The CyberWire Daily Podcast 2.15.23
Ep 1761 | 2.15.23

A look at the SideWinder APT. GoAnywhere vulnerability exploited in the wild. Ransomware rampant. Hacktivism in Russia’s hybrid war. Patch Tuesday notes.


Dave Bittner: SideWinder is an APT with possible origins in India. MortalKombat ransomware debuts. The GoAnywhere zero-day was exploited in a data breach. Belarusian Cyber-Partisans release Russian data. Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the breaches and malware threat landscape. And notes on Patch Tuesday.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 15, 2023. 

An APT with possible origins in India.

Dave Bittner: Group-IB this morning released a report detailing the activity of a nation-state threat actor dubbed SideWinder. The SideWinder APT, known also by the names Rattlesnake, Hardcore Nationalist and T-APT4, has been observed since 2012 conducting cyberespionage against governments in the Asia-Pacific region. It's believed to be headquartered in India. Group-IB discovered the group's SideWinder.AntiBot.Script tool in June of last year, in use against Pakistani companies. The researchers were able to piece together a list of potential targets for the group containing 61 government, military, financial, law enforcement, political, telecommunications and media organizations in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka. The researchers note that there is significant overlap between what SideWinder has been up to and the past capers for the Baby Elephant APT, and that overlap's enough for them to think that the two groups may be one and the same. 

MortalKombat ransomware.

Dave Bittner: Cisco Talos has been tracking an unidentified, financially motivated threat actor that's using a new strain of ransomware called MortalKombat, as well as the Laplas Clipper malware. The threat actor is delivering both strains of malware via cryptocurrency-themed phishing emails. Laplas Clipper is designed to monitor an infected system's clipboard for cryptocurrency wallet addresses, then hijack transactions by overwriting them with an address belonging to the attacker. Laplas was first observed in November 2022, while the MortalKombat ransomware first surfaced last month. The researchers believe MortalKombat belongs to the Xorist ransomware family. 

GoAnywhere zero-day exploited in data breach.

Dave Bittner: Bleeping Computer reports that Community Health Systems says it's been the victim of a data breach compromising the personal and health information of up to 1 million patients. The breach was one in a recent wave of attacks exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT software. The provider reports no belief that there's been impact on their systems, saying in an SEC filing that there also has not been any material interruption of the company's business operations, including the delivery of patient care. The Cl0p gang, which has claimed responsibility for these attacks, is generally believed to be linked to the criminal threat actor TA505. TA505 has been observed using Cl0p ransomware in the past. 

The long effect of ransomware.

Dave Bittner: Ransomware can have and is having serious effects on its victims. Smaller nations can find themselves struggling when key sectors are taken down. The Pacific island nation of Tonga, for one, is currently grappling with a ransomware attack, The Record reports. Tonga Communications Corporation, one of two telecoms companies in the Polynesian country, warned customers that they might experience slowdowns in service. TCC wrote, "Ransomware attack has been confirmed to encrypt and lock access to part of TCC's system. This does not affect voice and internet service delivery to the customers. However, it may slow down the process of connecting new customers, delivering of bills and managing customers' inquiries. We are working with security companies to mitigate the negative impact of this malware." Tonga's 171 islands are home to about 100,000 people, and they obviously depend on their telecoms. 

Dave Bittner: In the U.K., according to Computing, LockBit has upped the ante in its extortion of Royal Mail. The gang is now demanding 66 million pounds. Royal Mail says that's outrageous, and it won't pay. 

Dave Bittner: And in the U.S., the city of Oakland, Calif., has declared a state of emergency over its own ransomware attack. The city announced yesterday that Interim City Administrator G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8. Oakland continues to experience a network outage that has left several non-emergency systems - including phone lines - within the city of Oakland impacted or offline. The city appeals for patience and cooperation and says it's taking steps to get the help it needs to recover. 

Belarusian Cyber-Partisans release data taken from Roskomnadzor.

