The CyberWire Daily Podcast 7.21.23
Ep 1868 | 7.21.23

Cyberespionage and developments in the cyber underworld, including an offering in the C2C market. Russian hacktivist auxiliaries stay busy (and so do their masters in the organs).

Transcript

Dave Bittner: The Lazarus Group targets developers. Threat actors target the banking sector with fake LinkedIn profiles and open source supply chain attacks. Vulnerabilities reported in OpenMeetings. HTML smuggling is sold in the C2C market. Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6 discussing the privacy and security concerns of Meta's new Threads app. And Romania's SVR reports a pattern of Russian cyberattacks.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, July 21st, 2023.

Lazarus Group targets developers.

Dave Bittner: GitHub has discovered “a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies.” GitHub states, “We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.”

Dave Bittner: The threat actor begins the attack by impersonating developers or recruiters with phony or compromised accounts on GitHub, LinkedIn, Slack, and Telegram. After establishing trust, the threat actor convinces the victim to collaborate on a GitHub repository. The victim clones and executes the repository, which contains malicious npm dependencies. GitHub says that no GitHub or npm systems were compromised in the present campaign.

Threat actors target banking sector with fake LinkedIn profiles and open source supply chain attacks.

Dave Bittner: Checkmarx reports what it characterizes as the first known open-source software supply chain attacks targeting the banking sector. The researchers describe one attack where a threat actor pretending to be a bank employee used a fake LinkedIn profile to disseminate malicious packages to other bank employees. The package scanned to see what OS the victim’s computer was running and then decoded a second malicious NPM package accordingly. Checkmarx writes, “During our investigation, we discovered that the Linux-specific encrypted file was not flagged as malicious by VirusTotal, a widely used online service for scanning files for known viruses. This allowed the attacker to maintain a covert presence on Linux systems, minimizing the risk of detection, and increasing the probability of success.”

Dave Bittner: The attackers then exploited Azure’s CDN subdomains (even going so far as to use the targeted company's name in the subdomain) to deliver a second-stage malicious file called “Havoc Framework.” It’s an evasive approach. “This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure’s status as a legitimate service… Havoc’s ability to evade standard defenses, like Windows Defender, makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel.”

Dave Bittner: Although the malicious open-source packages were reported and removed, Checkmarx expects that such supply-chain attacks will continue. “We anticipate a steady escalation in targeted attacks, including on banks. Our primary intention with this blog is to shine a light on the Tactics, Techniques, and Procedures (TTP) we’ve observed and foster collective understanding and awareness of these emerging threats. The need of the hour is to stay vigilant, continuously evolve our defenses, and stay a step ahead of the threat actors.”

Vulnerabilities reported in OpenMeetings.

Dave Bittner: Researchers at Sonar have discovered three vulnerabilities in the OpenMeetings web conferencing app. The vulnerabilities could allow a user to gain administrative privileges and conduct remote code execution. The researchers say, “Attackers can combine this issue with additional code vulnerabilities we found to hijack an OpenMeetings instance and execute commands on the underlying server. All they need is an account that they can create themselves in the default configuration.” The vulnerabilities were patched with Apache OpenMeetings 7.1.0.

HTML smuggling enabled by a phishing kit sold in the C2C market.

Dave Bittner: And another group of researchers at INKY have discovered a phishing kit that’s being used for HTML smuggling campaigns. The emails attempt to convince users that their company benefits, payroll, or health insurance accounts need immediate attention.

Dave Bittner: The phishing campaigns share some common features:

  • “Each phishing email sets out to harvest the user’s credentials,

  • “The emails are personalized, meaning that parts of the recipient’s email address are used in the sender’s display name, HTML attachment name, and email subject.

  • “No text can be found in the email body, except for fake confidentiality disclaimers found in the footer.

  • “The malicious script is encoded so that email scanners can’t analyze the code.”

Dave Bittner: The kit is an offering in the dark web criminal-to-criminal souk. This kind of criminal trade is one of the ways the C2C market has commodified advanced hacking tools that would otherwise remain beyond the reach of the more poorly skilled and resourced cybercriminals.

Russian hacktivist auxiliaries continue DDoS against miscellaneous Western sites.

Dave Bittner: CyberScoop reports that Anonymous Sudan, which despite its name is run by Russian intelligence services, continued distributed denial-of-service (DDoS) attacks against a variety of Western organizations. The latest incident affected OnlyFans, the online subscription service used by a variety of content creators, but especially by adult entertainment creators. OnlyFans is merely a target of opportunity, disrupted because it was available for disruption. It has no independent strategic significance.

