The CyberWire Daily Podcast 8.31.23
Ep 1897 | 8.31.23

GREF and Earth Estries from China. GRU’s Sandworm surfaces again, wielding “Infamous Chisel.” Hacktivist nuisances in the hybrid war. A zero-day is discovered. And the Wolverines are back online.

Transcript

Dave Bittner: China deploys tools used against Uyghurs in broader espionage. The Five Eyes call out a GRU cyberespionage campaign. Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter. A Spring-Kafka zero-day is discovered. Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks. Luke Nelson of UHY Consulting on ransomware’s impact on schools. And, hey, go Wolverines: the University of Michigan overcomes a cyberattack that delayed the academic year.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, August 31st, 2023.

China's GREF deploys tools used against Uyghurs in broader espionage.

Dave Bittner: We begin today with developing stories on cyberespionage.

Dave Bittner: Cybersecurity firm ESET is reporting that the China-linked threat actor they track as “GREF” is distributing the BadBazaar Android malware via Trojanized versions of Telegram and Signal in the Google Play store and the Samsung Galaxy Store. Both stores have since removed the malicious apps. 

Dave Bittner: ESET notes that BadBazaar has been used in the past to target Uyghurs and other Turkic ethnic minorities. In this case, the malicious Telegram app, called “FlyGram,” was shared in a Uyghur Telegram group.

Dave Bittner: The researchers add that the malicious Signal app, called “Signal Plus Messenger,” “represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.”

Cyberespionage campaign by Earth Estries.

Dave Bittner: And here’s a second story that may or may not be traceable to Chinese intelligence services.

Dave Bittner: Researchers at the security firm Trend Micro describe a cyberespionage campaign by a cybercriminal group the researchers call “Earth Estries.” The threat actor is targeting “organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.” Trend Micro states, “[W]e believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities.”

Dave Bittner: The researchers refrain from making any attributions, but they note that there are some overlaps between Earth Estries and the China-linked FamousSparrow APT. We note that they did describe Earth Estries as having “high-level resources” and some cyberespionage sophistication. So the hints are still circumstantial, but as the old saying has it, if it walks like a duck and sounds like a duck, it’s probably a duck. In this case the hoods are quacking like Peking duck.

Five Eyes call out GRU cyberespionage campaign.

Dave Bittner: Early this morning the Five Eyes--the intelligence services of Australia, Canada, New Zealand, the United Kingdom, and the United States--issued a joint advisory providing further details on the malware, "Infamous Chisel," used in a GRU cyberespionage campaign first described early this month by Ukraine's SBU.

Dave Bittner: Infamous Chisel targets Android devices on behalf of Sandworm, the threat group associated with the GRU’s Main Centre for Special Technologies (GTsST). The US Cybersecurity and Infrastructure Security Agency (CISA) explains that "It performs periodic scanning of files and network information for exfiltration," including system and application configuration files. It "provides network backdoor access via a Tor (The Onion Router) hidden service and Secure Shell (SSH)," as well as other capabilities that include "network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer." Infamous Chisel isn't sophisticated or well-crafted malware. The Five Eyes assess the malware's components as representing "low to medium sophistication." They "appear to have been developed with little regard to defense evasion or concealment of malicious activity." Its targets seem to have been mainly Ukrainian military devices.

Dave Bittner: The UK's National Cyber Security Centre (NCSC) framed the report as an instance of support for Ukraine. Paul Chichester, NCSC Director of Operations, said, “The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace. Our new report shares expert analysis of how this new malware operates and is the latest example of our work with allies in support of Ukraine’s staunch defence. The UK is committed to calling out Russian cyber aggression and we will continue to do so.”

Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter.

Dave Bittner: In addition to GRU cyberespionage, Russian cyber activity continues in the form of implausibly deniable hacktivist cutouts, tools and fronts for Moscow’s intelligence services.

Dave Bittner: NoName057(16), the Russian hacktivist auxiliary, moved from operations against Poland to hit a similar target set in the Czech Republic. The Brno Daily today reported distributed denial-of-service (DDoS) attacks against Komercni banka, CSOB, Air Bank, Fio banka, Ceska Sporitelna, a number of Czech banks, as well as the Prague stock exchange. Expats.cz adds Raiffeisen and Moneta Money Bank to the organizations targeted. These were nuisance-level attacks, representing no threat to the organizations' or their customers' data. NoName057(16) says the attacks are intended to punish the victims' support for Ukraine, and to induce them to reconsider such support. Full service was restored at most sites within hours of the attack.

Dave Bittner: Anonymous Sudan, which is probably neither Sudanese nor Anonymous, but rather a hacktivist auxiliary answering to Russian intelligence services, yesterday disrupted the social media platform X in "about a dozen countries," the BBC reports. The nominal goal of the action was to get Mr. Elon Musk to open up Starlink service to Sudan. The hacktivists, stung by widespread suspicion that they're really a bunch of Russians, offered the BBC such evidence as images of passports to attest to their bona fides as for-real Sudanese. Judge for yourselves, but this one quacks a lot like a Muscovy duck.

