Ep 1898 | 9.1.23

DPRK cyberespionage update. New cybercriminal TTPs. The state of DevSecOps. Hacktivism and the nation-state. Cyberwar lessons learned. A free decryptor for Key Group ransomware.

Transcript

Dave Bittner: A VMConnect supply chain attack is connected to the DPRK. Reports of an aledgedly "fully undetectable information stealer." DB#JAMMER brute forces exposed MSSQL databases. A Cyberattack on a Canadian utility. The state of DevSecOps. A look at hacktivism, today and beyond. Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks, with an analysis of Chinese cyber tactics. And a free decryptor is released for Key Group ransomware.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, September 1st, 2023.

VMConnect supply chain attack connected to DPRK.

Dave Bittner: We begin with some notes on the latest badness out of Pyongyang.

Dave Bittner: ReversingLabs continues to track “VMConnect,” a supply chain attack involving malicious packages posted to the PyPI package repository: “The research team...has identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign: tablediter, request-plus, and requestspro. As happened with the ReversingLabs team's earlier VMConnect research, the team was unable to obtain copies of the Stage 2 malware used in this campaign.” The researchers note that the campaign has overlaps with previous attacks attributed to Labyrinth Chollima, a branch of North Korea’s Lazarus Group.

A "fully undetectable information stealer."

Dave Bittner: Cyfirma is tracking a new malware-as-a-service offering called “Prysmax,” advertised as a fully undetectable information stealer. Cyfirma notes that currently “[t]he malware is indeed fully undetectable by over 95% of signature-based detections commonly employed by antivirus solutions.” The researchers add that “[t]he infostealer strategically manipulates file associations, enabling it to execute whenever any .exe file is run. This technique ensures that the malware is triggered seamlessly, whenever legitimate executable files are opened, potentially leading to persistent infection.” In this case fully undetectable is no FUD.

DB#JAMMER brute-forces exposed MSSQL databases.

Dave Bittner: Securonix warns that DB#JAMMER attack campaigns are targeting exposed MSSQL databases with brute-force attacks in order to deliver the FreeWorld ransomware. The researchers note, “One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used. Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads.”

Dave Bittner: Securonix adds, “FreeWorld ransomware appears to be a variant of Mimic ransomware as it follows many similar TTPs in order to carry out its goals. Both variants appear to abuse the legitimate application Everything to query and locate target files to be encrypted.”

Cyberattack on Canadian utility.

Dave Bittner: The LockBit ransomware gang has claimed responsibility for an attack against an electrical infrastructure utility in Montréal, the Record reports. The utility, the CSEM, said, “The criminal group at work in this case has made public today some of the stolen data. The CSEM denounces this illegal gesture, while specifying that the data disclosed represents a low risk for both the security of the public and for the operations carried out by the CSEM. It should be noted that all CSEM projects are the subject of public documents. Therefore, all these plans – engineering, construction, and management – are already publicly available through the official process offices in Quebec.” And CSEM says it has no intention of knuckling under for the crooks–they can go whistle for their ransom.

The state of DevSecOps.

Dave Bittner: SANS has published a report commissioned by Synopsys looking at trends in DevSecOps. The survey found that “respondents deemed the ‘most useful’ activity (35.9%) in their security efforts to be ‘upfront’ risk assessments that occur before development starts — up from the 9th position in 2022.”

Dave Bittner: The survey also found that an increasing number of organizations are leveraging AI to assist in their DevSecOps efforts. SANS writes that, “A new trend in this year’s report is the number of respondents exploring artificial intelligence (AI) and data science for enhancing DevSecOps. This year shows a significant increase (+16%) in the use of AI or data science to improve DevSecOps through investigation and experimentation—up from 33% in 2022 to 49% in 2023. This trend mirrors the broader industry trajectory, as organizations increasingly leverage AI to automate and augment their security measures.”

The present state of hacktivism is probably its future state as well.

Dave Bittner: Reliaquest has taken a look at what it regards as a resurgence of hacktivism, and it finds this resurgence driven largely by Russia's war against Ukraine. The new hacktivists are not the independent actors of Anonymous's early days (indeed, Anonymous proper has faded away). Instead, they're state-inspired and state-directed, sometimes as more-or-less regular auxiliaries like the IT Army of Ukraine, sometimes as semi-criminal organizations, and sometimes as simple fronts for state intelligence services. Groups like KillNet and various privateering gangs represent the distinctive Russian contribution to this hacktivist resurgence. "The lines of attribution between threats are blurring," Reliaquest writes. "It’s becoming increasingly difficult for security researchers and defenders to distinguish between cybercriminal, nation-state, and hacktivist activity, with many of these groups using similar techniques or deliberately obfuscating their identities."

