The CyberWire Daily Podcast 11.3.22
Ep 1697 | 11.3.22

“Static expressway” tactics in credential harvesting. Emotet is back. Black Basta linked to Fin7. RomCom hits Ukrainian targets and warms up against the Anglo-Saxons. Cyber cooperation?
Dave Bittner: Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting. Emotet is back. Black Basta ransomware gang is linked to FIN7. A Russophone gang increases activity against Ukrainian targets. Betsy Carmelite from Booz Allen Hamilton on adversary-informed defense. Our guest is Tom Gorup from Alert Logic with a view on cybersecurity from a combat veteran. And Russia regrets that old U.S. lack of cooperation in cyberspace. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 3, 2022.

Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting.

Dave Bittner: Avanan today blogged about attempts by hackers to abuse Dynamics 365 Customer Voice, a Microsoft product used to gain feedback from customers. Threat actors were found to be using legitimate-appearing links from Microsoft notifications in order to send credential harvesting pages. One of the malicious emails looks like it's from the survey feature from Dynamics 365. It informs the victim that a new voicemail has been received. Another email provides a legitimate Customer Voice link from Microsoft. But when "Play Voicemail" is clicked, it redirects to a phishing link of a lookalike Microsoft login page. The malice is in the button. The actual phishing page doesn't show up until the end of the process. Avanan calls this style of attack the "static expressway." Attackers follow the static expressway to leverage legitimate sites in a way that enables them to get past the security scanners that so many organizations use as a vital part of their defense. Avanan explains the logic is this: security services can't outright block Microsoft. It would be impossible to get any work done. Instead, these links from trusted sources tend to be automatically trusted. That has created an avenue for hackers to insert themselves.

Emotet is back.

Dave Bittner: Criminal groups are protean, but not for the honest world in a good way. An example of their slippery adaptability may be seen in the reappearance of one notorious gang that hadn't been heard from much since police began kicking down doors late last year. Emotet, the notorious gang whose activities have been largely suspended for five months due to disruption by international law enforcement operations, has returned to action, BleepingComputer reports. Cryptolaemus researchers found that Emotet suddenly resumed spamming at 4:00 AM Eastern Time yesterday. The crime group is "back in Distro Mode," Cryptolaemus tweeted. Emotet had been associated with the Conti ransomware gang. But since Conti went into hiding this past June, there have been signs that Emotet was beginning to collaborate with the BlackCat and Quantum gangs. As Cryptolaemus said, "Looks like Ivan is in need of some cash again, so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS."

Black Basta ransomware linked to FIN7.

Dave Bittner: There's similar changeability on display in the case of Black Basta. Researchers at SentinelLabs report finding links between Black Basta ransomware and the Russian criminal group FIN7. The evidence is circumstantial, but regarded as convincing by SentinelLabs, who state, "We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups." It can be difficult to separate criminal organizations. Their members are opportunistic, their organization fluid, but it seems that FIN7 may be at the very least closely cooperating with Black Basta.

Russophone gang increases activity against Ukrainian targets.

Dave Bittner: BlackBerry describes the recent activity of RomCom, a threat actor that presents itself as a financially motivated criminal organization but which is more likely to represent a group acting on behalf of the Russian government. BlackBerry had earlier noted the group's use of spoofed versions of "Advanced IP Scanner" to hit Ukrainian military targets. The company's researchers have since found that RomCom has expanded its operations to exploit the brands of SolarWinds Network Performance Monitor, the KeePass open source password manager, and PDF Reader Pro. BlackBerry explains, "In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, Trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims or, in some instances, using additional infection vectors."

Dave Bittner: So far, Ukraine has been the primary target of the latest RomCom campaign, but there are signs pointing to some targeting of Anglophone countries, especially the United Kingdom. BlackBerry concludes, "RomCom RAT, Cuba Ransomware, and Industrial Spy have an apparent connection." Industrial Spy is a relatively new ransomware group that emerged in April 2022. While RomCom has sought to cloak itself in crime, the group seems to be working under the direction of a hostile intelligence service. BlackBerry says, "Given the target's geography and characteristics combined with the current geopolitical situation, it's unclear if the real motivation of the RomCom threat actor is purely cybercriminal in nature." BlackBerry doesn't go this far, but it's difficult to resist the inference that RomCom is working for the Russian organs.

Russia regrets US lack of cooperation in cyberspace.

Dave Bittner: And finally, there is a look at how Russia sees cyberspace, or more accurately, how Russia wants the rest of us to think it sees cyberspace. Newsweek interviewed Artur Lyukmanov, acting director of Russia's Department of International Information Security, on Russia's views concerning international norms for the use of information and communication technologies. Mr. Lyukmanov says that Moscow stands for goodness here, stating, "Russia insists on the principles of justice, sovereign equality of states, noninterference in internal affairs and peaceful settlement of conflicts. These are the principles of the U.N. Charter."