Dave Bittner: It’s worth noting that the Russian cyber operations deployed in the current hybrid war against Ukraine, apart from some wiper attacks executed in the opening hours of the shooting war, a year and a half ago, have largely been confined to conventional cyberespionage and nuisance-level hacktivism. The much-feared crippling bolt from the blue has yet to arrive.

Spring-Kafka zero-day discovered.

Dave Bittner: Turning to a newly discovered vulnerability, researchers at security firm Contrast Security have discovered a deserialization vulnerability (CVE-2023-34040) affecting Spring-Kafka, a project used for development of Kafka-based messaging services. Contrast explains, “Insecure deserialization...occurs when a vulnerability allows untrusted or unknown data to be passed, enabling a denial-of-service (DoS) attack, code execution, authentication bypass or other types of abuse to an application’s logic.” The researchers were able to develop a proof-of-concept that could conduct remote code execution or denial-of-service attacks.

Dave Bittner: VMware has issued a patch for the vulnerability.

University of Michigan overcomes cyberattack that delayed the academic year.

Dave Bittner: And, finally, the University of Michigan has restored internet to its Ann Arbor, Dearborn, and Flint campuses after sustaining a cybersecurity incident over the weekend, EdScoop reports. The company had severed its networks from the internet due to “a significant security concern.” 

Dave Bittner: University president Santa J. Ono stated yesterday, “We expect some issues with select U-M systems and services in the short term, and not all of our remediation efforts are complete. However, they will be resolved over the next several days....The investigative work into the security issue continues, and we are not able to share any information that might compromise the investigation. We appreciate your understanding as we continue to move through the investigative process.”

Dave Bittner: The university is working with federal law enforcement to investigate the incident. It seems the university took quick and decisive action to respond to the attack, which itself argues that they had prepared and exercised that response. That’s the consensus of the experts we heard from, which we’ll summarize by saying, go Wolverines! 

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks. Luke Nelson from UHY Consulting on ransomware's impact on schools. Stay with us. [ Music ] Luke Nelson is Managing Director at UHY Consulting. I recently spoke with him about the state of ransomware, its impact on schools, and how the Biden administration's plans will affect cybersecurity.

Luke Nelson: Well, certainly as we saw schools move more remotely with the pandemic a few years ago, there was an opportunity for bad actors to manipulate and, you know, take advantage of that situation. So we've certainly seen cyberattacks directionally increase for school systems, local, state governments in general as they've gone to more of a remote workplace. And so, you know, as we think about what the government's response is to those activities, there are certain way, you know, an education component to it, and there certain way, how do we increase the mitigants that will disallow those bad actors to have access to, you know, student information, you know, students being able to be productive in the school place as well.

Dave Bittner: So how has the Biden administration addressed this? What sort of plans are they signaling here?

Luke Nelson: Yeah, it's interesting, you know, I think about it in terms of it's been a progression. So if we look back into, you know, 2020, I believe, was when they first came out with the Cybersecurity Improvement Act that really talked about the IoT, the Internet of Things, and the government being able to, you know, meet the minimum security requirements that needed to take place. The reason that was initially pushed out was because at that particular point in time, I think there was something around, you know, mid-90% in terms of unencrypted data that was moving back and forth between, you know, the federal government agencies, and they said, you know, we needed to change that. You know, as we fast-forward a little bit, there was a cyber grant program that was approved through the state and local Cybersecurity Act in 2022 that actually allowed funding for those state and local entities to take federal money and increase their security posture. Where that initially started was, you need to do a risk assessment, you know, using the NIST security framework and determine what your plan would be. In year one, I believe there was about $180 million that was distributed into those local and state entities last year. This year, I guess, you know, it was almost double, almost $375 million, if I'm recalling correctly, that got pushed out to youths. Simultaneously, as that $375 million was being approved, the Biden administration and the Department of Education, you know, came out and said, you know, "We want to make sure that the Department of Education is pushing out some standards as well to specifically K through 12 schools." So my assumption is that part of that money that has already been tagged for that local and state government funding grant program will actually make its way into the K-12. 
I would also anticipate through directly the Department of Education for not only vendors to be able to be selected for the education and for the hardening of devices in the way, but also for the Department of Education to take a look at how students are learning in this new kind of remote world and whether or not that they feel as if there needs to be some adjustments to the overall infrastructure.

Dave Bittner: Yeah, it really seems like a huge problem to tackle, not the least of which is, you know, that schools are run by the states, and so there's so many different ways of organizing the districts, the different sizes and different ways of funding them. It's going to be a challenge for the feds to come in here. I mean, I suppose, on the one hand, every school system welcomes additional funding from the feds to help them tackle this problem.

Luke Nelson: Yeah, that's exactly right. You know, the intention of the local and state Investment Act is really to take federal monies and distribute it to those local and state agencies to determine how they want to use it. We have seen some of that we use specifically for schools, but obviously, it's intended to be a broader reach other than just schools. However, with the recent acknowledgement from the Biden administration on specifically the Department of Education and how they want to be moving through the process, they will either use those federal funds to do something similar specifically for K through 12, or there will be additional funds allocated based upon the findings that they're seeing as part of this initial rollout.