Dave Bittner: Distributed denial-of-service (DDoS) attacks have become the predominant mode of hacktivist activity, and hacktivists have become increasingly accustomed to using commodity malware available in underground fora. And, of course, hacktivism will continue to provide opportunities for nation-states to hide behind deniable front groups: "It is also likely that nation-state groups will similarly obfuscate their activity by masquerading as hacktivists, either from the outset or by leaving hacktivist-aligned artifacts to throw off defenders’ attempts at attribution."

Cyberwar lessons learned.

Dave Bittner: AFCEA's SIGNAL has published reflections on lessons learned from the cyber phases of Russia’s war against Ukraine. This comes as reminders from NSA and others of Sandworm’s attempts at cyberespionage against Ukrainian military targets continue to reveal the most recent set of Russian tactics, tools, and procedures.

Dave Bittner: Ukraine has generally been successful in defending itself against Russian cyber operations, but it was in many respects a near-run thing, with success stemming from a mix of preparation, improvisation, and urgent hard work. Early in the war Ukrainian authorities worked to relocate essential data and services abroad, beyond the reach of Russian kinetic attack. Cloud services became vital, but many government agencies in particular were unprepared for cloud migration. International cooperation, with both friendly governments and the private sector, was important (and would have been eased by some preparatory work to overcome inevitable language barriers).

Dave Bittner: Much of the successful improvisation, especially with respect to cloud migration and physical relocation, was made possible by anticipatory preparation. Thus two major lessons are, first, prepare, and second, cultivate and exercise partnerships. But the biggest lesson is this: Russian offensive cyber capabilities were grossly overestimated. So start early, cultivate partnerships, plan, prepare, and remember that the adversary isn’t ten-feet tall.

Decryptor released for Key Group ransomware.

Dave Bittner: Finally, bravo to EclecticIQ, which has released a free decryptor for Key Group ransomware. Key Group is a nasty Russian gang that targets individuals, seeking personal information. It both sells the data and holds the owners up for ransom.

Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marre from Arctic Wolf Networks, with an analysis of Chinese cyber tactics. Stay with us. [ Music ] China's approach to the US when it comes to cybersecurity has been complex and often contentious. In many ways, it mirrors the two nations' broader geopolitical interactions. For insights on the threats cyber defenders face from Chinese adversaries, I spoke with Adam Marre, chief information security officer at Arctic Wolf Networks.

Adam Marre: To really understand what's going on today with China and a relationship to them through cyber, we really have to understand what their ultimate goal is. And China's ultimate goal -- and this has been stated by them in various plans that they've released to the public -- is to become a recognized global superpower on par or greater than the United States. And so all of their operations in the cyber realm are focused on that. Because they recognize that cyber power is key to achieving that goal.

Dave Bittner: So as a chief information security officer yourself, when you think of China, what are the first things that come to mind?

Adam Marre: So I think most CISOs, when they think about China, they wonder what is the threat to my organization. Because probably they're looking at, at least reading the news if not actually reading the threat intel. And they're seeing an increase in capability. They're seeing an increase in tempo of the, you know, announcements of breaches that are attributed to China. And also, they hear things like when the FBI director, Christopher Wray, says that China has a bigger hacking program than every other major nation combined and have stolen more personal and corporate data than all other nations combined, it definitely brings it to your forefront of a risk to your own organization.

Dave Bittner: How in your mind does China compare to, say, Russia -- the Russian hackers, I suppose I should say? Do they tend to be noisier?

Adam Marre: So historically, China was known for less sophisticated, less technical attacks. They were noisier, and they were mostly focused on intellectual property theft and some espionage, including economic espionage as well as geopolitical. But that is changing. These intrusions, network intrusions, are becoming more and more sophisticated, more stealthy, and increasingly more bold. I think the boldness is coming from the increasing tensions between the United States and China, especially in the last few years. And as those tensions have increased, it appears that the willingness for China to attempt intrusions, network intrusions, that are more at high risk of being discovered, they're doing that more often. And it really shows that this is a very important part of their plan around their geopolitical objectives.

Dave Bittner: Where do you suppose we're headed here? Any idea what the future might look like? Obviously, everyone has a close eye on Taiwan.