Dave Bittner: In practice, this has meant central Russian control over the information accessible to its subjects. "Sovereign equality" and "noninterference in internal affairs" means Russia's ability to control the information its population receives. Mr. Lyukmanov went on to argue that international norms in cyberspace should involve joint inquiry into cyber incidents, saying, "We are striving to reach such an understanding that governments and their competent agencies could directly investigate cyber incidents, putting aside unsubstantiated assessments." A demand to "show us the evidence" has long been the customary Russian response to accusations of misbehavior. He continued, "Ideally, ICTs should be used for their intended purpose as a means of communication, storage and transfer of useful and creative knowledge, for development, not destruction." Failure to reach an accommodation over such norms is all too likely, he said, to result in mutual destruction.

Dave Bittner: We leave an assessment of Mr. Lyukmanov's words as an exercise for the listener. In the meantime, if you're listening, U.S. Cyber Command, we've got just two words for you. Good hunting. 

Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen Hamilton on adversary informed defense. Our guest is Tom Gorup of Alert Logic with a view on cybersecurity from a combat veteran. Stick around. 

Dave Bittner: Tom Gorup served six years in the U.S. Army with the 10th Mountain and 101st Airborne divisions in Iraq and Afghanistan respectively, during which he earned several medals, including the Purple Heart. Tom is currently vice president of security operations at Alert Logic. I was curious to know how his experience as a combat veteran has informed his approach to cybersecurity. 

Tom Gorup: My experience on the battlefield really helped translate into the digital world when I started to make connections on how I was securing forward operating bases, how I was securing battle positions. So I was in the infantry, and it wasn't uncommon for me to have to set up battle positions on top of a mountainside or, you know, even on - in land in Iraq. And when I was setting up these battle positions, we typically looked at - we used a tactic called OCOKA - observation and field of fire, cover and concealment, obstacles, key terrain and avenues of approach. 

Tom Gorup: When we were using these tactics, we were typically - we had found over the years that we were typically evaluating kind of three key pillars there. We're looking at visibility. We're trying to understand what these battle positions can see. We're looking at exposures. We're trying to identify where the weaknesses are. And then when we come under attack, we want to see how that attack is pointing out flaws or weaknesses within our battle position and adjust it accordingly. So once I started making those connections, I realized that it's no longer - these tactics and techniques that I learned while in the military directly applied to digital space. I just had to learn my tools. I was no longer using claymores or machine guns. I'm using antivirus and firewalls. So making those connections was huge in my transition. 

Dave Bittner: I'm curious, as a veteran yourself and indeed a combat veteran, is there a particular mindset that you find that other folks who've been through the same sorts of things that you have have within them? 

Tom Gorup: Absolutely. I think the mindset brought on from the military world into the - especially IT security space is the, you know, take-any-mountain type attitude. One of the toughest things I had to adjust to or at least better understand as I transitioned from the military world to the civilian world was, "Oh, we can't do that," or "That's impossible." I often got those types of responses from all sorts of people, from IT to desktop support, etc. And that's not a mentality a soldier has, right? Our objective is to take a mountain, and we're going to take that hill, or we're going to take that mountain any way, shape or form. We're going to figure it out and get creative in solving that problem. I think that discipline and that rigor, that work ethic that comes from being in the military is extremely valuable in especially IT security. It's a nonstop industry, right? We're constantly seeing new attacks. We're seeing evolution of old attacks. So you have to stay diligent. You have to stay diligent, and you have to stay disciplined and constantly keep up with the trends. I believe the military - especially in the infantry - teaches you those skill sets.

Dave Bittner: And what is it like to translate that mindset to folks who have not had that experience? How do you pass that on in a way that normal folks who aren't veterans can understand? 

Tom Gorup: Great question. The way we can transfer that type of knowledge, I believe, is mainly by leading by example. I guess a great way to look at it is when I'm going to hire people, I can't often teach people to be motivated. If they really want to be in the security space, they'll show it on the front end of that hiring process. On the other end, it's, how can I take that motivation and bring it forward? The drive, the discipline, is something that, sometimes, people need to - that those that are motivated could have the drive but don't know where to put it. The military and, I think, that experience allows me to lead that by example and showing that with my team. Here's how I execute, and here's how I move things forward. I always think that leading by example is the best way to transfer that type of knowledge. 

Dave Bittner: What are your recommendations, then, for organizations who want to take this sort of approach? How do they get started? 

Tom Gorup: Yeah. So organizations that really want to take hold of their security posture, make it easier to communicate - is really to break out their work and break out their environment into those three categories. Visibility - you need to start gaining an understanding of your environment. I can't count how many customers that I've worked with over the years that have come to me with spreadsheets. And that's their asset inventory, and they manage it all manually. But when a new asset is spun up or, I don't know, some other tool is put within their environment, they're not aware of it. So visibility is critical. It was important on the battle space, and it's just as important in the digital world. So starting off from looking at our visibility, what can we see? What can't we see? Do our vulnerability scanners touch all of our environment? Do we have agents deployed everywhere we would expect them to be? But then going a little bit further and knowing when drift happens.

