The CyberWire Daily Podcast 12.12.22
Ep 1721 | 12.12.22

Ransomware updates: TrueBot, Cl0p, and Royal. Iranian cyberattacks. An update on the cyberattack against the Met. Notes on the hybrid war, with a focus on allies and outside actors.


Dave Bittner: TrueBot is found in Cl0p ransomware attacks. Royal ransomware targets the health care sector. Recent Iranian cyber activity. A night at the opera - an update on the cyberattack against the Metropolitan Opera. New Cloud Atlas activity has been reported. Europe looks to the cybersecurity of its power grid. Rob Boyce from Accenture describes dark web actors diversifying their tool sets. Rick Howard explains fractional CISOs. And international support for Ukrainian cyber defense continues more extensively and increasingly overt.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 12, 2022. 

TrueBot found in Cl0p ransomware attacks.

Dave Bittner: Late last week Cisco's Talos Group published an overview of recently observed TrueBot activity. The malware is being used by the Russophone gang Silence to distribute Cl0p ransomware. Cl0p attacks are typically double-extortion operations with data stolen before encryption. Talos writes, while investigating one of these attacks, we found what seems to be a fully featured custom data exfiltration tool, which we are calling Teleport, that was extensively used to steal information during the attack. There are some strong circumstantial indications that Silence is associated with the gang better known as Evil Corp and with the financial crime activity Fin11. There's so far insufficient evidence to suggest that the gang is focusing on any particular sectors to the exclusion of others, but Talos has noticed a number of operations against educational institutions. 

Royal ransomware targets the healthcare sector.

Dave Bittner: The Department of Health and Human Services has warned of the threat the Royal ransomware poses to the health care and public health care sector. The Royal ransomware first surfaced in September 2022. It appears to be operated by a single group rather than functioning as a ransomware-as-a-service model. 

Dave Bittner: A report from Microsoft found that the threat actor uses social engineering to distribute the ransomware, stating, the group has been delivering the malware with human-operated attacks and has displayed innovation in their methods by using new techniques, evasion tactics and post-compromised payloads. The group has been observed embedding malicious links in malvertising, phishing emails, fake forums and blog comments. In addition, Microsoft researchers have identified changes in their delivery method to start using malvertising in Google ads, utilizing an organization's contact form that can bypass email protections and placing malicious installer files on legitimate-looking software sites and repositories. A note in disclosure - Microsoft is a CyberWire partner. 

Recent Iranian cyber activity.

Dave Bittner: Researchers are discussing recent activity of Iran-linked threat actors, some of which are using a new data wiper, while others are updating a remote administration tool. Bleeping Computer reports that a new data wiper, Fantasy, has been seen in use by the Agrius APT group in supply chain attacks against targets in Israel, Hong Kong and South Africa. The campaign reportedly began in February of this year and took hold in March, victimizing an IT support services firm, a diamond wholesaler, a jeweler and an HR consulting company. This new wiper is an evolution of the Apostle wiper, seen previously in use by the hacking group, according to analysts from ESET

Dave Bittner: Iran-affiliated threat group MuddyWater has been observed by Dark Instinct researchers abusing a new remote administration tool known as Syncro against target devices, Dark Reading reports. Syncro is a managed service provider platform that replaced the group's other remote administration tool Remote Utilities, which was seen in use in September. The Hacker News says that the software allows for complete control of machines remotely, which allows for reconnaissance, backdoors and the sale of access to outside actors. 

Update on the cyberattack against the Metropolitan Opera.

Dave Bittner: The Metropolitan Opera in New York has sustained a cyberattack that shut down the opera house's website and box office. The Record reports that the attack was disclosed by the opera house on Wednesday evening. A Twitter post from the Met Opera account on Wednesday says, the Met has experienced a cyberattack that has temporarily impacted our network systems, which include our website, box office and call center. All performances will take place as scheduled. The Twitter thread continues on to say that new ticket orders, exchanges and refunds are unable to be processed and directs you to the opera house's site for updates. ABC7 reported that as of Friday, tickets are being sold on the Lincoln Center website and in person at David Geffen Hall. The FBI is also investigating. SC Magazine reports that this attack follows an attack on WordFly in July that victimized cultural organizations, including the Royal Shakespeare Company, Sydney Dance Company and the U.K.'s Old Vic Theatre. WordFly, the Record reports, was a provider of digital marketing services for a range of cultural organizations around the world. 