Adam Marre: Yeah, exactly. And so one of the things I think we're seeing here is some peacetime preparation for real-world conflict that may arise. So you pointed out Taiwan, there's also other issues in the South China Sea. And if any of those flashpoints were to become a real-world conflict -- so when we actually have, you know, warfighter ship, something like that, exchanging blows or something happening in the real world -- the cyber realm would certainly be part of that conflict. And China would ostensibly try to dismantle their enemy's -- in that case, the United States -- ability to fight. And they would do that through attacking key infrastructure. So we have already seen and discovered breaches into US key infrastructure, things like communication networks in Guam and in other places like this. And Jen Easterly, the director of the US Cybersecurity Infrastructure Agency, has warned multiple times this year about China using their formidable capabilities in gaining intrusion into critical infrastructure that would be used in the case of one of those conflicts. Another thing she points out is it wouldn't just be attacking our ability to fight in the region. They could also attack critical infrastructure in the United States in the hopes that that would dissuade support from the citizens of the United States to support such a conflict. So you can imagine if there's a conflict over Taiwan, and yet, you know, the water system or communication system or bus transit is not working in a major US city, maybe folks would say, well, I don't care that much about that conflict over in Taiwan, that doesn't affect me, I care about getting clean water into my house; and therefore, I don't want to support this. I think we're going to see that kind of thing in addition to disrupting, you know, direct military communication lines.

Dave Bittner: What sort of recommendations are you and your colleagues there at Arctic Wolf making to your own clients to prepare for some of these possibilities?

Adam Marre: Yeah, so the first thing is to really understand the threat that you're facing. And recently, there was a joint intelligence briefing that came out about Chinese hackers using living-off-the-land techniques to avoid detection. Again, this is showing an increase in the sophistication of attack. But the first part, stepping back and answering the question, what do we tell our customers, the first thing is to really understand the threat. So you as an organization might not think China would have any interest in you. But there's a couple things that you should know. One is that, for years, the Chinese have focused on intellectual property theft that you wouldn't expect. There was one case I was familiar with when I was still working for the government where Chinese hackers actually stole engineering plans for residential/commercial sprinkling systems. So you can think if we're going that deep into what they're interested in, they made be interested in something in your company, in your business. The second thing is they're increasingly using supply chain attacks. That means they could use your company as a vector not to attack you but to attack one of your customers. So you also need to think about your customers when you're evaluating whether or not this is a threat that you face. Now, the good news is, to start off in protecting against this kind of threat is no different than increasing your general cybersecurity program at your company. So this is going to be the basics, and this will be for companies that maybe aren't as mature or don't have as large a security teams, they're going to want to be focused on patching vulnerable systems, managing their credentials, using multifactor authentication, creating a strong culture of security awareness in their company, all the basics. And we all see the breach reports that come out each year, and these basics are usually the things that are compromised, especially patching and mismanaged credentials -- weak passwords and things like that. So if you're wondering where to start, that is a great place to start. And that's what we tell our customers, and we help them with that security journey. For companies maybe that are more advanced, they're going to be wanting to look at baselining normal host behavior and starting to increase their detections on these more sophisticated attacks. So you might look at what is normal behavior on your systems and then start to monitor for even the use of built-in tools on endpoint systems, but maybe they're being used in a strange way. So you can think of tools like PowerShell or WMIC in the case of Windows. And you want to be able to prioritize the logging of those things. Another thing that's helping is CISA, I mentioned earlier, they are now publishing, and they have for a little while now, but they're publishing known exploited vulnerabilities. And you can start to focus your energies on those known exploited vulnerabilities, looking for the indicators of compromise that are published, to start doing threat hunting for this kind of threat. And I highly recommend signing up for the regular emails that come out of CISA and other organizations to help inform your security team to start looking for these kind of very stealthy and agile attacks so that you can detect them. But would, of course, be if your company is more advanced in their security journey. And finally, everyone's going to want to take a look at their supply chain. You're going to want to conduct a full review of your supply chain. This means the SaaS vendors that you use, where you get hardware from, all of these things, to look and say, what is the security of the supply chain that I use directly, and what is the security of these organizations? You know, when we think of vendor due diligence, we think of other parts of your supply chain. And you're going to want to make sure your security team, your procurement team, your sourcing team, are all working together to make sure we understand what we depend on, not just for your business continuity planning in case of an incident, but also understanding what is the risk that one of these vendors is compromised, and therefore we are compromised.