Dave Bittner: It strikes me that cybersecurity in particular is something that has broad bipartisan support, which, you know, is a bit of a unicorn in today's political environment. Do you feel as though the Biden administration is doing a good job of taking advantage of that sentiment these days?

Luke Nelson: Yeah, I think, you know, it's ever-evolving, right? I mean, unfortunately, the cybersecurity space is evolving in real time, right, you know, from a day-to-day perspective. That industry, and I'll call it an "industry," is, you know, well-funded, whether that's, you know, nation-state actors or private institutions who are going after assets, right? I mean, they want to see a return on what they're seizing. I'll call it that, right? So in terms of like a ransomware type of an event, right? If you can walk down a school for a number of days or get access to student information, you know, can I make $50,000 and not get prosecuted for it? We're seeing a lot of that take place basically because the price point for entry is so low, a couple thousand dollars, right? You can spin up an environment that you could go and enact in a nefarious capacity for these school districts, right? And that's going to continue to evolve. So part of what I think the Biden administration is taking a look at is understanding processes and the human component as to whether or not we need to educate more versus hardening technology systems, which I do think is part of the answer. So I do think they're taking advantage of, you know, what the current sentiment is, but also at the same time, it's a reality, and as we move more and more into a digital world, you know, we obviously moved more quickly due to COVID and the pandemic into the space, but we're going to continue to move more digitally, or continue to, for our school systems, and now's the time to take a look at, say, how do we want to design this differently in the future.

Dave Bittner: That's Luke Nelson from UHY Consulting. [ Music ] And joining me once again is Deepen Desai. He is the Global CISO and Head of Security Research and Operations at Zscaler. Deepen, it's always my pleasure to welcome you back to the show. I want to talk today about some research that you all recently put out. This is Ransomware Redefined, RedEnergy Stealer-as-a-Ransomware Attacks. Help me understand what you all are uncovering here.

Deepen Desai: Yeah, thank you, Dave. So RedEnergy Stealer, and this actually is a campaign that we spoke about at a security conference, ThotCon, early this year. So the team in this case actually discovered a new family, honestly, a new threat category, which is -- which we have dubbed "Stealer-as-a-Ransomware." So the family involved here, RedEnergy, uses a fake update campaign and it's responsible for targeting multiple industry verticals. The goal over here is to steal information from various web browsers and exfiltrate sensitive data, and then it also has these additional modules incorporated inside, and one of them, as I mentioned earlier, is ransomware. So this is where they're encrypting the files and that's where we're seeing this interesting merge of activities of a stealer as well as ransomware.

Dave Bittner: So in terms of them activating the different tiers of capabilities here, is this a case where -- are they stealing the information first, and then if they don't get what they want, do they threaten the ransomware component, or how are they coming at things?

Deepen Desai: Yeah, so in the campaign that we observed, we didn't see the ransomware functionality invoked, but as we analyzed the payload that was planted on the endpoint, right, the focus main was, yes, there was active stealing of information once the attack is successful, but when we analyzed the payload and we looked at all the different capabilities, the malware actually includes ransomware module that encrypts the user data, and the extension they used was an interesting one as well. I won't spell it, but it -- basically, the goal over there is to render the system unusable, right, and then if the payload has been installed on multiple systems, then it's going to cause business disruption as well. We did not see any kind of lateral propagation module in this, but that's still possible as a second stage payload that they can download, that they can always download on one of the system that's infected and then move laterally from that point onward.

Dave Bittner: I see in the research here that they're also going after your backups?

Deepen Desai: Yes, deleting backup is an important functionality, especially when you encrypt data and user is able to easily revert back to the previous backup, right? So if you want the ransomware functionality to be effective, this is something that they will always incorporate. Now, that's where doing those offline backups, air gap backups, right, where your backup information is secure, even after these type of activities done on your endpoint, is extremely important.

Dave Bittner: And what have you seen in terms of who these folks seem to be targeting?

Deepen Desai: So they were targeting multiple industry verticals, but we specifically saw them targeting manufacturing industries, and there were multiple companies that we saw which -- all of which had notable LinkedIn and internet presence as well, so I would say in this manufacturing industry is their primary target over here.

Dave Bittner: And how does someone find themselves infected with this? You mentioned this is a -- it's a fake update campaign?

Deepen Desai: Yeah, it's the old, you know, hey, your plugin needs to be updated, your browser needs to be updated, and this is where the infection chain starts. When someone falls for this, the initial payload gets installed, it will then attempt to escalate privilege. It will also download further payloads and the CNC activity begins from that point onward.

Dave Bittner: I see. All right. Well, Deepen Desai is the Global CISO and Head of Security Research and Operations at Zscaler. Deepen, thank you so much for joining us.

Deepen Desai: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show is written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]