Tom Gorup: So we want to understand when new assets are spun up, and they don't meet the security controls - right? - these things all fall into the vulnerability - or - excuse me - the visibility bucket. The word exposures there is intentional, right? We want to elevate that conversation and bring it to not only talking about out-of-date software, you know, your typical vulnerabilities. We also want to understand where misconfigurations are in the cloud and overprivileged IAM roles or exposed S3 buckets. These are common, common problems, but it isn't easy for us to identify these issues. And then threats. How am I being attacked? What are the types of attacks that I'm experiencing? What assets are under attack? And how can I use that to inform other parts of my environment? One thing that security tools, security services are often really good at is pumping out work, right? They're work-producing engines. You turn the wheel. You get more work. Hey, a visibility gap is here. You have vulnerabilities and exposures there. You have these threats going on in this part of the environment. The tough part here is now, how do I prioritize that work? And when we can break it out into visibility, exposures and threats, we can more effectively prioritize our work. What's the next most important thing you should be working on? And that's the objective here - is to break them out, categorize them and then prioritize them based on where your risks are.

Dave Bittner: That's Tom Gorup from Alert Logic. 

Dave Bittner: And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton, also their federal attack surface reduction lead. Betsy, it is always a pleasure to welcome you back to the show. I want to touch today on this notion of adversary-informed defense, working on that offense to defense cycle and innovation and those sorts of things. But can we start with some basics here? And help me understand, when we say adversary informed defense, what exactly are we talking about here? 

Betsy Carmelite: Sure. We're looking, Dave, at how our adversaries also look at our national cyber ecosystem. It's one battle space. So standing in the shoes of an adversary and looking at that battlefield, what do they see? That's exactly how we should be looking at our defense and offense approach to that battle space, as well. It comes as no surprise to you that our nation's adversaries are dedicating significant resources to honing tactics and executing cyber operations that threaten our national and economic security. For this, the United States needs to develop policies, plans, programs and activities for a whole-of-nation, one-battle-space-focused effort on full-spectrum cyber activities and actors. So where we're talking about using offense to inform defense and vice versa, it's also really a whole-of-nation change-management exercise as to how we look at the adversary. So that's what we're focusing on here.

Dave Bittner: To what degree are we functioning in this mode, and to what degree is this an area open for innovation? 

Betsy Carmelite: So this is definitely an area open for innovation. I'm going to talk about one of the ways that we've - at Booz Allen have brought a lot of our knowledge and diverse thinking about how offense and defense come together. But the U.S. really must better integrate and synchronize the way it conducts cyber offense and defense with a refreshed national strategy. And we're seeing a lot of this in some of the policies that have come out in the last year or so. Related policies hold government operating models. It sounds maybe, you know, overstated, but the siloed way that we approach with just looking at offense and looking at defense really needs to come together. Doctrine that goes beyond military minutiae or merely a military-focused approach needs to change. And greater clarity and deconfliction around roles and responsibilities are important. 

Betsy Carmelite: So it's very important when paying close attention to the adversary and its techniques, technologies and tactics to remember this is a long game. It's really easy to overinvest on technical controls and then underinvest in cyberdefensive operations. And here's why - knowing the adversary can take years. So this is where our cyber analysts have brought their knowledge about offensive defense and brought that together to scale a solution. And so one of these that we developed is called SnapAttack. And this is a cloud-based software solution that brings together threat intelligence and hacker tradecraft to proactively detect and defend against cyberthreats. And one of its hallmarks, it also enables community collaboration around threat intelligence and attack emulation and detection analytics to help organizations identify vulnerabilities and risks before threat actors attempt similar techniques. And this library is really quickly becoming one of the largest libraries of documented attacker behavior in the world. 

Dave Bittner: And so this is a collaborative sort of thing? I mean, this is a - is this a public/private thing, or is this staying within Booz Allen? How does it work? 

Betsy Carmelite: So SnapAttack was developed and launched publicly by Booz Allen's DarkLabs. This is a multidisciplinary elite team of security researchers, threat hunters, penetration testers, reverse engineers, network analysts and data scientists dedicated to stopping cyberattacks before they occur. And they built this based on years of experience in the commercial and nation-state-level cyber operations and cyberdefense, otherwise known as blue teaming, as well as in cyberoffense, known as red teaming. And so last year, Booz Allen announced it had spun out SnapAttack to a standalone company. The product development team will continue to be led by SnapAttack's original developers, both of whom began their careers at Booz Allen, and really exemplify how we innovate and grow cutting-edge technology at scale. And so we're looking at this to be - and it's currently, really, a game-changer in that purple teaming space where you're seeing the red and the blue teams combine. 

Dave Bittner: And what is the ultimate goal here? I mean, as you move forward with these sorts of efforts, what are you looking towards the horizon? 

Betsy Carmelite: We are still very tied to this innovation solution, and we're making investments, such as in our carrier-grade 5G lab and our IoT incubator investments, so that we can incorporate those types of threat detection capabilities within that. And obviously, always looking for continued, you know, public partnership with how we can enhance that really robust detection library and library of threat analytics. 

Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.