Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist?
Dave Bittner: GOOTLOADER's Evolution. Yandex source code has been leaked, and Yandex blames a rogue insider. New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the U.S. trade accusations of malign cyber activity. A hacktivist auxiliary's social support system. Deepen Desai from Zscaler describes the LilithBot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance, too - LockBit impersonators are seen operating in northern Europe.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 30, 2023.
Dave Bittner: Mandiant has published a report outlining notable changes to the GOOTLOADER malware over the course of 2022. The researchers say these changes include the use of multiple variations of the FONELAUNCH launcher, the distribution of new follow-on payloads and changes to the GOOTLOADER downloader and infection chain, including the introduction of GOOTLOADER.POWERSHELL. The malware is also using new techniques for obfuscation. GOOTLOADER is distributed via malicious business-related documents hosted on compromised websites, and defenders should be on the lookout for fresh campaigns.
Yandex source code leaked.
Dave Bittner: Source code belonging to Yandex, the Russian search engine giant, was leaked online. The leak doesn't appear to contain any customer data, BleepingComputer writes, and Yandex says the incident was an insider breach, not the result of an external attack. The files were stolen last July, and a former Yandex executive speculates that the motivation for the leak was political. In any case, the hackers responsible don't appear to have tried to sell the code.
New GRU wiper malware active against Ukraine.
Dave Bittner: Security firm ESET says a new strain of wiper malware they're calling SwiftSlicer has been deployed against Ukrainian networks. ESET Research tweeted, "On January 25, ESET Research discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named SwiftSlicer using Active Directory Group Policy. The SwiftSlicer wiper is written in Go programming language. We attribute this attack to Sandworm."
Dave Bittner: The Sandworm group is operated by Russia's GRU, and SwiftSlicer represents a successor to HermeticWiper and CaddyWiper, both of which the Russian service had deployed against Ukraine in the early phases of the invasion. HermeticWiper was identified in February 2022, during the opening days of the invasion. CaddyWiper was observed the following month. ESET has not identified the organization or organizations affected by SwiftSlicer.
Dave Bittner: The Ukrainian Computer Emergency Response Team, CERT-UA, on Friday reported identifying five distinct strains of wiper malware in the networks of the Ukrinform news outlet. The strains and the systems affected were CaddyWiper, ZeroWipe and SDelete, all affecting Windows; AwfulShred, which is effective against Linux systems; and BidSwipe, which is used against FreeBSD. The Russian hacktivist group Cyber Army of Russia Reborn claimed credit in its Telegram channel for the infestations. BleepingComputer says that two of the strains, ZeroWipe and BidSwipe, represent either novel malware or, if they're existing, known strains that are being tracked under unfamiliar names by CERT-UA.
Latvia reports cyberattacks by Gamaredon.
Dave Bittner: The Gamaredon APT seems to have tried a phishing attack against Latvia's Ministry of Defence last week. The Record reports that Latvian officials said the attempts were unsuccessful. The apparent motive is said to have been counterespionage. The group is also known as Primitive Bear and widely believed to be operated out of occupied Sevastopol by Russia's FSB.
Russia and the US trade accusations of malign cyber activity.
Dave Bittner: TASS quotes Russia's deputy foreign minister as saying that the U.S. has been responsible for recruiting and training members of Ukraine's auxiliary IT army, a hacktivist group active against Russian targets. On Friday, Roskomnadzor, Russia's internet agency, blocked Russia's access to the U.S. FBI and CIA sites, Interfax reports. They are run, Roskomnadzor says, by a hostile country, and they aim at destabilizing the social and political situation in the Russian Federation. Blocked, along with the FBI and CIA, is the U.S. State Department's Rewards for Justice site, which offers a bounty for information on four categories of malign activity - terrorism, foreign election interference, malicious cyber activity and, finally and simply, North Korea.
Dave Bittner: Thursday, shortly after the U.S. Justice Department announced the international operation that disrupted the Hive ransomware gang, Rewards for Justice tweeted the following offer - "If you have information that links Hive or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward."
Dave Bittner: That is, to gloss the offer, we're looking at you, Russia. Hive is a Russian criminal ransomware operation, and, like most Russian gangs, it has connections with Russia's security and intelligence organs. Information tying Hive to the Russian government could qualify for an award of up to a cool $10 million. A comrade could retire on that, couldn't they?
A hacktivist auxiliary's social support system.
