The CyberWire Daily Podcast 4.10.23
Ep 1798 | 4.10.23

A look at Iran’s MERCURY APT. Updates on Russia's hybrid war, including some apparent leaks and some apparent doxing. And notes on cloud security trends.


Dave Bittner: An Iranian APT MERCURY exploits known vulnerabilities. The U.S. investigates apparent leaks of classified information about Russia's war against Ukraine. KillNet claims it has paralyzed NATO websites. More apparent doxing of the GRU. Britta Glade and Monica Koshgarian of RSA Conference talk about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyberattacks. And finally, some notes on cloud security trends.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 10, 2023.

Iranian APT MERCURY exploits known vulnerabilities.


Microsoft threat intelligence described Friday how MERCURY, an Iranian government-linked cyberthreat actor, has begun working with an unidentified organization Microsoft calls "DEV-1084." The two groups seem to be conducting pseudo ransomware attacks and then destroying the data they were supposed to be ransoming, so the incidents amount to wiper attacks. The groups have gained access to onsite resources as well as cloud environments that allowed them to wreak extensive damage to the target's infrastructure.

Dave Bittner: Microsoft assesses that the threat actors attempted several times and succeeded to perform initial intrusion, leveraging exposed vulnerable applications. For example, continuing to exploit Log4j2 vulnerabilities in unpatched systems in July 2022. After access was gained, the actors used Windows native tools to develop the network in an attempt to remain undetected. Microsoft writes, "MERCURY likely exploited known vulnerabilities and unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage." The timeframe across which this operation took place shows the persistence of these groups, while the lack of clear financial gain from this kind of attack seems to indicate that the main goal was denial of service and data destruction.

Dave Bittner: Microsoft says, "DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients." The attacks would therefore seem to involve sabotage, collection, and battlespace preparation. And we note, as always, in full disclosure, that Microsoft is a CyberWire partner.

US investigates apparent leaks of classified information about Russia's war against Ukraine.


Dave Bittner: The U.S. Department of Defense and Department of Justice are both investigating an apparent leak of classified information concerning the war in Ukraine. Neither Department is providing much in the way of information on the investigations, which are ongoing. The material appeared to considerable éclat last week in Russian social media channels, although at least some of it may have been in low-key circulation in fringe sites for some weeks: the Wall Street Journal reports that it began among a small group of posters on a messaging channel that trafficked in memes, jokes, and racist talk.

Dave Bittner: The story is still developing, and the authenticity of the documents remains in dispute. Ukraine characterized them as Russian disinformation, The Telegraph reports. US News describes the Russian reaction, which is to publicly denounce the leaks as US disinformation designed to peddle a false story of Ukrainian unreadiness, designed to lull Russian forces into a false sense of security. And, citing analysts at Mandiant, SC reports reasons for thinking that the leaked files, whatever their source, have been altered in the Russian interest. Altered or not, the Pentagon is treating them as apparently genuine, officials tell the Washington Post. Some reports have said they include war planning, but this seems not to be the case.

KillNet claims it has paralyzed NATO websites. 


Dave Bittner: The Russian cyber auxiliary KillNet claimed it had conducted a massive attack on NATO infrastructure this weekend. It claimed responsibility for alleged DDoS attacks on various organizations in the energy grid on its Telegram page today. Along with the DDoS attack it also published a list of usernames and passwords for two NATO commands on its website. KillNet wrote, "The personnel are using super secret passwords, the incredibly complex one, two, three, four, five, six, and the more complex one, two, three, four, five, six, seven, eight." If the passwords are legitimate, it shows that at least two people didn't take their cyber awareness training seriously enough. And as if that wasn't enough, a KillNet member also posted an image of an unnamed news source explaining that KillNet had signed 150 unnamed NATO personnel up for various dating websites in Ukraine and Moldova. The image looks bogus, so interpret it simply as a claim by KillNet. The affected NATO infrastructure appears to be a NATO school, an instructional facility in southern Germany, and not any operational or high-level administrative organization. The school's website has been up and down this morning.

More apparent doxing of the GRU.


