The CyberWire Daily Podcast 6.21.23
Ep 1848 | 6.21.23

A “flea” on the wall conducts cyberespionage. Cl0p update. Astrology finds its way into your computer systems. Fancy Bear sighted, again.

Transcript

Dave Bittner: The Flea APT sets its sights on diplomatic targets. An update on the Cl0p gang's exploitation of a MOVEit vulnerability. Unpatched TP-Link Archer routers are meeting their match in the Condi botnet. The "Muddled Libra" threat group compromises companies in a variety of industries. A look into passwordless authentication. Derek Manky of Fortinet describes the Global Threat Landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes, and Fancy Bear noses its way into Ukrainian servers.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Wednesday, June 21, 2023.

The Flea APT prospects diplomatic targets.

Dave Bittner: A Chinese cyberespionage campaign has hackers hoping to be a flea on the wall in foreign affairs ministries across the Americas. The Threat Hunter team at Symantec released a new report detailing a recent cyberespionage campaign seen targeting various ministries of foreign affairs. This campaign is said to be conducted by the China-backed advanced persistent threat group called "The Flea," with other known aliases that include APT15, Nylon Typhoon, BackdoorDiplomacy, among others. It's deploying Backdoor.Graphican, a third-generation backdoor derived from the previously used Ketrican and BS2005. The report says the major difference between the functionalities of Graphican and Ketrican is Graphican's use of the Microsoft Graph API and OneDrive to obtain its command-and-control infrastructure. Symantec also drew similarities between Graphican and Fancy Bear's Graphite malware, which also uses Microsoft Graph API and OneDrive as a command-and-control server. Though their techniques may be similar, this doesn't necessarily mean they are collaborating. "The Flea" aims to gain persistent access to its targets' networks.

An update on Cl0p's exploitation of a MOVEit vulnerability.

Dave Bittner: The Record reports that there appear to be at least sixty-three organizations that were compromised by the Cl0p ransomware gang via the MOVEit vulnerabilities. SecurityWeek says the group's victims include Gen Digital, the US Department of Energy, the Nova Scotia government, British Airways, the British Broadcasting Company, Aer Lingus, and an array of others. Cyber Security Hub reports that PwC and Ernst & Young were also compromised. Cl0p claims that it doesn't have stolen data from the BBC, British Airways, and U.K. drugstore chain Boots, although the BBC notes that it's entirely possible the group is lying. The gang also told BleepingComputer that it had deleted any data stolen from government entities.

Condi botnet is targeting unpatched TP-Link Archer AX21 routers.

Dave Bittner: Researchers at Fortinet's FortiGuard Labs discovered a campaign that uses a newly marketed distributed denial-of-service botnet, Condi. The botnet uses an unauthenticated command injection vulnerability in TP-Link Archer routers to infect machines. Condi includes several features to ensure it is the only botnet running on the infected machine. It also disables the ability to remotely shut down the router, because the malware cannot survive a reboot or shutdown. The developer also seems to have incorrectly implemented the feature to kill previous versions of itself running on the infected router. Condi is unusual in using a scanner to search for open ports on HTTP servers to send what researchers say is a hardcoded exploitation request to download and execute a remote shell script that will infect vulnerable TP-Link routers. Condi creates an HTTP server that will, in turn, masquerade as a legitimate Apache HTTP server responding with a "Server: Apache" header. A bargain in the C2C market, Condi is offered on Telegram for the low-low price of just $5. Criminals can buy the source code for 50 bucks. Fortinet strongly recommends that users continue to update their machines to prevent threat actors from exploiting them. This vulnerability was discovered in mid-March of this year and was patched two days after its discovery.

Enter the Muddled Libra threat group.

Dave Bittner: Astrology may be making its way into your life, though not in the way that the mystics reading their horoscopes would tell you. Palo Alto Networks' Unit 42 is tracking "Muddled Libra," a threat group that uses the 0ktapus commodity phishing kit to compromise entities in the software automation, business process outsourcing, telecommunications, and technology industries. Unit 42 assesses that the group has an affinity for targeting customers downstream of their victims, using the data they've stolen, and that if allowed, they will return repeatedly to the well to refresh their stolen dataset. This allows for a return to past victims, even following the company's initial response.

Passwordless authentication study released.