Dave Bittner: Turning to the cyber phases of Russia's hybrid war against Ukraine, the Belarusian Cyber-Partisans - dissident hacktivists opposed to both the Lukashenko regime in Belarus and to Russia's war against Ukraine - have released a 335 gigabyte dump of emails and other files obtained from Roskomnadzor's General Radio Frequency Center Division. Cyber Security Connect reports that the hacktivists claimed credit in a Twitter thread and promised that more was to come. They stated, "Do you want to know who in Roskomnadzor was preparing reports on protests in Ukraine and Kazakhstan for the leadership of the Kremlin? We published these reports and contact info of the RKN employees in our TG channel." The data obtained from Roskomnadzor were posted to Distributed Denial of Secrets. 

Dave Bittner: Roskomnadzor is the Russian Internet Governance Authority. It's recently been involved with working to scrub derogatory references to President Putin. There are reports that the agency is using AI tools to combat memes that portray Mr. Putin in a less than favorable light. Reuters describes Oculus, one of the principal systems Roskomnadzor is deploying to identify dissent and shoo away trolls. Reuters states "the Oculus system will be able to read text and recognize illegal scenes in photos and videos, analyzing more than 200,000 images per day at a rate of about 3 seconds per image," the Interfax news agency reported. 

Patch Tuesday notes.

Dave Bittner: Patch Tuesday, of course, was observed yesterday. This month's patches saw fixes from Microsoft, Apple, SAP, Citrix, Mozilla and Adobe. Microsoft issued patches for 77 flaws, including three zero-days that were being actively exploited in the wild, BleepingComputer reports. The zero-days affect the Windows graphics component, Microsoft Publisher and the Windows Common Log File System Driver. 

Dave Bittner: Apple has issued an emergency patch for a vulnerability affecting iOS, iPadOS and macOS, Tom's Guide reports. The vulnerability affects WebKit and can lead to remote code execution on the device if the user visits a malicious web page. Apple says it's aware of a report that this issue may have been actively exploited. 

Dave Bittner: Adobe has fixed vulnerabilities affecting Photoshop, Illustrator and After Effects, SecurityWeek reports. The company stated, "This update addresses critical security vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user." 

Dave Bittner: Citrix has patched four high-severity vulnerabilities affecting Citrix Workspace Apps, Virtual Apps and Desktops, according to CISA. 

Dave Bittner: Mozilla has released several security patches for Firefox 110 and Firefox ESR 102.8. 

Dave Bittner: SAP has issued 26 fixes, including one for a vulnerability that could allow an authenticated non-admin user with local access to a server port assigned to the SAP Host Agent service to submit a specially crafted web service request with an arbitrary operating system command. As always, check your systems and, as CISA would put it, update per vendor instructions. 

Farewell, Mr. Inglis.

Dave Bittner: And, finally, today is the last day in office of Chris Inglis, the first U.S. Cyber Director. It was a fitting milestone in a long and distinguished career that took him from NSA to the Executive Office of the President. He created and filled the new role to widespread respect and bipartisan approval. Thank you for your service, Mr. Inglis, and our best wishes for you as you embark on the next stage of your life. 

Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the breaches and malware threat landscape. Stay with us. 

Dave Bittner: Security firm Flashpoint recently released their 2022 Breaches and Malware Threat Landscape report, tracking the most targeted sectors and geographic areas. Ashley Allocca is an intelligence analyst at Flashpoint. 

Ashley Allocca: So this year, our top targeted sectors that we saw were government, financial and retail. And we describe government as any sort of data set that might include government-issued IDs, you know, driver's license, passports, but that certainly also includes databases or certain data sets from government departments, local governments, foreign ministries. So consistently, those types of data sets are pretty profitable within these illicit communities. Financial and retail, those are also heavily targeted because of their financial information, obviously. You know, credit card information and other financial data points are, you know, consistently going to be profitable for these threat actors within these illicit communities. 

Ashley Allocca: The retail sector specifically, we see a lot of exploitation of small- and medium-sized businesses because actors are targeting content management systems that they're using, certain web applications that are known to be vulnerable. And from there, you can - the threat actor's hope is to scrape sensitive information like financial data, but some of these accesses allow actors to actually get in there and change payment information so they can receive payments from customers. They might be able to change content on the website. So year over year, we see these emerge as popular sectors just because of, even solely, the financial payoff that they have for these actors. 