Dave Bittner: The Ukrainian hacktivist group InformNapalm has released more information on Lieutenant Colonel Sergey Alexandrovich Morgachev, the GRU officer believed to lead Russia's APT28, known as "Fancy Bear," consisting of officers of the 85th Main Special Service Center of the GRU, Military Unit 26165. The group states, "Ukrainian hacktivists from the Cyber Resistance team handed over a complete dump of Morgachev's correspondence and personal files for publication so that all interested parties from the FBI to journalists, experts, and members of the public could independently investigate the facts set forth in this publication and find other information that may be useful for further investigations."

Dave Bittner: And finally, Skyhigh Security this morning released its study, "The Data Dilemma: Cloud Adoption and Risk Report," which highlights challenges in cloud data security. The report found that 90% of organizations have experienced at least one cybersecurity breach. The report also found a rapid increase in cloud adoption with use of public cloud services increased to about 50% between 2019 and 2022. Twenty-six percent of respondents have been found to have a distrust for private cloud providers compared to 9% in 2019. Shadow IT, or employee-commissioned cloud services without IT approval or involvement, has seen a reported 25% increase from 50% in 2019 to 75% in 2022. The report also shares that cloud access security brokers are used by 42% of organizations surveyed while secure web gateways are used by 28% of organizations. Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security, said, "Today data is everywhere, traversing devices, cloud applications, the web, and infrastructure, so it comes as no surprise that one of the biggest challenges organizations face is securing their vital data."


Dave Bittner: Coming up after the break, Britta Glade and Monica Koshgarian of RSA Conference talk about content creation. Grayson Milbourne from OpenText Cybersecurity helps to remove shame from cyberattacks. Stay with us.

Dave Bittner: We are merely two weeks away from the annual RSA Conference where security professionals from all over the world will be descending upon San Francisco to catch up on the latest and spend time with friends and colleagues. The CyberWire is an RSA media partner, and for behind-the-scenes insights on how the conference plans and organizes hundreds of sessions, meetings, and learning opportunities, I spoke with Britta Glade, Vice President of Content and Curation at RSA Conference, and Monica Koshgarian, Program Director for the Efraud Global Forum. Britta Glade starts us off.

Britta Glade: So RSA Conference has over 500 sessions that are -- that are published and publicly available for our attendees. They range from, you know, small group, birds of a feather type sessions to large group keynote to everything in between, as well as some very interesting closed-door, Chatham House Rule, invitation-based sessions for specific audiences, and we work with an extensive program committee. Gosh, we have over 150 different people who are involved in, you know, domain experts who are involved in the individual specific programs to really look at submissions that come in as well as what belongs on the stage at RSA Conference, and those folks, you know, debate and discuss and battle it out for what the final sessions will be that appear on the RSA Conference stage.

Dave Bittner: Well, Monica, I know you head up the Efraud program there. Can you take us into some of the things that you'll be offering up this year when it comes to that?

Monica Koshgarian: Oh, absolutely. Yeah. So I just wanted to clarify, so EFG is closed-door, invitation-only, so we very closely monitor who is in the room, and the reason why that's important is because everything that we do is under Chatham House Rule, and again, the reason why that's important is because we want to create an environment where there's a lot of open and candid conversations between the participants, so it's not only learning from experts, but I always say we also learn from each other. Everybody in that room is an expert on something, and everybody in the room really is a practitioner, and it's at a level of vice president, director, or above, so they are fraud prevention, fraud detection leaders from all over the world and they're there to really exchange best practices with each other, so everything that we do from a content perspective is very much, what do they see in their day-to-day environment? What is it that are the key challenges? What are the same -- the key solutions? We stay away from vendor sponsorships or vendor discussion and we really talk about what works and what doesn't work, best practices. So the -- most of the agenda is either panel conversations or presentations that take place in front of the audience, and our audience is fairly small. We target about 125 to 140 fraud leaders, and a lot of interaction. It is designed to be very, very conversational. Again, everybody wants -- we want to hear what everybody -- what works for everybody else so that we can learn from each other. Our goal from every single one of our sessions, whether it's to the entire audience, 140 people, or in the breakout sessions, we also have these elective sessions that they can choose one of four sessions, both in the morning and the afternoon, and all of them are designed to give everybody the ability to walk away with a lesson learned, something that they have learned that they can then implement in their own environments to be better fraud fighters.

