The CyberWire Daily Podcast 8.22.23
Ep 1890 | 8.22.23

A cyberespionage operation of unclear provenance shifts its targets. Cyberattacks on voting in Ecuador. Other notes from the cyber underworld. And doxing the Duma.

Transcript

Dave Bittner: HiatusRAT shifts its targets. Ecuador's difficulties with voting are attributed to cyberattacks. Carderbee is an APT targeting Hong Kong. auDA (OOO-duh) turns out not to have been breached. Ukrainian hacktivists claim to dox a senior member of Russia's Duma. Russian influence operations take aim at NATO's July summit. Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wake-up call for CISOs. Security, not by obscurity, but by typo.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, August 22nd, 2023.

HiatusRAT shifts its targets.

Dave Bittner: Researchers at Lumen’s Black Lotus Labs continue to track “HiatusRAT,” a cyberespionage campaign targeting edge networking devices. The campaign has shifted its targeting from Latin American and European entities, and is now primarily focused on organizations in Taiwan. Lumen states, “The Taiwanese targeting affected a wide range of organizations from semiconductor and chemical manufacturers and at least one municipal government organization.” The threat actor also targeted a server used by the US military: “Given that this website was associated with contract proposals, we suspect the threat actor could gather publicly available information about military requirements, or search for organizations involved in the Defense Industrial Base (DIB).” The researchers note, “The shift in information gathering and targeting preference exhibited in the latest campaign are synonymous with the strategic interest of the People’s Republic of China according to the 2023 ODNI threat assessment.” Attribution is unclear. The targeting is consistent with Chinese intelligence interests, but such consistency is merely circumstantial.

Ecuador's difficulties with voting attributed to cyberattacks.

Dave Bittner: Absentee balloting in Ecuador’s current election has been a problem. The Record quotes Diana Atamaint, president of the National Electoral Council, as saying, “We inform the Ecuadorian people that according to preliminary reports, the telematic voting platform suffered cyber attacks that affected the fluidity of accessing the vote.” She added, “We also clarify and emphasize that the cast votes have not been violated.” She made no attribution and offered no speculation about motives, but did say that the attacks “were identified as coming from seven countries: India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia and China.” The "telematic voting platform" is used to handle absentee balloting.

Carderbee: an APT working against targets in Hong Kong.

Dave Bittner: The Symantec Threat Hunter Team, part of Broadcom, has published a report on “Carderbee,” an APT group that’s launching supply chain attacks against organizations in Hong Kong. The threat actor is using the legitimate Cobra DocGuard encryption software to deliver the Korplug malware (also known as “PlugX”).

Dave Bittner: The researchers note, “Malicious activity was seen on about 100 computers in impacted organizations; however, the Cobra DocGuard software was installed on around 2,000 computers, indicating that the attacker may be selectively pushing payloads to specific victims.”

Dave Bittner: Korplug, or if you prefer PlugX, is known to be used by several threat groups. Which one is responsible for the current Carderbee wave, however, is so far unknown.

auDA turns out not to have been breached.

Dave Bittner: auDA, the domain authority for the Australian top-level domain dot au, late yesterday said it had completed its investigation of an apparent cyberattack and concluded that "there is no evidence that cyber criminals have accessed auDA systems, or have obtained auDA data." A "sole trader" with an Australian domain name was being extorted by a ransomware operator. The trader didn't pay, and the gang then claimed, falsely as it turned out, to be in possession of auDA data. Thus the auDA incident seems to have been a case of gangland’s big talk far outrunning reality.

Ukrainian hacktivists claim to dox a senior member of Russia's Duma.

Dave Bittner: The Cyber Resistance hacktivist auxiliary, which operates in sympathy with Ukraine during the present war, claims to have obtained access to emails belonging to Alexander Babakov [bah-BAH-koff], a deputy chair of Russia's Duma. The Cyber Resistance provided the documents (some 11 GB of material) to InformNapalm for analysis and assessment. InformNapalm in its turn says the email is also being made available to international journalists in the interest of exposing Mr. Babakov's alleged corruption.

Dave Bittner: That corruption, the Cyber Resistance suggests, extends to "bribery, money laundering, extortion, supporting your mice abroad." Files posted by InformNapalm include, as the Record summarizes, "scans of Babakov’s passport, tax and financial documents, as well as his medical records." 

Dave Bittner: The authenticity of the material remains under investigation, but Mr. Babakov's reputation for corruption is longstanding. He's been under sanction by the EU, Switzerland, and Canada since 2014, by the US since 2017. A lot of the specific corruption he’s been associated with by these countries involves, of course, sanctions evasion.