Dave Bittner: I see. So in terms of the geographic distribution of the folks who are being targeted here, what are you tracking there? 

Ashley Allocca: So the United States pretty consistently is the top targeted region. This - it's also important to note that a lot of the communities we take a look at are English speaking, or at least the ones that we take a look at for this report. So that certainly could inform why the United States is one of the top targeted regions. We also do see certain chatter where actors prefer - especially those seeking out financial information prefer to target the United States, certain parts of Europe, for financial information. So it's sort of just, you know, somewhat informed by our collections, and we also see discussion as to why the United States might be of particular interest to specific actors. With tax season coming up, it's always, like, high season for actors targeting the United States, especially those that are financially motivated. So we pretty consistently see specific reasons why an actor might be interested in targeting the United States. So overall, we see the U.S. as the top - as one of the top targeted regions. 

Dave Bittner: Yeah. As you make your way through the data, was there anything unexpected or surprising, anything that caught your eye from that point of view? 

Ashley Allocca: You know, it's always interesting to see how the language of some of these advertisements and posts change. From my perspective, something important that I like to take a look at while I'm doing this report is how can I assess an actor's credibility? Sort of - you know, this report is - we put it out on a weekly cadence, and then obviously, it informs the annual report, but we like to try to do, as best as we can, our credibility assessment along with the data that we're posting about. 

Ashley Allocca: So something interesting that I've - we've seen this year when trying to assess actors' credibility is that they'll use an intermediary, and that is becoming more and more popular in these postings. So that - like, while it helps the actor, I guess, prove that they are credible because they're willing to use some sort of middleman service, it also helps us take a look at - you know, this actor possibly is more credible because they are willing to use some sort of intermediary when facilitating a transaction. We see a lot of actors share Telegram handles or Tox IDs, which indicates to us that a lot of these transactions, while they may be happening on certain forums or marketplaces, a lot of possibly the negotiation or maybe even the transaction itself is moving to other platforms like Telegram. So it's pretty interesting to track those changes year over year. So it also helps us decide - or it, you know, prompts us to take a look at those for next year's reporting. 

Dave Bittner: So based on the information that you all have gathered here, what are your recommendations? You know, for the folks who are out there defending their organizations, what are the take-home lessons here? 

Ashley Allocca: So we always try to plug, you know, multifactor authentication. A lot of these data sets - you know, social engineering is - and phishing attacks are some of the top vectors used by actors. You know, it's kind of, like, low-level stuff to initially infiltrate some sort of system. So make sure you're using some sort of multifactor authentication. We're also taking a look at some actors - I think I mentioned this - will - some actors are kind of hesitant to say how they got their information. Some actors will freely share it. We see a decent amount of posts of actors saying that, you know, they got this data set because they were opportunistically scraping some sort of exposed storage bucket for a specific cloud service provider. So make sure that you're configuring your storage objects as best as you can and not just leaving default settings. 

Ashley Allocca: You know, actors will opportunistically target these resources to scrape this data that you might not realize is publicly exposed to the internet. Additionally, implementing some sort of consistent patching cycle is key. Actors will commonly exploit disclosed vulnerabilities, preying on the fact that their victims possibly have not yet updated their systems at all. So getting out in front of some sort of patching cycle is really key here. 

Dave Bittner: That's Ashley Allocca from Flashpoint. 

Dave Bittner: And joining me once again is Betsy Carmelite. She's a principal at Booz Allen Hamilton. Betsy, it is always great to welcome you back to the show. I want to talk today about this whole notion of cyber deception with you. I know this is something you and your colleagues keep an eye on. Can we start off with just some basics here? When we say cyber deception, what do we mean? 