Dave Bittner: Now, in terms of people being able to put this on their schedules, this is -- is this exclusively happening at the RSA Conference, or are there opportunities beyond that as well?

Monica Koshgarian: Yeah, the key event for EFG does take place during RSA Conference, and that takes place on Tuesday, of RSA Conference, and it's a whole day. It's basically we start early, 7:15. We kick off the day with a networking breakfast and we end late. We work until about 6:00. There's a lot of interaction, a lot of conversation. It is -- it's hard work, but it's also very, very -- it's fun. It's educational. Again, it does -- because it is a community -- and that's a really important point. This is the fraud leaders from all over the world that behave and come together as a community to learn from each other.

Britta Glade: The other thing I will insert here that is super valuable, as Monica said, super tight-knit group, wonderful community here that also recognizes the importance of the entire RSA Conference community benefiting from these conversations, benefiting from this knowledge. So while this event takes place at conference under closed doors, we have a fraud prevention track that's part of the public RSA Conference proceedings that many of these same folks help make the selections of what goes there. We've blended and threaded elements from that closed-door, you know, highly, highly confidential conversation into what benefits the group at large. This is done for this fraud community, as Monica's talking about. We also have another program called "ICSF," International Cybersecurity Forum, which are the -- these are the lead folks that make cyber decisions for governments across the globe. And then we also have programming specific for CISOs. We have one ICSF for Fortune 1000 CISOs, and then we have our CISO Boot Camp for emerging CISOs. So RSA Conference has tried to be very, very deliberate with nurturing some of these key audiences and providing these high-value, closed-door, highly trusted environments, and then also taking learnings from that, benefit from that key conversations and putting it in our public-facing programming. So it's a very dynamic process.

Dave Bittner: You know, Britta, you mentioned that there are over 500 sessions at RSA Conference this year. How do you recommend people sort that out and plan their schedule to be able to balance out attending the sessions they want to see, but then also having time for some of the other things, being on the show floor, the other sessions that there are? Any words of wisdom there?

Britta Glade: Yeah, super, super important question where, you know, plan ahead, right? So if you go to the website, there's several different filters that are available to you. You can filter by topics and tracks. You can filter by level of session, meaning general, intermediate, advanced. There are some that you can look at, you know, what's a hands-on kind of a thing, i.e., the lab environment, the sandbox experiences versus a traditional presentation. So I would spend some time, know what's of interest to you, spend some time on the website, plot some things out, reserve a seat if it's something that's super, super important to you, and then, you know, do block out that time for the expo floor. Black out the time for networking. Again, that's the power of getting together physically. We all had certainly reinforced to us even more during the pandemic time. You know, face-to-face communication and conversation is important. So have an attack plan. Look through the site and plan some sessions of value to you.

Dave Bittner: And wear comfortable shoes.

Britta Glade: Wear comfortable shoes and hydrate, yes.

Dave Bittner: That's Britta Glade and Monica Koshgarian from RSA Conference. 

Dave Bittner: And I'm pleased to be joined once again by Grayson Milbourne. He is the Security Intelligence Director at OpenText Security Solutions. Grayson, it's always great to welcome you back. You know, I think there's a saying that I hear bandied around a lot and that's "don't blame the victim," and I want to get your take on that when it comes to cyberattacks because, you know, so many times I think it's easy to have that reflex, but we got to resist that.

Grayson Milbourne: Yeah, you know, I think I was with -- I like that, that saying of "don't blame the victim," but I don't know that it holds as true when we think about cyberattacks impacting, you know, large companies and small companies together. I know certainly companies themselves look at being a victim of an attack as something that, you know, they're somewhat shameful of, and I think that has a lot of consequences in today's threat ecosystem, particularly with ransomware and the ability for government agencies and law enforcement to understand, you know, the real biggest threat and to use their resources to go after and disrupt these, you know, this kind of plague on digital business today.

