Sniffing at the DIB. Sideloading cryptojacking campaign. Nord Stream and threats to critical infrastructure. US Cyber Command describes hunting forward in Ukraine. Fraud meets romance.
Dave Bittner: Data's been stolen from a U.S. Defense Industrial Base organization. There's a major sideloading cryptojacking campaign in progress. Nord Stream and threats to critical infrastructure. U.S. Cyber Command describes hunt forward missions in Ukraine. Andrew Hammond from "SpyCast" speaks with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity. Our guest is AJ Nash from ZeroFox with an update on the current threat landscape, and fraud meets romance.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 5, 2022.
Data stolen from US "Defense Industrial Base organization."
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency released a report yesterday detailing alert AA22-277A. From November 2021 through January 2022, CISA uncovered activity from likely multiple advanced persistent threat groups on a Defense Industrial Base Sector organization's enterprise network. The organization affected isn't named in the report. The APTs used Impacket, an open-source toolkit, to gain access, and then used custom data exfiltration tool CovalentStealer to steal sensitive data. In this case, as BleepingComputer notes, CISA did not indicate who was behind the APTs. CISA says, during incident response activities, CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment.
Dave Bittner: The agency reports that some APTs may have gained access to the victim's Microsoft Exchange Server as early as mid-January 2021. BleepingComputer reports that they used the HyperBro remote access trojan and well over a dozen China Chopper web shell samples on the organization's network, as well as exploiting the ProxyLogon collection of Microsoft Exchange Server vulnerabilities. CISA has published, separately, a detailed analysis of both CovalentStealer and HyperBro, the set of tools that figured prominently in the exploitation.
Major sideloading cryptojacking campaign in progress.
Dave Bittner: Bitdefender researchers say they've detected a significant cryptojacking campaign in the wild. It's a sideloading campaign and represents an evolution in criminal cryptojacking technique. Bitdefender explains, this is the case of an active cryptojacking campaign that uses a dynamic library link hijacking vulnerability in OneDrive to achieve persistence and run undetected on infected devices.
Dave Bittner: Cryptojacking, should the term be new to you, is the criminal practice of installing an altcoin miner on someone else's non-cooperating device, where it operates quietly in the background, hogging electricity and other resources to mine coin on behalf of those who installed it.
Nord Stream and threats to critical infrastructure.
Dave Bittner: The kinetic sabotage of the Nord Stream pipelines in the Baltic region remains under investigation. NATO has formally designated the incident sabotage, but it's primly refrained from calling out a perpetrator until the investigation is complete. That said, many others consider the incident a shot across Western bows as winter approaches, a threat to take down energy infrastructure at a time when it will be most needed in the Northern Hemisphere.
Dave Bittner: A Washington Post editorial makes a representative argument stating, this is the kind of capability usually wielded by a state actor. Though NATO did not say officially what everyone suspects unofficially, the author of this strike against Europe's stability and security was Russia. The Post goes on to point out the cyberthreat to infrastructure stating, in April, the Cybersecurity and Infrastructure Security Agency, along with the FBI and the National Security Agency, issued a joint warning about the cyberthreat to critical infrastructure, such as energy and utilities. And so far, Ukraine and its supporters have kept cyber damage to a minimum. That doesn't mean the threat has become inconsequential, and Western governments and utilities are well-advised to remain on alert.
Dave Bittner: An Atlantic Council essay presents grounds for thinking that Norway's oil and gas production platforms in the North Sea may become targets in an expanded Russian campaign against European energy infrastructure. Those platforms experienced unexplained drone flybys last week, which the Council's essay regards as in some ways more disturbing than the sabotage of Nord Stream.
US Cyber Command describes "hunt forward" missions in Ukraine.
Dave Bittner: The executive director of U.S. Cyber Command, David Frederick, described U.S. participation in Ukraine's cyberdefense during his presentation at GovCon Wire's Cybersecurity in National Security Summit. He characterized the mission as a series of hunt-forward operations. The U.S. teams from the Cyber National Mission Force were dispatched to Ukraine late last year and worked with their Ukrainian counterparts to assess and secure critical IT and infrastructure networks. Frederick noted that in the course of operations, U.S. Cyber Command gained valuable insight into Russian methods of cyberwar, much of which insight Cyber Command has shared not only with government partners like CISA and the FBI, but with the private sector as well.
Fraud meets romance.
