The CyberWire Daily Podcast 6.15.23
Ep 1845 | 6.15.23

Chinese threat actors reel in Barracuda appliances. Diicot: the gang formerly known as Mexals, with Romanian ties. Recent Russian cyberespionage against Ukraine and its sympathizers.


Dave Bittner: A Chinese threat actor exploits a Barracuda vulnerability. An upgraded version of the Android GravityRAT can exfiltrate WhatsApp messages. Cybercriminals pose as security researchers to propagate malware. Updates on the Vidar threat operation. A new Romanian hacking group has emerged. Shuckworm collects intelligence, and may support targeting. The Washington Post's Tim Starks explains the section 702 debate. Our guest is Rotem Iram from At-Bay with insights on email security. And Russia's Cadet Blizzard.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Thursday, June 15th, 2023.

Chinese threat actor exploits Barracuda vulnerability.

Dave Bittner: Following a late May announcement of a zero-day vulnerability affecting the Barracuda Email Security Gateway, Mandiant has identified an actor they believe is based in China targeting Barracuda ESG appliances. The gang, identified as UNC4841, may have exploited this vulnerability as long ago as October of last year. The threat actors sent phishing emails containing malicious file attachments that exploited the vulnerability and allowed for initial access into affected devices. UNC4841 is said to primarily rely on three families of code: SALTWATER, SEASPY, and SEASIDE. The hackers are said by researchers to "aggressively target specific data of interest for exfiltration" following the initial compromise. The gang is said to be using this access for cyberespionage purposes. Barracuda recommends isolating and replacing affected devices. Mandiant adds that further investigation and hunting within systems would also be a good idea, as this gang has shown a strong capability for lateral movement, and is nothing if not persistent.

Upgraded Android GravityRAT can exfiltrate WhatsApp messages from an infected device.

Dave Bittner: Researchers at ESET have found an updated version of the Android GravityRAT that can exfiltrate stored WhatsApp messages and delete files on command. The remote access Trojan is being delivered in the form of chat applications. These are, in fact, corrupted versions of open-source OMEMO IM code. When ESET attempted to download an affected instance of BingeChat, they found that its registration was closed, leading them to believe that this campaign is highly targeted. ESET writes that it's possible that the operators even go so far as opening registration at the time a specific target is anticipated to be online. The researchers have been unable to find any victims of the campaign, which further suggests the campaign is intended for specific targets, and not a large-scale campaign. Though attribution of the threat actors behind this RAT is unknown, Facebook and Cisco Talos have suggested that a Pakistan-based APT may be responsible. So, while the number of victims affected by the Trojan may not defy gravity, its capabilities are something worthy of note.

Cybercriminals pose as security researchers.

Dave Bittner: Researchers at VulnCheck have discovered malicious GitHub repositories claiming to be zero-day proofs-of-concept posted by security researchers. VulnCheck says that the cybercriminals operate multiple fake accounts and Twitter profiles posing as employees of a fictitious company named "High Sierra Cyber Security." The malicious profiles often use legitimate headshots of security researchers, and contain a malicious repository. Avkash Kathiriya, Senior Vice-President of Research and Innovation at Cyware, commented that "It's worth repeating these security 101 tenets: Don't download questionable files from GitHub. Don't install any sample malware in a system that is not isolated. Don't trust what you see on Twitter. If you spend all day researching threats and scam techniques, don't be surprised when you become the target." That's one moral of this story.

The Vidar threat operation.

Dave Bittner: Team Cymru continues to track the Vidar commodity malware operation. The malware's operators are using public VPN services for anonymity, and have begun migrating to Tor. The researchers state that recent changes have made the monitoring of updates to malware more difficult. Researchers say that "Previously, it was possible to download any files hosted on the URL path /private, such as the bash script responsible for installing the necessary components for a new Vidar campaign, making it possible to monitor malware updates." Unauthenticated file download attempts now redirect back to the Vidar affiliate login screen.

New Romanian hacking group described.

