Microsoft releases results of investigation into cloud email compromise. A buggy booking service. Adversary emulation for OT networks. Identity protection trends. Notes from the hybrid war.
Dave Bittner: Microsoft releases results of their investigation into cloud email compromise. A vulnerability affects a resort booking service. Adversary emulation for OT networks. Identity protection and identity attack surfaces. Sanctioning privateers (with a bonus on vacation ideas). Rob Boyce from Accenture Security tracks new trends in ransomware. Our Threat Vector segment features Mastering IR Sniping A Deliberate Approach to Cybersecurity Investigations with Chris Brewer. And Estonia warns of ongoing cyber threats.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, September 7th, 2023.
Microsoft releases results of investigation into cloud email compromise.
Dave Bittner: Microsoft has published the results of its investigation into how a Chinese threat actor was able to obtain a Microsoft account consumer key, which it used to forge tokens to access OWA and Outlook.com. Redmond's investigators found that the threat actor (tracked as “Storm-0558”) compromised a Microsoft engineer’s corporate account, which had access to the crash dump containing the key. The company said, “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.” The report outlines how the incident apparently unfolded. “Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected). We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).”
Dave Bittner: Storm-0558 is a Chinese cyberespionage actor. The crash dump incident saw it compromise cloud-based Outlook email systems used by at least twenty-five organizations, including several US Government agencies, the State Department among them.
Dave Bittner: In full disclosure, we note that Microsoft is a CyberWire partner.
Vulnerability affects booking service.
Dave Bittner: Researchers at Bitdefender have discovered a series of vulnerabilities affecting the IRM Next Generation online booking engine built by Resort Data Processing, Inc. The researchers say that their investigation began in November of last year, when they began looking into indicators of suspicious activity on a server owned by a US resort. Files from Resort Data Processing’s booking engine were apparently improperly accessed by an unauthorized third party.
Dave Bittner: The researchers identified five vulnerabilities affecting the engine. Three involved the use of hard-coded credentials, and two were related to the improper neutralization of special elements. Bitdefender says it attempted to notify the vendor multiple times, but without receiving a response, which is why they’ve now published their findings. They caution that as far as they can determine, the booking engine remains vulnerable.
Adversary emulation for OT networks.
Dave Bittner: In a development of interest to the industrial security space especially, the US Cybersecurity and Infrastructure Security Agency (CISA) and the MITRE Corporation have released an OT extension for MITRE’s open-source adversary emulation platform Caldera. The MITRE Caldera team stated, “Caldera for OT introduces 29 distinct OT abilities to the hundreds of existing enterprise-focused abilities already included with Caldera.”
Dave Bittner: Nick Tsamis, chief engineer at MITRE Cybersecurity, told the Record, “One of the key challenges we’re focused on is getting easy-to-use and extensible capabilities in the hands of those tasked with defending critical infrastructure. With Caldera for OT, we seek to empower operational stakeholders to effectively develop and share knowledge, experience, and lessons learned with the larger OT cybersecurity community.”
Identity protection and identity attack surfaces.
Dave Bittner: Silverfort has published a study conducted by Osterman Research looking at the state of identity security. The survey found that 83% of respondents have experienced a breach involving compromised credentials, half of which occurred within the past twelve months.
Dave Bittner: The researchers also found that 65% of organizations haven’t thoroughly implemented multifactor authentication. They write: “When MFA does not protect the full scope of resources and access methods under attack, the elevated security promised by MFA is diminished as adversaries can still access resources without the MFA barrier. Moreover, when a resource has MFA applied to one access method but lacks MFA on another, the MFA protection is void since an adversary will simply use the unprotected method to access the resource.”
Dave Bittner: In February the US and UK jointly imposed sanctions on members of Russia’s privateering TrickBot gang. We characterize them as “privateers” because, while they pursue profit, they do so at the sufferance of the Russian government, and with that government’s protection and encouragement. Their targets are ones the Kremlin is happy to see disturbed–Western companies, for the most part. As the US Treasury Department put it at the time, “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies.” Seven individuals were named in that round of sanctions.