Dave Bittner: And finally, a Georgia man has been sentenced for his role in business email compromise and romance scams. The U.S. Department of Justice has announced that one Elvis Eghosa Ogiekpolor has been sentenced to 25 years for his role in a widespread ring of romance and business email compromise scams. The U.S. Attorney's Office for the Northern District of Georgia says that Elvis opened and directed others to open at least 50 fraudulent business bank accounts that received over $9.5 million from various online frauds, including romance frauds and business email compromise scams. He then laundered the fraud proceeds using other accounts, including dozens of accounts overseas. The BEC operations were pretty routine. He and his five accomplices pretended to be organizational managers, directing employees to transfer money to accounts controlled by fraudsters. The romance scams were catphishing expeditions in which Elvis and his partners set up fictitious social media personas to induce the lovelorn to send him cash. At any rate, Elvis will now receive a sabbatical, courtesy of the Federal Bureau of Prisons.
Dave Bittner: Coming up after the break, Andrew Hammond from "SpyCast" speaks with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity. Our guest is AJ Nash from ZeroFox with an update on the current threat landscape. Stick around.
Dave Bittner: Cybersecurity and reputation management company ZeroFox recently shared their threat landscape report for the second quarter of 2022, outlining some of the trends they're tracking. AJ Nash is vice president of intelligence at ZeroFox.
AJ Nash: You know, as a result of Russia's invasion of Ukraine and the ongoing conflict and world response to that and sanctions, there's been a real challenge for criminals in getting money. You know, and that's always a bit of a challenge for them anyway. The idea of committing a crime is one thing, but then finding a way to capitalize on that, to convert that into money, is a bit of a challenge, but most of them have systems in place. And thanks to sanctions and thanks to changes in the financial systems that came from those, there's been some real struggle there. And to see that reflected, to see known Russian-speaking actors' frustrations over that and how they've been trying to deal with that, I found to be really, really interesting. That's a fascinating thing to watch unfold.
Dave Bittner: Does that create any kind of pivot from them? Do they shift to something else?
AJ Nash: You know, they have been working on that. So one of the pivots we've seen is a shift to just other countries. So Dubai, for instance, in United Arab Emirates is a popular destination now - you know, just setting up accounting over there and trying to move money there and then figure out a way to get back. But the challenge is a lot of these folks want to get the money back into Russia, you know, to support themselves, their families, etc. And it's that transfer that's really, really hard. So you're seeing more peer-to-peer transfers. You know, it's not the same, but it reminds me a bit of the hawala system in the Middle East of just, you know, finding ways to move money that are outside of the standard financial systems, you know, because SWIFT is a problem for the Russians right now, too.
AJ Nash: So, listen, as we all know, criminals are creative. They'll find a way, you know. But it's making it hard for them, no doubt about it. And there's frustrations. And that adds to frustration with their own government and with what's going on. You know, there's plenty of cybercriminals like, you know, criminals anywhere, really. They're not necessarily political. Like, some can be, but a lot just want to make the money. And this is just a real big inconvenience for them, frankly. But yeah, they're working around it. They're finding ways. It's just harder, and it's costing them more money. It's taking more time and energy.
Dave Bittner: What other things in the report grabbed your attention?
AJ Nash: You know, there were some interesting pieces. The initial access broker marketplace, you know, we've been following that. Quarter over quarter, we report on that. And that's been a really big issue. We saw a dip in Q1, and then in Q2, we started seeing a resurrection, not quite to the previous levels, but I suspect we'll continue to see it grow. You know, this is an ongoing tactic that works really well. You know, people get access to organizations, and then they're turning around and selling that to somebody else. You know, it's essentially a middleman. Hey, we'll get access, we'll get in. We're not actually going to do the exploiting and take advantage of it necessarily, but we'll sell it off to somebody else to do it. So that's growing. That's a continuing threat. Some things we saw that you would expect - malware is going to continue to be a problem and has. Ransomware continues to be a problem. These are very effective, you know, ways of causing problems for folks. So we've seen that.
AJ Nash: I think - one of the things that I found interesting personally was, you know, a real notable increase in what we call LNK shortcut files. So an LNK shortcut is a shortcut. LNK is just, you know, Microsoft terminology. So anybody that sees a shortcut, you know, you click on something to get to another document, etc. Seeing those on fake Windows 11 upgrades - which makes sense. Any time there's a Windows upgrade, there'll be fake upgrades sent out. But seeing those LNK shortcuts used to deliver malware, you know, is a growing trend that I thought was really interesting because people still have a tendency to just click on things. So if it looks trustworthy, oh, it's just an Excel document. It's just a Word document. It's just something somebody sent me. People still click on those, and, you know, that gained a lot of traction. So, you know, there's been a few really interesting things that have come out of it, you know, and some that you would expect. You know, digital extortion continues to be a problem.