Dave Bittner: Mandiant yesterday summarized its research into the activities of Russian hacktivist auxiliaries. The researchers view Anonymous Sudan as essentially a subsidiary of the larger and better-known KillNet, and they regard the evidence of cooperation with Russian security services as circumstantial but nonetheless compelling. “KillNet has remained relatively consistent in its targeting of Ukraine’s supporters and prioritization of DDoS attacks since Russia invaded in February 2022, and despite new capabilities, the collective has hardly altered its targeting patterns,” the report concludes. “While Mandiant cannot confirm collaboration or cooperation with Russian security services, KillNet’s targeting of victims consistently reflects the interests of the Russian state.”

Dave Bittner: The researchers cite Microsoft’s attribution of some recent outages to Anonymous Sudan as further circumstantial evidence of Russian control. Mandiant expects KillNet and its affiliates to continue their DDoS attacks and to become increasingly brazen in their operations.

Dave Bittner: There’s plenty of swagger and swank, of course, in the hacktivist auxiliaries’ style. And it’s worth noting that swagger and swank are also circumstantial evidence of a group that’s toeing the Kremlin line. The overarching message of Russian influence operations, especially over the past year and a half, has consistently been, “Fear us, take us seriously, and be afraid.”

Romania's SVR reports a pattern of Russian cyberattacks.

Dave Bittner: And, finally, it’s not just the Russian auxiliaries who’ve been active. The chief of cyber for Romania's intelligence service, the SRI, said this week that Romania had received cyberattacks from all three of the major Russian intelligence services (that’s the SVR, GRU, and FSB) since Russia invaded Ukraine in February 2022.

Dave Bittner: Coming up after the break, Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6 discussing the privacy and security concerns of Meta's new Threads app. Stay with us.

Dave Bittner: Social media giant Meta recently released their Threads app and platform to much fanfare and debate. Many see it as a direct shot across the bow of Twitter where things are not what they once were. Damir Brecic is CEO at security firm Inversion6, and I reached out to him for thoughts on Threads.

Damir Brecic: So in essence, it's a microblogging app very similar to Twitter. It allows folks to communicate both on a personal as well as on a professional level, typically through a mobile application.

Dave Bittner: And so what are some of the specific concerns that you have with Threads as a security professional?

Damir Brecic: I took a look at it more from a corporate perspective, right? So in today's day and age, a lot of folks are using a personal device, a personal cell phone, but also having that ability and connection to their work life. So I really looked at it more from that perspective than anything else, and one of the things I noticed is the fact that it really doesn't encrypt any other messaging, which Twitter does. Also, I had a few concerns around their actual data privacy policy. I ended up looking up on wired.com and there's actually a great article there with regards to some of the information that Threads could be collecting, such as your purchase histories, but also your financial information, all of your contact information, your browser history, so on and so forth. So because there isn't an encryption in place, if you will, the mobile apps can become very susceptible. One of the biggest threats there would be something like a man-in-the-middle attack, for example.

Dave Bittner: Yeah, and I suppose it's fair to say that Meta's reputation precedes them when it comes to gathering up people's personal information.

Damir Brecic: Right, exactly, right? So it's that -- it's that kind of old-school George Orwell 1983, you know, sort of fears, right?

Dave Bittner: Yeah.

Damir Brecic: Where Big Brother's watching everything, and now we're being, to a certain extent, profiled, which on one hand can be somewhat interesting, right? So when my wife and I are walking around, you know, let's say in a mall-type setting or, you know, we're visiting a new location, we may get an occasional pop-up here or there with regards to "Hey, there's this, you know, sale going on here," or whatever, and so from that aspect, it feels, you know, not, you know, not that threatening, but then all of a sudden, if you're in a more work-related aspect, or let's say you're traveling for business, and all of a sudden you could be starting to get suspicious links sent your way or some sort of suspicious advertising coming your direction that you haven't even asked for, nor are you prompting on your own.

Dave Bittner: I'm curious, your perspective as a CISO, the notion of prohibiting users from accessing an app like this versus, you know, an educational approach or, you know, trying to provide guidance. I guess I'm thinking about the potential for shadow IT where if you tell somebody no, that can make it even more alluring.