New Cloud Atlas activity reported.

Dave Bittner: Both Check Point Research and Positive Technologies report renewed activity by Cloud Atlas, an APT of uncertain provenance that's also known as Inception. There is a general consensus that Cloud Atlas is engaged in cyber-espionage and that it's at present collecting against targets related to Russia's war against Ukraine, notably in Russia and Belarus, who Cloud Atlas is working for or what strategic interests the ABT serves remain unclear. Neither Check Point nor Positive Technologies offer any attribution. In 2016, Kaspersky, writing in Virus Bulletin, reported very tentatively that there were circumstantial signs of Chinese activity behind Cloud Atlas, but it could equally well be evidence of code borrowing or false-flag operations. 

Dave Bittner: DomainTools took up the question in February of 2021, and their researchers also threw up their hands, stating, based on the observed activities, lures and likely geographic targeting, DomainTools assesses with high confidence that the campaigns in question form part of an unspecified espionage operation. While further speculation on particular attribution is possible, insufficient technical evidence exists that would allow DomainTools to attribute this activity to any distinct entity or country. 

Europe looks to the cybersecurity of its power grid

Dave Bittner: The Wall Street Journal reports that kinetic attacks against Ukraine's power grid have motivated European authorities to look to the cybersecurity of their own grid. Ukraine has disconnected its grid from Russia's and connected it to Europe's. And while there's concern about that new exposure and managing an expanded attack surface, the EU seems also to be concerned about a shortage of qualified cybersecurity operators who could be employed in safeguarding its grid. 

International support for Ukrainian cyber defense.

Dave Bittner: The Hill describes the scope of U.S. Cyber Command hunt-forward operations. U.S. teams have conducted 35 operations while deployed to 18 countries, including Croatia, Estonia, Lithuania, Montenegro, North Macedonia and Ukraine. The U.K. and other NATO members have also rendered cyber assistance to Ukraine and Eastern European countries at risk of Russian cyberattack. Assistance is also arriving in Ukraine from the private sector. AFR reports that Canberra-based security firm Internet 2.0 has signed a memorandum of understanding with Ukraine's Ministry of Digital Transformation to provide cybersecurity training to Ukrainian veterans. 

Dave Bittner: After the break, Rob Boyce from Accenture describes dark web actors diversifying their tool sets. Rick Howard explains Fractional CISOs. Stay with us. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. But more important than any of that stuff, he is the host of the "CSO Perspectives" podcast right here on the CyberWire Network. Hello, Rick. 

Rick Howard: That was a brilliant introduction. I'm going to take that to the bank, sir. 

Dave Bittner: (Laughter) Thank you. Thank you very much. 

Rick Howard: (Laughter). 

Dave Bittner: You know, I was thinking recently about you and I when we were back at the RSA Conference this year, way back in June. And you came into our broadcast studio, and you were all wound up about this new thing, something called fractional CISOs. So for our audience, what the heck is a fractional CISO? 

Rick Howard: Yeah, you're - no kidding. So before the RSA Conference, I'd been aware of a few of my friends - these are former CISOs - hanging their shingles out to come in and advise CEOs about how to think about cybersecurity in terms of business risk or to come in and help them stand up their first InfoSec program while they were looking for their first CISO or even to come in after a breach to put their fingers in the dikes until more permanent measures could be established. And I was calling them virtual CISOs, and they were more like advisers or contractors. But at RSA, I was talking to another friend of mine, a veteran in the cybersecurity space, Todd Inskeep. Have you ever met him, Dave? He was one of the... 

Dave Bittner: Yeah, yeah. I've interviewed him, yeah. 

Rick Howard: Oh, sure. He was one of the key players when we created the Cyber Threat Alliance a few years ago. And today, he's the founder and senior managing director at Incovate Solutions, a company that provides these kinds of services. But he has a much better name for it. He called them fractional CISOs. So here's Todd explaining it. 