Dave Bittner: Axiad, this morning, released the findings of a Passwordless Authentication Survey it commissioned, conducted by Enterprise Strategy Group. The survey covers an array of vectors related to authentication: challenges, user experience, user attitudes toward authentication, and the wants and needs of organizations that implement authentication measures. Professionals across the cybersecurity, development, and IT fields within North America were surveyed. Phishing and social engineering attacks proved to continuously be a point of concern, as 92% of the survey's respondents reported fear over credential harvesting. Almost 60% of respondents report with confidence that they believe compromised accounts, or harvested credentials, have been the cause of a successfully implemented cyberattack within the last year. Passwordless authentication seems to be a prioritized vector for these professionals, as a majority, 82% of respondents, placed a move to passwordless authentication within their top five priorities, with 85% reporting a move to passwordless authentication planned within the next one to two years. Respondents also report a belief that a move to passwordless authentication will aid IT and support teams within their organization, with 86% of those surveyed in agreement.

Fancy Bear noses into Ukrainian email servers.

Dave Bittner: And finally, the GRU's APT28 group, Fancy Bear, used three Roundcube exploits against Ukrainian email servers in the course of a renewed and recently detected Russian cyberespionage campaign. The attack's success was enabled, CERT-UA says, by the victims' continued use of an outdated version of the Roundcube open-source webmail software, a version that remains susceptible to SQL injection attacks. CERT-UA credits the detection of the activity to information received from a Western company working within a program of regular information exchange and thanked them for their aid and their disclosure. The company is unnamed, but it's clearly Recorded Future, given the link CERT-UA provides to the research that tipped them off to the GRU campaign. Recorded Future says as much itself. An extensive account published yesterday by the company's Insikt Group says, "The campaign leveraged news about Russia's war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers," and shared that they discovered an overlap in the campaign with activity from BlueDelta, who exploited the Microsoft Outlook zero-day vulnerability last year. In any case, the investigation and exposure of the activity is a good example of the international public-private partnership that's proven useful to Ukraine in the cyber phases of its defensive war against the Russian invaders.

Dave Bittner: Coming up after the break, Derek Manky of Fortinet describes the Global Threat Landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes. Stay with us.

Dave Bittner: Derek Manky is Chief Security Strategist and Global VP of Threat Intelligence at FortiGuard Labs, part of security firm Fortinet. They recently released their semi-annual Global Threat Landscape Report, and I checked in with Derek Manky for the details.

Derek Manky: To me, the most prominent and what we highlighted in the report is the rise of wiper malware, or wiperware as it's known, as well. So of course, these are attacks that have been quite limited in the past, Dave. Usually we saw maybe one of these campaigns per year, always APT focused, so a nation state going after critical infrastructure. What we saw last year and certainly in the second half of last year was an acceleration effect where we're seeing much more wiper malware being developed. We are seeing it being mass distributed, so not limited to APT. Yes, we saw some instances that started as targeted attacks via APT groups, but it's really become commoditized. I mean, there's wiper malware we observed that's been available on GitHub as an example. So there's a lot more families, a lot of distributions. We observed over 25 countries, just with wipers alone, and if we compare the third quarter to the fourth quarter last year, it is a 53% growth in activity just for wipers.

Dave Bittner: How is the wiper malware being implemented here? Is it replacing ransomware? Or is that the threat to the organizations they're coming after?

Derek Manky: So, not replacement. It's unfortunately supplemental and complementary. It's a part of a playbook when we talk about cybercrime. So what we're seeing, really, is the wiper malware being used in the playbooks along with ransomware campaigns. Because it is destructive in nature, they can show, you know? It's effectively saber rattling, showing that they mean business, that they can take down critical systems, cause revenue loss, and demand a higher payment in ransom. So it's being used in the targeted ransom campaigns. And again, these are going from seven-figure to eight-figure ransom demands. And if we look at how they're implementing this, it's actually quite different, right? All -- every single wiper that we've observed, all are developed differently. Some are just looking at, you know, data. Some are looking at entire disks and partitions. Some that we've seen, in rare instances, are actually going after firmware, bricking devices, as well.

Dave Bittner: I know one of the things that you're covering here is intelligence that CISOs have available to them. What are you seeing there?

