The CyberWire Daily Podcast 4.18.23
Ep 1804 | 4.18.23

Iranian threat actor exploits N-day vulnerabilities. Subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia’s NTC Vulkan. And weather reports, not a Periodic Table.


Dave Bittner: An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia's NTC Vulkan. Joe Carrigan on the aftermath of a $98 million online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast, WE'RE IN! And threat actor nomenclature: a scorecard and a periodic table, no more.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 18, 2023.

Iranian threat actor exploits N-day vulnerabilities.

Dave Bittner: Microsoft this morning reported that the group it tracked as PHOSPHORUS, and will henceforth refer to as Mint Sandstorm, has developed a specialty in weaponizing N-day vulnerabilities, that is, vulnerabilities for which a fix or mitigation is available, but which some organizations have failed to patch. It's also been known mostly for reconnaissance and cyber espionage, but that may be changing, as there are signs the group is turning its attention to critical infrastructure. "Mint Sandstorm is known to pursue targets in both the private and public sectors," Microsoft writes, "including political dissidents, activist leaders, the defense industrial base, journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East." Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453. Over the past two years, the group has been observed carrying out attacks against infrastructure. And Microsoft states, "Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity." And of course, we note in full disclosure that Microsoft is a CyberWire partner.

CSC exposes subdomain hijacking vulnerabilities.

Dave Bittner: CSC released its subdomain hijacking vulnerabilities report in which it shows that over 21% of the 400,000 DNS records it queried were likely vulnerable to subdomain hijacking. Subdomain hijacking occurs when threat actors take over a subdomain and use it to host their malicious content, which could lead to further threats like phishing or hosted malware. The report also showed that 63% of the queried DNS records showed a "404 Not Found" or "502 Bad Gateway Error." CSC explains, "DNS records housekeeping is historically one of the most frequently neglected tasks due to a long history of different owners, policies, and vendors."

The Discord Papers.

Dave Bittner: The US Department of Defense has decided that the Discord Papers leaks are unlikely to affect relations with allies. The Department is also working to make future leaks of this kind less likely, and less troublesome. The Secretary of Defense has directed "a comprehensive review of DoD security programs, policies, and procedures," with a report due in 45 days. This study is in addition to ongoing daily attention to investigating and mitigating the Discord leaks.

Dave Bittner: Two big questions have arisen in the Discord Papers case. The first involves opportunity. How did the alleged leaker have so much access to highly classified information? Vice argues that expanded access was a result of the US assessment that excessive compartmentalization and poor information sharing led to the intelligence failures that enabled the 9/11 terrorist attacks. Increasing information sharing was neither pointless nor necessarily ill-advised, but in this case, at least, supervision and proper control appear to have been lacking. Inside Defense reports that the Pentagon is tightening up access to classified information.

The second question involves motive. Why did the alleged leaker do what he allegedly did? Politico reports that investigators are looking, so far in vain, for some foreign connection that would make the incident a familiar, if regrettable, instance of espionage. But it seems increasingly likely that the leaker was motivated by social media cachet, not by cash, or conviction, or compromise. It's all apparently just the frenzy of online renown.

"The FBI has the blogger and podcast host, Sarah Bils, under investigation," The Wall Street Journal reports. Miss Bils appears to have been involved in spreading the information from the Thug Shaker Central Discord community to the broader but still fringy internet. A US official told the Journal, "She is actively under federal investigation, but the circumstances of the content of the investigation are unclear at this time." Miss Bils says she's the victim here, and the Bureau is investigating death threats made against her. She said to the Journal, "I have been forthright and honest with the FBI and NCIS in regards to what my clearances were and what I had access to, which was literally nothing. I didn't leak the documents, and they've never even been in my possession."

An update on Russia’s NTC Vulkan: SIGINT, EW, and cyber ops.