Todd Inskeep: We've seen over the years the idea of a fractional chief financial officer, a fractional chief information officer, information technology officer. And the next step is obviously to think about it from a security perspective. We've seen the SEC and others put more emphasis on cybersecurity as part of the governance of a publicly traded company. It's clearly in the headlines with ransomware and other threats all the time. And so companies are starting to think about, how do I get some cybersecurity expertise that's focused on business as opposed to the IT technology team that's thinking firewalls, configuration controls, all the details that matter for cybersecurity but don't really translate into business terms? 

Dave Bittner: All right, so why not just hire a CISO? Why are contracted CISOs attractive to CEOs? 

Rick Howard: That's the question I asked him. But there are basically two reasons for this, I think, right? First is that CISOs are expensive. You know, the average salary is just north of $200,000, and the more experienced CISOs go for a lot more. But the second one, and probably the more important one, is business experience. You know, newly minted CISOs are likely coming in from the tech side of the house or rising up from the infosec ranks. They don't have a lot of business experience yet. So with a fractional CISO, you can get the advice of a seasoned pro, someone who's been there and done that. Especially for small- to medium-sized organizations that don't have a lot of resources and don't know where to start, a fractional CISO is a viable alternative. So on this week's "CSO Perspectives" episode, I interview Todd about this new fractional CISO development, and then we talk about the evolution of the CISO job and where it might go in the future. 

Dave Bittner: All right. Well, that is on the pro side, the subscription side of the house. What's the episode that you're sharing over on the public side? 

Rick Howard: Yeah. So each week we pull an episode from the "CSO Perspectives" archive and make it available to everybody in the public feed. This week's show is one of my favorites, Dave. It's from March of this year. It's about intrusion kill chain models, and you've heard me flap on about this over and over again. 

Dave Bittner: Yeah. 

Rick Howard: But most listeners are probably familiar with the Lockheed Martin kill chain model and the MITRE ATT&CK framework. Some are even aware of the DoD's Diamond Model. But I would guess that most think those are three distinctive and completely different models. But that just isn't true. They're all pretty much in the same vein. One is a strategy document - Lockheed Martin. One's an operational construct for defensive action like MITRE. And one is a methodology for cyberthreat intelligence teams - the Diamond Model. So in this show, we'll talk about how they all work together and how they can work in your own organization. 

Dave Bittner: All right. Well, before I let you go, what is the phrase of the week over on the "Word Notes" podcast? 

Rick Howard: Yeah, we had a little fun this week with this one. The word is SSIDs, or service set identifiers. These are the names of Wi-Fi networks we connect to, you know, when we're at the local Starbucks, our hotels and our homes. So we explain what SSIDs are and even review the top five funniest neighborhood SSID names. And I'll give you a hint, Dave. The SSID I use in my home router, the name that all my neighbors see when they are connecting to their own Wi-Fi routers, is FBI surveillance van No. 37. 

Dave Bittner: (Laughter) Yes, I was just going to say FBI surveillance van. I think that is practically a cliche. My other favorite is Abraham Linksys. 

Rick Howard: (Laughter) There's about a few thousand websites that list all these great names. So I highly recommend them. 

Dave Bittner: Right, right - absolutely. All right. Well, Rick Howard, again, is the CyberWire's chief security officer, also our chief analyst and the host of the "CSO Perspectives" podcast. Rick, thanks for joining us. 

Dave Bittner: And joining me once again is Robert Boyce. He is the global lead for cyber resilience and an advisory board member at Accenture. Rob, it's always great to welcome you back to the show. I want to touch base with you today on some of the things that you and your colleagues are tracking when it comes to dark web actors and some of the toolsets that they're using. What can you share with us? 

Rob Boyce: Yeah. Thanks, David. I'm happy to be back as always. You know, I think there is probably an understanding to some level of the tools that threat actors use in general for - to complete their missions. And, you know, I think a lot of people probably have the perception that there's a lot of free tools that they're using, underground tools and also tools that they're making. And, yes, those are all true. But what maybe a lot of people don't realize is that there's also a lot of commercially available tools that the attackers are using. And these tools are typically targeted towards, you know, the white hat hackers who are doing pen tests and checking for vulnerabilities, similar to what Accenture does for our clients - you know, just making sure that we're being able to simulate what a threat actor would do. 

