Cyberespionage in East and Southeast Asia, for both intelligence collection and domestic security, Spyware tools tracked. Shifting cyber targets in Russia’s hybrid war. Securing the Super Bowl.
Dave Bittner: The Gelsemium APT is active against a Southeast Asian government. A multi-year campaign against Tibetan, Uighur, and Taiwanese targets. Stealth Falcon's new backdoor. Predator spyware is deployed against Apple zero-days. An update on Pegasus spyware found in Meduza devices. There’s a shift in Russian cyberespionage targeting. A rumor of cyberwar in occupied Crimea. In our industry voices segment, Amit Sinha, CEO of Digicert, describes digital trust for the software supply chain. Our guest is Arctic Wolf’s Ian McShane with insights on the MGM and Caesars ransomware incident. And if you’re looking for a Super Bowl pick, go with an egg-laying animal…and, oh, the NFL and CISA are noodling cyber defense for the big game.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, September 25th, 2023.
“Rarely seen” Gelsemium APT active against Southeast Asian government.
Dave Bittner: We begin today with a quick overview of some recent activity that appears to be associated with Beijing.
Dave Bittner: Palo Alto Networks’s Unit 42 is tracking an obscure threat actor, “Gelsemium,” that targeted a Southeast Asian government. The campaign “featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia.” The researchers also note that Gelsimium isn't alone: three separate clusters of cyberespionage activity have targeted “different governmental entities in the same country, including critical infrastructure, public healthcare institutions, public financial administrators and ministries.” Each cluster appears to be the work of distinct threat actors.
Multi-year campaign against Tibetan, Uighur, and Taiwanese targets.
Dave Bittner: In another development, Volexity describes long-running surveillance campaigns by the China-aligned EvilBamboo threat actor against Tibetan, Uyghur, and Taiwanese individuals and organizations. The researchers note that these groups represent three of the Five Poisons designated by the Chinese Communist Party.
Dave Bittner: The threat actor uses backdoored apps to target users of Android and iOS devices: “[T]here are often supporting Telegram groups used to share the latest version of any given application EvilBamboo is pushing. Sometimes these groups are themed around a specific application, but on other occasions they are themed around a category of applications. While it may seem unusual to download apps from a source like this, it is not an uncommon practice, particularly where users may speak languages (such as Tibetan or Uyghur) not commonly supported by the official versions of apps.
Stealth Falcon's new backdoor.
Dave Bittner: ESET says the Stealth Falcon APT (which probably acts on behalf of the United Arab Emirates) is using a new and “very sophisticated” backdoor called “Deadglyph” to conduct espionage against government entities in the Middle East. Deadglyph “has an unusual architecture, and its backdoor capabilities are provided by its C&C in the form of additional modules.” The researchers add, “Notably, Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns. Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases.”
Predator spyware deployed against Apple zero-days.
Dave Bittner: Last week researchers at Google and the University of Toronto’s Citizen Lab discovered an actively exploited zero-day exploit chain for iPhones. The exploit chain was developed by commercial spyware vendor Intellexa and used by Intellexa subsidiary Cytrox’s spyware product Predator. Apple issued patches for the flaws on September 21st.
Dave Bittner: According to Citizen Lab, Predator was used by the Egyptian government to target Egyptian presidential candidate Ahmed Eltantawy: “In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.”
Dave Bittner: The exploit chain was delivered via a man-in-the-middle (MITM) attack. Google explains, “[I]f the target went to any ‘http’ site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me. If the user was the expected targeted user, the site would then redirect the target to the exploit server, sec-flare[.]com. While there’s a spotlight on ‘0-click’ vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls.”
Update on the Pegasus spyware found in Meduza devices.
Dave Bittner: In another spyware incident, investigation into a Pegasus infestation at Meduza continues. The expatriate (and dissident) Russian news outlet now thinks that a European country, and not Russia, was responsible for the monitoring. Suspicion is now directed mostly toward a jittery Latvian security apparatus. Russia had been the obvious initial suspect, but that conclusion now seems premature at best, and probably false.
A shift in Russian cyber targeting.
Dave Bittner: Yurii Shchyhol [YOO-ree Shuh-CHEE-haul], head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said Friday, in an interview with Reuters, that his organization has seen a distinct shift in the targets selected by Russian cyberespionage services. At least two of the major intelligence organs--the GRU and FSB--had previously shown a distinct preference for collecting against Ukraine's electrical power infrastructure. They're now concentrating on Ukraine's law enforcement agencies, and specifically on those units charged with collecting and analyzing evidence of Russian war crimes.