Dave Bittner: That's Adam Marre, chief information security officer at Arctic Wolf Networks. [ Music ] And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, it is always great to welcome you back. You know, there's been a lot of talk lately about third-party risk, and I wanted to touch base with you about how threat intelligence ties into how organizations are approaching third-party risk management.

Betsy Carmelite: Yeah, thanks, Dave, and it's great to be back. We look at threat intelligence as being able to help mitigate the risk coming from third-party partners and systems. And by that we mean it can provide the context behind vulnerabilities and attack surface exposures that third-party connections and data transfers can introduce externally to another organization. And to put some definition around things, the risk coming from third parties is the potential for new vulnerabilities to be added into or exacerbate an organization's existing attack surface. So the threat intelligence that we want to be careful about defining is that analyzed information that identifies adversarial or unintended harm, and it drives security decision-making, less the raw information that you're getting off of, you know, monitoring and log data. Turning that information into a more finished analyze form. So that can inform how the vulnerability and security weakness might be exploited in a specific organization circumstance.

Dave Bittner: You know, I always hear folks when they talk about threat intelligence, they talk about how important it is that it be actionable. Is that what you're talking about here?

Betsy Carmelite: Yeah. And there are a couple of ways that threat intelligence can be actionable but also, you know, better derived before moving into the action phase. One thing, you know, looking at the reconnaissance phase of an attack, and that's really where you do want to take the action, prioritize those reconnaissance and initial access phases of an attack for risk reduction. So you want to look at your internal threat intelligence, that's the intelligence and data coming from an organization's networks and logs. What story is that telling you? Again, not just the raw data. That's really the most helpful intelligence for providing direct visibility into active exposures or any threats. And when you're looking at that recon or initial access phase, an organization can identify if there is activity on its networks. That may be a result of an external connection. And perhaps that scanning, extraction of personal information such as credentials or personally identifiable information, also the gathering of internal database information or traffic leaving the network. In the latter case, you know, that's really in the danger zone, so you want to be catching a lot of that intel and looking at it against the recon phase.

Dave Bittner: So when we're talking about third-party risk management, to what degree is it helpful to have third-party threat intelligence, to have someone from outside the organization supplement your own internal threat intelligence?

Betsy Carmelite: Yeah. So that's an area where understanding where your sources are coming from and what sources you can make use of is really important. So there are companies that do specialize in customizable third-party risk management programs. Because this is really hard work and complex, you know, understanding all the entry points and all of the intelligence and the vulnerability information that can affect those entry points. So they can work with let's just say a critical infrastructure stakeholder to look at their specific threat circumstances. But back to the data, threat and vulnerability information gathered from open sources can be really helpful, providing insights into internet connected devices and interconnected devices. And also the information that organizations and its employees expose, that can tell us how attackers might exploit an enterprise. And also realizing that attackers create threat intel about us. So thinking like an attacker and finding a threat intel provider who can think like that attacker. Also, applying cyber psychology principles and understanding how the attacker would seek out social engineering entry points. And many other entities can figure out those social engineering entry points.

Dave Bittner: So what are your recommendations for folks to start down this path to better come at this?

Betsy Carmelite: Organizations should conduct third-party compromise assessments, and those are also based on threat intelligence and known adversary capabilities. And the assessments will use the threat intelligence, specifically how actors -- their tactics, techniques, procedures -- are already compromising networks and data to understand how the third-party may have previously been breached or indicate the current potential for breach and exposure based on information gathered from the third-party. This is actually really critical also, prior to partnering or prior to a merger and acquisition, to have this kind of compromise assessment performed, to know what you're really getting into in terms of risk, and how to mitigate it before going into the partnership. And threat intelligence can also teach external entities and individuals how threat actors are escalating privileges. And we've seen this in several high profile and extensively damaging attacks to retailers, for instance, in the past decade. So understanding where you can implement a privilege access management program is really a strong recommendation here.

Dave Bittner: All right, well, Betsy Carmelite is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, thanks for joining us.

Betsy Carmelite: Sure, Dave.

Dave Bittner: And that's the CyberWire. A reminder -- Monday is the Labor Day holiday here in the US, and we'll be taking the day off. We'll be back, of course, as usual, on Tuesday. If you're off as well, enjoy the long weekend, and if you're not, have a good productive start to the week. Be sure to check out this weekend's Research Saturday, and my conversation with Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42. We're talking about their threat group assessment, looking at Muddled Libra. That's Research Saturday, check it out. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. [ Music ]