Dave Bittner: Is there a middle ground here? I mean, I'm thinking of, you know, so many organizations, if they get hit by some kind of attack or breach, that the first thing you'll hear from them is, you know, "We got hit by sophisticated actors," or the new nation-state attacked, "There was nothing we could have done," and I think that's often, you know, a bit overstated.

Grayson Milbourne: Yeah, I mean, I definitely think there are -- a lot of attacks are definitely of opportunity and it's not necessarily a zero day or some, you know, very novel exploit that was used to compromise. You know, we do see that perhaps more on like the larger compromises, you know, things that typically make the news, but these are, you know, that's a far outlier compared to, I think, the meat of the problem that focuses on much smaller businesses, and I think what happens there is that businesses, you know, don't want to suffer the consequences of a breach beyond just what happens to their data, but to their customer relationships, to the confidence in their business, you know, of their customers and of their partners, and so I think, you know, and this is why I think ransomware continues to be so successful is that, you know, the majority of people who get hit, especially in the small and medium business space, end up paying because it's the fastest way to get back to business as usual, and, you know, the unfortunate reality of that is it only further motivates cybercriminals to participate in this type of attack. And then, again, if you don't share your experience, you know, attribution is more difficult and others then make the same mistake that you've made or, you know, in the case that it is, you know, perhaps you're using out-of-date software that was exposed to the internet and there was a known vulnerability. You know, this is one of the most common things we actually see here are, you know, widely used tools that are accessible to the internet, but then a vulnerability is discovered. And I'm just trying to get -- it's skipping my mind at the moment, but there was one just released this last week for mas -- what is it Masterminds? In any event, you know, like several thousand internet-connected environments, I think they found already 7,000 that were vulnerable to, you know, some new type of attack. 
And so, you know, it's not necessarily always your fault, but being aware of how attacks are happening and being mindful of these things can enable you to, you know, take the right steps to prevent an easy access type of reach.

Dave Bittner: Do you have any advice in terms of the sharing itself? I mean, who, you know, who should you be reaching out to? Who are the important people to share that information with?

Grayson Milbourne: Yeah, so CISA, the government agency CISA, but they like to call it "Sissa," is a great place not only just for information about best practices and bulletins to the effect of recent cybercriminal activity and things to be on the lookout for, but they also have a way that you can share your experience, and if you are dealing with a threat actor or ransomware, they have some resources they can assist you with, and even if you ended up paying, letting them know that you are a victim still allows them to attribute the volume of attacks based on different threat actors, and I think this is really one of the, like, the blind spots that we have today is that, you know, we only have what people are willing to tell us, and also some from what we see from our detections and preventions and environments, but we know a lot of businesses are not disclosing this, and we see that in several ways through surveys, and ultimately, you know, the continued plight of this -- of ransomware and what it's doing to digital business. And so what I would love to see is for businesses, and for consumers as well, because I think this is partially a consumer-based problem in that, you know, when a vendor gets breached and your data gets lost, you know, we often look upon that negatively, and rightfully so, in some cases, where if the vendor was breached six months ago and you're just now telling me about it, you know, that's a disservice to myself. And so I think there's two things that have to go into the solution and one is it sort of de-shamifying incidents that the business has suffered, you know, especially with due diligence has been taken into consideration, but two is, you know, there needs to be better transparency and acknowledging when these incidents happen to the most impact people, which are your customer, customers and their data, because, you know, those are the people who suffer, and we've seen actually, you know, law enforcement punishing businesses who, you know, who are not as transparent as they should be, and most recently, we saw this with Uber, and Uber has like a long history of these cybersecurity incidents that they've downplayed at the cost of the customer's data that they've lost.
And so I think improving that relationship will improve the amount of trust and we can then start looking at cybercrime and ransomware. These types of attacks is something that impacts all of us and not just those who are unlucky or ill prepared.

Dave Bittner: Yeah, all right. Well, interesting insights. Grayson Milbourne, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called "Security Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire Podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.