Dave Bittner: "There's been a change in direction, from a focus on energy facilities towards law enforcement institutions which had previously not been targeted that often," Shchyhol told Reuters. "This shift, towards the courts, prosecutors and law enforcement units, shows that hackers are gathering evidence about Russian war crimes in Ukraine."
Dave Bittner: This may represent the early stages of an attempt to destroy evidence and otherwise interfere with investigations, but it's far more likely that it amounts to a form of opposition research, that the collection is being conducted with an eye to preparing disinformation campaigns that would be deployed to discredit otherwise credible allegations of war crimes. The activity is consistent with other recent incidents, including the compromise of systems at the International Criminal Court.
Dave Bittner: It’s circumstantial evidence of a guilty mind.
Cyberattack reported in occupied Crimea.
Dave Bittner: Around the time a Ukrainian missile strike hit the Black Sea Fleet headquarters in occupied Sevastopol Friday, Russian sources in Crimea said that the conquered peninsula was under cyberattack. "An unprecedented cyber attack on Crimean Internet providers," Oleg Kryuchkov, spokesman for the local occupation authorities said in his Telegram channel. "We are detecting interruptions in the Internet on the peninsula. All services are working to eliminate the threat. We apologize for the temporary difficulties." The Kyiv Independent wrote Friday that Ukrainian authorities had yet to comment. No further developments were reported over the weekend. The are some rumors of Ukrainian hacktivist auxiliary action and some complaints by Russian occupation authorities, but this is still so far a rumor of cyberwar.
A tabletop cyber exercise prepares for the Super Bowl.
Dave Bittner: And finally, do you follow professional football? Did you know that the Super Bowl has a complex and dynamic attack surface? It does.
Dave Bittner: The National Football League (NFL) and the US Cybersecurity and Infrastructure Security Agency (CISA) held a tabletop exercise last week to “explore, assess, and enhance cybersecurity response capabilities, plans, and procedures ahead of Super Bowl LVIII.”
Dave Bittner: CISA stated, “The Super Bowl LVIII Cybersecurity Tabletop Exercise is the latest in a series of assessments and exercises designed to ensure the safety of events at Allegiant Stadium. This exercise brought together more than 100 partners from the NFL, stadium, and federal, state, and local governments to review and discuss plans and procedures for protecting against, responding to, and recovering from a significant cyberattack during the Nation’s most-watched sporting event. The four-hour exercise also provided an opportunity for participants to identify the available resources, capabilities and best practices of their governmental partners and strengthen their resilience.”
Dave Bittner: NFL Senior VP and CSO Cathy Lanier noted, “At the NFL, we understand how important it is to practice like you play, and this week's exercise is the first of many simulations we will conduct prior to Super Bowl LVIII.”
Dave Bittner: Our Super Bowl prediction is Ravens versus Eagles,with the Ravens prevailing, but then we always pick an ornithological final for professional sports championships. When they aren’t two birds in the running, we’ll at least go for an oviparous championship. In the World Series, for example, we’re predicting an Orioles-Diamondbacks contest, egg-laying animals only, with the Orioles taking the championship in six.
Dave Bittner: Yeah, yeah, we know, we know, before we get objections from herpetologists–diamondbacks carry their eggs internally. But still, y’know, eggs and everything, so close enough. Place your bets.
Dave Bittner: Coming up after the break, Amit Sinha, CEO of DigiCert, describes digital trust for the software supply chain. Our guest is Arctic Wolf's Ian McShane with insights on the MGM and Caesars ransomware incidents. Stay with us. [ Music ] The SolarWinds incident back in 2020 put a spotlight on the challenges of securing the software supply chain. Since then, a variety of solutions have been proposed, along with products and platforms to strengthen and simplify the process. My guest today is Amit Sinha, CEO of DigiCert. In this sponsored Industry Voices segment, he shares his insights from being on the front lines of the battle for digital trust for the software supply chain.