Derek Manky: Yeah, this one is quite interesting as well; this is a good-news story, Dave. So you know, we often talk about the bad news. The threat landscape can be quite overwhelming. So this is a new feature in our report, and what we looked at was, to simplify this, the total attack surface, which is how many vulnerabilities are out there in history since we started tracking vulnerabilities? And if you look at NIST and MITRE, you know, tracking about 200,000-plus. That's a lot, right? That's a big attack surface. But really, what matters to organizations is what is the observable attack surface? So for each given organization, what vulnerabilities actually exist? And then, what are the observable attacked vulnerabilities, right? And so, this is what we call the red zone, because it's a correlation of datasets where we looked at how many, you know, holes, essentially, are there out there that we can observe? But out of those holes, what are attackers actually going after and attacking? And again, if you, instead of boiling the ocean, now you're going from 200,000 vulnerabilities to roughly that observable attack surface, it's much lower. About 15,000 of those we're actually seeing there as holes out there. But in fact, only 1% of those we're seeing under active attack. So the good-news story is that, hey, we're not dealing with this. Yes, it's a massive attack surface. But in reality, these are the ones attackers are going after. And it's actually quite a bit of a smaller subset, something more manageable for CISOs.

Dave Bittner: What are you seeing in terms of innovation on the malware providers here? I know we're seeing a lot of, you know, things like ransomware as a service, but are they actively iterating? What are we seeing there?

Derek Manky: So the ransom as a service and crime services, that's one innovation piece. That's a business model, as we know. So there's a lot of new services that we're seeing being added to their portfolio on forums that they're offering. You know, it started years ago with DDoS as a service, phishing as a service, botnet infrastructure stuff. Now, as you mentioned, ransomware as a service, but we're seeing more tagged onto that as well, like reconnaissance services as an example. So the service portfolio is one innovation piece, but the malware creation, what we're seeing, is a retrofitting aspect. It is quite interesting. Actually, we -- a lot of the threats that we talked about years ago, Emotet. I'm going to pick on that as an example. Big threat, prominent years ago. There have been multiple takedown attempts on it. We saw it's still one of the biggest families out there we see, and why? Because they're learning from success, and they're building on existing code and retrofitting, right, adding new elements to it to make it even more successful.

Dave Bittner: Well, based on the information you've gathered here, what are the take homes? What are the recommendations for organizations to better protect themselves?

Derek Manky: Yeah, so there's good news here again, right? The take homes are just, if I talked about that red zone, right? There's simple management that can be done to really mitigate the risk for penetration and entry points that attackers are using to get into these, right, to deploy things like wiper malware as an example. Also, because shifts are -- because the attacks are going to more of a targeted nature, organizations are better off focusing on the left side of the attack chain, right? So more education and awareness, preparation, doing security training, penetration testing, breach and attack simulation, looking at things like deception technology, as well too, because all these things can actually trap, you know, these attacks before they hit production environments. So, that's one piece of it. On the other side, of course, as we talked, malware continues to innovate, so being able to observe zero-day malware attacks, such as the wiper malware families that are being created, and the new ransom variants, as well. ZTNA, we talked about Zero-Trust Network Access. These are all valid code payloads, valid techniques, to mitigate.

Dave Bittner: That's Derek Manky from FortiGuard Labs, part of Fortinet.

Dave Bittner: Continuing our series of interviews from the AWS re:Inforce Conference that took place recently in Anaheim, California, my CyberWire colleague, Rick Howard, speaks with Rod Wallace from AWS. Their conversation centers on data lakes. Here's Rick Howard and Rod Wallace.

Rick Howard: The CyberWire is an Amazon Web Services media partner, and in June 2023, Jen Eiben, the CyberWire's Senior Producer, and I traveled to the magical world of Disneyland in Anaheim, California, to attend their AWS re:Inforce Conference and talk to senior leaders about the latest developments in securing the Amazon Cloud. I got to sit down with Rod Wallace, the General Manager of Amazon Security Lake. Before Rod came to Amazon, he was a CISO building his own security data lake and was pressuring all the cloud providers to make it easier to do. I started out by asking him to explain just exactly what he was trying to build.

Rod Wallace: Yeah, the things that, you know, as we've moved from being a, really, an enterprise focus that did all of its own IT on premise, towards cloud, one of the things we very quickly -- and also as our applications went from being monolithic to microservices, and it gave developers that opportunity to wedge, as I said, microservices. They all log and build logging and troubleshooting around their individual service. And then, when you go onto something like cloud, where you essentially can spin up and spin down instances, and you have all these services, while all of those services teams generate logs, which is a two-edged sword for security teams. It's like, yes, we've got insight and visibility, and it's like, oh, no.

Rick Howard: Oh, no. I have insight and visibility.

Rod Wallace: Yeah, and then, like, so what do you do with it? So the term I use sometimes is like exhaust that comes off of these, and if you just try and take that exhaust and aim it at what was really meant as, at the time, like so kind of these on-prem mentality of like the analytics engines, you would very quickly run out of CPU or budget.

