The CyberWire Daily Podcast 4.19.23
Ep 1805 | 4.19.23

Play ransomware's new tools. A look at what the GRU’s been up to. US Air Force opens investigation into alleged leaker's Air National Guard wing. KillNet’s new hacker course: “Dark School.”


Dave Bittner: Play ransomware has new tools. Fancy Bear is out and about. Updates on Sandworm. Ransomware in Russia's war against Ukraine. The US Air Force opens an investigation into the alleged leaker's Air National Guard wing. The Washington Post's Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape, now and tomorrow. And KillNet's in the education business with a new hacker course.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 19, 2023.

Play ransomware's new tools.

Dave Bittner: Symantec shared this morning their observation of two new tools the Play ransomware gang is using. The tools include an Infostealer, Grixba, as well as a Volume Shadow Copy Service, or VSS, copying tool. Grixba is a network scanning tool used to enumerate all users and computers in the domain. The tool was developed using a popular .NET development tool for embedding an application's dependencies into a single executable file known as Costura. Also developed using Costura was another executable, a VSS copying tool, that the researchers say embeds the library AlphaVSS into executables. The AlphaVSS library is a .NET framework that provides a high-level interface for interacting with VSS. The library makes it easier for .NET programs to interface with VSS by offering a set of controlled APIs. This tool allows for the threat actors to copy files normally blocked by the OS.

I spy, with (at least two of) my Five Eyes, a Fancy Bear.

Dave Bittner: The GRU's exploitation of vulnerable Cisco routers has drawn a joint warning from UK and US intelligence agencies. The UK National Cybersecurity Center, the US National Security Agency, the US Cybersecurity and Infrastructure Security Agency, and the US Federal Bureau of Investigation are releasing this joint advisory to provide details of tactics, techniques, and procedures associated with APT28's exploitation of Cisco routers in 2021. They assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate, GRU, 85th Special Service Center military intelligence unit 26165. APT28, also known as Fancy Bear, Strontium, Pawn Storm, the Sednit Gang, and Sofacy, is a highly skilled threat actor.

Dave Bittner: The vulnerability Fancy Bear has taken advantage of since 2021, at least, is CVE-2017-6742. Cisco announced the vulnerability in June 2017 and issued patches and mitigations. Cisco Talos yesterday published its appraisal of the threat, stating, "Because of the large presence of Cisco network infrastructure around the world, any sustained attack against network infrastructure would likely target Cisco equipment, but attacks are by no means limited to Cisco hardware. In reporting on Russian intelligence contracting documents, samples of which were recently shared with Cisco Talos, it was shown that any infrastructure brand would be targeted, with one scanning component targeting almost 20 different router and switch manufacturers."

Cisco Talos also points out that Russia isn't the only nation-state whose intelligence services are collecting in this manner. China has also been active. "Much of the exploitation," Cisco Talos says, "has been post-compromise, enabled by stolen credentials." Both Cisco and the British and American intelligence agencies who issued the joint warning offer sound advice for reducing risk.

Other GRU activity: more on Sandworm (a.k.a. FROZENBARENTS).

Dave Bittner: Google's Threat Analysis Group this morning published an update on what it's observed recently from Russia's Sandworm, or, as Google calls it, FROZENBARENTS, a well-known group associated with the GRU's Unit 74455. Its activities continue to include intelligence collection, information operations, and leaks of stolen data over Telegram. Google states, "As we described in the Fog of War report, FROZENBARENTS remains the most versatile GRU cyber actor with offensive capabilities including credential phishing, mobile activity, malware, external exploitation of services, and beyond. They target sectors of interest for Russian intelligence collection including government, defense, energy, transportation and logistics, education, and humanitarian organizations." One of FROZENBARENTS's favored modes of gaining access to its targets is exploitation of vulnerable Exim mail servers.

Ransomware in Russia's war against Ukraine.

Dave Bittner: Citing other research by Google's Mandiant unit, Breaking Defense reports that Russia's GRU has increasingly turned to ransomware. This is read as either a sign of weakness or as a possible misdirection, shifting attention away from Russia's military intelligence service and toward conventional, financially motivated criminals.

US Air Force opens investigation into alleged leaker's ANG wing.

The Secretary of the Air Force has directed the service's Inspector General to open an investigation into compliance with safeguards for classified material at the 102nd Intelligence Wing, the organization to which Airman 1st Class Jack Teixeira, the accused Discord Papers leaker, had belonged. Air Force Secretary Frank Kendall appeared before the Senate Appropriations Defense Subcommittee yesterday to explain the ongoing investigation, Air & Space Forces Magazine reports. Secretary Kendall said in his testimony, "There is a full-court press going on about this. We are all disturbed about it and we are working very hard to get to the bottom of it and take corrective action."

