The CyberWire Daily Podcast 8.28.23
Ep 1894 | 8.28.23

DPRK's Lazarus Group exploits ManageEngine issues. SIM swapping as a threat to organizations. Ransomware hits a cloud provider. Spawn of LockBit. Train whistling. Influence laundering.

Transcript

The DPRK's Lazarus Group exploits ManageEngine issues. A data breach at Kroll is traced to SIM swapping. Unusually destructive ransomware hits CloudNordic. Spawn of LockBit. Polish trains are disrupted by hacktivists. Rick Howard looks at the MITRE ATT&CK framework. Our guests are Andrew Hammond and Erin Dietrick from the International Spy Museum. And influence laundering as a long-term disinformation tactic.

I’m Dave Bittner with your CyberWire intel briefing for Monday, August 28th, 2023.

DPRK's Lazarus Group exploits ManageEngine issues.

Researchers at Cisco Talos are closely following DPRK activity and say North Korea’s Lazarus Group has exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target “an internet backbone infrastructure provider in Europe” and healthcare entities in the US and Europe. The threat actor used the vulnerability to deploy the recently discovered QuiteRAT malware, which the researchers note “has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller.” The researchers add, “This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework.” So a little smaller, a little more unobtrusive, but still out there actively collecting.

Data breach at Kroll traced to SIM swapping.

SIM-swapping is a problem for consumer fraud, but it also afflicts enterprises. 

Security consultancy Kroll, while serving as a claims agent in three bankruptcies, has disclosed a data breach affecting information related to bankruptcy claims by several cryptocurrency trading firms, including FTX. An attacker gained access to the data after performing a SIM-swapping attack via T-Mobile against a Kroll employee.  

Kroll said in a statement, “Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor's phone at their request. As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis. Immediate actions were taken to secure the three affected accounts. Affected individuals have been notified by email. We are cooperating with the FBI and a full investigation is underway. We have no evidence to suggest other Kroll systems or accounts were impacted.”

KrebsOnSecurity warns that as a result of the breach, “people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.” Thus breaches breed opportunities for social engineering.

Ransomware hits CloudNordic (and it's unusually destructive).

HackRead reports that Danish cloud provider CloudNordic was hit by a ransomware attack on August 18th that caused “a complete shutdown of the company’s servers and infrastructure,” and led to complete data loss for most of its customers. TechTarget quotes the company as saying, “As we cannot and do not want to meet the financial demands of the criminal hackers for ransom, CloudNordic's IT team and external experts have been working hard to get an overview of the damage and what was possible to re-create. Unfortunately, it has proved impossible to re-create more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.”

CloudNordic notes that while the attackers attempted to steal customer data, there’s no evidence that they were successful in doing so. But the loss of data has been extensive.

Spawn of LockBit.

Kaspersky has published an updated analysis of the LockBit ransomware builder that leaked in September 2022. The leaked builder allowed many different threat actors to create their own flavors of ransomware based on LockBit.

Various gangs have used their versions of the builder to develop or at least propose new ransomware strains.

Crude "cyberattack" on rail control systems stops Polish trains.

Over Friday night and into early Saturday morning, a cyberattack halted trains near the Polish city of Szczecin [SHTAY-cheen]. An emergency radio signal was compromised and used to stop about twenty trains. Service was restored within a matter of hours. Both freight and passenger trains were affected. The BBC reports that Poland's internal security service ABW is investigating the incident.

There's widespread speculation that the incident was the work of Russian hacktivist auxiliaries. Evidence for that attribution is circumstantial but compelling. Polish officials note that "The signals were interspersed with recording of Russia's national anthem and a speech by President Vladimir Putin." Reuters reports that Stanislaw Zaryn, a senior Polish security official, said, "For the moment, we are ruling nothing out. We know that for some months there have been attempts to destabilise the Polish state. Such attempts have been undertaken by the Russian Federation in conjunction with Belarus."

According to WIRED, the emergency stop signal was transmitted over a legacy radio-frequency system that lacks either authentication or encryption. Anyone with the right equipment--and such equipment is both cheap and readily available--can trigger an emergency stop by sending a "series of three acoustic tones at a 150.100 megahertz frequency." The biggest difficulty such a hacker might face is getting physically close enough for their signal to be within range.