Since the end of March, the media have reported on activities of NTC Vulkan, a corporate operator working against OT systems under contract to the Russian government. The Vulkan Papers, as the leaks are being called, revealed that Vulkan is engaged in supporting a full range of offensive cyber operations, espionage, disinformation, and disruptive attacks intended to sabotage infrastructure. On Monday, Dragos released a study of what the Vulkan Papers mean for that last class of activity: infrastructure disruption. Dragos took as its point of departure the coverage in the Washington Post, and its researchers focused in particular on one of Vulkan's tools, a malware suite known as Amesit-B. The researchers found four key takeaways. First, the papers represent genuine leaks. Dragos assesses with moderate confidence that the documents reviewed are legitimate and were leaked or stolen from a Russian contracting repository. Second, it is unlikely that these tools and platforms are exclusively used for testing or training purposes. They represent a real operational capability. And finally, Amesit-B represents a clear potential threat to the rail transportation and petrochemical sectors. Dragos says, "Modules contained in the Amesit-B platform could allow for a range of impacts in rail and petrochemical environments, which could result in physical consequences, including damage to physical equipment or creating unsafe conditions where injury and loss of life are possible." And what Amesit-B seems designed to do comes from a familiar Russian military intelligence playbook. As Dragos puts it, "The capabilities described are consistent with previous attacks attributed to various units of the Russian Military's GRU, with tactics, techniques, and procedures overlapping with multiple identified threat groups." The Amesit-B platform shows an interesting convergence of cyber operations with traditional signals intelligence and electronic warfare operations. And it's very much a combat support system intended for battlefield use by a combatant commander.

Threat actor nomenclature.

Before we leave you today and let those of you who are just getting around to it get back to filing those tax returns that are due before midnight, not you, of course, but those other people, let's return to threat activity nomenclature. Why change from PHOSPHORUS to Mint Sandstorm as Microsoft has just done today? It's a shift in the way Redmond names threat actors. The company is moving away from giving them elemental names, and toward giving them meteorological ones. Henceforth, they'll name them as follows: "Blizzard" will mean Russia. "Sleet," henceforth, stands for North Korea. "Typhoon" represents China. "Sandstorm," as in this first usage, will designate Iranian activity. "Storm" will be used for groups in development. "Tempest" denotes financially motivated groups. "Tsunami" will be reserved for a private sector offensive actor. And finally, "Flood" will denote an influence operation. So you'll be able to tell the players by the scorecard without reference to the periodic table.

Dave Bittner: Coming up after the break, Joe Carrigan on the aftermath of a $98 million online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast, WE'RE IN! Stay with us.

Blake Sobczak is Head of Communications at Synack, Editor in Chief of the newsletter, README, and host of the podcast titled WE'RE IN! I spoke with Blake about the goals of the podcast and, of course, how they came to choose the title.

Blake Sobczak: I mean, you've seen many cheesy hacker movies, I hope, right? And I feel like once you had that seminal line, "we're in," you get that moment when you've breached the network, you're into it. And so the goal of the show is really to get inside the brightest minds of cyber security. And so the name was kind of a riff on that. But we did consider a number of alternative names, and WE'RE IN! was declared favorite. So the goal is really to interview newsmakers, innovators, government officials, anybody really making waves in the cyber security industry. And we want a good mix of people on the show. So we're not just going for those sort of InfoSec household names, although they are more than welcome and have appeared on the show. But also, lesser-known folks like Hudney Piquant, who's our Solutions Architect at Synack, who have a lot of insights to share but maybe don't always get to seize the main stage.

Dave Bittner: And what is in it for Synack here to support your efforts? What's the benefit?

Blake Sobczak: That's a great question. And Synack definitely has, I would say some unique, what I call brand publishing initiatives, really. And I'm Editor-in-Chief of README, which is a cyber security publication that covers from an independent basis, editorially, independent from Synack, just the top happenings of the day, right? So we have our Changelog newsletter. We have our cyber security publication. And WE'RE IN! is really an extension of that, right? It's a way to kind of give back to the cyber security community, and actually offer some insights, and really share all of the knowledge amassed in our huge diverse community. And so that's kind of where Synack's stake in this is, is really a chance to give a platform to more people, and again, build that community. And it's not like -- it's not like a Synack marketing vehicle where we're always trying to hawk Synack products or share the next big Synack solution or something. To the contrary, really, we're trying to draw newsmakers, right, people like, you know, the head of the NSA's Cyber Security Collaboration Center, officials from DHS. We had Nicole Perlroth on the show recently, known as a, you know, renowned author and former New York Times journalist. And so that's really the goal, is to kind of give back to the community, really increase everybody's knowledge, and lift all boats. And I think that's just so important in cyber security, as you well know, at the CyberWire.

Dave Bittner: And it sounds like that, really, is the value proposition here. I mean, there's no shortage of cyber security shows and lots of shows where folks interview each other. I take part in a few of them myself. What do you suppose sets you apart when you're -- when you're convincing folks that they should give a listen?

