The CyberWire Daily Podcast 5.26.23
Ep 1832 | 5.26.23

CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming. Updates on Volt Typhoon. Legion malware upgraded for the cloud. Natural-disaster-themed online fraud.


Dave Bittner: CosmicEnergy's OT and ICS malware from Russia may be for red teaming, may be for attack. Updates on Volt Typhoon, China's battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week. Time to batten down those digital hatches.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Friday, May 26th, 2023.

CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming.

Dave Bittner: Researchers at Mandiant have discovered a new malware designed to disrupt electricity supply in critical infrastructure. Called CosmicEnergy, the malware specializes in affecting operational technology and industrial control systems by interacting with devices such as remote terminal units that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia. CosmicEnergy was uploaded to a public malware scanning utility in 2021 by a user in Russia. The version obtained by Mandiant lacks a built-in discovery capability, which means that a user would have to manually identify the IPs of MSSQL servers, MSSQL credentials, and target IEC 104 information object addresses. Attribution is inconclusive, but researchers suggest that this malware could have been a Russian red teaming tool used in exercises to simulate an electric infrastructure attack. CosmicEnergy was found on VirusTotal, of all places, which seems a curious place for a threat actor to park malware. But in truth, it's happened before. The researchers explain that it is possible that this malware was developed as a red teaming tool for Rostelecom-Solar, a Russian cybersecurity firm. Mandiant has not been able to attribute this malware to any nation-state. They write, although we have not identified sufficient evidence to determine the origin or purpose of CosmicEnergy, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to re-create real attack scenarios against energy grid assets. It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St. Petersburg International Economic Forum. They add that it is equally possible that this was created by another actor, as there is a lack of conclusive evidence. 
And of course, even legitimate red teaming tools can be put to malign purposes. They are, after all, inherently dual-use items. CosmicEnergy hasn't been observed in attacks so far, either in Ukraine or elsewhere, but the possibility of its offensive use can't be ignored.

Updates on Volt Typhoon.

Dave Bittner: Beijing's official position on the Five Eyes joint advisory concerning China's Volt Typhoon cyberespionage campaign against U.S. targets mostly located in Guam is that the whole affair is American disinformation with the connivance of Australia, Canada, New Zealand, and the United Kingdom and with amplification by private-sector stooges, in this case, again, in Beijing's view, Microsoft. In full disclosure, Microsoft is a CyberWire partner, but even if they weren't, we would strongly dissent from any characterization of them as stooges.

Dave Bittner: ABC quotes Mao Ning, spokesperson for China's Foreign Ministry, as saying, obviously this is a collective disinformation campaign by the United States to mobilize the Five Eyes countries for geopolitical purposes. She derided the report as extremely unprofessional, marked by a serious lack of evidence, adding, the U.S. side should immediately give an account of the cyberattack instead of spreading false information to divert attention, a familiar complaint by authoritarian regimes confronting reports of their conduct. She concluded, as we all know, the Five Eyes is the world's largest intelligence organization, and the NSA is the world's largest hacker organization, and it is ironic that they have joined forces to issue disinformation reports. We don't know. That advisory seemed pretty professional to us and chock full of pretty specific evidence. But as the kids say, read the whole thing and see what you think.

Legion malware upgraded for the cloud.

Dave Bittner: Legion, a commercial malware tool, has been upgraded to target Amazon Web Services, from which it extracts credentials for authentication over SSH. Cado Security released a report on the threat, emphasizing the progression towards exploiting more cloud services and that each version does a bit better. That's better from the crooks' perspective, which of course, from our perspective, means worse. Regarding the SSH credential harvesting being observed, Cado researchers write, essentially the malware hunts for environment variable files in misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target server with a list of hard-coded paths in which these environment variable files typically reside. If these paths are publicly accessible due to misconfigurations, the files are saved, and a series of regular expressions are run over their contents. Legion's developers also apparently enabled a previously dormant tool to import a Python library called Paramiko, which is an implementation of the SSHv2 protocol which allows them to exploit SSH servers. The Hacker News reports that Legion is known for its use of Telegram as an avenue of exfiltration and sending spam messages to dynamically generated U.S. mobile numbers by making use of the stolen SMTP credentials. Matt Muir, a Cado Labs researcher, explains that the tool mainly exploits misconfigurations in web applications and so recommends that developers and administrators of web applications regularly review access to resources within the applications themselves and seek alternatives to storing secrets in environment files.
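The .env enumeration and credential-regex behaviour described in this segment, turned around into a defensive check. This is an added example written for this page, not Cado's report code and not Legion's own tooling. The candidate path list, the Laravel-style variable names, the combined-format access-log layout, and the sample log lines and .env contents are all constructed assumptions; the page does not reproduce Legion's real path list or regexes. It does two things a web administrator can run offline: audit a document root for env files that a path probe would serve, and flag clients in an access log that walk several .env locations or get a 200 on one.

```python
"""Defensive checks for .env harvesting (example code, not Legion's or Cado's)."""
from __future__ import annotations

import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Locations where Laravel-style env files commonly sit. This list is an
# assumption for the example; the real hard-coded list is not on the page.
ENV_CANDIDATES = [
    ".env",
    ".env.local",
    ".env.production",
    "laravel/.env",
    "public/.env",
    "app/.env",
    "config/.env",
]

# Variable names that carry reusable credentials (Laravel conventions assumed).
SECRET_PATTERNS = {
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)=\S+", re.M),
    "smtp": re.compile(r"^MAIL_(HOST|USERNAME|PASSWORD)=\S+", re.M),
    "database": re.compile(r"^DB_PASSWORD=\S+", re.M),
}

# Apache/nginx combined log format (assumed): ip ident user [ts] "req" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Any request whose last path segment is .env or .env.<suffix>
ENV_PATH = re.compile(r"/\.env(\.[A-Za-z0-9_-]+)?$")

# Constructed sample data, not captured from a real host.
SAMPLE_ENV = (
    "APP_NAME=Shop\n"
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n"
    "MAIL_HOST=smtp.example.com\n"
    "MAIL_PASSWORD=hunter2\n"
)
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.7 - - [26/May/2023:10:01:02 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.7 - - [26/May/2023:10:01:03 +0000] "GET /public/.env HTTP/1.1" 200 412 "-" "python-requests/2.28"',
    '198.51.100.9 - - [26/May/2023:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/May/2023:10:02:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]


def classify_secrets(env_text: str) -> set[str]:
    """Report which credential categories an env file exposes."""
    return {name for name, pat in SECRET_PATTERNS.items() if pat.search(env_text)}


def find_exposed_env_files(docroot: Path) -> dict[str, set[str]]:
    """Map each env file under the served document root to the secrets it holds.

    A file that exists at one of these relative paths is served to anyone who
    guesses the path unless the web server explicitly blocks dotfiles.
    """
    found: dict[str, set[str]] = {}
    for rel in ENV_CANDIDATES:
        candidate = docroot / rel
        if candidate.is_file():
            found[rel] = classify_secrets(candidate.read_text(errors="replace"))
    return found


def detect_env_probing(log_lines, min_paths: int = 2) -> dict[str, dict[str, list[str]]]:
    """Group .env requests by client; keep clients that walked at least
    min_paths distinct env locations, or that got a 200 on any of them."""
    per_ip = defaultdict(lambda: {"paths": set(), "hits": set()})
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not ENV_PATH.search(m["path"]):
            continue
        entry = per_ip[m["ip"]]
        entry["paths"].add(m["path"])
        if m["status"] == "200":          # the file was actually served
            entry["hits"].add(m["path"])
    return {
        ip: {"paths": sorted(e["paths"]), "hits": sorted(e["hits"])}
        for ip, e in per_ip.items()
        if len(e["paths"]) >= min_paths or e["hits"]
    }


def run_demo() -> dict[str, set[str]]:
    """Build a throwaway document root with one exposed env file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp)
        (docroot / "public").mkdir()
        (docroot / "public" / ".env").write_text(SAMPLE_ENV)
        return find_exposed_env_files(docroot)


if __name__ == "__main__":
    print("exposed:", run_demo())
    print("probing clients:", detect_env_probing(SAMPLE_LOG))
```

The 200 on /public/.env is the line that matters: a 404 sweep tells you someone is scanning, a 200 tells you the secrets are already gone and the AWS and SMTP credentials in that file should be rotated rather than merely protected. The audit function is only as good as its path list, so extend ENV_CANDIDATES with wherever your own deployment actually writes env files.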

Natural-disaster-themed online fraud.

Dave Bittner: The Atlantic hurricane season formally opens on June 1st, and the U.S. Cybersecurity and Infrastructure Security Agency warns that scammers can be expected, as usual, to take advantage of people's natural concern to induce them to bite on various scams. CISA says, social engineering tactics, techniques, and procedures include phishing attacks that use email or malicious websites to solicit personal information by posing as a trustworthy organization, notably as charities providing relief. Exercise caution in handling emails with hurricane- or typhoon-related subject lines, attachments, or hyperlinks to avoid compromise. In addition, be wary of social media pleas, texts, or door-to-door solicitations related to severe weather events. The same goes for typhoons, and the Pacific typhoon season is already underway. Hurricanes and typhoons are bad enough without an augmentation of fraud.

Memorial Day is observed this Monday. 

Dave Bittner: And finally, this weekend marks the U.S. federal holiday of Memorial Day, observed on Monday. We won't be publishing on Memorial Day, but we'll be back as usual on Tuesday. We invite you all to join us in remembering those who have sacrificed for their country and in our hopes that this troubled world may see some peace.

Dave Bittner: Coming up after the break, Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. Stay with us.

Dave Bittner: Kevin Kirkwood is Deputy CISO at SIEM platform provider LogRhythm. I spoke with him about the evolving threat of ransomware and data extortion.

Kevin Kirkwood: If you look seven or eight years ago, a ransomware event was literally somebody coming in and figuring out a way to have you click on a link or do something odd like respond to an email. And it would take you to a point where it would start encrypting everything in your -- in your backend system -- anything that looked like a Word doc or a Microsoft product. It's also anything connected to the system that you're working on, like Dropbox as an example. It encrypts everything in there too. So that -- that's kind of the fun piece, right? But long story short, it's evolved over time. And as you're -- as you're looking at what's happened in the space, they pick their targets better. They -- they pick targets that -- that are known payers, somebody that comes in and has -- has had a ransomware event, didn't learn the lesson, and they figure out ways to get in there and cause them pain again. So it -- it is also about getting to the point where you're driving ransomware into a situation where it's not so much about encry -- encrypting anymore, either. It's becoming something where they look at it and say, okay, so I'm going to obfuscate the data or I'm going to corrupt the data, frankly. And that means that if your backup system doesn't work, isn't clean, isn't correct, you have no -- no choice. You're -- you're basically going to pay to get -- get the data back. And so what they do is they -- they've taken it to the next level. They've come in and they've stolen your data, they corrupt it in place, or they encrypt it in place still, in some cases. They basically tell you, hey, listen. The only way to get this back is -- is I have a copy, or I have a key. And once they get to that point, you can come in and say -- they can come in and say, if you don't pay, we'll just flip it out into the wild, and you'll want to keep us from doing that as well. So that's the second layer of the attack. 
A third layer actually might be if they're looking at -- at the environment that you're in, and you've got a huge number of systems, you've got a big sprawl of data, they're going to find something that's remote and distinct and drop in something that will allow them to come back in a backdoor at some level. So that's almost like a third layer of attack. Once they get you paying, they'll keep you paying as long as they can.

Dave Bittner: What are the options that organizations have to counter this? If this is where we find ourselves, what can folks do?

Kevin Kirkwood: Well, there -- there's a couple of pretty basic things. I mean, the backup situation hasn't changed. You -- you absolutely have to have good backups. You have to practice your backups. You need to have, you know, a -- a training system in place so that folks know that what a phishing attempt is, what -- what it means when you have a phishing attack. And that's typically one of the ways where -- where the problem gets started. You know, people get phished, they click on a link, they click on something, they provide credentials, they do something that's -- that's beyond the pale of normal operations. And if you don't have the training in place, you don't keep them constantly aware that this is occurring, people have a tendency to -- to forget. And -- and, you know, one -- one misstep can ruin a whole lot of days for a company. And so it's -- it's things like that. Then, of course, on top of that, your ransomware is typically some kind of malicious file, a malicious program. And so as long as they haven't updated their -- the core code, a lot of the cyber vendors, malware vendors, or malware detection facilities will actually come back in and provide you a solution to that. So you keep your -- your malware signatures up to date, and your system should detect it and -- and keep it from happening. Now, that doesn't mean that the attacker can't get fancy, recompile his -- his malicious code, drop it into a new name in a new area, and have it become a new zero-day for the attack. Long story short, they need to get in, they need to be able to figure out ways to detect and automate the sending of the data. And so looking at your backup systems, looking at your files as they transfer, are things that you need to be thinking about on a fairly regular basis. You know, you suddenly see a large link or large blob of data leaving the organization, get suspicious. 
If it's a backup, get suspicious even more, and figure out ways that you can, again, keep an eye on this. NDRs are out there. Network detection and response routines are out there. And these can help you identify where there's a problem and could allow you to actually stop an attack from happening. User and entity behavior analytics can also help significantly. All right, so these are things where somebody does something that's unique -- elevates credentials, does something that -- that, you know, is not normal behavior for them. They traverse into a new area, and -- where they shouldn't be. You know, that's something you can -- can put a stamp on and say, yep, that's bad practice. We're going to stop that. So it's things like that. I mean, there's a lot of tools in place to -- to help people, but it takes a coordinated, precise strategy and tactical approach to solve this problem. If you're not thinking through ransomware at the right level, you're not driving to detect and respond at the right level, you're potentially toast.

Dave Bittner: I think that's really the trick, right? I mean, it's -- there is a good bit of complexity here. And so I'm curious for your insights on what's the best way for organizations to go about prioritizing the time, the resources, that they have to kind of dial in what best fits their particular threat model.

Kevin Kirkwood: It's also about who they are as an entity, right? So if you're a mom-and-pop shop, and you don't think of yourself as a target, you're probably thinking wrong. If you're a mid-size company, and you have some level of security in place and a security posture in place, that makes sense. Make sure that you're -- you're thinking through, you know, what's the -- what's the worst thing that could happen? What's your worst day? And ransomware could be that worst day. As an example, there was a security company here recently -- I think it was 2020 or 2021 -- that actually got attacked, got their data exposed. They exfiltrated about 700 megabytes of data. And as a security company, that's almost a game killer, right? How do you make sure that that doesn't occur to you? And so it's things like that that you need to be well aware of and ahead of. Healthcare companies -- another great target. They typically have a limited response plan in place. They probably don't spend a lot of money and time on security. And the hackers know that. And so they'll come in. They'll spot a potential target. They'll look at that organization. They'll figure out who the players are, and they will begin their spear-phishing routines and get themselves into your system. And so it's about how -- how do you make sure that you've got the right people in place to help you think through this, the right IT components in place to help you recover should this occur, folks that are ready to react and respond very quickly, then systems that basically can help you with the detection response that will basically stop the -- stop the attack in its tracks if you -- if you can figure it out.

Dave Bittner: That's Kevin Kirkwood from LogRhythm.

And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, it's always great to welcome you back. You know, people complain about their logs, that [laughter] -- the firehose of information that is contained in their logs. But you make the point that sometimes the absence of logs can be a key indicator that perhaps something is awry.

Johannes Ullrich: Yes, David. That's certainly one of those things that, as a SOC analyst, you'll come into work and hey, you know, no alerts today. Easy day, you know? [laughter]

Dave Bittner: Yay.

Johannes Ullrich: Yeah, let's get some more coffee, and let's go take an early lunch and such. But log volume is actually a very important indicator. I remember, you know, one of the very, very early sort of hacking groups I sort of tracked back in the '90s. They called themself the Lumberjacks because the first thing they did was they cut down all the logs. [laughter] But one standard thing that attackers are doing is to disable logging or at least to reduce logging, and that's something to be aware of. So you definitely have to have some mechanism in place to alert you if the log volume is suspiciously low. The tricky part here is that log volume often fluctuates a lot during the day. You have things like brute-force attacks or denial-of-service attacks that can all of a sudden create very high log volume. And the -- so it can be a little bit difficult to sort of establish a proper lower end sort of a floor in your logging that -- that will alert you of basically not having enough logs. Some way to possibly make this a little bit easier and more accurate is to establish lower -- this log floor for individual log sources and also have average volumes that you're expecting for these sources because not all sources are as volatile as, for example, failed login attempts.

Dave Bittner: Is this an application, dare I say, for some machine learning or artificial intelligence?

Johannes Ullrich: Everything is better with machine learning. [laughter] No, certainly it is. Certainly it is. But there are actually some simpler things that you can do -- some Fourier transforms or such where you aren't just looking at -- a lot of this is cyclic, where you have more logs during business hours than off business hours. So you tend to have these seven-day, 24-hour type of cycles sort of in -- in your log volume. You have some of these processes, like, that sort of kick off at certain times that generate a lot of logs. Once you are identifying some of that and reduce some of this, you can certainly get a better idea of what normal is in your log volume. But for large amounts of logs, and such very diverse logs, something like machine learning certainly would be a good application here.

Dave Bittner: You know, I'm reminded of all those movies, you know, spy movies and such where there's a security camera and, you know, somebody needs to get into a building. So rather than having the feed from the security camera go dark, you know, they'll cut in their own feed that just shows an empty hallway or something like that. Have we seen threat actors do that with logs where, rather than just disabling logging, they just sort of fill it with benign information?

Johannes Ullrich: I haven't come across that yet. So maybe want to cut this out to not give anybody here any ideas? [laughter]

Dave Bittner: Okay. Fair enough. [laughter]

Johannes Ullrich: I wouldn't be surprised if someone has done that, but I can't remember where anybody has sort of sent, like, you know, benign logs or replayed logs.

Dave Bittner: Yeah.

Johannes Ullrich: Maybe sometime sort of in the packet space, but not really. No, I haven't really seen that in this.

Dave Bittner: Yeah. [multiple speakers]

Johannes Ullrich: In this attack. But yeah, interesting idea.

Dave Bittner: Yeah. All right. Well, Johannes Ullrich, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Himaja Motheram and Emily Austin from Censys. They're sharing their research. Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin panels. That's "Research Saturday." Check it out. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Tré Hester with original music by Elliot Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.