Damir Brecic: Mm-hm, yeah, agreed. I think, first and foremost, it always starts out with strong awareness, right? So if you're going to be bringing on an application on to your personal device, it has to meet a minimum requirement, and I think that's up to those individual businesses. You know, let's say, you know, hypothetically, let's say they decide, hey, it has to have some sort of an encryption capacity or capability similar to like a Twitter, for example, you know, that could be one of the requirements, making them aware of what some of the potential harms can be, making them aware of the threats that are out there, the one that I mentioned earlier was the man-in-the-middle attack, they could become very susceptible to that in their general lives, not necessarily just from a business perspective, but also what type of content are you sharing? What level of sensitive information to critical information are they sharing? So again, it's a level of due diligence that companies need to start to become much more diligent on, especially in the dawn of new types of apps like this, you know, that are going to be coming out, and I think with this new notion of these, quote/unquote, you know, Twitter-killers, which technically, Threads, you know, is starting to become a major competitor for them, this is probably going to become a more of a newer norm where folks are going to have a kind of a 31 flavors, if you will, to loosely use that Baskin-Robbins aspect, but, you know, what I'm saying. Like, there's going to be folks who are going to have all sorts of options going forward and it's a matter of doing the appropriate due diligence, you know, in their processes of making sure it meets, first of all, their company's policies, but then also their own personal policies, right? If they have children, you know, what are they exposing their children to? Who are they allowing their kids to communicate with? So on and so forth. 
You know, I think a lot of that comes down to personal choice. So it's a blend of your personal and your -- and the corporate policies the organization should work with.

Dave Bittner: That's Damir Brecic from Inversion6.

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "Interview Selects" where you'll get access to this and many more extended interviews.

Dave Bittner: And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Center. Johannes, it's always great to have you back on the show. I know you and your colleagues there at SANS have been seeing some interesting scans for vulnerabilities, looking at some web applications. What's going on here?

Johannes Ullrich: Yeah, what's really happening is that there are sort of these -- I call them "niche web applications." They're important. They're not that widely used. So the problem is a little bit that vulnerabilities in those web applications are not widely reported on, so they're often overlooked in your vulnerability management process. We saw a couple here. Apache NiFi, that's sort of a Wi-Fi. That's an application that's sort of used for machine learning to prepare data. GeoServer, something to look up geographic coordinates and properties. And then also some JIRA plugins. So these are all important systems that usually hold important data, but not very commonly used, and the scans for these vulnerabilities really sort of disappear with all the noise that you have from all the bots that are looking for IoT devices. So everybody kind of focuses on the IoT devices, which are often old vulnerabilities, like persistence, they're still vulnerable, they probably have already been exploited multiple times, and these newer vulnerabilities in those niche applications are often overlooked and what attackers are then doing with them.

Dave Bittner: So what's the solution here? I mean, is it as simple as if you're using some of these niche applications you should be looking through your logs for things that are specifically looking for them?

Johannes Ullrich: Yeah, I think it really comes down to, you know, the good old inventory problem, which, of course, is hard. It's hard in particular for applications like this because this may be something a developer just started up to experiment with. There may not necessarily be sort of an official project yet associated with it. Just a developer thought, hey, you know, this is a great application. It can help us in a certain project that we're sort of talking about. Let me just play with it to see how it works and how useful it is. But then, of course, those applications stay up and running. They're not really being taken down. In particular, if you're not using like cloud systems and such to set up these applications, they may not sort of have your normal perimeter protection that you're sort of used to for other applications.

Dave Bittner: Is this a particular concern for folks in the, like, critical infrastructure or manufacturing spaces? I would imagine that those are folks who may be using specialized bits of software.

Johannes Ullrich: I think that's part of it. It's also just software development in general, because software developers tend to use fairly specific pieces of software, like Jira, for example, that's often used to manage development teams. Like, Jira is well known. I wouldn't really call it a "niche application," but these plugins that you're installing, that sort of adds another complication to the inventory problem. Now you not only have to track that you're running Jira, you have to know what plugin you're using.

Dave Bittner: So for the folks who are charged with protecting their systems here, you mentioned this could be an inventory problem. I mean, is this a matter of working with the folks on your team so that you know what they're running?

Johannes Ullrich: Yes, I think that's very much it. It's sort of informing them about these vulnerabilities and the need to track these applications, just the awareness of showing them, hey, this is how these applications are being actually attacked. So setting up some sensors in front of these applications can help just to show that they are being attacked and hopefully that will then tell developers and others that are setting these applications up that they wouldn't need the cooperation of the security department, of your IT department, whoever is responsible for that in order to adequately secure these applications.

Dave Bittner: All right. Well, Johannes Ullrich, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Joshua Miller from Proofpoint. We're discussing their findings on "Welcome to New York, Exploring TA453's Foray into LNKs and Mac Malware." That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.