The CyberWire Daily Podcast 5.4.23
Ep 1816 | 5.4.23

Cyberespionage, straight out of Beijing, Teheran, and Moscow. Developments in the criminal underworld. Indictment in a dark web carder case.

Transcript

Dave Bittner: An APT41 subgroup uses new techniques to bypass security products. Iranian cyberespionage group MuddyWater is using managed service provider tools. Wipers reappear in Ukrainian networks. Meta observes and disrupts the new NodeStealer malware campaign. The City of Dallas is moderately affected by a ransomware attack. My conversation with Karin Voodla, part of the US State Department's cyber fellowship program. Lesley Carhart from Dragos shares real-world stories of incident response and threat intelligence. And there's been an indictment and a takedown in a major dark web carder case.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Thursday, May 4th, 2023.

APT41 subgroup Earth Longzhi uses new techniques to bypass security products. 

Dave Bittner: We begin with a rundown of some developments in cyber espionage. Researchers at Trend Micro have discovered a new campaign by the Earth Longzhi subgroup of APT41. The attacks use a relatively novel technique the researchers call stack rumbling. Stack rumbling uses Image File Execution Options, typically a denial-of-service method, to disable security products. The researchers state, "We've noticed that this campaign installs drivers as kernel-level services by using Microsoft Remote Procedure Call instead of using general Windows application programming interfaces. This is a stealthy way to evade typical API monitoring." Trend Micro notes that the campaign tends to exploit public-facing applications, Internet Information Services, and Microsoft Exchange servers. Earth Longzhi is also using forged Windows Defender binaries to launch a new variant of Croxloader and SPHijacker, which can disable security products. Earth Longzhi has been seen targeting government, healthcare, technology, and manufacturing organizations in the Philippines, Thailand, Taiwan, and Fiji. The researchers assess that Vietnam and Indonesia are probably the next countries Earth Longzhi will target.

Iranian cyberespionage group MuddyWater using Managed Service Provider tools.

Dave Bittner: ESET has reported a new campaign by MuddyWater, a cyberespionage group linked to Iran's government. The group's use of SimpleHelp, a legitimate managed service provider tool, was of special interest. ESET says, "We discovered that when SimpleHelp remote support software was present on a victim's disk, MuddyWater operators deployed Ligolo, a reverse tunnel, to connect the victim's system to their command and control servers. While this campaign continues, MuddyWater's use of SimpleHelp has, thus far, successfully obfuscated MuddyWater's C&C servers. The commands to initiate Ligolo from SimpleHelp have not been captured." ESET reached out to the MSP that owned the tools used, but so far the timing of the attack and the methods it used to obtain the tool remain unknown. ESET writes, "MSPs require both trusted network connectivity and privileged access to customer systems in order to provide services." This means they accumulate risk and responsibility for large numbers of clients. Importantly, clients can also inherit risks from their chosen MSP's activity and environment.

Roar, bat, roar: wipers reappear in Ukrainian networks.

Dave Bittner: CERT-UA warns that the threat group UAC-0165, almost certainly Russian and probably the GRU's Sandworm, has deployed RoarBat wipers against networks in Ukraine. They state, "It has been found that the performance of electronic computing machines such as server equipment, automated user workplaces, and data storage systems was impaired as a result of destructive influence carried out using the appropriate software." The nominally hacktivist group Cyber Army of Russia Reborn in January of this year claimed a similar attack against the Ukrinform news service. CERT-UA points out that organizations can take measures to protect themselves against RoarBat. CERT-UA states, "Please note that the successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote VPN connections," as well as by the lack of network segmentation and filtering of incoming, outgoing, and intersegment information flows.

Meta observes and disrupts new NodeStealer malware campaign.

Dave Bittner: Meta yesterday detailed a new malware campaign that targets social media accounts by advertising ChatGPT services. NodeStealer, first identified in January, has been targeting several platforms including Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian Trello, Microsoft OneDrive, and iCloud in addition to Meta platforms. Meta claims to have blocked over 1,000 unique ChatGPT-themed malicious URLs on its platform. They write, "These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27th of this year and continue monitoring for any potential future activity." NodeStealer favors disguising its malware, which arrives as an executable, as a Microsoft Office file or PDF, both very commonly used formats. Meta explains that, "When executed, the malware first establishes persistence to ensure that it continues to operate after the victim restarts the machine. The malware uses the auto-launch module on Node.js to do so. The malware is designed to steal browser data like passwords and cookies, and it works against users of Chrome, Opera, Microsoft Edge, and Brave browsers." Meta has also shared indicators of compromise and other information about NodeStealer's operation to promote a stronger collective defense.

City of Dallas moderately affected by ransomware attack.