KillNet’s new hacker course: “Dark School.” 

And finally, we returned to developments in the cyber phases of Russia's war against Ukraine. The hacktivist auxiliary KillNet says it's been up to more than its now familiar woofing about having paralyzed NATO infrastructure, having taken the war to the Collective West, and so on. The usual busywork of cyberspace, we saw yesterday that they were offering various data for sale, but the information they say they had was apparently kind of a drug on the market, attracting few rubes to KillNet's virtual snake oil show. But they have other things on offer. On April 4, they announced they will be hosting an online hacking masterclass. Applicants are required to pay $500 in cryptocurrency and can expect to learn nine subjects: DDoS, Google AdWords arbitrage, forgery, carding, OSINT, Pegasus, social engineering, methods of cyber warfare, and diversion in the network. The hacktivist auxiliaries have also sweetened the deal. Anyone who buys into their class gets free access to the NATO cyber training materials they stole. In addition to all of the material, they promise private video lessons, written manuals, personal communication with the instructors 24/7 for two weeks. They will also prepare an updated methodology for their courses every thirty days for a year. And membership has its benefits, "You, too, could become a KillNetteer," they say, "particularly active students will be invited to our team." There is no set start date, but KillNet claims the classes will begin when they have reached 2,000 applicants. The course is offered in English, Russian, Spanish, and Hindi. We recommend against signing up, but if you do, be sure to leave a digital apple on the remote teacher's virtual desktop. Teachers like that. Class dismissed.

Dave Bittner: Coming up after the break, The Washington Post's Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape, now and tomorrow. Stay with us.

Dave Bittner: Our UK Correspondent Carole Theriault recently spoke with Vanja Svacjer from Cisco Talos. Here's their conversation.

Carole Theriault: So, listeners, today, we have a veteran, a senior veteran.

Vanja Svacjer: Oh, my god, it came to that.

Carole Theriault: Mr. Vanja Svacjer, Cisco Talos threat researcher, and he's also someone I've known for -- probably forever, like a brother from another mother.

Vanja Svacjer: It's like -- I was just thinking about it yesterday -- 25 years.

Carole Theriault: Wow!

Vanja Svacjer: Quarter of a century we've been in this business. Yes. It's a silver tsunami.

Carole Theriault: I think you worked in the labs the entire time, haven't you?

Vanja Svacjer: More or less. Yes, yes. I started with Sophos, an antivirus and threat detection company. Then I moved to Hewlett-Packard. And now I'm Cisco Talos for the last six years. I started as a very junior virus analyst in SophosLabs, so I get to do all sorts of, let's say, interesting and less interesting work throughout my career. And then somehow, as you build the experience, then they allow you to get out and present your work and experience to wider audiences.

Carole Theriault: It's cool. Okay. So first, I thought we could hark back to the old days because we have listeners that weren't around or not as old as we are, right? And you have really such a breadth of experience, so if we go back to the early 2000s, like, the landscape changed completely from then. So can you -- can you remember what it was like then? What were the big security considerations of the early 2000s?

Vanja Svacjer: Yes, I think at the time, Windows 2000, Windows XP was just about coming. The biggest threat was between email spreading malware, like using various Word documents to automate Outlook to spread things such as anomalies or ILOVEYOU virus.

Carole Theriault: Yeah.

Vanja Svacjer: And then, of course, they're the one that started exploiting vulnerabilities in Microsoft operating system, which at the time was -- were not very secure. And it was very easy for attackers to find vulnerabilities. So they used those to automatically spread malicious code through as many machines as possible around the world. So I think the last time we saw something similar was with the WannaCry, for example, that -- which was six years ago or so.

Carole Theriault: Yeah. And they used to have a lot of that, but there was a lot of mass mailing problems as well, right?

Vanja Svacjer: Absolutely.

Carole Theriault: Yeah.

Vanja Svacjer: Absolutely. Which kind of hasn't disappeared today, but it's a different approach of -- that the attackers are taking, I think.

Carole Theriault: Yeah, and -- do you -- and I don't remember back then that it was really financially motivated. Well, there were the scams, weren't there? There were the stock scams. That existed then, too. That was big.

Vanja Svacjer: Yeah, there was spam -- there was a pump and dump spam through email where the spammers would buy some really cheap penny stock, and then they will try to send this secret text to let the recipients of the email know that this stock will increase in value. So they will try to artificially inflate the price of the stock. And then they sell it on the higher prices, and then they make money. And now most of the threats are certainly from the cybercriminal world, are focused towards making money for the -- the actors behind them.

Carole Theriault: Yeah, because then the big -- the malware back then seemed to be more about either making a point or trying to distribute as far and wide as you could in a short period of time, almost like cat and mouse games with security firms. Would that be fair?