Dave Bittner: Cado Security researchers today reported discovering threat patterns they associate with the Diicot threat group. Diicot, the gang formerly known as Mexals, is deploying malicious payloads that aren't in public repositories. In particular, the group has its hands on an initial access tool that self-propagates, and it's also using custom packages to hide binary payloads. Diicot engages in a range of criminal activity, including cryptojacking, doxxing, and DDoS attacks. Active since at least 2020, Diicot has recently been seen using a Mirai-based botnet, "Cayosin," in attacks against routers running the OpenWrt operating system. The gang's new "Diicot" moniker is also the name of the organized crime and anti-terrorism police unit in Romania. That, combined with observations of the Romanian language in strings and log statements, has led researchers to conclude that the gang's origins are Romanian.

Shuckworm collects intelligence (and may support targeting).

Dave Bittner: Russian intelligence services are again targeting Ukrainian government and security services in a persistent intelligence collection campaign. The Symantec Threat Hunter Team released a long-form article discussing the long-term behavior of the Russian APT Shuckworm. Shuckworm, also known as Gamaredon or Armageddon, seems recently to have targeted Ukraine's security services, military, and government organizations with a view to establishing long-term persistence for continuing intelligence collection. Symantec writes, "In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months." They observed repeated attempts at accessing and stealing sensitive information related to Ukrainian service members, air strikes, training reports, and the like. Shuckworm constantly evolves its tools to evade detection and throw off defenders' attempts to profile the threat actor. Although Shuckworm has been active against Ukrainian networks since 2014--the year of Russia's invasion of Ukraine's Crimean province--its most recent attacks in February and March of 2023 are of particular interest: they scan a victim's network for files that could contain sensitive Ukrainian military information and could possibly be used to target kinetic strikes against Ukrainian units.

The GRU's Cadet Blizzard operation.

Dave Bittner: And finally, Microsoft researchers have now identified a cluster of cyberattacks as the work of a Russian General Staff Main Intelligence Directorate, or GRU, unit Microsoft has named "Cadet Blizzard." Redmond thinks that Cadet Blizzard, formerly tracked as DEV-0586, has been operating since 2020. They associate the unit with last year's WhisperGate wiper attacks against Ukrainian targets, and they note that in recent months the threat actor has been associated with influence operations. Cadet Blizzard isn't the only GRU threat actor working against Ukraine. While Microsoft links Cadet Blizzard to the Russian GRU, they maintain that the group is separate from the more familiar Forest Blizzard and Seashell Blizzard gangs, known also as STRONTIUM and IRIDIUM, respectively. Compared to Forest Blizzard and Seashell Blizzard, Microsoft assesses Cadet Blizzard as generally less effective than its better-known institutional siblings. Still, it's enjoyed a modest level of success, and it's not an outfit defenders can afford to disregard.

Dave Bittner: Coming up after the break, the Washington Post's Tim Starks explains the section 702 debate. Our guest is Rotem Iram from At-Bay with insights on email security. Stay with us.

Dave Bittner: Cybersecurity insurance provider At-Bay recently published a report exploring the effectiveness of various email security solutions, along with recommendations for revamping email security practices. Rotem Iram is CEO and cofounder of At-Bay.

Rotem Iram: One of the things that has frustrated me personally, as somebody who has been in the security industry for a while, is that it is really difficult to know what the relationship is between certain technology choices that we made and the risks that are entailed. It's easy to believe that they help, but how much do they help? Which one is better? How much should I spend to buy initial security controls? Is it worth the investment or not? It's really difficult to answer any of these questions without a financial analysis of the actual loss results, and that is what has made me excited to build an insurance company, where we get to see claims of more than 40,000 of our insureds over these last few years and start to tease out what the relationships are between certain product choices and certain technology choices that our customers have made, and the financial losses that they experience later on. And what we've done in our report is highlight two elements that are related to email security. The first one is the choice of the underlying email client. We believe that this is really important, because if I would take the metaphor "protecting a house," I want to know how you built your house first before I'm interested in what security solutions you've overlaid on the house. Yes, it is important to know if you have locks on your doors and a fence around the house and closed, you know, cameras, but I want to know, is the house made out of brick or wood, or is it straw? Right? And the first thing that we've identified is that and, by the way, maybe it's also important to say, our analysis is a statistical analysis of our own claims experience. It says nothing about the technical capabilities of the products, only how we experience customers that have decided to buy and purchase, and use those products.
And what we see is that companies who chose Google Workspace as their email environment experienced significantly fewer losses than customers that have chosen Microsoft 365 or Microsoft Exchange, and that could be a combination of both issues with how easy it is to break in to either one of those platforms, or also how much attention the actors are putting into any one of those platforms. But regardless of why this is happening, at the end of the day, as an insurance company that does not want to, or that wants to find ways to limit how much we lose on each policy, we have found that Microsoft Exchange, which is the on-premise kind of older version of Microsoft Office, Microsoft Exchange is dramatically more vulnerable than the Cloud email solutions, Workspace and 365; they're almost a factor of three compared to Google Workspace, and Google Workspace outperforms Microsoft 365 by almost twice as much in terms of the frequency of attacks. And then, the second layer is the layer of email security solutions that companies purchase to put on top of their email solution. These are companies like Mimecast, Sophos, Intermedia, AppRiver, Proofpoint, Barracuda and others. What we found, generally speaking, is that these solutions all do a good job reducing the risk of the insured, but we found a stronger correlation between Mimecast email security solutions and lower frequency compared to each of the other choices. So, Mimecast came first with almost 30% lower frequency of incidents that started in email compared to the average email security platform. And then you can read the full list in our report that we published.