Some people have pooh-poohed the notion that this is a cyberattack, but it might be useful to think of it as a very old-school kind of cyberattack. 

It's in fact a throwback hack of a throwback system. Among the original hackers, before people thought of hacking or talked about cybersecurity, were the phone phreaks. Starting in the late 1960s they discovered that sending the right tone into a telephone let them make free long-distance phone calls, which back then were pricey. You needed a 2600 hertz tone to engage the old Bell System's long-distance service, and you could use cheap musical toys to do that: a whistle offered as a prize in boxes of Cap’n Crunch cereal did it, if you covered up the right hole before blowing. Some people can even sing that high. Or so I’ve been told. 

Influence laundering as Russia's long disinformation game.

Finally, you’ve heard of money laundering, taking cash and disguising where it came from. The same kind of thing can be done with disinformation. Call it influence laundering.

The New York Times describes the organization of a Russian influence campaign that concentrates on the use of front groups to cultivate Western influencers who can be counted on to disseminate and amplify the Russian government's chosen narratives. The Russian services are playing a long game. According to the Times, "The newly declassified U.S. analysis looks at how Russian intelligence services, in particular the Federal Security Service or F.S.B., have been secretly using allies inside nominally independent organizations to spread propaganda and cultivate ties with rising leaders, efforts that are intended to play out over long periods of time." It's in some respects a familiar exercise in public diplomacy, but it differs from most of these in its use of front organizations and the cultivation of "co-optees" and what used to be called, during the Cold War, "useful idiots." A representative front organization is a nongovernmental organization, Creative Diplomacy. "The organization bills itself as a public diplomacy program for aspiring leaders to facilitate dialogue with Russia." Creative Diplomacy denies any association with the Russian government; the US government thinks otherwise.

CNN notes that the narratives prominently feature the official Russian line on the war against Ukraine (the Ukrainians are Nazis, NATO is behind the war, Russia is defending its interests and protecting oppressed ethnic Russians, and so on) but they also extend to other areas of Russian interest, notably the ongoing civil conflict in Syria. One of the lines pushed about Syria accuses the White Helmets, a volunteer humanitarian relief organization operating in opposition-controlled Syrian territory, of trafficking in human organs and of faking chemical attacks by the Assad regime's armed forces. All of this is hooey, of course, but it’s less obviously hooey if it’s washed through someone who’s not an employee of the FSB. Or RT, for that matter. It’s an old tactic, and goes back long before cyberspace was so much as a gleam in DARPA’s eye.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed. And check out the “Recorded Future” podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That’s at recordedfuture.com/podcast.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.

Selected reading.

North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw (SecurityWeek)

Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure (Help Net Security)

Cyber scams keep North Korean missiles flying (Radio Free Asia)

Claimant Data Breached in Genesis, FTX and BlockFi Bankruptcy Cases (Wall Street Journal)

Kroll data breach exposes info of FTX, BlockFi, Genesis creditors (BleepingComputer)

Crypto investor data exposed by a SIM swapping attack against a Kroll employee (Security Affairs)

Kroll Employee SIM-Swapped for Crypto Investor Data (KrebsOnSecurity)

Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (The Hacker News)

FTX bankruptcy handler Kroll discloses data breach (The Stack)

CloudNordic Faces Severe Data Loss After Ransomware Attack (Hackread) 

CloudNordic loses most customer data after ransomware attack (TechTarget)

Lockbit leak, research opportunities on tools leaked from TAs (SecureList)

LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants (The Hacker News)

Poland investigates cyber-attack on rail network (BBC News)

Poland investigates hacking attack on state railway network (Reuters)

Hackers bring down Poland’s train network in massive cyber attack (Ticker News) 

The Cheap Radio Hack That Disrupted Poland's Railway System (WIRED)

Russia Pushes Long-Term Influence Operations Aimed at the U.S. and Europe (New York Times)

Newly declassified US intel claims Russia is laundering propaganda through unwitting Westerners (CNN Politics)