Rick Howard: Yeah. Hard drive space, too, right?

Rod Wallace: Yeah, absolutely, if you're doing it on prem and these sort of things. So what we thought is that we need a cloud-first solution to security, as opposed to trying to bolt cloud into an on-prem security model. So my security team, who said, look, why don't we use cloud and the scalability of cloud to make a repository for our security logs that will grow with us and we can flex it up and down and change it over time? And that was the start.

Rick Howard: Was it just a basic data dump, just instead of dump trying to store it locally, we would just get it up into -- so we have all these. We can now store everything for relatively cheaply compared to what we used to do. Is that what the basic idea was?

Rod Wallace: That was the basic idea. But we initially built it just for our on-prem, sorry, our on-cloud sort of things, because it's very easy to do that, and a lot of the AWS services we're using at the time, you know, just it's really easy to use. However, it's really easy to get started doing these things. But then, as you get into it, you start discovering that you're, you know, you're one person and it becomes two, becomes four, and so, you know, we have an expanding team doing this. But we didn't just do a data dump, to your point, because you very quickly realize that what you end up with then is a dump.

Rick Howard: Yeah.

Rod Wallace: And so, we did things like tried to build a schema, and then what happens when you do that, of course, is you have to go to all your app teams and say, hey, please, you know --

Rick Howard: Follow my schema that I need. Yeah.

Rod Wallace: And, yes, I'll throw LAP teams that are good at, yeah, doing that. Right? So anyways, then we ended up spending our time chasing teams to try and keep them on the path. But anyways, it was helpful. It was less expensive than an alternative solution to that, and we used it. And what I kind of said to my team was if one of the cloud providers ever makes one of these, like let's go and use that, because we were finding that we were spending more time wrangling the data than analyzing the data, and that's death for a security team.

Rick Howard: So you were knocking on the door of Amazon and the other cloud providers saying, hey, I need this kind of thing, and they say, hey, we're going to build one come work for us basically?

Rod Wallace: It was a little more circuitous than that, but one of the nice things about the cloud providers there, they -- all of them. It doesn't matter what's really open to feedback and getting their CISO customers like involved in feedback, and it just so happened I was with Steve Schmidt at the time when he was the CISO here and we started having a conversation about how are we dealing with data exhaust? And you know, a lot of the CISOs around there were nodding with this idea that they were building a security lake. And so, at the time, unbeknownst to me, I guess, they took that away and started using our working backwards process to set -- so you synthesize from customer feedback, what should we build? And they interviewed me as a customer, along with many others. But then anyways, as time went on, and I decided I wanted to go and do something else, I was just chatting with my friends at AWS, and they said, funny, you know? How would you like to come and do like a second time around, you know? And I leapt at the opportunity, you know?

Rick Howard: So what's different now? I mean, you're into it for -- how many years now have you been doing it?

Rod Wallace: At AWS?

Rick Howard: Yeah.

Rod Wallace: A year and a half.

Rick Howard: So what's -- in its current form, what have you added to it that you didn't think about when you were doing -- trying to build it yourself?

Rod Wallace: Well, there are a few things. One is in terms of getting your logs out of AWS now. I'm inside the machine. So while we built Security Lake off of all the same services that any of our customers can use, we have access to some of the ways that we can get the logs in a way which doesn't disturb any of the other logging in place. You know, so when I was building my own, we'd have to like go to account owners and things like that. So we can just hook it up. So I would say we have the ability to take a lot of the friction out that I would have to have done as a DIY builder and did have to get into. But the other piece is that customers, and it's really interesting to see, want AWS to be an advocate for them out into the industry, the security industry specifically. So that, you know, customers said it's cool having a data lake, but if every darn source of logs or findings or whatever is in a different format, all you're doing is pushing a problem back to me, and they said we don't appreciate it. So can you advocate? And so, AWS does have, with its ecosystem, the ability to have those conversations in the industry, and that's why the industry got together and decided to create the open-source schema that we're adopting in Security Lake, and they've been adopting, as well, and customers have really thanked us for that. I would not have been able to create and get traction with a schema or something like that on my own, and I know a number of our customers have DIY'd it, tried building their own schema, and they run into what I ran into.

Dave Bittner: That's Rick Howard speaking with Rod Wallace from Amazon Web Services.

Dave Bittner: And that's this CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by Rachael Gelfand, our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.