Vanja Svacjer: Yes, I -- I remember the time when we were all more or less still in one lab, and we had various shifts we had to cover. And so you were to be on call because almost every time during the night or on Friday, of course, during the evening, there was some major outbreak that we would have to contain as soon as possible, and really some updates signatures that will detect them.

Carole Theriault: Okay. What about now? So now the landscape has changed completely. So the biggest threats we're seeing, what would you say they are?

Vanja Svacjer: I would say ransomware certainly is the ones that come to -- to mind as -- as the one that affects most of the users. And it has the most crippling effect to organizations and people in kind of equal way. But the -- the second trend is probably those information stealers that install on the system [inaudible] therefore, try to find confidential data, usernames, and passwords from the user to upload them to the attacker-controlled environment. So, therefore, they can reuse them in some other systems to steal cryptocurrency wallets or maybe get some credentials for, I know, banking, internet banking, or so on. Anyway, that -- that will allow the -- the attackers to -- to make some money from it.

Carole Theriault: And there's also all the phishing scams as well. So when we used to have pump and dump scams, it's now much more about robbery, right? Romance scams and, you know, CEO scams like in whaling and all that kind of stuff.

Vanja Svacjer: Absolutely. The business email compromise, you know, where the -- the attackers are -- are able to get into one company system, and -- and then they can intercept emails that are sent by the real partners and they respond. As they respond, somebody else will respond from the original company and they instruct them to make some wire transfer to some other bank and a bank account. And -- and then they delete any emails that's coming from the partner paying that money. So that -- that can last for some time. And then those business email compromises can also be detected quite later in kind of -- not in days, but rather in months, usually.

Carole Theriault: And I guess -- I guess my big question like now that you've shown, like you knew what happened, you know, 20 years ago, you know what's happening now, what's the future? Like, you know, like, I kind of think -- part of me thinks like way back 20 years ago, we didn't have very secure systems, but the threat landscape was much more innocent than today. You know, there was a lot less players and actors because there wasn't the money angle that was strong. And today, we've got threats everywhere. But there's loads of security products everywhere. Do you think we're, like, safer now and we will be safer in the future, you think? Do you think this is going to carry on?

Vanja Svacjer: I -- I think despite all this news that we are hearing, overall, that we are safer. And I think when -- when you look at the volumes of malicious files coming in, they're on a really slow, slow decline. And there will be repeating, you know. There will be skilled actors, skilled actor groups, even state-sponsored malware spreading around, but I think we'll probably be more and more secure as we develop new methods of say multiple-factor authentication, all the systems that you allow you to not just prevent malware but also detect it within your environment when something like that happens. So I think that the security has increased overall despite all the bad news we've been hearing over time.

Carole Theriault: There we go. A rainbow in the sky that is cloudy with threats. Vanja Svacjer, Cisco Talos threat researcher, thanks so much for talking.

Vanja Svacjer: Thank you.

Carole Theriault: Grandpa. This was Carole Theriault for the CyberWire.

Dave Bittner: It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post. Tim, welcome back.

Tim Starks: It is always my pleasure to return to the show.

Dave Bittner: Thank you. In today's 202, you write about some pushback that the Biden administration through the EPA is getting in their attempts to secure some cybersecurity elements of our water supply. Unpack what's going on here, Tim.

Tim Starks: Yeah. So this is -- this is pretty noteworthy because, you know, one of the constant themes of -- of the newsletter and that you and I have talked about a lot is -- is the -- the difference of the Biden approach on cyber and wanting to be more regulatory, or, you know, depending on how they're -- how they're talking about it. More minimum baseline standards or -- or things that sound -- sound less scary to Republicans. And so they had put in place in March this memo, the EPA did, saying, we now expect you to -- when you're doing these sanitation surveys under the Safe Drinking Water Act, we expect you to include cyber assessments. And this was controversial with industry. It was certainly controversial with at least some of cyber official -- some cyber industry types. By industry, the first case I mean, you know, the people who are working in the water business. And now we've seen the other shoe drop, which is that there is an actual attempt in court to stop this by -- by a trio of Republican state attorneys general. They say this intrudes on states' rights. They say it also -- interestingly enough, it takes away their power but also puts too much in their own hands. It's sort of an interesting argument that they use there. I'm not -- I'm not being facetious about the argument. It's just an interesting contrast. And, like, it's taking things away from them and giving them things they don't want at the same time. So, you know, it's not necessarily surprising this was going to happen. I think probably the administration anticipated it even if they didn't say so. I think it's something that they were expecting. I don't know -- I don't have a good sense of -- of how the court might rule on it. You know, it's a -- it does seem like they've taken their interpretation of a law and -- and -- and been more liberal about how they're applying the law. In this case, the administration has. So it'd be -- it'd be entertaining to see what -- what's going to happen here.