Dave Bittner: The city of Dallas has reported that it was affected by a ransomware attack yesterday. The effects seemed to be limited, amounting to a nuisance. The city says less than 200 of the city's thousands of devices are impacted, but if any city device is at risk, it will be quarantined and blocked by IT services. The Dallas Police Department has experienced a disruption of its computer network that's requiring 911 dispatchers to take notes and pass the information directly to police officers. The city courts were forced to close yesterday and today. A ransom note researcher Brett Callow obtained and tweeted indicates that the attack may have been carried out by the Royal ransomware group.

Indictment, takedown in dark web carder case.

Dave Bittner: US, Austrian, and German authorities have taken down the Try2Check service, a dark web platform on which criminals could run checks on the validity of stolen credit cards. BleepingComputer writes that Try2Check is believed to have been in operation since 2005. The C2C platform's operator, Russian citizen Denis Gennadievich Kulkov, was also indicted in the US on charges related to access device fraud, computer intrusion, and money laundering. Mr. Kulkov is presently living, if not exactly living it up, in Russia, and so is out of reach of US law enforcement, but the feds will be watching for him to slip up and leave his relatively safe life in Russia for more appealing precincts. The US Secret Service and State Department have announced a $10 million reward under the Transnational Organized Crime Rewards Program (TOCRP) for information leading to his apprehension.

Obligatory Star Wars reference…

Dave Bittner: It's World Password Day. Talk among yourselves about all the obituaries and valedictions being pronounced on the password as such. But more importantly, may the 4th be with you, and don't get cocky, kid. Do or do not. There is no try. And finally, our CyberWire associate producer Liz Irvin was with us for the first time at the RSA Conference this year, and she shared her mic with conference goers walking the show floor. She files this report.

Liz Irvin: We're here in beautiful San Francisco at the RSA Conference for 2023. My name is Liz Irvin, and this is my woman-on-the-street walk and talk with cyber professionals from around the world. So, starting off, have you ever been to RSA before?

Jim Popel: First time RSA.

Emily Tianshi: This is my first time at RSA.

Brian Kanoski: The company's been here. It was here last year, but this is my first time here.

Liz Irvin: So, what are you finding that you like so far, and how is it going?

Rodolphe Bitaud: First of all, I was really impressed by the marketing effort of everyone. I loved the possibility to interact with, uh, other technology vendors. So it's a really good way to, let's say, interact and meet the people you are not used to working with or not used to exchanging with.

John Cassel: I thought it was going to be overwhelming and as much as it's very busy, it's actually very comfortable. I like the atmosphere. I'm learning a lot about not so much from a competitive basis but goes around that we can work, you know, with for better symbiosis as well.

Divya Ganesan: It's honestly inspiring. It's kind of gotten me out of an academic rut thinking more about how I see myself in the cyberworld in the future.

Liz Irvin: The theme this year is called stronger together. What do you think and how do you feel about that theme for this year?

Kyla Guru: I can definitely see the theme of stronger together kind of bringing off of every room in this conference too. And I think more than that, there's strategy within cyber and the vision that people have is definitely a whole of society approach. There's a real recognition that everyone here has something to bring to the table.

Ameesha Patel: I definitely think that that is a theme that is really important, and a theme that I've been seeing a lot, not just only in the US but also in the UK. I think it's so important no matter if you're a competitor or if you're part of the same team, it's always so important to do knowledge sharing because that's how we grow, and ultimately we also just need to protect --

Damien Lewke: Fundamentally cybersecurity is a team sport, and we are stronger together. To use an old systems engineering adage, the whole is truly greater than the sum of its parts.

Liz Irvin: So, last question. Do you know what RSA stands for?

Rodolphe Bitaud: Absolutely not.

Regina Menezes: I don't. That's so bad.

Ameesha Patel: I know that it's the last three letters of the three founders of the company, of the tradeshows.

John Cassel: RSA is, I believe, an acronym for I don't know how to pronounce all three names, but there are three individuals that started crypto algorithm I believe in the 70s and now it's pretty much just RSA. I have no idea what their last names are though.

Emily Tianshi: It stands for three last names that I cannot pronounce.

Liz Irvin: I got you.

Dave Bittner: That's Liz Irvin, our N2K Networks associate producer, reporting from the show floor of last week's RSA Conference in San Francisco.

Dave Bittner: Coming up after the break, my conversation with Karin Voodla, part of the US State Department's cyber fellowship program. Lesley Carhart from Dragos shares real-world stories of incident response and threat intelligence. Stay with us.

Dave Bittner: Lesley Carhart is director of incident response at Dragos, and it is my pleasure to welcome them to the show. Lesley, great to see you again. Show going well for you so far here at the RSA Conference?