Dave Bittner: This morning the two governments added eleven more members of the gang to the list of sanctioned individuals. They’re described as “administrators, managers, developers, and coders who have materially assisted the Trickbot group in its operations.” The sanctions require, as a minimum, that “all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC,” the Treasury Department’s Office of Foreign Assets Control. And the TrickBoteers will find it more difficult to do business with foreigners. The Treasury statement explains, “OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons.”
Dave Bittner: Harsh realm, bros. Limited access to funds will among other things put a crimp in any plans for holidays abroad. But that’s OK–see Russia first, guys, and anyhoo we hear from Russian government teevee that things are pretty swell over there. So book a vacation in Chelyabinsk, where we understand the motels aren’t all that bad, where the meteors often miss, where the nuclear accidents have probably been cleaned up, and where actual indoor toilets are frequently available. Toilets that flush, guys–you can’t say no to that.
Estonia warns of ongoing cyber threats.
Dave Bittner: Finally, there are calls for allied cooperation against nation-state cyber threats.
Dave Bittner: Estonian Prime Minister Kaja Kallas warned that cyber conflict remained a high risk, and that Russia's war against Ukraine remains a contest of influence. She called cyberspace a “front line” in the war. It's not an isolated front, however, but part of a more general threat to democracies everywhere. The Prime Minister called for global cooperation among democracies to counter that threat in ways that use their inherent advantage, which she characterized as "openness" aided by technology, to preserve their position in cyberspace.
Dave Bittner: The website 19fortyfive describes ways in which cyber operations become increasingly effective when they're collaborative. While there's been some convergence with traditional modes of warfare, especially electronic warfare, cyber operations continue to be conducted largely within their own domain.
Dave Bittner: And, again, such operations seem best handled when friendly states and the private sector cooperate. This seems, so far, to be the single most important lesson to emerge from the sad story of Russia’s war of aggression.
Dave Bittner: In February, the U.S. and U.K. jointly imposed sanctions on members of Russia's privateering Trickbot gang. We characterize them as privateers because, while they pursue profit, they do so at the sufferance of the Russian government, and with that government's protection and encouragement. Their targets are ones the Kremlin is happy to see disturbed -- western companies for the most part. As the U.S. Treasury Department put it at the time, the Trickbot group's preparations in 2020 aligned them to Russian State objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies. Seven individuals were named in that round of sanctions. This morning, the two governments added eleven more members of the gang to the list of sanctioned individuals. They're described as administrators, managers, developers, and coders who have materially assisted the Trickbot group in its operations. The sanctions require, as a minimum, that all property and interests in property of the individuals that are in the United States, or in the possession or control of U.S. persons, must be blocked and reported to OFAC, the Treasury Department's Office of Foreign Assets Control. And the trickboteers will find it more difficult to do business with foreigners. The Treasury statement explains, "OFAC's regulations generally prohibit all dealings by U.S. persons or within the United States, including transactions transiting the United States, that involve any property or interests in property of blocked or designated persons." So, sad to say, limited access to funds will, among other things, put a crimp in any plans for the Trickbot gang's holidays abroad.
Dave Bittner: Coming up after the break, Rob Boyce from Accenture Security tracks new trends in ransomware. Our "Threat Vector" segment features Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations with guest Chris Brewer. Stay with us.
Dave Bittner: It's time for our sponsored "Threat Vector" segment brought to you by Palo Alto Networks. This week, Chris Brewer, a Director at Unit 42 and expert in digital forensics and incident response joins Dave Moulton to discuss Mastering IR Sniping. Here's their conversation.
Chris Brewer: Every contact by a criminal leaves a trace. So if it's physical evidence or digital evidence, any time a file is touched or interacted with, there's something that's left behind. [ Music ]
David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to be talking with Chris Brewer about IR sniping. Chris is a Director in Unit 42 and an expert in digital forensics and incident response with decades of experience. Chris, give me the TLDR definition of IR sniping.
Chris Brewer: Yeah. So it's a targeted, deliberate way of approaching an investigation. You can't really go and do one host at a time approach. It doesn't work. It works for five, ten bots. When you've got 5,000, 20,000, 30,000, you've got to have that new methodology. And that's where IR sniping comes in. The sniper response methodology is taking a targeted, deliberate approach to an investigation.
