The CyberWire Daily Podcast 12.9.22
Ep 1720 | 12.9.22

Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams. CISA releases three new ICS advisories. And criminals prey on other criminals.

Dave Bittner: COBALT MIRAGE deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams - on the cyber front, nothing new. CISA releases three new ICS advisories. Caleb Barlow on attack surface management. Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding. And criminals prey on other criminals.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 9, 2022. 

Cobalt Mirage deploys Drokbk malware.

Dave Bittner: Secureworks Counter Threat Unit researchers have been investigating the Drokbk malware, and they published their findings this morning. The malware was found to be operated by a subgroup of Iran's government-sponsored COBALT MIRAGE threat group, which the researchers know as Cluster B. The Drokbk malware was detected in use as early as February of this year, in that case, during an intrusion targeting a local U.S. government network. The COBALT MIRAGE threat group appears to prioritize achieving remote access via the Fast Reverse Proxy tool; while subgroup Cluster A prefers a modified version of the tool known as TunnelFish, Cluster B prefers to leave the tool unmodified. 

Dave Bittner: Cluster B uses GitHub as a dead drop resolver to locate its C2 infrastructure. GitHub allows for these threat actors to fly under the radar more easily. Secureworks principal researcher and thematic lead for research focusing on Iran, Rafe Pilling, put it this way. The use of GitHub as a virtual dead drop helps the malware blend in. All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions. This technique is also interesting, as it is unusual for Iranian malware and represents a departure from past Iranian practice. 

Zombinder in the C2C market.

Dave Bittner: Threat Fabric researchers tracking Android banking Trojans have found a criminal service, Zombinder, that offers to bind such Trojans to otherwise legitimate apps. The researchers say, the latest campaign we identified while writing the blog involving Zombinder was distributing Xenomorph banking Trojan under the guise of VidMate application. 

Dave Bittner: It's another offering being traded in the criminal market. Threat Fabric draws some larger lessons from the incident, stating, modern threat landscape becomes more and more sophisticated, where actors combine multiple approaches in malware development, distribution, operation as well as performing fraud itself involving multiple tactics at the same time. New tools appear to make malware less suspicious or more trustworthy for victim, which results in more successful fraud cases. Moreover, targeting multiple platforms, actors are able to reach wider audience and steal more PII to utilize in further fraud. 

Impersonation scams: that's not Ukraine’s Ministry of Digital Transformation.

Dave Bittner: Other criminal groups have made use of the Russian war against Ukraine and the widespread sympathy for Ukraine that war has aroused to mount impersonation campaigns designed to steal crypto assets. A great deal of aid collected from people globally has been delivered to Ukraine in the form of cryptocurrency, and criminals have taken note of the opportunity that presents them. Domain Tools this morning provided an update of their ongoing study of criminal scammers who have sought to steal NFTs and cryptocurrency from retail investors. 

Dave Bittner: The researchers state, Domain Tools observed and continues to track a cryptocurrency scam campaign impersonating Ukraine's Ministry of Digital Transformation as part of a broader effort to steal nonfungible tokens and cryptocurrency from retail investors. Using the ruse of funding urgently needed military equipment and humanitarian supplies for Ukraine's defense against a Russian invasion, a Twitter account began promoting two malicious lookalike domains central to this fraudulent fundraising campaign. These two domains share a host that offers pivots to several different types of cryptocurrency scams, likely operated by the same actor. In addition to showcasing cybercriminal opportunism, this campaign helps illustrate broader themes related to the underlying social engineering methods cybercriminals use to bypass a target's healthy skepticism for illegitimate purposes, as well as the power of pivoting through internet infrastructure to identify and track malicious activity. 

Dave Bittner: The good news, Domain Tools says, is that the relative quick exposure of the scams has limited their effectiveness, and the hoods appear to have turned to other impersonations and other forms of phishbait. But continued wariness and skepticism remain in order. If there's the prospect of making some quick altcoin, the scammers won't hesitate to revert to saying that, no, really, take it straight from us, friend. The way to help suffering Ukraine is to click here.

On the cyber front, nothing new.

Dave Bittner: Meanwhile, on the cyber front of Russia's hybrid war against Ukraine, there seems to be little new. Low-level incidents have been reported in Finland and Denmark but without attribution to Russia, indeed, without attribution to anyone. There is an a priori likelihood that the attacks may represent nuisance operations by Russian auxiliaries, but that's, at best, circumstantial. 

CISA releases three ICS advisories.

Dave Bittner: CISA yesterday released three industrial control system advisories. Operators should consult the advisories for appropriate remediations and then read them and heed them.

Scammers scamming scammers.