Dave Bittner: One sidelight: InformNapalm alleges that the emails include congratulations from Mr. Babakov to Mr. Steven Seagal, who has received both honorary citizenship and the Order of Freedom from President Putin. There are also some communications to a third party asking that a billion rubles be donated to the "Steven Seagal Cinematography Support Fund." The scale of the donation is justified, the communications allegedly explain, by the "scale of the personality," that personality being presumably Mr. Seagal himself, the auteur responsible for the environmentally themed action film On Deadly Ground. Or perhaps Mr. Babakov admires some of Mr. Seagal's other starring vehicles, like Under Siege, or Glimmer Man. Tommy Lee Jones’s scenery-chewing portrayal of murderous crazy is just gravy in Under Siege, by the way, a bonus to be enjoyed slathered atop Mr. Seagal’s trademark, flowing yin-style of martial artistry. A billion rubles is currently worth about $11 million, not as much as it used to be, but still, not chump change.

Russian influence operations aimed at NATO's July summit.

Dave Bittner: Graphika has analyzed Russian influence operations aimed at shaping a narrative around the Atlantic Alliance's July summit in Vilnius. The campaign featured documents the operators claimed to have been stolen from the Lithuanian government, and it exhibited a strong interest in driving a fissure between France and the other members of the Alliance. The content distributed included bogus press releases disseminated by inauthentic personae. Graphika identified two distinct operations in the campaign. The researchers attribute one to Doppelganger, which they describe as "a sprawling campaign that has impersonated media outlets and government agencies since at least May 2022 to disseminate pro-Russia messaging." The other operation is attributed to a familiar group, Secondary Infektion, known since 2014 for using fake personae to stage "falsified and hacked documents online." 

Dave Bittner: Whether the two operations were closely coordinated or simply shared a common strategic objective is unclear. The campaign was complex and extensive, but its results were negligible. "Their content received minimal shares from authentic users, and what online traction they did generate was largely in existing pro-Kremlin communities. Graphika also observed social media users, including influential pro-Kremlin figures, calling out the activity as fake, suggesting the actors often failed in their efforts to deceive online audiences." The Secondary Infektion material in particular was marked by slovenly linguistic execution. "The posts contained grammatical errors typical of native Russian speakers, such as incorrect use of definite and indefinite articles - a consistent feature of Secondary Infektion activity." You know, like ShadowSpeak, only not as funny.

Security, not by obscurity, but by typo.

Dave Bittner: And, finally, spelling counts, kids.

Dave Bittner: LAD Bible reports on a story told in the new documentary “Billion Dollar Heist” about a major theft from the Federal Reserve Bank of New York by suspected North Korean hackers. The hackers sent thirty-five fraudulent orders via the SWIFT network to transfer nearly one billion dollars from an account belonging to Bangladesh Bank. The first five orders were successful, giving the hackers just over $100 million.

Dave Bittner: One request, however, contained a typo (the hackers had misspelled “foundation” as “fandation”), which caused an automated defense system to flag the transaction for further review. As a result, the other twenty-nine requests were also blocked, preventing the attackers from stealing another $850 million.

Dave Bittner: So stay in school, kids.

Dave Bittner: Coming up after the break, Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wake-up call for CISOs. Stay with us.

Dave Bittner: The MOVEit flaw continues to make headlines as more organizations reveal they've fallen victim to the vulnerability. John Hernandez is president and general manager at Quest Software, and he believes for CISOs, MOVEit should serve as a wake-up call.

John Hernandez: It's crazy how we just can't as businesses and operators, we just can't wait around for Clop to come out with their ransom payment demands and take time to secure our software supply chains. Every company and government around the world really needs to get ahead of this as much as they can as things are continuing to evolve in the marketplace based on the MOVEit exposure there. And some of those things that we're seeing out there is the need to have a real strong defense-in-depth approach that really ensures that the people are following basic procedures and processes. I mean, as a matter of fact, you know, we work with Microsoft pretty, pretty deeply as a partner with them and they identify key things. In the Digital Defense Report that came out late last year that 88% of impacted customers do not even employ best practices of security. And 90% of accounts compromised via password attacks were not even protected with strong authentication. So there's just some basic things that could be done there to make sure that you're tightening up your environments.

Dave Bittner: Can we get into some of the specifics here? I mean, I think it's fair to say many organizations saw this MOVEit vulnerability as a bit of a wake-up call or a shot across the bow. Looking forward, what sort of things should people be putting in place to make sure that they're not victim of the next version of this?