Betsy Carmelite: Yeah. Thanks, Dave. So, in simple terms, we are taking a page out of the malicious actors' playbook to use strategies that enable faster detection and faster intelligence collection. But it is so much more. So really, it's at its core a proactive cyberdefense methodology, and it puts the defender in the driver's seat. It enables defenders to lead the attacker and then gather intelligence about the adversaries' tools, methods and behaviors through a system of honeypots, lures, trip wires and other technologies as we deploy them. And it's also a strategy that cyber professionals use to gain the upper hand in operations against attackers, ultimately decreasing dwell time. And it allows them to obtain valuable cyberthreat intelligence to mitigate data loss. 

Dave Bittner: Well, it sounds to me like the folks who do this, you know, they benefit from getting a lot of data, as you say, on their potential adversaries. Are there other parties who benefit here from going at this this way? 

Betsy Carmelite: Yeah, that's right. I would say you're a good candidate to deploy cyber deception strategies if you have existing cybersecurity solutions, such as EDR tools, endpoint detection and response tools, advanced security operation centers, SOCs, and systems that require high-fidelity alerting - so systems that are finely tuned in terms of alerts and have properly configured rules. Also, teams with threat intelligence capabilities that can conduct analysis, produce reports and shape security postures are helpful. And so we're really looking at more mature security operations. And the methodology requires a team with resources to address alerts in a timely manner. So we're looking at a recommended strategy that would probably require a dedicated team. So we might not even recommend this for a large enterprise environment if it doesn't have that team because you need to manage the deception, right? Deception can get pretty tricky in general in the kinetic world, as we say. But layer on, you know, the interplay and engagement in the cyber domain, and it gets really tricky, and you need some eyes on it. 

Dave Bittner: What are your recommendations in terms of deployment? You know, how - what are some of the options that folks have for going at this? 

Betsy Carmelite: Yeah, so a few topics here. So back to the resource need. Staffing a highly skilled and experienced team with those who have worked in blue team or red team environments is key. So that training and experience helps these teams deploy high-interaction decoys and other services that will entice the threat actors, and for an even stronger approach, having logging and alerting solutions that help the team respond to those trip wires in a timely manner will make all the difference. So really, you have to be there and know where to respond quickly to gather the intelligence. And then on the technology front, as I mentioned before - honeypots, breadcrumbs, lures, Canarytokens, which are resources monitored for access. So that could be, like, an API key or a file. So once those are accessed, an alert is triggered. All of those are crucial tools to trip those high-fidelity alerts to identify threat actor activity. 

Dave Bittner: And how do folks typically come at this? Are we talking about, you know, developing something like this in house, or do I engage with the vendor? Is it a spectrum in between those two things? 

Betsy Carmelite: Yeah. I think there - those are the two ways you can - we've seen this deployed. So at its core, the deception tactics work by simulating critical infrastructures, services and configurations so that you get an attacker interacting with those false IT assets. So there are commercially available products out there. Or you can develop your own approach and use in-house skills. So if you're - couple of recommendations. If you're using a commercially available product, it's critically important to start with a plan that considers what comes with that product. Take time to fully know it. Establish what you can do and can't do with it. And then if you're going to do an initial pilot, then prioritize a strategy around your high-value assets if your organization really isn't ready for a full enterprise deployment. 

Betsy Carmelite: It's really key to understand where within your environment stakeholders are comfortable using these products because if your leadership is not comfortable with a full, robust deception strategy, consider possibly at least ceding false administrative credentials to defend against that common threat vector. If you don't want to use a commercially available product, the deployment plan would include similar preparation around knowing what you're getting into and who's comfortable with it, but you would replace the product with in-house experience and tools. And so you would develop your own server, services, shares in a manner that would be enticing to an attacker, while still being able to alert immediately when they are triggered or interrogated. You'd need to deploy and manage multiple sensors to feed back to an operation center. And then finally - back to the resources train - train and enable those network defenders to be able to respond in a timely manner. 

Dave Bittner: So there's a lot to it, but seems like it's achievable for the organizations for whom it would be appropriate. 

Betsy Carmelite: That's right. And again, we're talking about those more sophisticated, highly funded and probably have a lot of security investments around their security operations. 

Dave Bittner: Yeah. All right. Well, Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.