The CyberWire Daily Podcast 9.27.23
Ep 1915 | 9.27.23

What up in the underworld’s C2C markets. An update on the Sony hack claims. Notes on cyberespionage, from Russia, China, and parts unknown. And there’s a market for bugs.

Transcript

Dave Bittner: A Joint Advisory warns of Beijing's "BlackTech" threat activity. ShadowSyndicate is a new ransomware as a service operation. A Smishing Triad in the UAE. Openfire flaw actively exploited against servers. AtlasCross is technically capable and, above all, "cautious." Xenomorph malware in the wild. DDoS and API attacks hit the financial sector. In our Industry Voices segment, Joe DePlato from Bluestone Analytics demystified dark net drug markets. Our guest is Richard Hummel from Netscout with the latest trending DDoS vectors. And the FCC chair announces plans to restore net neutrality.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, September 27th, 2023. 

Joint advisory warns of Beijing's "BlackTech" threat activity. 

Dave Bittner: We open with some breaking news, a warning of state-sponsored industrial espionage.

Dave Bittner: A Joint Cybersecurity Advisory was issued this morning by US and Japanese security and intelligence agencies warning of BlackTech, an industrial espionage activity cluster operated by China. BlackTech has shown the ability to modify router firmware undetected, and to "exploit routers’ domain-trust relationships." The campaign has begun by compromising routers in subsidiary companies and then pivoting from the subsidiaries to corporate headquarters in the US and Japan. The goal of BlackTech's collection has for the most part been the acquisition of intellectual property.

ShadowSyndicate is a new RaaS operation. 

Dave Bittner: Group-IB describes a new ransomware-as-a-service (RaaS) affiliate called “ShadowSyndicate.” The researchers state, “[I]t’s incredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections with a large number of malicious servers. In total, we found ShadowSyndicate’s SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility.”

Smishing Triad in the UAE. 

Dave Bittner: Resecurity warns that the Smishing Triad threat actor has “vastly expanded its attack footprint” in the United Arab Emirates (UAE). The researchers believe the goal of the campaign is to steal personal and financial data from Emirati citizens: “The group typically sends out malicious text messages from iCloud accounts they have previously hijacked, while masquerading as reputable organizations like government agencies, financial institutions (FIs), and shipping firms.”

Dave Bittner: Smishing Triad is also offering its smishing kits for sale on Telegram to other cybercriminals, so it’s another player in the C2C market.

Openfire flaw actively exploited against servers. 

Dave Bittner: BleepingComputer reports that threat actors are exploiting a vulnerability (CVE-2023-32315) in Openfire messaging servers to deploy ransomware and cryptominers. Openfire released a patch for the flaw in May 2023, but as of last month more than 3,000 servers were still vulnerable. Doctor Web warns that the ongoing campaign has been active since at least June: “This exploit performs a directory traversal attack and allows unauthorized access to the administrative interface of the Openfire software, which is used by attackers to create a new user with administrative privileges.”

Dave Bittner: And, of course, the incidents are another lesson in the school of hard knocks on the importance of patching. We know that patching isn’t always as easily done as it is advised, but known vulnerabilities are far more often exploited than are the flashier and feared zero-days.

Claims of a compromise at Sony are investigated with cautious skepticism. 

Dave Bittner: CyberSecurity Connect has reported that a ransomware gang, Ransomed.vc, claimed to have successfully hacked into Sony, gaining access to sensitive information the company holds. Sony has said very little about the incident. The company did offer a terse statement to IGN, which reads in full, “We are currently investigating the situation, and we have no further comment at this time.”

Dave Bittner: Outsiders who've seen the proof-of-hack Ransomed.vc offer are skeptical: it seems far short of what one would expect from a compromise of the claimed magnitude, and it's also consistent with being information culled from a variety of third-party sources. CyberSecurity Connect says it consists of "screenshots of an internal log-in page, an internal PowerPoint presentation outlining test bench details, and a number of Java files."

Dave Bittner: Ransomed.vc is thought to be a new group, active only over the past month or so, although some of its members may be alumni of other gangs. It appears to operate mostly from Russia and Ukraine, and seems to be both a direct ransomware operator and a player in the ransomware-as-a-service market, where it recruits criminal affiliates. BleepingComputer notes that another criminal actor, "MajorNelson," disputes Ransomed.vc's claims, saying that it's the actor who's in fact responsible.

Dave Bittner: A question: is the hacker handle “MajorNelson” an homage to I Dream of Jeannie? The world wonders, or at least people who watch reruns of 1960s vintage American situation comedies wonder.

AtlasCross is technically capable and, above all, "cautious." 

Dave Bittner: NSFOCUS Security Labs reports tracking a patient, persistent, low-profile APT that's impersonating the Red Cross to prospect its victims. The researchers call the threat group "AtlasCross." The researchers believe that AtlasCross shares no significant "attribution indicators" with other known threat groups. None of the usual markers, which NSFOCUS lists as "execution flow, attack technology stack, attack tools, implementation details, attack objectives, [and] behavior tendency," show any similarity to those employed by other actors, and the researchers offer no speculation about AtlasCross's allegiance.