AJ Nash: As I said, ransomware and extortion go together. You know, extortion is a really effective and, frankly, really cheap methodology for an adversary. You don't actually have to do anything. You know, you and I can go into the extortion business. I'm not recommending it, but it doesn't take a lot of effort, frankly. You know, we can put together a form letter. We can send it out to a bunch of people and tell them they have to put money into a Bitcoin wallet or we're going to release all this information we stole from them. And we don't have to steal anything from them. We don't have to be technical. We don't have to be good, you know, but we can send that threat out. And we see, if you do that, people pay. You know, there are people who - you know, the fear is there. And if you set the price point low enough, large companies will say, you know what? Just give them $500. You know, I don't know if it's real or not, but it's too scary to figure out. And you do that at mass, you know, you send out a thousand of those things, you make a lot of money.
AJ Nash: So, you know, I think that's a tactic I find very interesting to watch because it's tough for prospective victims, for people who have been at least threatened a lot of times to understand that they actually have been compromised. You know, a lot of organizations really struggle with that. So when the threat comes in and it's scary and you're worried about having all of your data released and possible brand damage, etc., a lot of organizations just want to pay it thinking that'll solve the problem, which it really doesn't. Either you didn't have a problem to begin with and you're paying somebody for nothing, or you may in fact have a problem and you can't trust criminals not to follow through on, you know, extorting you. I promise, if you pay somebody extortion money, there's a reasonable chance they're going to come back and ask for more. That's been true in all of history for extortion. So...
Dave Bittner: Yeah.
AJ Nash: ...I really enjoy the report. And I really enjoy what the team does because we get into those discussions about actors, specific groups and motivations. And, you know, it's more interesting to me as a nontechnical person than just reading a report after report after report about all these technical things, these IOCs. And don't get me wrong. Those are important, and we have those in there for people that need to take action, too. But I really enjoy, you know, reading about what's going on in the criminal environments and, you know, what motivates actors and what they're talking about and why they're shifting to different techniques. So it makes for a really readable report for pretty much anybody and really useful.
Dave Bittner: Yeah. Well, I mean, based on the information that you all have gathered here, what are your recommendations? What should - how should people respond to the information you all have put out?
AJ Nash: Yeah, it's a good question. Each of the sections - so our paper, we break it down into individual sections - right? - whether it's vulnerability, exploitation or botnets or initial access brokers. In each section, we do provide recommendations per section. So we give people an opportunity to know, you know, what does this mean and what can you do about it? And in many cases, the recommendations, quite honestly, are about vigilance and monitoring. But in some, there are specific examples of what people can do in terms of, you know, updating policies or, you know, the CVE exploitations, for instance. You know, we name the CVEs and we talk about what they are and what's being exploited and what patches can be put in place to make changes. So for each of the sections, there certainly is some actionability available.
AJ Nash: You know, in some cases, a lot of it is just you really need to understand this. You need to set up monitoring. You need to set up alerting. You know, a lot of times when we talk about what's going on in the cybercriminal dark, you know, the dark web, the underground, the cybercriminal marketplaces, a lot of that comes down to, are you seeing this yourself? But certainly, some of it does come down to you're going to have to have the right resources available, whether it's in-house, whether it's, you know, third-party vendors.
AJ Nash: Some of the discussions in here are about, do you have the resources to know what's going on? You know, the goal of intel, aside from what I just said, the other goal of intel is to be proactive. The goal is to move the needle to the left - right? - in that whole right-left continuum of threats. You want to really get as far to the left as you can. And intel is the only way to get there. Everything else, by definition, is reactive. Something's happened to you. Something's touched you. And that's fine. We do a lot of that, too. There's no way around it. This is why it matters. This is what you can do about it. Those are the three components we talk about in building intelligence. But a lot of it is long term, what can you do about it - is make sure you have the awareness, you have the people, you have the technologies, you have the accesses to see what's going on, to see these trends and know about what people are talking about and planning before it happens.
Dave Bittner: That's AJ Nash from ZeroFox.
Dave Bittner: Andrew Hammond is host of the "SpyCast" podcast from the Spy Museum. And in a recent episode, he spoke with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity. Here's a part of that interview.
Andrew Hammond: I was just wondering, just to start off, Eric. So you're a professional hacker. You attempt to compromise all different types of networks from the military through to amusement parks. I guess one of the first questions that I had just when I was thinking about this interview, you've seen quite a lot. Is there anything that keeps you up at night? Is there anything in the wee small hours where you're like, that one really, like, scares me?
Eric Escobar: You know, the ones that really keep me up at night are anything to do with critical infrastructure, which is, you know, obviously Colonial Pipeline and all the havoc that that caused. Those are the ones that really just keep me up at night for a couple of reasons. I mean, really, if you look at any of our traditional, you know, different internet uses, Amazon, you know, Google, Apple, like all these different services, what's the worst that's going to happen? You might lose some files. You know, you might need to recover from a backup. You know, your information might get out there.