Lesley Carhart: It's going fantastic. I've done the hard part of giving my talks so now it's easy from here.

Dave Bittner: Well, let's talk about that. You were part of a keynote panel this morning. Can you share some insights? What was that all about?

Lesley Carhart: It was on incident response, and it was a rockstar panel I was very privileged to be a part of with Wendy Whitmore and Katie Nickels and Lily Newman. Just a phenomenal group of people talking about incident response and what's going on in that space and what's in store in the future in that space.

Dave Bittner: Can you share with us some of the highlights? What were some of the insights that the group shared?

Lesley Carhart: So, we talked a lot about the evolution of threats and how ransomware attacks and criminal actors are changing their tactics, as well as what state actors are up to these days. But we also talked a lot about the challenges that we face in incident response as a profession. So, that's everything from mental health and burnout to hiring pipelines. It's very challenging to get new people into the field. And also, things like planning for incident response and how to share information and how to make hard risk decisions about what to do in incidents. So, it was a wide array of important topics that are challenging, "it depends" kind of questions.

Dave Bittner: Yes, I'm really interested as a leader in that space. When you're looking to bring people onto your team, what are the personality elements that make for a good incident responder?

Lesley Carhart: You have to have a couple of different important skillsets. So, first of all, you have to be a good investigator. That doesn't necessarily mean you have to have all the technical skills right away, but you have to have a good investigative methodology and mindset. So, you need to be able to understand the scientific method for building a hypothesis and finding or disproving it, and understand that you have to have evidence before you jump to conclusions, and corroborating evidence. So, we talked a lot about skepticism. So, it's important to be skeptical about incident response and what's potentially happening in an environment. A lot of us come into environments where everybody is panicking, and we have to do a lot of crisis management. So, that becomes a second important skillset for incident responders. We also have to be very good at being the calm voice in the room. We equated it to being a therapist or being a parent. You have to exude confidence and calm in a situation where everybody is upset. So, you have to be able to do both of those things, but in terms of investigative mindset you have to understand that you can't jump to conclusions. Everything that you are finding has to be corroborated, and sometimes you're trying to disprove something instead of prove it. Everybody else is certain that the crisis is being caused by a particular state or cyber caused it all, and you're coming in saying, "Well, let's get evidence, and what if it isn't?" Let's try to disprove that actually being what happened. That's how you do good science and good investigation. So, you have to have both of those skillsets, which is a challenging combination sometimes.

Dave Bittner: Is diplomacy a part of it too, your interactions with the folks? You're the outsider coming in, right?

Lesley Carhart: I sometimes call my job marriage counseling, in fact, and that's especially applicable to industrial incident response, which is a different beast in a lot of different ways. But in industrial incident response we have even more personality management. We often have the engineers and the operators who do the important process work. They are the bread and the butter of their organization, and then you have a cybersecurity team as well who's doing important work to protect that process space, but they speak a different language, and they step on each other's toes. Sometimes there's been a decade or two decades of hostile relationship between those groups. Between IT people not understanding the process and not understanding that they can't just bring systems down to patch them. That's problematic for safety reasons, for life and safety reasons, and those miscommunications over time have built this animosity where sometimes our team just has to come in and sit at a table for them to have a conversation. We just have to sit there. We don't have to say a lot. We come with some doughnuts, and we sit at the middle of the table and then they'll finally talk to one another, which they haven't done in years. But yes, incident response is a lot of that. There's a lot of personality management. You have a lot of people in authority who are panicking and trying to -- they might perceive that they've done something wrong even though incidents can happen to absolutely any organization, but there's a lot of blame and passing blame during incidents oftentimes. And there's a lot of people trying to protect themselves and their careers. Everybody is stressed out. It's a big crisis. It's the worst day for an organization so a lot of what we do is try to calm people down, and again, be that authoritative calm voice in the room.

Dave Bittner: As you walk around the show floor here at the RSA Conference, what are you seeing in terms of trends in your specific industry, industrial control systems, or are there any patterns you're seeing among the providers there?

Lesley Carhart: The interesting thing to me at RSA every year is seeing what the flavor of the year is. Everybody is kind of coming in with similar products every year. They're still selling their services, or their products, and they do important things, but they frame their advertising and their marketing materials around whatever people are kind of worried about, the collective subconscious for the year, and that's fascinating to me because it's not just the collective subconscious of technical practitioners like me, but also executives. What are they worried about? You'll see that reflected across the floor at RSA in terms of marketing and branding and how people are selling the same things that they sell every year, but this year they're concerned about specific things. So, on the floor this year you see a lot of ChatGPT. You see a lot of SBOM. SBOM is very relevant to industrial cybersecurity, so I'm really happy to see that discussed. Of course, the foundations and fundamentals are still very, very challenging for industrial operators. And is there more attention being brought to that at RSA? Not necessarily, because the fundamentals like asset management and basic security monitoring, they are just cool and fun to flashily advertise for at RSA definitely, but they're still very, very important. But all the things that people are concerned about every year tend to be real issues that matter for cybersecurity. Like last year we saw a lot of discussion of Zero Trust. Everybody's booth. No matter what they were selling, they all talked about Zero Trust. The year before that it was MITRE ATT&CK. And those are all important things that are important elements of cybersecurity. It's just interesting to me to see what people are concerned about and what they're talking about at RSA every year.