Amit Sinha: If you follow the news, in January this year, GitHub reported that a whole bunch of encrypted code signing certificates were exfiltrated. Well, fortunately, those certificates were password-protected, the effects were contained. But that was a huge problem. If you look back earlier, you know, you had issues with code signing keys being compromised at Azus, at Intel, and even Microsoft. In the case of Azus, you know, they manufacture drivers. And, unfortunately, they put the codesigning keys on Web servers that were basically being used to download those drivers. Once those web servers were compromised, the signing keys were stolen, and hackers were able to then essentially sign malware with those driver updates, right. And that was crazy. So now you have, you know, malware infested drivers that are, you know, fundamental to your operating system in making sure that your devices are working properly. Intel was a similar problem. Codesigning keys for their boot guard system got leaked, and again, led to potentially malicious firmware during the boot process. And then recently, Mandiant has talked about how Microsoft's codesigning keys were illicitly obtained by again threat actors, and they used that to sign malware, pretending to be Microsoft. Imagine how bad that is. You know, you get a piece of software on your PC and it says, yep, authentic, signed by Microsoft. It just lets people feel safe when it's not. So the first problem here is that signing keys need to be protected. And fortunately, in June this year, standards bodies were born, and now it's a basic requirement that you cannot issue code signing keys without a hardware token. And what a hardware token, or HSM, module does is it essentially makes sure that the private keys cannot be exfiltrated, copied, shared, etcetera, right. So it reduces the attack surface of the types of problems that we talked about. So that's a good evolution. So step one, you know, you do need to get codesigning keys. And for that, you need to establish yourself as a software developer. And what companies like DigiCert do, being a root of trust on the Internet, as part of our code signing process, we validate the organization. We check your credentials. We make sure that you're legitimate, and then also, your code signing keys, which starting in June this year, has to be on an HSM. Now, more mature organizations will take it a step further. They'll say, well, not only do we need to protect our code signing keys, I need to do two other things. The second thing I need to do is I need to inspect my software development supply chain, right. I need to integrate software trust in the entire CI/CD pipeline, in the build process itself.
Dave Bittner: And how do we do all this without creating undue friction for the developers themselves? I know you've made the point that, you know, they want to write their code, they want to do their work, they don't want to be slowed down by these sorts of things. Can we protect against that?
Amit Sinha: Yeah, absolutely. Look, you know, there is a bit of a trade-off between security and ease of use. I'll share an example. I mean, we talk a lot about generative AI these days. And every CEO is out there saying, hey, what we do with generate AI? And that puts pressure on the software development community, on their teams. And, you know, they'll go and they'll download whatever packages are available without, you know, scanning them, without thinking about it. And that can lead to increased risk, right. There have been discussions where, you know, some language models and some neural network frameworks were laced with malware. And nobody's really thinking about scanning them. So sometimes, you know, when there is pressure to deliver things, people take shortcuts. And it becomes an easy door through which threat actors and infiltrate your software development process. So back to your question, how do we make it easy, so, you know, you have secure software development without too much friction in the process? It starts with an automation. If you look at DigiCert's Software Trust Manager solution, we automate and integrate into your CI/CD pipeline, basically your development pipeline. And all the keys are managed in the cloud, in cloud secure HSMs. Once you set up your policies, automation kicks in and you can say during, you know, these key big processes or these milestones, automatically scan software, flag anything that looks bad. And if everything is green, you know, generate a bill of materials and sign the software. So from a developer's perspective, it is smooth, it's automated, and what you're shipping is high quality software that is, you know, tamper resistant. It's almost like, if you look at FDA, stamping a piece of food as organic, right, with all the contents on it. It just gives a higher level of assurance. But does it take a little bit of extra work? Sure. But as a consumer, you feel better because you can make informed choices. The same is true for software. I think if you have the right set of tools, you can generate high quality software, stamp your brand on it, and your customers can feel more assured that they have, you know, a good product.
Dave Bittner: That's Amit Sinha from DigiCert. [ Music ] MGM Resorts and Caesars Entertainment in Las Vegas are both recent victims of high profile breaches of their systems, with Caesars reportedly negotiating a ransom payment and MGM claiming to have most of their systems back online, with a few fits and starts. Ian McShane is vice president of strategy at Arctic Wolf Networks, and I checked in with him for insights on these high roller hacks.
Ian McShane: My brain, it instantly went to, I wonder if that's ransomware, just like any other kind of incident. A similar thing happened a few weeks when I was flying from London to the US, and the air traffic control system in the UK went down. The first thing that came to my mind is, I wonder if that's ransomware? And it seems like there's where a lot of people's brains go to when they see organizations, certainly high profile organizations, having some kind of technical difficulties.
Dave Bittner: And that seems to have played out here, right? Even if we're only at the point of informed speculation. And I suppose Caesars has filed an 8K. I mean, ransomware seems to be where we've landed?
Ian McShane: It seems like. Yeah, you're right, there's a lot of this is just speculation or at least educated guesswork on behalf of people that have been in and around the incident itself. But yeah, it certainly seems like it was a ransom-type event. I don't know whether ransomware was actually deployed to anything. There's been talk of, you know, some infrastructure being infected with something, but I don't know that it's actually been confirmed, certainly not for MGM anyway.