Eric Escobar: But with all the critical infrastructure, there's chance and potential for loss of life, which is way worse than anything that can happen in the cyber realm. So those are the ones, like, watching any critical infrastructure get compromised is really the thing that keeps me up at night because, you know, lives are in the balance. Lives are on the line. And we do a lot of testing for critical infrastructure. And I've seen computers and machines that have been online and not been taken offline longer than I've been alive.
Andrew Hammond: At the Spy Museum, we have a shard from the Aurora generator test in 2007, which basically is a test to prove that a piece of code can affect the physical world. And basically, to cut a long story short, they blew up a generator. So something that's intangible can affect the tangible world. So that's ultimately what you're talking about. Is that correct?
Eric Escobar: Yeah. That's my actual job, doing exactly that - not, like, not too dissimilar. A couple of weeks ago, we compromised an oil refinery. So that same exact, like, hey, we're able to access, you know, industrial control systems, and if we touch the wrong computer, if we do something wrong, things go boom. And so that's why it's my fear, because exactly that - that code can affect the real world in those, you know, in those circumstances.
Andrew Hammond: When did it dawn on you that, you know, this is somewhere where you could distinguish yourself?
Eric Escobar: You know, I don't think it has yet.
Andrew Hammond: OK. That's good.
Eric Escobar: Have you ever heard of impostor syndrome? Everybody feels like - I feel like - they're an impostor to a degree. And for those in your audience listening, impostor syndrome is where you feel as if, like, man, is somebody going to figure out that I don't know what I'm doing? There was one time my wife, you know, she walks in my office. And she's like, are you just Googling how to do something for your job? And I'm like, absolutely. And she's like, what if your coworkers, you know, found out or, you know, like - and so really, to answer your question, like, I - like, some people might look at me and be like, wow, Eric is a great hacker. He compromises and breaks into all these large companies. And then I have the people that I look up to, I'm like, oh, my gosh, like, you could never call me a hacker compared to, you know, these individuals that I've met and these individuals that I know. Like, they're the real deal.
Andrew Hammond: One of the things that I was - that I'm interested in is, you know, with this field, you know, like, "SpyCast" on the CyberWire network now. And we've tried that. We've done traditional intelligence espionage. And people kind of get that more or less. OK, that's over here. And then they sort of get cyber. They're like, OK, that's computers. That's over there. I'm increasingly interested in the places where they overlap. And it seems that, you know, a lot of people are like, OK, well, the NSA, like, that's an area where, you know, both of them overlap. And other than that, it gets a bit fuzzy. And I'm not sure about it.
Andrew Hammond: But, you know, when you hear the term infosec, like information security, I mean, that's what a lot of what intelligence agencies do or when you were speaking about, like, breaking in without using malware at state intelligence agencies as well, they - I mean, sure, you can do some kind of brute force attack and get information. But if you scream out that you've just done something, then they're going to go in and change all the codes and do a whole bunch of countermeasures to try to protect themselves against what you've just committed against them. So I don't want to say that both of them collapse into one another, but it just seems really interesting to me, all of the places that they overlap. And I don't know if I've ever read a book or something that adequately explains the overlap, but do you have any thoughts about that?
Eric Escobar: Well, it's interesting when you think about it. You know, so you mentioned, you know, ways that they overlap. Really just information - you know, if you're a spy agency, if you're a nation-state and you're trying to discern information, there's a lot of guesswork - a lot of educated guesswork that goes into that. And so an example that I always kind of like to think about realistically, if you look at, say, the United States political landscape - totally not hot-button issue. If you are a foreign, you know, nation and you're trying to understand, hey, what - you know, what are the political parties, you know, angling to do? What's going on here? Well, think if they were able to break into, say, the, you know, manufacturer of, like, flags - right? - of little American flags that would get waved around at campaign rallies.
Eric Escobar: Well, if you knew how many orders of each of those flags were going to respective, you know, different political campaigns and parties and all that stuff, well, now you've built up, just with that information of orders of flags, if you're able to compromise a small manufacturing place, now you know all the ordering, all the processing information of how that goes, typically logistics of who, how, where and why those flags are going to be in that position. You typically know how many are in the war chest or how many people they're expecting at a campaign rally, right? And so there's - it's one of those things that - it's information security 'cause you don't necessarily know how the information is going to be used.
Eric Escobar: You know, you might have a threat actor that breaks in, trying - to that same flag company, trying just to steal, you know, email addresses so that they can send out, you know, phishing emails just willy-nilly. Or you might have a nation-state trying to compromise that same flag factory for the purpose of trying to divine, what does the political landscape look like in the United States for the upcoming midterms? There's a lot of hypotheticals, and then there's a lot of, like, oh, you know, where things actually overlap, like you said, with NSA and other intelligence agencies.
Dave Bittner: That's Andrew Hammond from the Spy Museum and host of the "SpyCast" podcast. You can hear the rest of this interview on the "SpyCast," here on the CyberWire network.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.