Dave Bittner: Military auxiliaries exist within a social context that provides both moral and sometimes even financial support. Consider benign examples that will be familiar to readers in the U.S., like the Civil Air Patrol and the Coast Guard Auxiliary. They function as civic organizations in a civil society, at least as much as they operate as auxiliaries of the Air Force and the Coast Guard. The same seems to be true, to a limited extent, with hacktivist organizations serving as security and intelligence service auxiliaries. Radware describes the support system that's grown up around Russia's Killnet group, stating, "It's not common for analysts to have the opportunity to study the social circles of criminal organizations. But occasionally, a group emerges that is more transparent than others. Examining a criminal organization's social presence can give analysts valuable insights into the structure and operations of the organization, as well as the relationships and connections between its members and the community around them."
Dave Bittner: Killnet is the sort of group that lends itself to such analysis, and Radware describes three organizations that have been prominent in their support of the hacktivist mission. First, Infinity Music, a music label whose star rapper, Kazhe Oboyma, has published a song called "KillnetFlow (Anonymous diss)." This isn't financial support. Rather, it's support in the form of bad boy street cred 'cause if you know Kazhe Oboyma, you know he's always been official. Second, HooliganZ jewelry, a Moscow-based designer of street-inspired jewelry, is selling Killnet-branded drip. And it's worth noting, in passing, how much both Infinity Music and HooliganZ jewelry owe to American pop culture. Their street cred is derivative, and that's something the Kremlin can't be entirely comfortable with. Third, Solaris marketplace - and here we're on more familiar ground. Solaris is a darknet criminal marketplace, and it's made financial contributions to Killnet.
Dave Bittner: Radware concludes, "From financial contributions, to active participation in illegal activities, to passive support through art and entertainment, the social circles of Killnet demonstrate the complexity of criminal organizations' relationships, connections and structure." And, we might add, the seductive power of American popular culture - not that that's a good thing or a bad thing. It's just a thing.
LockBit impersonators seen operating in northern Europe.
Dave Bittner: And finally, Security Affairs reported Saturday that the LockBit locker malware has been seen in use, targeting small and mid-sized businesses in northern Europe. Though this malware is primarily operated by a group bearing the same name, these attacks don't appear to originate from the gang. Rather, they seem to be the work of copycat actors who procured a leaked version of the gang's malware. One instance, targeting a Belgian company, was observed in which a swath of internal files was encrypted by the faux LockBit offenders. Fortunately, the company was able to resume normal operations after restoring their network from a backup, though the damage that can be wrought, even by unseasoned, unaffiliated wannabes, as Security Affairs affectionately calls the operators, remains considerable.
Dave Bittner: Coming up after the break, Deepen Desai from Zscaler describes the LilithBot malware, and Rick Howard looks at chaotic simians. Stick around.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst and also our chief security officer. Rick, it is always my pleasure to welcome you back.
Rick Howard: Hey, Dave.
Dave Bittner: So over on our CyberWire Slack channels this week, you have been talking about this thing called chaos engineering. I'm slightly familiar with that term, but I'll admit I don't know a whole lot about it. What are we talking about here, Rick?
Rick Howard: So it's a phrase that describes a disruptive and, some would say, radical idea in the area of cybersecurity resilience.
Dave Bittner: Well, if I'm remembering correctly, resilience is one of your key first principles strategies, right?
Rick Howard: Yeah, that's right. And while we've been watching that lane of research for the past couple of years, we noticed that a handful of Silicon Valley tech giants have been using this technique since the late 2000s to ensure that their worldwide system of systems never goes down.
Dave Bittner: So what makes chaos engineering so radical?
Rick Howard: Well, these chaos engineers run experiments on their production systems - and that's the key phrase, their production systems, right? They're designed to discover systemic weaknesses in their system design, and that's a really fancy way to say that they intentionally destroy - I guess they would say they seriously degrade it - but pieces of their production network to observe if their deployed resilience systems handle the situation the way they designed it to.
Dave Bittner: My recollection of this is that it was kind of made famous by the folks over at Netflix a couple of years ago. Didn't they have a - it was a software module they called Chaos Monkey.
Rick Howard: Yeah, I love that name, right? So - and these days, Netflix has deployed an entire suite of these chaos engineering resilience tools, something they call the Simian Army. How cool is that, right? And they have really cool names like Latency Monkey and Conformity Monkey and Doctor Monkey, just to name three, so.
Dave Bittner: King Kong (laughter).
Rick Howard: I know. That's what comes to mind when I thought about it, too.
Dave Bittner: Yeah.
Rick Howard: So in this week's "CSO Perspective" podcast, over on the CyberWire Pro side, we talk about the history of chaos engineering and how this is an advanced technique that maybe not everybody should use. But if you're a large Fortune 500 company or maybe even a gigantic government institution that absolutely has to keep your systems running 24 by seven, then this is probably a technique you should consider.
Dave Bittner: All right. Well, that is over on the Pro side. So what do you have for us over on the public side?