Dave Bittner: Yeah. Is the pushback from the states primarily coming from a -- kind of an unfunded mandate point of view?

Tim Starks: Well, that's another one of the things they brought up, yeah. And -- and I think this is not, again, not to cast aspersions on anybody, but some of these attorneys general have been somewhat more of an activist variety than -- than I think of when I think of some attorneys general. They -- they have pushed things like -- a lot of things at the Biden administration has been -- has been a bugaboo for the Republicans [inaudible]. So things like, you know, they're -- they're -- they're -- they -- I think the -- the lead party, and this is the Missouri State Attorney General, he's been one of the lead -- he's been the lead guy, if not one of the lead guys, on the allegations that they're trying to pursue, that the Biden administration has been censoring Conservatives on social media platforms. Just to give a sense of some of the -- approach of some of these attorney general.

Dave Bittner: So perhaps looking for a fight here beyond the actual policy itself.

Tim Starks: Oh, yeah. I think that's -- I think that -- I don't even think that they would probably deny it if you ask them that.

Dave Bittner: Yeah.

Tim Starks: I think they -- I think they're quite said in some of their press releases on some of these issues that they want to take the fight to the Biden administration.

Dave Bittner: And what sort of timeline are we on for this playing out?

Tim Starks: Oh, gosh. You never know with the courts, right? Could be years.

Dave Bittner: Okay.

Tim Starks: You know, I will say, you know, that -- that there has been some relatively swift progress in that -- that lawsuit I just mentioned before, as it pertains to the social media and Biden administration and their actions. They've gotten a lot of people into court to talk about these things. And I think -- I think they consider some of -- some of these steps a success even if they don't win the lawsuit. You know, they -- they considered a big victory that they -- that they had -- Biden administration officials and social media company officials testify in court. So I think if -- if they end up with some of that, and -- and it -- it makes the administration look bad, I think they'll be happy with it. And they've gotten some of that, out of that -- that personal [inaudible].

Dave Bittner: Before I let you go, I would love to get your take on the story that we covered yesterday, where Microsoft has updated their naming system for threat actors. Microsoft says that this is going to provide more clarity, more intentionality, I suppose. Do we need more ways to name threat actors because that -- that seems to be a common react -- reaction to folks in the industry?

Tim Starks: Yeah. I mean, I think -- okay. So let me -- let me give Microsoft the slight benefit of the doubt on this. You know, they -- they're at least not confusing issues with their -- with their past names. I mean, they're switching naming systems. They're not adding names on top of. And of course, that's a whole new thing that people have to understand. You -- if anybody was used to Microsoft calling it Phosphorus, they're going to have to be like, "Wait, what is it called again?" And I'll have to note -- add a note in every single one of these things. This is -- this is a big source of frustration for -- for reporters, at least myself, because you want to give readers a sense of who you're talking about. And every time I -- every time I write about one of these threat groups, I have to give five or six names, also known as.

Dave Bittner: Right. Yeah. It's same -- same here.

Tim Starks: I would -- I would love to be able to give readers the, you know, the -- this is -- this is this group, and that's it. But, you know, I think there's a somewhat plausible explanation. First off, there's the -- there's the less generous approach, which is to say that this is just about marketing. Everybody wants to use their names and they want their names in the media. The second thing to say that I think is at least somewhat accurate -- and Microsoft mentioned this to me this week and they've mentioned it in past stories, as have some other cyber companies when they've been asked about this is they -- they don't know exactly what everybody else is seeing. They can look at what -- what the other companies are saying and they can see how much it overlaps. But sometimes they have different insights into who's doing what and they'll say something like, you know, APT35 is approximately Phosphorus. They won't, you know, that -- you won't necessarily say that they're 100% the same. And the fact that there are subgroups within subgroups also makes things complicated. You know, Lazarus Group is more of an umbrella name, the Charming Kitten, aka -- what are they now? Mint Sandstorm.

Dave Bittner: Right. Right.

Tim Starks: They have subgroups, you know. They have subgroups too. So you know, I -- you get it -- I get it to a certain degree, but I really wish it wasn't this way.

Dave Bittner: Yeah. I can't help wondering if -- if this would be something that we could perhaps turn over to CISA and let them head -- head the charge. So that it wasn't an organization that had a marketing component in play.

Tim Starks: Yeah, that might be nice, and there is a, you know, there are groups that combine into membership some of these cyber threat researchers, so maybe they could, you know, smash their heads together and make them come together, like, you know, put them in the room and say, "Hey, only one name comes out alive."

Dave Bittner: Right. One name to rule them all. All right. Tim Starks is the author of the Cybersecurity 202 with The Washington Post. Tim, always a pleasure. Thanks for joining us.

Tim Starks: Yeah, thanks for having me.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.