Dave Bittner: I'm curious as an insurance provider, to what degree do you feel as though you're having influence over organizations and the things they choose? I mean, you can set rates based on some of the data you're gathering here, right?

Rotem Iram: Absolutely. We use this data first and foremost for our own pricing exercise, so that we can price the policy adequately and we reflect our--this pricing back to the customer. And so, what we tell our customers is here are the choices that you have made and here is the resulting insurance premium and, by the way, if you have made different choices, this is what--how--this is the opportunity you have to improve. Typically, customers don't care about making their insurance policy worse, but here are the ways in which you could get access to better coverage or better premiums, lower premiums, if you were to adopt other solutions that we find are better performing when it comes to risks. In some cases and, by the way, our customers view us as a very credible and very much an objective third party; we don't have--we don't care which solution went--we're not tied to any one of these specific platforms or solutions, we want to decrease risk, and in that way we are very much on the same side as the insured. I'll say more on that; At-Bay focuses on small and medium-sized companies. These are companies that do not have the budget or the expertise to manage security themselves. There is no CISO in the organization that has a very strong opinion about security solutions. And they see the insurance company as a partner that not only buys away some of the risk, right, for the premium, but also as a very credible entity to help them manage their risks. And so, as kind of their trusted partner, they oftentimes follow our advice even when it's not--and it's much easier to do it this way when we can actually show them the relationship between losses and the choices that they make. In some cases, for example in the case of the old kind of Microsoft Exchange services, we would significantly limit the coverage in the policy unless they upgraded to a better--to a Cloud solution, and we're happy to help them.
By the way, we've partnered with Microsoft to help Exchange customers upgrade their environments for no fee to the Office 365 environment, because it is so much safer and so much better for us, but if they choose to remain with the Exchange environment, we--we in many cases tell them that they should probably go and seek insurance from another provider.

Dave Bittner: That's Rotem Iram from At-Bay.

Dave Bittner: Joining me once again is Tim Starks. He is the author of the "Cybersecurity 202" over at the Washington Post. Tim, it's always great to have you back.

Tim Starks: Always great to be back.

Dave Bittner: So, earlier this week you published a story about the ongoing debate over Section 702 authorization which is really hot and heavy right now among Congress and the various players in this world. Can you give us a little overview before we dig into the current specifics of what led us to where we are here today?

Tim Starks: The issue with Section 702, this is a program that was created after 9/11, eventually became authorized into law, it was sort of a secret administration program for a while and then they did go ahead and authorize it with a little bit of extra protections that had been in there. The idea of the program originally was, of course, to capture or to be able to eavesdrop on terrorists and the thing that made it controversial is that it was under the Foreign Intelligence Surveillance Act which, as you might imagine, was supposed to be foreign-related.

Dave Bittner: Right.

Tim Starks: And in this case, they were targeting foreigners, but the people on the other line of the communications they were eavesdropping on might be Americans. This is warrantless surveillance. So, it was very controversial to get to the point of being authorized and then reauthorized again in 2018, because we're talking about, you know, Americans being surveilled upon; that's something we take a little--we take a little different approach to in the United States.

Dave Bittner: Right.