John Hernandez: Yeah. I think what we're seeing is every CISO and their teams that we're working with is really putting in the risk mitigation framework and really understanding what is the cost to mitigate these risks in how you mobilize budget and teams and vendors to help secure the environments here. And when you look at those types of those tradeoffs, it is really understanding where do you attack the high priority items first to reduce those vulnerabilities obviously. And as they're thinking through that, and we're working with many companies and governments on that, is applying things like the NIST framework and the security cyber resilience lifecycle that that lays out around how do you identify your vulnerabilities? That's the first thing out there is if you don't know where your vulnerabilities are, you can't do anything to tighten them up. And once you identify those things, you absolutely have to protect and detect when things are happening against those vulnerabilities and ultimately your response and the ability to recover if a breach like this does happen is very critical to keep a supply chain going. As a matter of fact, we got a webinar coming up at the end of the month with our customers and partners and we took a little survey with them over the last few weeks, and surprisingly one of the top five things that are top of mind right now based on this MOVEit exposure here is the supply chain is very much top of mind right now.

Dave Bittner: Well, speaking of supply chain, you know, what's your take on some of the efforts that have been made here? And I'm thinking of things like SBOMs, you know, software bills of materials, or that sort of thing. Are they helpful? Do they complete the picture?

John Hernandez: No. It's going to take much more than that obviously. I mean this is a complicated multiple-variable challenge that every enterprise is really experiencing and trying to get ahead of. And I think that's why you see so many vendors and agencies out there trying to put together things like Gartner taking a look at, you know, what they call the cybersecurity mesh architecture, which is a broad and extensive architecture that includes many, many different software solutions and SaaS platforms and services organizations to really pull that together. And when you look at each of these different enterprises and governments alike, it's understanding again where your vulnerabilities are so you can attack those things first. But at the end of the day, you know, us working with Gartner and really tying into that mesh architecture, you know, they've been published out there saying that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chain. So this is definitely a wake-up call which happened over the summer and making sure that folks are putting this top of mind, mobilizing budgets and going after those vulnerabilities.

Dave Bittner: You know, when you think of the organizations that you and your colleagues work with and you see success, are there any common elements for the ones who seem to be coming at this from the right?

John Hernandez: Yeah. You know, one thing that we see pretty common where there's success is obviously working with the CISO office and the CIO on projects like this to really tighten up security vulnerabilities and protect areas like Active Directory, which is the authentication for like 90% of corporations and governments around the world. It's so critical to protect those crown jewels of all that data that can be held ransom and then take down the entire enterprise or government. But as we're thinking through those types of engagements with our customers and government agencies as well that we work with, it really is, you know, the combination of not only the CISO office and all the things that they're bringing to bear on these topics. But it's also interesting enough working with the digital workplace transformation teams in both customers and partners, because there's a lot going on over in that side of the shop that really can tighten up some of those security things and clean up some of the environments that have exposure before you even apply security protocols. On top of it, cleaning it up is very important as well.

Dave Bittner: What are your recommendations for organizations who want to come at this? I mean, where do they begin?

John Hernandez: Yeah. I think the first thing is really doing the identification, like the NIST framework highlights. You know, understanding what the attack paths look like into your enterprise. Understanding where your vulnerabilities exist that allows you to prioritize as an organization. What are your biggest areas of concern that you're going to have to mobilize quickly to go and tighten up? Some of the other things, like I mentioned earlier, is just applying some of the best practices around, you know, two-factor authentication and password protection and the ability to make sure that you're using best practices that are published out there. It's surprising how many companies just don't do that today. And those are some of the basic building blocks just to get right out of the gate and then there's so many ways you can take it on from there. But really understanding what you're dealing with is the number one priority.

Dave Bittner: That's John Hernandez from Quest Software. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: Interesting story came by. This is from the folks over at CyberInt, the threat intelligence company.

Joe Carrigan: Yep.

Dave Bittner: And they are tracking what they're seeing are attacks on LinkedIn accounts. What's going on here, Joe?

Joe Carrigan: So somebody is attacking LinkedIn accounts and they are following a very specific modus operandi here.

Dave Bittner: Okay.

Joe Carrigan: Is what they call it, MO. And what's happening is one of two things is happening to people. Either their accounts are getting compromised because of either credential stuffing attack or brute forcing or something, they're somehow getting into the accounts.

Dave Bittner: Yeah.

Joe Carrigan: Or they are forcing the login so often that LinkedIn has an automated response that says, okay. You need to validate your account. So you have to go in and do a few things so that we know it's you. And it's interesting to note that one of the things CyberInt does in this is tracking the Google searches that have changed. So over the past 90 days, they've noticed that LinkedIn contact number searches have increased 150%. So people are going to Google searching for LinkedIn contact number and trying to get in touch with LinkedIn.

Dave Bittner: Right.

Joe Carrigan: They're also noticing that there's a lot longer response time from LinkedIn support because LinkedIn is probably dealing with a bunch of these.

Dave Bittner: Yeah.