Blake Sobczak: That's a great question. And honestly, being here, interviewing with you is a little bit intimidating in some sense because you do obviously such a fantastic job with your show. But it's great to be here. And you know, I will say that I do have quite an extensive background in journalism. You know, before joining Synack, I worked actually at Politico as an editor, and before that, covering cyber security for a publication called E&E News, short for energy and environment, where I covered a lot of critical infrastructure cyber security issues. So I think that's, that knowledge base, and what I bring to the show as host and trying to keep things, both conversational, but also drawing on that knowledge of reporting and just asking even tough questions of our -- of our guests, it really does set the show apart from some of the -- some of the others, but I won't say from yours. We'll just leave it there. I've only been in the podcast business for a little bit here. So --

Dave Bittner: Oh, you're very kind, Blake. You're very kind. So are there any particular conversations that have stood out to you, things that, perhaps, were unexpected or exceptional?

Blake Sobczak: Well, I will say one unexpected moment was when a red-tailed hawk landed on the window of Proofpoint Senior Threat Intelligence Analyst, Selena Larson, in the middle of our conversation, which was kind of funny. She's like, "Wait a minute, that is a hawk!" I'm sure you've experienced your fair share of podcast interruptions from various parts --

Dave Bittner: Oh, yes. Typically, it's chainsaws, jackhammers, and leaf blowers are our natural enemies, [inaudible].

Blake Sobczak: Oh, yes.

Dave Bittner: I don't know that I've had a -- well, you know, I have dealt with people who've had cages full of birds in the room that they're trying to record in. So that's always fun.

Blake Sobczak: That is not advisable I would say when you're recording a podcast. But yeah, I try -- I try to keep my orange tabby in the other room when I'm -- when I'm recording. But on a serious note, I will say from a content perspective, you know, one of the memorable conversations that I had was with -- was with WIRED journalist, Andy Greenberg. And you know, he had a new book just come out, which I actually encourage everybody to check out. It's just a fantastic read called Tracers in the Dark, really documenting this history of crackdowns on cryptocurrency, and actually, managing to follow the money back to some of these, absolutely, abhorrent kingpins and cybercriminals, using what they thought were "anonymous" cryptocurrencies, and I'm using air quotes here, but in fact, actually, with the right mix of expertise and government intervention, could be traced back to where it all started, and actually round up with some multilateral, international law enforcement takedowns for some of these sites, which was really -- it's really riveting stuff. And so I really enjoyed that conversation with Andy.

Dave Bittner: Well, Blake, the show is called WE'RE IN! and we are thrilled to have it join us here at the CyberWire network. Any final thoughts before we wrap up today?

Blake Sobczak: Well, I actually, I wanted to ask you a question. We always ask of our guests something that we wouldn't know about them just from reading their LinkedIn profiles. So I'm actually curious if you could share something that we wouldn't know about you, Dave, from reading your LinkedIn profile.

Dave Bittner: Oh, gosh! I would say this all started with a puppet show when I was a wee child. I believe the first puppet I ever got was a Cookie Monster puppet for Christmas, you know, from Sesame Street. And I started doing puppet shows for anybody, my poor suffering parents, friends, family, neighbors. And that led to, actually, someone realizing that I could do voiceover work when I was about eight or nine years old. And decades later, here we are. So thank you, Sesame Street. Thank you, Cookie Monster. Who knew, right?

Blake Sobczak: Who knew? That is a fun fact. I don't know if we'd find that on your LinkedIn. But maybe you should put it, because honestly, puppet show skills underrated, I think, in the -- in the scheme of things here.

Dave Bittner: Yeah. It's generally not something you'd lead with at a cocktail party, but also, you know, no shame in it either.

Blake Sobczak: No, no absolutely not. Well, I really appreciate you having me on the program, Dave. It's great talking with you. And yeah, I hope -- I hope some of your listeners will consider checking out the WE'RE IN! podcast. It's available on all your -- all your go-to podcasting platforms.

Dave Bittner: All right. Well, Blake, thanks so much for joining us.

Blake Sobczak: Thank you.

Dave Bittner: That's Blake Sobczak from Synack. He is host of the podcast, WE'RE IN! You can find it wherever all the fine podcasts are listed.

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute, and also my co-host over on the Hacking Humans podcast. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: So interesting story here from Bleeping Computer, I suppose some good news. This is an article titled Five Arrested After 33,000 Victims Lose $98 Million to Online Investment Fraud.

Joe Carrigan: Right!

Dave Bittner: What's going on here, Joe?