David Moulton: Chris, before we get much further into this, I want you to talk about the guiding principles for this methodology.
Chris Brewer: Yeah. There's some foundations there with the guiding principles. These have been around for a very long time. I think it's kind of the -- the core piece of any investigation. If it's computer investigation, crime scene, whatever it happens to be. And one of the big ones is the Locard Exchange Principle. Basically, the idea behind that -- every contact by a criminal leaves a trace. So if it's physical evidence or digital evidence, anytime a file is touched or interacted with, there's something that's left behind. The other idea for this one is Occam's razor. The simplest explanation is often the right one. It's really easy to get excited. It's, like, oh, it's China or it's Russia or it's APT. Usually it's the simplest explanation there. And the last one is the Alexiou Principle which is probably new to a lot of folks. But basically that one has four big things. It's what questions are you trying to answer? What data do you need to answer that question? How do you analyze that data? And then, finally, what does that data tell you?
David Moulton: What about IR sniping helps you do your job better, faster, more effectively?
Chris Brewer: Yeah. So kind of taking that same approach and understanding that, and then focusing on the stuff that the lawyers, that counsel, that the client really care about. And we can kind of summarize that with these basically four big questions. So what did they take? That's the data exfiltration question. The -- are they still here question. That's, hey, is the bad guy still present inside our environment? The command and control, the IP addresses, domains. And then the third big question is -- where did they go? What's the lateral movement? What all -- what are all the systems that were touched -- what all is impacted here? Did they spread out to ten systems? Are they -- 500 systems? They hit our routers and switches as well? It's understanding that -- where did they go? And the fourth big question, usually when you're running an investigation, it kind of answers itself. And that's -- how did they get in? So finding patient zero, identifying how they got into the environment.
David Moulton: Chris, would you say that using IR sniping gives you better results faster in an investigation?
Chris Brewer: Absolutely. When we're running a case, we'll assign workstream leads to look at these questions and then it doesn't matter if you're getting ten hosts today and you've got 500 the next day. When you're taking this deliberate approach, the answers come really fast. So the nice thing about this methodology as well is you're constantly doing a QC of your own review of your own data because you're repeating the questions, you're repeating the steps, and looking at data again as new stuff comes in.
David Moulton: You presented at Cactus Con on IR sniping. What are some of the things you found the audience reacted to the strongest?
Chris Brewer: So taking this approach, most incident response investigations can be solved within about 72 hours when you're taking this targeted, deliberate approach, focusing on the stuff that matters, getting rid of all the extra noise, then focusing on those four big questions.
David Moulton: Chris, tell us where we can find out more about this approach.
Chris Brewer: Cactus Con was a recorded presentation that's out there on YouTube if you want to Google it. Type in Cactus Con 2023. It's out there. I've also got the GitHub link out there as well. Those are great places. Or if you want to talk with me on LinkedIn, I'm always on there as well. [ Music ]
David Moulton: Chris, thanks for sharing where people can learn more about IR sniping. We'll make sure that those are linked up in our show notes. I'm so glad you were able to take time away from the work you're leading at Unit 42 to talk with me today on "Threat Vector." Join us again on the CyberWire Daily in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now. [ Music ]
Dave Bittner: That's David Moulton with Chris Brewer from Palo Alto Networks' Unit 42. [ Music ] And I am pleased to welcome back to the show Robert Boyce. He is Global Lead for Cyber Resilience and Managing Director at Accenture. Rob, it's always great to welcome you back. I just want to take a couple minutes and touch base with you on some of the things that you and your colleagues there at Accenture are tracking when it comes to ransomware.
