and VP of security research and operations at Zscaler. Deepen, always great to welcome you back to the show. I want to touch base with you today about some research that you and your colleagues have posted. You all had an eye on the Industrial Spy ransomware. What's going on here? 

Deepen Desai: Thanks, Dave. So Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, when the team was tracking this group, it appeared that they were only exfiltrating and ransoming based on the data, while in some of the other cases, they were actually going through the file encryption, exfiltration and then demanding ransom. Now, if you look at the history of this group, the industrial spy started as a data extortion marketplace where criminals could buy large company's internal data. They actually promoted this marketplace using a readme.text file that were downloaded using malware downloaders disguised as cracks, adware. And after these initial promotional campaigns, what we're now starting to see is the threat group has introduced their own ransomware to create these double extortion attacks. 

Dave Bittner: That's interesting. What are some of the key things that drew your attention to this group? Any particular ways they stand out? 

Deepen Desai: Yeah. So I think the change in the tactic I already outlined where they started with only focusing on data to going full-blown, you know, ransomware, double extortion attacks. We also noticed that before they released their own version of ransomware, they briefly tried Cuba ransomware family and probably ended up deciding - having to code their own payload in May of 2022. The threat group does exfiltrate and sells data on their darkweb - right? - as I mentioned. 

Deepen Desai: So they already have the infrastructure for the selling of data and monetizing that piece. Ransomware utilizes a combination of triple DAS and RSA to encrypt the files on the victim machine. We did notice that, you know, industrial spy lacks many common features which are present in modern ransomware families. And that's where, again, I'll clump this into in-development malware family. Many of the commonly seen anti-analysis and obfuscation techniques are missing. So it was relatively easy for our analysts to reverse and, you know, dissect the payload that was observed. 

Dave Bittner: What sort of velocity does it seem as though they're running here, or are they a particularly active group? 

Deepen Desai: Yeah. So in terms of payloads, we're not seeing that many new payloads. There are very few payloads we've seen so far. I mean, we're tracking all the public sources, as well, like things like VirusTotal and - as well as things that we're seeing in the cloud. The number of new unique payloads are fairly low, but we're still noticing the group is consistently adding two to three new victims every month on their data leak portal. So they are enjoying success in terms of successfully infiltrating some of these organizations. 

Dave Bittner: It's interesting to me that they decided to, you know, roll their own ransomware here. And particularly when you think about how many ransomware-as-a-service offerings are out there to take the effort to do this, I mean, does that strike you as interesting, as well? 

Deepen Desai: Yeah. It is interesting. But then, again, in this case, because these are - this group appears to know the in and out of the operations already. So they're trying to control their own destiny by holding the source of the ransom and adding updates and features that match their operations style. So we do expect this threat group will continue to stay active, at least in the near future, with more updates and features getting added in the payloads. 

Dave Bittner: All right - interesting stuff. Well, Deepen Desai, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.