Joe Carrigan: They've noticed some breakout search terms. LinkedIn account hack 2023. LinkedIn account restriction verify identity. And LinkedIn account recovery appeal. When people who have lost control of their accounts or losing control of their accounts, one of two things is happening. Either the accounts are just being deleted, which is kind of odd, or they're being held for ransom for a relatively low amount. A couple, they're saying a few tens of dollars. You know, so give me 50 bucks and you can have your account back.

Dave Bittner: Kind of a nuisance ransomware.

Joe Carrigan: Yeah, almost.

Dave Bittner: Yeah.

Joe Carrigan: I don't know what the threat actor is up to here. I don't. If this were a nation state, they wouldn't be locking people out of their accounts. You know, if they were doing an intelligence operation, they just lay low and hopefully you'd never check and find out that someone was logging in from a different location. Right?

Dave Bittner: Yeah.

Joe Carrigan: You can check that on LinkedIn to see where you're logged in and you can terminate those sessions as well. But these guys are going in, changing the email address to an email that's just a bunch of random characters and then changing the password, locking the people out.

Dave Bittner: I see.

Joe Carrigan: There is some talk in here about the consequences of that, the impact of a LinkedIn account, and they talk about the damage to your reputation if your account is hacked. Right? Like they can publish content, they can damage your professional reputation if you're heavily reliant on LinkedIn for that. They can do things where they attack people that you know through other attacks. We had a recent story on Hacking Humans where we talked about the possibility of somebody getting, you know, that just because you've lost access to one of your accounts and the malicious actor now has it, that doesn't mean you're the only person that's affected by that.

Dave Bittner: Right.

Joe Carrigan: It spreads throughout your network, throughout whoever you're connected to. They're also now at risk, and that's a very real, real problem. But on LinkedIn, it can be amplified because this is a professional social network.

Dave Bittner: Yeah.

Joe Carrigan: You're supposed to be conducting yourself professionally on here. Although I will say that I've noticed that LinkedIn is more like Facebook lately. But that's just my grumpy old manness about it.

Dave Bittner: I wonder, too, like could it be multi-tiered? In other words, these folks are going after people's credentials and if it's a low-profile credential, then they hit them with nuisance ransomware.

Joe Carrigan: Right?

Dave Bittner: But if it's a high-profile credential, that has, maybe that has more value on the open market.

Joe Carrigan: Yeah. This article doesn't make any statement about that, but, yeah. I would imagine that if they get a high profile individual's account, probably, well, it's definitely more valuable to them. Whether or not they want to do anything about it as bad actors is up to them, and whether or not they even realize it. I mean, the fact of the matter is, this could be young kids, right, just doing these attacks, try to make a couple of fast bucks.

Dave Bittner: Mm-hmm. And of course, they emphasize the importance of multi step verification, multi [inaudible].

Joe Carrigan: Multifactor authentication?

Dave Bittner: Yeah.

Joe Carrigan: They say what you can do. You can check your account access. So if you log into LinkedIn, you can go to Privacy and Security under Settings and find out where you're logged in. You can terminate sessions there. You have to enter your password to terminate a session, which I guess kind of makes sense.

Dave Bittner: Yeah.

Joe Carrigan: Check your email for any messages from LinkedIn indicating the addition of another email account. If you didn't initiate that, consider that a significant warning sign, they say.

Dave Bittner: Right.

Joe Carrigan: Password security. Employ a strong and lengthy password unique to your LinkedIn account, and avoid password reuse across platforms, which is always a good idea. And the best way to manage that is with a password manager. And then they say, multifactor authentication.

Dave Bittner: Yeah.

Joe Carrigan: Enabling two step verification to your LinkedIn account. Now, I went to LinkedIn and looked at the options that they have. They only have two options. You can only get a text message, or you can use one of those authenticator apps to generate a one-time password using a seed.

Dave Bittner: Okay.

Joe Carrigan: So they're going to flash a barcode up, and then you're going to be able to do that. So, you know, be mindful that that, you've had problems with that with Discord --

Dave Bittner: Right.

Joe Carrigan: -- that if you lose the access to that seed, then you lose access to LinkedIn.

Dave Bittner: Yeah.

Joe Carrigan: You know, it would be nice to see them do something where you could use something with the FIDO2 compliant system.

Dave Bittner: Right.

Joe Carrigan: They're Microsoft, LinkedIn is owned by Microsoft. Microsoft is part of FIDO2. They're on the board. They're board level members of the FIDO2 --

Dave Bittner: Yeah.

Joe Carrigan: -- alliance, or the FIDO alliance, rather. FIDO2 is the protocol. I'm misspeaking there. So I'd like to see LinkedIn let you use some kind of FIDO device.

Dave Bittner: All right. Well, the original article here is from the folks over at CyberInt. It's titled "LinkedIn Accounts Under Attack." Joe Carrigan, thanks for joining us.

Joe Carrigan: My pleasure, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at CyberWire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.