Tim Starks: So, there are other ways in which, you know, U.S. citizens can be spied upon here. One of the things that they can do, the FBI can go in and if they have some evidence of a crime or if they have some foreign intelligence purpose that they can justify, they can go and search that database of all those communications they've collected based on looking for the U.S. person communications. So, they can--there's a fear that this is so-called reverse targeting or backdoor searches. So, all of this has been very controversial for a long time, but it's only gotten more controversial since the last reauthorization because FISA is now wrapped up in some hostilities that Republicans have over FISA overall, not Section 702, that you saw on a Trump campaign ad, and also there have been yet more reports of abuses that have been coming out in the last few months.

Dave Bittner: And so, this is up for renewal this year, right, and it expires at the end of this year, so what's the overall debate here?

Tim Starks: Yeah, they don't have a lot of time. The administration started making a push on this earlier this year, and maybe they should have gotten started sooner, because this is--this is--this has not gotten too far in terms of who's acting on it. This--there--this is again, one of the first hearings on this matter in the Senate Judiciary Committee this week. They're one of the committees that have oversight of that FISA law. They just had it in June and if you know Congress very well, you know that sometimes it takes a little while for them to get to the point of actually taking action. So, this is--we're still early in the process of this. One of the things that we are seeing come up more often, and the administration does not like this, is the notion of a warrant requirement for going into that database and searching for a U.S. person. So, that's going to be a real sticking point. Just maybe to give the folks listening a little more reason to understand why Section 702 is so important, we're talking about, you know, eavesdropping on emails, eavesdropping on texts; you get into this sort of cybersecurity world pretty quickly, and while it was conceived for anti-terrorism purposes, these days the administration--the FBI said nearly half, or approximately half, of the uses of that--that querying, is for cybersecurity cases where they're trying to go in and find victims of cybersecurity incidents, where they're trying to track down the hackers responsible. So, it's got a lot of cybersecurity ramifications that it's always had, but it's gotten more and more if you listen to the administration.

Dave Bittner: What is the burden here of having to get a warrant? I mean, that seems to align with the notion of the Fourth Amendment; why is the administration against that additional burden?

Tim Starks: Yeah, so they have a couple different answers to that. One is, that despite what people do say about the Fourth Amendment concerns and Congress mentioned this, you know, this week, it is first and foremost on their mind, they say that no court that has evaluated this program has said it is--it goes against the Fourth Amendment. The other thing they say is that it would be wildly impractical if they had to do it every single time they wanted it; the courts would just be completely clogged up. They wouldn't be able to ever get anything done with speed. In some cases they say, we're trying to find out really quickly in real-time, who a victim is, and if you're worried about trying to track down who a victim is and you have to wait any length of time, you're going to have a lot less success.

Dave Bittner: Any notion of how this is likely to play out?

Tim Starks: Oh, god. I hate it when you ask me that, Dave [brief laughter].

Dave Bittner: It's so--it's so unfair of me, but I'm asking the questions here, Tim [brief laughter].

Tim Starks: Ellen Nakashima, my colleague, she and I were discussing this and she tweeted about this, this is not--this is not violating confidentiality of discussions, it feels like if this is going to happen, the administration might have to accept some kind of warrant requirement. There was a call that--that some senior administration officials did with reporters where one of the reporters asked, "Are you going to talk about maybe just doing a clean six-month extension?" I could see that happening, or, you know, some kind of extension, and I can see it happening in part because it's happened before, but they keep having to kick the can down the road, but what the ultimate deal looks like is really, it's difficult for me to imagine, because the opposition from the Republican side has really been mounting. They control the House. The opposition from civil liberties-oriented Democrats and Republicans has always been there and I think it's hardened if anything. It's really difficult for me to imagine them getting a version of the deal where they don't have to make some kind of concessions on warrants, but it's hard to imagine what a--what a middle ground looks like. It, you know, right now it's "We don't want a warrant" versus "We do want a warrant." And you can't, you know, you can't have half a baby, you know?

Dave Bittner: Right.

Tim Starks: If one person wants it--wants a child and the other person in the relationship doesn't, you can't--there's no compromise. One person seems to have to give up. So, it's I think trying to be creative around how that warrant requirement could work, is probably where a deal lies, or the administration is just rolling over and saying, look we need this authority so much that we will--we will deal with this and live with this warrant requirement.

Dave Bittner: Alright, well, time will tell, as we like to say. Tim Starks is the author of the "Cybersecurity 202" at the Washington Post. Tim, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire, are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.