Dave Bittner: And finally, what happens when crooks rip off other crooks? Big deal, right? Actually, it's interesting, even if your sympathies, like ours, are entirely against the hoods, the goons, the other assorted no-goodniks and predatory losers who cumber the Internet. So here's what Sophos researchers are telling everyone about this particular corner of the underworld. It's a bigger business than we would have imagined. First, Sophos says it's big business, a sub-economy in itself. How big, you ask? Well, this big - over the past year, crooks have lost more than two and a half million U.S. dollars in just three criminal forums. It's become such a problem that the forum administrators have established what they're calling arbitration rooms where aggrieved crooks can seek redress of grievances against their fellows. Second, while it's often about the money, that's not always the case. Chest-beating, score-settling, scrambling for place in the criminal pecking order, all of these are just as common as direct theft. Think of it as competition for underworld market share. 

Dave Bittner: Third, the scams being run against the scammers aren't just the crude smash and grab stuff one might expect. Sophos says, we saw referral cons, fake data leaks and tools, typosquatting phishing, alt rep scams, the use of sock puppets to artificially inflate reputation scores, fake guarantors, blackmail, impersonated accounts and backdoored malware. And the victims look for payback. As the researchers put it, we even found instances where threat actors got revenge by scamming the scammers who scammed them. Fourth, some of the criminal-on-criminal crime is of long duration and requires patience and extensive preparation. There are, for example, what Sophos calls tentative links between 19 scam sites targeting other criminals and one active dark web drug pusher. 

Dave Bittner: So again, who cares? Sophos thinks that anyone interested in threat intelligence about the workings of the cyber underworld should care. They say that cybercriminals are often cagey users of good opsec, but being scammed throws them off their game. And when they feel someone has done them wrong, they drop their guard in those arbitration rooms and reveal more about themselves than they otherwise might. So, Sophos concludes, this hidden sub-economy isn't just a curiosity. It gives us insights into forum culture, how threat actors buy and sell, their tactical and strategic priorities, their rivals and alliances, their susceptibility to deception and specific, discreet intelligence about them. The researchers plan to follow up with further reports on this aspect of the underworld over the coming weeks. And we'll be watching with interest. Coming up after the break, Caleb Barlow on attack surface management. Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding. Stick around. 

Dave Bittner: The U.S. federal government has set aside $1,000,000,000 in cybersecurity funding for state and local governments as part of the bipartisan Infrastructure Improvement and Jobs Act. Mike Hamilton is CISO of cybersecurity firm Critical Insight, and he's been working directly with state and local governments to apply for their share of the money. 

Mike Hamilton: Every state is going to do this a little differently, first of all. What they want to do is have states establish committees, and those committees will be made up of state and local government officials, public health folks, education folks. What that committee will do - they've been given a little bit of funding. For example, Washington state, I think they have $3.7 million, and that's to conduct a year of planning. OK? So the states are being funded to come up with a plan that looks broadly across the entire jurisdiction. 

Mike Hamilton: Step one is to construct the committee that's going to develop that plan, and then local governments must consent to the state plan in order to receive funds for items, services, capabilities, activities, things like that. And the plan has to hit specific elements and be measurable. So in a nutshell, that's what we're looking at. And, you know, like I say, states are going to do this differently. They may have local governments all assess themselves and come up with, you know, here are my gaps that I need to be filled. But because it is fairly prescriptive, you know, the state is going to have to say, OK, as a state, here's how we're all going to do this. And there's likely to be pushback from certain places. 

Dave Bittner: Where do you suppose there'll be pushback? 

Mike Hamilton: Well, so yesterday I was at a conference in a state and in speaking with the people there, they thought that this would not work well in their state - in fact, I'll just say it's Idaho - because kind of the center of gravity in Idaho is Boise. And listening to Idahoans, Boise gets all the funding at the expense of a lot of the other jurisdictions. And they really don't like Boise. You know, I mean, there's kind of this, you know, anti-government subcurrent running there. And so it's going to be more difficult for Idaho, for example, to have a, you know, consolidated plan - here's how we're all going to do this. Some of them are just going to tell them to pound sand. 

Dave Bittner: Wow. It also strikes me that obviously, you know, not every state is created equal or of the same scale. I mean, California operates at a different level than, say, North Dakota does. How does this take into account that, in terms of what they'll be willing to distribute, the various amounts? 

Mike Hamilton: Yeah. So the funding is scaled to state population. And so, for example, the small amount that's been allocated right now just for this year of planning - you know, New Hampshire got a lot less than Washington state, for example. 

Dave Bittner: Mmm hmm. Is this just a one-time funding opportunity, or is there any expectation that this could become an ongoing thing? 