Dave Bittner: Yes, absolutely. Well, Lesley Carhart is director of incident response at Dragos. Thank you so much for joining us.

Lesley Carhart: An absolute pleasure. Thank you so much.

Dave Bittner: Karin Voodla is advisor for Digital Affairs at the Ministry of Foreign Affairs of Estonia. At last week's RSA Conference, I spoke with her about her participation in the US State Department's Global Emerging Leaders in International Cyberspace Security Fellowship.

Karin Voodla: It was something that was facilitated by the embassies across the globe, and I was approached by the -- or actually our MFA was approached by the US embassy in Thailand. When it was time to set up the candidates, my boss came to me, asking it sounds like a great program. Would you be interested? I was like absolutely. It seems something that it can be a great opportunity to meet people across the globe, to get more insights of the whole cybersecurity space that we're dealing with. So, I just thought it's a great opportunity. Of course, I didn't hear back for months and months so I was trying to figure out was I elected? What's the case? Where are we standing right now? And then eventually when Brian from our US embassy then next Brian reached out to me. He was like, "Congratulations. You're chosen," and then the excitement got real, and I was really trying to figure out what's waiting for me ahead.

Dave Bittner: Well, what were your responsibilities back home in Estonia?

Karin Voodla: Well, it's actually interesting because last year our MFA went through a reform restructuring, the MFA. So, before I was actually dealing with digital affairs under the trade department, and then now it was merged with cyber diplomacy. So, for a year almost we've been the digital and cyber diplomacy department. So, my duties have also changed a bit over time. But right now, I'm really focusing on international digital policy. So, it's a lot to do with the UN, the discussions on the global scale. Of course, we have some of our own projects globally by Estonia which I'm also a part of. Then again, it's the EU that we're a member of. So, some of the work in the EU, and of course, on a national level because we have to participate in our national policymaking matters. So, it's outwards but it's also inside of Estonia.

Dave Bittner: And so, what have the opportunities been through this fellowship? What are some of the things that you've been able to experience?

Karin Voodla: Well, today I'm still a bit jetlagged, right? It's 10 hours the time difference between here in San Francisco and Estonia. But so far, the program has been great. It has been great since the evening I arrived. We had a nice dinner together. Everyone tired, but you already go interact. You realize the people have come from across the globe. Literally you have people from all kinds of continents. And then, so I would say the interactions are definitely one of the main things. Then again, we met the ambassador for cyber and digital space, Nathaniel Fick, on Monday. Then we have been at the RSA Conference on Monday and then a full day today. We also heard more about the Ransomware Task Force just before coming here. Yesterday we visited the Google headquarters and heard about their activities in terms of their cybersecurity, and then we visited Stanford University.

Dave Bittner: And I think a part of the program here is that you have the opportunity to interact with other fellows from different parts of the world. That has to be an enriching experience in its own.

Karin Voodla: Oh, absolutely. I think that was why I was mentioning this as the first thing. You come here. Even though in my job you go and interact with diplomats inside of your working groups, the line of work that I do, but then you come here, and you realize how people's personal perceptions are also a bit different maybe from the states. So, it's literally just a lot of conversations that really open your eyes more in terms of what I do, but again, the cultural differences, I think these enrich our whole fellowship group a lot, and I think Linda from the State Department, who is bussing us around here a bit, said that it really is a good group that's been put together, and I really second that.

Dave Bittner: What are you looking forward to over the time that you're going to be able to experience this, and what are you hoping to bring back home from the experience?

Karin Voodla: I on purpose didn't want to set any expectations for myself, just to kind of go to the fellowship, see how it develops, get just the most out of it I can. And I'm really thankful to the State Department for the program that they have put together because really, hearing who they have managed to squeeze into the agenda, knowing these people are really busy every day and they're really experts in their field, I think it will give us a lot of new information. Of course, I'm really interested to hear more about the US and its national initiatives and how their policymaking, and of course, the whole structure is, because the real system compared to the country I come from, it's really different, and it's really interesting to actually hear how other countries operate and what they do.

Dave Bittner: Thanks to Karin Voodla from the Ministry of Foreign Affairs of Estonia for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliot Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.