Rob Boyce: And there have been a number of these tools, probably most famously Cobalt Strike, that threat actors love to use as well. And so, you know, when we are in the field doing a lot of our incident response, we often see Cobalt Strike as part of the, you know, command and control framework that the attackers are using. And we have seen, you know, threat actors on dark web marketplaces selling access or selling codes or selling licenses or cracked versions of the software for threat actors to be able to use. And so it's becoming a well-known tactic of threat actors. What we've started to see is that a lot of - some of the other additional commercially available tools are now also being targeted for use by threat actors. 

Rob Boyce: So, you know, we're seeing them just look for other commercial tools similar to Cobalt Strike. Brut Ratel C4 is one that comes to mind now that we're starting to see in the field. Again, this is a commercially available product, and now we're starting to see, you know, threat actors sell licensing or cracked versions of this software as well, which is also super-interesting to me as starting to pivot - you know, pivot from one tool to another to try and help avoid detection. 

Dave Bittner: Yeah. I was going to ask you about that. I mean, when folks are using legitimate tools here, tools that legitimate pen testers use, is it likely that those tools have a better chance of getting in or may not raise the same level of alert as some sort of illicit tool? 

Rob Boyce: That shouldn't be the case, right? There should be - you know, detection strategy should be in place comprehensive enough to be able to detect the commercial tools and the underground tools. But what I do see is, you know, these tools are just convenient. You know, they're packaging up what you would have to, say, use four to five or six different bespoke tools or homemade tools into one package. So it just makes it a little bit easier for them to be able to operate against their - you know, their mission. 

Rob Boyce: What we are seeing is a lot of defenders now that - you know, say, Cobalt Strike, for example, is a well-known tool for attackers. They do start to over-pivot to look for, you know, indicators that - of that tool set. And so other tools that are like, you know, Brut Ratel or Nighthawk or others that are commercially available products may be - because they may be newer or they have different evasion techniques, they're not as easily to be detected in the infrastructure of a lot of organizations today. So, you know, being able to move from one tool set to another is allowing them to avoid detection for longer periods of time. 

Dave Bittner: You know, I can't help thinking that - we hear the stories about, you know, cracked versions of commercial software often having malware within it. And I can't help wondering if some of these folks on the dark web who are going after these cracked versions of these tools, you know, find themselves being victimized by some other people in the ecosystem. 

Rob Boyce: Yeah, that's an interesting thought. I have not heard of that happening. 

Dave Bittner: Yeah. 

Rob Boyce: But that is actually very interesting. But I got to tell you, like, I think I've never ceased to be surprised or amazed of really how ethical the underground community is in the dark web because, you know, if you do not follow through with your commitment or you're selling something that may have embedded malware in it, you know, you're probably not going to make another sale. So it is always surprising to me, you know, just how - I mean, maybe ethical is not the right word, but... 

Dave Bittner: Honor among thieves, right? 

Rob Boyce: Yeah, honor among thieves - exactly right. 

Dave Bittner: So in terms of what folks can be doing about this, any words of wisdom there? 

Rob Boyce: Yeah, absolutely. You know, I think one thing that I have found - that a lot of organizations are heavily reliant on endpoint telemetry now - leveraging their antivirus, leveraging their EDRs, which are great, and they should be. But when we're thinking about things like data exfiltration as well as command and control frameworks, we need to be looking at the network level as well. And so what I'm finding is there's just been an over-rotation to endpoint telemetry and not enough focus on network telemetry. 

Rob Boyce: So it really will be important for organizations to truly understand, you know, what type of network telemetry from the devices they have will help them identify things like command and control frameworks and then, of course, start doing some proactive hunting for those. And sometimes the only way to identify these is through a proactive threat hunt because there may not be telemetry that's sufficient to be alerting on the presence of these. And you may need to go and look for them, which is why we're always, you know, recommending organizations not just sit back and hope that their detection rules are sufficient but to also go out and proactively look for indicators of C2 and other frameworks like that. 

Dave Bittner: Well, Rob Boyce, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.