Mike Hamilton: I believe this billion dollars is to last four years - three or four years. And I don't think there's anything after this, so. And that raises an interesting question, too - right? - of sustainability. And, you know, so, for example, let's say that, so every - we got to monitor all the networks - right? - at the network and user level. That's one of the things embedded in here. And because there are no human resources to, you know, act as analysts out in some of these rural places, managed services are the only way they're going to be able to do this, right? So the state committee is going to have to take that into consideration. So, you know, you contract a managed service for the three- or four-year duration of this grant, and then what, you know? So there needs to be a then-what that comes after this. And, you know, is that going to fall on the state? Is that going to fall on the locals? I don't think we know. 

Dave Bittner: No, I mean, it reminds me, you know, of a small community gets a grant to buy a new snowplow, and that's great. But now they've got to maintain the snowplow. 

Mike Hamilton: Yeah, it's O&M. Yeah. 

Dave Bittner: Right. Right. What about the talent issue here? I mean, having enough people and being able to, you know, pay them what they're used to - but I'm thinking particularly in rural areas, as you mentioned, that's going to be a challenge of its own. 

Mike Hamilton: It is. And there is - there's a very interesting part of the - you know, you have to hit these metrics here. And one of them is they need to align with the NIST NICE framework, which is all about education. So, you know, it's like, you know, one of these things is not like the others, right? You use the National Initiative for Cybersecurity Education workforce framework for cybersecurity developed by NIST. There's a whole lot of fed speak in this thing. But so I think there is an opportunity there for novel solutions. For example, I don't know if you and I - I think we've talked about the Pisces project that... 

Dave Bittner: Mmm hmm. 

Mike Hamilton: ...We started, which is monitoring small local governments for free in return for collecting data from those networks and using it as live-fire curriculum for universities. And so we're going to be, you know, speaking with state representatives all over the place, because we can set that up in a state. That is more sustainable, and what it does is it creates the bench of the people that you need going forward while you're providing this stopgap, you know, analyst service that's based on students. So in a longer term, you know, that should move the needle. It should increase the bench strength, you know, here in the United States. 

Dave Bittner: Are there any opportunities with this for states to team up? 

Mike Hamilton: There's more of an opportunity to do this broadly across a single jurisdiction, where that jurisdiction is defined as the state. But there is some wording in here about how states could get together. There's a matching - a funds matching requirement in here. And to avoid the matching requirement - that's what they say - you need to get together and do things, you know, en masse. And so, you know, there may be some states that try to work across state lines together. Which states are friendly with each other, you know? 

Dave Bittner: Right. 

Mike Hamilton: It's hard - I don't know that's going to work out. 

Dave Bittner: Right - the Dakotas, the Carolinas, the - Virginia. 

Mike Hamilton: Exactly. 

Mike Hamilton: New Hampshire and Vermont. 

Dave Bittner: Right. Right. 

Dave Bittner: That's Mike Hamilton from Critical Insight. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it's always great to have you back. I want to touch today on attack surface management. It's getting a lot of attention lately. And I know you have some thoughts here. What do you have to share with us today? 

Caleb Barlow: Well, attack surface management is officially the new most-overused term on the RSA show floor. And that's an official stat. 

Dave Bittner: Has it surpassed artificial intelligence and machine learning? 

Caleb Barlow: Oh, without a doubt, without a doubt, right? 

Dave Bittner: All right. OK. Fair enough. 

Caleb Barlow: And, you know, I think the point here is we need a little clarification with it. So first of all, this is an extremely important concept. And the basic idea is, do you understand your attack surface, both what's coming from your own data centers, but also what's in your cloud? And you really need to understand that attack surface both external to the world as well as internal to the world. You know, common scenario - let me pick on a hospital as an example, right? 

Dave Bittner: Yeah. 

Caleb Barlow: And, you know, in my prior company, we used to go do these assessments. You go in, and the hospital will tell you, oh, well, we have 1,527 medical devices. How do you know that? Well, that's what our system tells us we have. So we need you to go audit those. OK, great. We go off, spend a week or two. We come back. Actually, you have 6,528 medical devices. 

Dave Bittner: (Laughter) Of course. 

Caleb Barlow: And I'm not exaggerating on the ratio here, right? 

Dave Bittner: Yeah. Yeah. 

Caleb Barlow: And then you kind of have this, oh, no, because, what are they? Where are they? What do they do? How did they get here? And, you know, a hospital's a great example of, you know, kind of the world's worst scenario of BYOD because a lot of these things were plugged in by different medical practices working in the hospital, or, you know, a doctor gets a new medical device and it connected to the Wi-Fi, or they - or whatever, right? You've got to understand your attack surface, both internally and externally. Now... 

Dave Bittner: Right. 

Caleb Barlow: ...Here's where the problem comes into play. There are fundamentally two ways in which this is being done. So this involves identifying your IP space and then scanning it - scanning it for ports, scanning it for devices, scanning it for servers... 

Dave Bittner: Right. 