Joe Carrigan: So this starts off with a very simple social engineering ploy that we talk about frequently over on Hacking Humans. And it's from organizations, it doesn't really name them. But I'm going to go ahead and say this in here, good old organizations like Google, and Facebook, and Trade Desk, and all these other places that have ad networks. One of the ways these guys make money, and they don't do this deliberately, but it does attract this kind of person, is they sell ads to people that are running fraudulent businesses. So there were ads on social media talking about, "Opening an account with us will make you huge returns." And people would open accounts with this business that didn't really exist. And the first thing they do is deposit 250 euros into the account. My hunch is that, immediately, that money is gone. But once they gave you -- once you gave them all the information, someone would call you then. Because when you open a bank account, pretty much anywhere in the world, in the industrialized world, you need to provide a bunch of information, and banks say, "Hey, it's part of our know your customer requirements. We need your name, we need your address, we need your phone number."

Dave Bittner: Right.

Joe Carrigan: So all that is, has to be legit. And then these guys call them, pretending to be financial advisors, and they promised even higher profits on bigger investments, right? You know how much money you'll be making with that little 250 bucks you put in? Once you put in like 2,000, $3,000 --

Dave Bittner: Take it to the next level.

Joe Carrigan: We'll take you to the next level.

Dave Bittner: Right, right.

Joe Carrigan: They were dealing in something called binary options. I had to look this up. I've never heard the term before. And it doesn't really happen in the US a lot, but basically, in -- a regular option is the right to buy or sell a stock at a particular price.

Dave Bittner: Yeah.

Joe Carrigan: And when you buy that option, you lay down cash in order to secure that right. If the stock goes up, and you have the right to buy it at the low price, then whatever the difference is between the option price and the price that you can actually sell it at, that's kind of your profit.

Dave Bittner: Right.

Joe Carrigan: The binary options don't work like that at all. Binary options, you don't have any right to buy or sell the stock, right? You have -- all you have is the right to -- or all you do is you bet the stock price is going up. It's a kind of like -- I would liken this to almost placing a casino bet based on a stock price movement. So you buy an option for 40 bucks, the price goes above the option, you get 100 bucks, make 60 bucks profit. If the price doesn't move above that strike price, you just lose your initial investment.

Dave Bittner: Okay.

Joe Carrigan: And that's how these guys were getting money out of these folks. I don't know if they were saying, "Hey, you won today. Here's your 60 bucks. Look, it's in your account. Don't you want to make a big -- a big purchase on the next -- on the next option? I think this one's going to go high. Oh, I was wrong about that. Sorry." I don't know what kind of social engineering attacks were going on inside, but they were running illegal call centers out of Sofia in Bulgaria. They also had call centers in Ukraine and in Cyprus. And they were taken down in a joint operation a little while ago. And now, they have just arrested five more people, which is really interesting. One of the things that the article talks about, it says, "Today's announcement comes after Ukraine's cyber security police and the Europol identified and arrested five key members of another international investment fraud ring behind an estimated losses -- behind estimated losses of more than 200 million euros annually." So it's 93 million euros that was lost over a three year period, small potatoes compared to these other 200 million euros every year that these guys were making.

Dave Bittner: Yeah. I mean, I wonder to what degree are the social media platforms responsible here? Or --

Joe Carrigan: The social media platforms and the ad brokers --

Dave Bittner: Like yeah.

Joe Carrigan: You know --

Dave Bittner: Exactly. That's where I was going with this, is that --

Joe Carrigan: I think -- I think, I would argue that ethically and morally, they have more culpability than they might think they do. But legally, they probably don't have very much at all.

Dave Bittner: Right.

Joe Carrigan: Right. They probably just have to demonstrate they're putting forth a good faith effort to not let this kind of stuff come onto their platform. And they're probably doing the bare minimum legal requirements to keep this stuff off. But in the end, Dave, it's still money that they make. If they -- if they thought this was fraudulent, they go, "No, no that's fraudulent," they're walking away from a sale. And there's a real -- I don't even know if I'd call it a conflict of interest on their part, but it's a social conflict of interest here.

Dave Bittner: Yeah, like perverse incentive.

Joe Carrigan: Yeah, there is a perverse incentive. That's what I'll say. That's a good word. That's -- [inaudible] would love it, right, they coin that phrase. Or maybe it wasn't them, they just use it a lot.

Dave Bittner: Okay.

Joe Carrigan: And that's where I read it.

Dave Bittner: Yeah. All right. Well, as we say, it's nice to see some good news here --

Joe Carrigan: Yeah.

Dave Bittner: To find some folks facing justice.

Joe Carrigan: Hopefully, these guys will enjoy some time away in a nice, comfortable European prison cell.

Dave Bittner: There you go, there you go. All right. Well, Joe Carrigan, thanks for joining us.

Joe Carrigan: It's my pleasure.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technologies. This episode was produced by Liz Irvin, and senior producer, Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.