Dave Bittner: I think part of what's been surprising people is at least the perception with organizations like this, you know, big casinos who are handling millions of dollars a day, that they would have the resources to have better security than perhaps what we're seeing here. Is that a fair assessment?
Ian McShane: It's important to think about what really happened here. And, you know, ultimately it sounds like what it is is some kind of phishing or vishing -- which is an awful voice phishing, I suppose. And so these kind of social engineering incidents can really happens to any organization. It's less about technical controls and more about people and process. Now, that's not to say that people are necessarily to blame. It's hard to point fingers and say they could've invested more or they didn't invest enough when we don't really know the entire story. And again, it's important to understand that anyone, any organization, or any human being, for that matter, could be caught out by this type of scam. Just think about the amount of people that are, you know, conned into giving away or transferring money away on a daily basis, which, again, is another kind of social engineering attack.
Dave Bittner: I suppose it's a reminder that if this can happen to well-funded organizations like these, that it could happen to anyone.
Ian McShane: Yeah, exactly. And, again, it's a reminder that technology isn't the be all and end all in cybersecurity. There's a lot to be said for the human process, the human factor, in both the defensive side and on the receiving end of the attack itself. You know, it almost sounds similar to the incident with Uber last year as well, which used another type of social engineering, but this time through technology, right, to gain access. And ultimately, that one caused a lot of panic across the industry around the use of multifactor authentication and how the app alerts can really be used to annoy someone into doing something they normally wouldn't do.
Dave Bittner: What do you suppose is going on at this moment when it comes to incident response?
Ian McShane: Well, it's been a week, maybe a little bit longer, 10 days, I guess, as we were caught in this. So at this point, I would've expected a company of that size to have a pretty well defined disaster recovery plan, you know. Assuming they have contingency plans for when power goes out or when their systems go down, you know, not through a threat actor incident, but through some other kind of problem, I would imagine that they've got well-rehearsed plans to bring things up and running as fast as possible, certainly for their critical infrastructure. So at this point, I would imagine that there is probably some law enforcement engagement going on to help understand what happened, how it happened, and whether or not there's a need for law enforcement to help with. As well, you know, the internal postmortem of figuring out, how do we get everything back to a good state, and how do we prevent this from happening again in the future?
Dave Bittner: You know, it's easy to throw rocks, you know, from the outside and be critical here. But one of the things that struck me with this incident was the breadth of systems that have been affected here, I'm speaking specifically with MGM. We hear slot machines have gone down, reservation systems. There's reports of hotel doors not being accessible, and so on. As we read the tea leaves on that, is it likely that the bad actors were able to get in and then make lateral movement? Or were maybe more of these systems hosed together in a common way than perhaps was wise?
Ian McShane: It's very difficult to say. And, of course, you know, Monday night quarterbacking is very easy for people like us to sit here and do, and largely unfair, really.
Dave Bittner: Right.
Ian McShane: There's a couple of things, you know. It could be that they had, say, you know, a flatter network typology than they could have. So just one successful intrusion meant the actor could move laterally to anything. It could go way more deeper than that. Maybe, you know, the adversaries were specifically attacking a user account or user credentials that had, you know, explicit permissions across multiple systems. Or maybe they hopped between accounts. Maybe, you know, the chain of attackers is more complex than, you know, just a phishing attack. There's so much unknown about what happened here. And the impact, like you said, is so broad, it makes this a really interesting incident. And I mean that in the best possible way possible. I don't mean to be detrimental to the people that are suffering through the incident response process themselves.
Dave Bittner: Right. Well, what are some of the lessons you think that we can take away from this?
Ian McShane: Well, again, it comes down to it's not just technology. You know, if this truly was, as widely reported, if this truly was a threat actor calling up the helpdesk and walking through some kind of remediation workflow to get access to an account, it's one of those things where you have to think about, how do you authenticate the person on the other end of the phone? How do you guarantee that, you know, Ian calling the Arctic Wolf helpdesk is really Ian asking for his account credentials to be reset? Similar in a way to how we talk about business email compromise, right, which is that scam where someone manages to convince, from an insider email account, convince someone with the authority to transfer money to send a large sum of cash to a bank account outside of normal process. And so, you know, I think there's something to be said for security awareness -- helping people understand what are the risks. But also, you know, going through the process and procedure and making sure you're giving your employees that are tasked with this type of helpdesk work, where you're, you know, resetting credentials or providing locked out accountholders with access to their accounts, that they're able to actually authenticate the people correctly, and not just, oh, this is your name, this is your email address, let's get that sent over to you straight away.
Dave Bittner: That's Ian McShane from Arctic Wolf Networks. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment with Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.