Caleb Barlow: ...And trying to enumerate what those are and where they are. Well, most of the companies out there today are doing this from your logs, meaning that their tool goes and taps into, let's say, your SIEM or Splunk or something like that, and pulls those logs and says, hey, what is every IP address that I see? In some cases, they take it to the next step, and they go and they scan, you know, kind of network traffic and say, OK, what are all the IP addresses that seem to appear inside your network? And those things are great. 

Caleb Barlow: But the - and, you know, there's all kinds of great traffic lighting and pretty charts and reports. But the problem with those approaches is that, in theory, that's the stuff you should already know about 'cause it's already in your logs, right? What we're really after is the stuff you didn't know was in your environment. And that's where you've really got to look at tools that scan. 

Caleb Barlow: And there are kind of two types of scanners out there - one that you can kind of point at your IP space and say, scan this. And what you really want to be doing is scanning it on a regular basis because you're not just interested in the server that appears there that, oh, yeah, I forgot about that test server that - you know, we need to get that locked down. You've also got to be scanning constantly for the cloud instance that got stood up or the server that maybe got rebooted, and when it rebooted it was misconfigured, right? So the idea here is you want to be constantly scanning that attack surface to say, wait a second, where did this new device or this new cloud environment come from, and was I expecting it? 

Caleb Barlow: You know, the other form of scanner are these tools - you know, and there're kind of only two out there that really do this at scale. And that's, you know, Censys and Shodan. And they scan the entire internet space, right? 

Dave Bittner: Right. 

Caleb Barlow: And those are very valuable tools when you combine them with something like Maltego to go in and say, hey, what am I connected to? What else is out there that I'm working with? And that's where attack surface management really needs to head, is not only, what do I look like from, you know, kind of an independent scanner looking at this, but also, what's all that stuff connected to? 

Dave Bittner: How do you keep this process from spinning out of control - you know? - 'cause - I'm thinking an - like a hospital, you know, something running at that scale. There are constantly going to be things being plugged in and disconnected. And a printer breaks, and we buy a new printer. And, you know, how do you keep from chasing your tail? 

Caleb Barlow: Well, if you're not organized, that's all you're doing. And I remember, oftentimes the feedback from clients would be, hey, we don't actually want to do this scan because we're going to find this stuff, and then we're going to have to deal with it. And, you know... 

Dave Bittner: Yeah. 

Caleb Barlow: ...You kind of scratch your head and go, all right, that's probably not the right answer. But, you know, what you really should be doing is when a new device appears in the network - and there are lots of tools that will do this - before it gets connectivity, you got to fill out some forms and answer some questions, right? So more advanced companies, you know, if you bring a new tablet or a laptop in, the first thing that happens is that thing can't go anywhere until you fill out the form. Who is it? Who owns it? What is it, you know? And then, now all of a sudden, you've got a registered asset, right? 

Dave Bittner: Right. 

Caleb Barlow: And you know who to go to when it needs to be updated or patched or what have you. So that's where you really want to head. But, you know, where I think this is headed as an industry is to look at attack surface beyond just your company and start to look at attack surface of your suppliers and where things are connected, right? You know, it's one thing to say, hey, I've got you know, I get services from supplier A, and supplier B is my backup, you know, so I've got redundancy, which sounds great until you find out that supplier A and supplier B - both run out of the same data center on the same infrastructure. And then you realize, actually, you have no redundancy at all. And that's the type of thing that a lot of companies are really starting to look at, is the critical aspects of their supply chain. You know, there's - and this is where AI and ML come into play, right? If I know that, you know, this particular path of my supply chain is absolutely critical, where are their lacks of - lack of redundancy, for lack of a better term, in that - you know, in that path that I maybe didn't know about? And attack surface will tell you that. Or, hey, where are there huge vulnerabilities, and does my supplier realize this? 

Dave Bittner: And is this a case of not relying on self-attestation from your suppliers? - trust but verify, or... 

Caleb Barlow: Hundred percent, right? Now - well, actually, let me say that in two ways. There are companies out there that do this without the involvement of the company they're scanning. And the reality with those scenarios - you know, these are often used by insurance companies for underwriting - it's really nearly impossible to get an accurate result because you've got so many false positives. I mean, I remember at a prior company, we had many deception honeypots out there. And one of these companies would enumerate our honeypots all over the place. Oh, your - this - you know, your security posture is terrible. Look at all these vulnerabilities. Yeah. We're just going to leave those vulnerabilities there. 

Dave Bittner: Right. Right. 

Caleb Barlow: You know, so there's a lot of false positives in that space. But, you know, ideally, it's interactive. Right? But yeah, there is a bit of an aspect of trust but verify here. 

Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with AJ Nash from ZeroFox. We're discussing the cybersecurity threats, including social engineering attacks, surrounding the Qatar 2022 World Cup. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brendan Karpf, Eliana White, Puru Prakash, Liz Urban, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yellin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoshide (ph), Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.