Robert Boyce: Yeah. Thank you, Dave, and it's -- it's always fun being here. So -- I think as -- as you know, and we've talked about on the show before, we -- we do a "quarterly ransomware trends." And I think we're going to have to now rename ransomware trends, quite honestly, because we are seeing -- we're not seeing a big uptick in ransomware in particular anymore. What we are seeing, of course, is a huge uptick in data theft and extortion. So that's really the trend that we're seeing now. And what I think is really interesting here and, you know, we've -- I think, you know, one of the most successful groups we've seen I would say in the last two months, CL0P -- I'm sure everyone has heard of them and MOVEit by now. They -- they -- they had a very different approach to this which I thought was really fascinating. You know, they seem to play this as a -- as a strictly a volume game. They created either, you know, their own exploits or used known exploits that had very recently been discovered, and essentially tried to exploit as many organizations globally as -- as they could, as quickly as they could, to gain initial footholds. So where we've seen ransomware affect groups in the past try and really use more, you know, slower techniques around phishing and other things, like, these guys were 100% vulnerability driven to be able to just, you know, open up access to as many -- to many organizations as they could. Once they did that, of course, then they ran the data exfiltration and extortion campaign. We estimate that they have -- that they have exploited over 500 victims in a six-week period and that they have made between $80 and $100 million estimated in payments in this short amount of time. So, as you can imagine, when you have 500 victims in such a short amount of time, it's a -- probably a bit chaotic for them as well in how they're -- in how they're actually trying to collect. So there's really no pressure to pay.
I mean, this is strictly a volume game, getting as many as they can, trying to find maybe is there one or two, you know, big fish, one or two whales in that -- in that pool that they -- they can capitalize on. You know, we've seen some big companies mentioned in their -- in their leak site.
Dave Bittner: What is the current best practice if an organization finds themselves victim of an -- of something like CL0P? You know, you -- you fell victim to the MOVEit vulnerability and CL0P took advantage of that and now they're threatening to post your stuff. Where do we stand now in terms of the best way to approach this?
Robert Boyce: Hey, there's no really one right answer, honestly. You know, I -- I think organizations are really, I don't want to say unprepared to have -- to make this decision, but I often do see that because I think that a lot of organizations put so much time into creating incident response playbooks meaning, very tactically, how do we respond to different events? And not enough time thinking about the business implications of that, meaning, you know, what decisions do we need to make at an executive level should we be the victim of a ransom demand or an extortion demand? And so I -- I really still find that a lot of organizations are playing it by ear. And they -- they have -- they're making a decision based on the sensitivity of the data. You know, so it's -- it's been very -- it's been very interesting to see. I mean, clearly people are paying because this is a very viable business for this -- these organizations. But I just don't think there's been enough focus put on executive preparation in these types of scenarios.
Dave Bittner: An organization like CL0P, do -- to what degree do they let the victim know what they have? What I'm getting at here is -- is the victim able to do a calculation of what is the potential material impact to my business based on what we know they've taken?
Robert Boyce: You are able to download the victim files. So you can take a look at them. Typically they get posted a little after, you know, the demands have been met or not met -- typically not met. And there is the ability to look at it afterwards. And I think as we've talked about in some of our previous recordings, like, that data is now becoming really, really valuable for other threat actors to make secondary and tertiary attacks, just understanding the client environment better. So, you know, there's -- there's still value in -- even if you're not going to pay and your data gets posted, even if you don't think it's important, it could still be super important to help enable threat actors to make higher fidelity, secondary, and tertiary attacks. So that's something -- a trend that we -- we've talked about before on this show, and -- and it's going to continue, especially now as we're seeing this high volume of victim disclosures. Often, though, threat actors will, you know, give you clues on what the data could be, and so then you could go and do your own investigation to -- to try and make that business decision on whether it's important enough for you to pay for it to remain private or not. But, as you can imagine, in large organizations, having an understanding of where all your data is and the value of that data by system is quite a bit more complex than most people actually understand.
Dave Bittner: Yeah. All right. Well, Rob Boyce is Global Lead for Cyber Resilience and Managing Director at Accenture. Rob, thanks so much for joining us.
Robert Boyce: Of course, Dave, my -- my pleasure. [ Music ]
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cyber security. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Results of Major Technical Investigations for Storm-0558 Key Acquisition (Microsoft Security Response Center)
MITRE and CISA release Caldera for OT attack emulation (Security Affairs)
MITRE Caldera for OT now available as extension to open-source platform (Help Net Security)
United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang (US Department of the Treasury)
Estonian PM: cyberspace is Ukraine war frontline (Euromaidan Press)
Cyberwar and Conventional Warfare in Ukraine (19FortyFive)