Rick Howard: For the public side, we unvault those old episodes from the "CSO Perspective" archive. And this week's show is a Rick the Toolman episode from May of 2022 about how single sign-on works.
Dave Bittner: Now, if I remember correctly, single sign-on is a key component to identity and authorization management, right?
Rick Howard: Yeah, that's right, and - which makes it a key tactic to consider for implementing your zero trust first principle strategy. So in this show, we explain how single sign-on standards, like OAuth - and that stands for open authentication - and SAML, for Security Assertion Markup Language, how they all work together, and how you might use them to the benefit of your own enterprise.
Dave Bittner: Well, before I let you go, what is the phrase this week for your "Word Notes" podcast?
Rick Howard: This week's word is NIST, for the U.S. National Institute of Standards and Technology. And did you know, Dave - here's the trivia question for you - that the authority to create the NIST back in 1901, when it was called the National Standards Bureau, was taken from Article I, Section 8 of the United States Constitution?
Dave Bittner: Wow, all right. Well, there's some "Schoolhouse Rock!" I can get behind.
Rick Howard: Absolutely.
Dave Bittner: All right. Well, Rick Howard is the CyberWire's chief security officer and also our chief analyst. Thanks so much for joining us.
Rick Howard: Thanks, Dave.
Dave Bittner: And I'm pleased to be joined once again by Deepen Desai. He is global CISO and head of security research and operations at Zscaler. Deepen, it's always a pleasure to welcome you back to the show. I want to talk to you today about the LilithBot malware, which I know is something you and your colleagues have had an eye on lately. What can you share with us today?
Deepen Desai: Hey, thank you, Dave. So LilithBot is a multifunction malware family that our team discovered through our cloud security platform. And this is something that we flagged in our sandbox environment. And once we saw the payload, you know, we started analyzing it. And the team was quickly able to associate this with the Russian Jester Group. It's also known as Eternity Group, which runs the Eternity Project. And it has been active since January 2022, so fairly new. But one of the key highlights over here is this group has been known to use an as-a-service subscription model to distribute several types of payload. LilithBot is just one of them on the underground forums.
Dave Bittner: Can you run us through the things that they're offering?
Deepen Desai: Yeah, they offer a wide variety of malware - right? - starting with infostealers, which is what we're talking about right now. It may have additional functionalities like coin mining, you know, full-blown bot CNC modules, ransomware, worm droppers, right? So something that allows the threat actor to propagate within the environment as well. And then it also goes on the destructive side of the house where they're able to support and distribute DDoS bots.
Dave Bittner: So it's really kind of one-stop shopping for folks who are out looking for this sort of stuff.
Deepen Desai: Absolutely.
Dave Bittner: Yeah. What are we talking about here in terms of cost? Is this an expensive provider or are these things comparatively affordable?
Deepen Desai: Yeah, so they basically have a subscription model, right? It's basically a malware-as-a-service membership fee is what, you know, the threat actors will be paying here. And what you're paying for is these types of groups that run the malware-as-a-service model have already incorporated all kinds of advanced checks, like anti-debugging, anti-VM. They will already have figured out how to securely perform CNC communication, how to offer, you know, buying purchase platforms and things like that. So if you're someone new on the horizon, you could basically pick one of these payloads up. And honestly, it raises your malware's ability to evade detection significantly because you're already relying on someone that has done all the work for you.
Dave Bittner: Well, let's talk about the detection side then. I mean, how easy are these tools to detect, and what are your recommendations for people to do so?
Deepen Desai: Yeah. So these type of tools - so LilithBot in particular, what we saw was it was, you know, using various types of fields like license key and coding key, go in - I mean, and Global UID, which is encrypted via AES. And it decrypts itself at runtime. It steals information. It uploads itself as a zip file. So all the stolen information from the system gets zipped up, and then it's sent to the remote command and control server.
Deepen Desai: So when you think about detection, I mean, you - the very first component that plays a very important role in flagging these types of evolving, you know, continuously changing payloads, is your cloud sandboxing solution, right? Having the ability to detonate the payload and observe the behavior and use that to flag the file as malicious plays a very important role over here. If you rely just on a static signature-based approach - the part that I mentioned earlier, malware as a service, they have some of these things already automated. So they're able to get around those static detections. So sandbox - very, very important to flag and block that initial payload from entering your environment.
Deepen Desai: The second aspect that you should always prepare for: what if my endpoint were to get compromised by this for whatever reason, right? And that's why the CNC communication and the data exfiltration come into play. So you need to have the ability to inspect TLS-encrypted traffic, perform DLP inspection and then apply your CNC detection as well, where the goal is to block the communication from happening between the compromised endpoint and the attacker-controlled infrastructure.
Dave Bittner: All right. Well, good guidance as always. Deepen Desai, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.