Dave Bittner: The initial approach is phishing. An email with American Red Cross blood donation information in its subject line carries an attachment, “Blood Drive September 2023.docm.” For the phishbait document to be displayed, the victim is prompted to enable macros: the preliminary screen carries a reassuring note "This document is protected by McAfee DLP. Click 'Enable Content' to view." Once the target does so, the document displays a promotional flier for an American Red Cross blood drive. It also initiates communication with the attacker and installs a loader Trojan. That loader detects the host environment and executes shellcode that subsequently loads the final payload, AtlasAgent, which collects information about the host, executes shellcode, and carries out further actions against the target.

Dave Bittner: AtlasCross has compromised twelve servers, all of them in the United States, and all of them hosted in an Amazon cloud. The hosts are otherwise clean, and are unlikely to trip warnings or otherwise arouse suspicion. For more on the campaign, see CyberWire Pro.

Xenomorph malware in the wild. 

Dave Bittner: A new version of the Xenomorph Android banking Trojan is targeting customers of more than thirty-five US financial institutions, according to researchers at ThreatFabric. The threat actors also continue to target users in Spain and Canada. The researchers note, “From a purely technical point of view, this new campaign of Xenomorph does not feature major modifications from its previous iteration. This is a testament to the maturity of this Android Banker. Most of the work from the Threat Actors operating Xenomorph is going into developing additional ATS modules, and most importantly distributing their product.”

DDoS and API attacks hit the financial sector. 

Dave Bittner: Akamai this morning outlined trends in DDoS and API-based attacks afflicting the financial sector: They’re up, across the board. “Web application and API attacks in the financial services industry grew by 65% when comparing Q2 2022 with Q2 2023, accounting for 9 billion attacks in 18 months. This was driven in part by cybercriminal groups' active pursuit of zero-day and one-day vulnerabilities as pathways for initial intrusion.”

Dave Bittner: Additionally, the report found that “banks are bearing the brunt of web attacks (58%), followed by other financial services companies, such as fintech, capital markets, property and casualty insurance, and payment and lending companies (28%).”

FCC chair announces plans to restore net neutrality. 

Dave Bittner: Jessica Rosenworcel, chair of the US Federal Communications Commission (FCC) announced plans this week to restore net neutrality rules that were established in 2015 but rescinded during the Trump Administration. Net neutrality would, the FCC said in a factsheet, "establish basic rules for Internet Service Providers that prevent them from blocking legal content, throttling your speeds, and creating fast lanes that favor those who can pay for access."

In cyberwar, the FSB is more active, but the GRU does more damage.

Dave Bittner: The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) has issued its report on the cyber phases of Russia's war for the first half of 2023. This assessment of Russian cyber activity comes in the wake of reports that Moscow's intelligence services are taking a close and focused interest in Ukrainian investigations of Russian war crimes. The FSB (notably its Gamaredon actor) has been the most prolific attacker of Ukrainian networks. Hacktivist auxiliaries acting under Russian government direction have also been active. But the most successful and damaging Russian actor in cyberspace has been the GRU, in the form of its Sandworm organization.

Dave Bittner: Ukraine continues to show considerable resilience in the face of Russian cyberattacks, and the devastating attacks against the country's infrastructure widely anticipated at the time of the invasion have fallen short of expectations. But as winter approaches, and as Russian state propagandists call for as much suffering as possible to be inflicted on Ukraine's civilian population, Bank Info Security reports that Kyiv's cyber defense efforts are turning to protection of critical infrastructure, especially energy infrastructure, during the coming cold months.

Get yer bugs right here.

Dave Bittner: And, finally, hey everybody: there's more than a bounty on bugs--there's an investment opportunity, too. VCs are pouring hundreds of millions with a capital "M" into bug farming start-ups, which appears to represent a new development in the bug-hunting industry. Yes, the red-teamers are moving from their primitive hunter-gatherer phase to the more systematic, hydraulic farming stage of their civilization, and investors are taking notice, says Crunchbase...

Dave Bittner: …Oh, wait...sorry, they're talking about actual bugs, the kinds with at least six legs, or sometimes none at all. We should've read beyond the headline.

Dave Bittner: Are our faces red--it just shows how important it is to RTWT, as the kids type. The VCs want to put their money in companies that will enable livestock, pets, and people to eat more bugs. As if they aren’t doing so already. The bugs are an eco-friendly and protein-rich alternative to that gack you're probably eating right now.

Dave Bittner: If you're into this kind of bug, and let's face it, not everyone is, we earnestly recommend a visit to Montreal's Insectarium, the world's biggest bug museum and zoo. Try to time your visit when they're having their croque-insecte, when you can sample many dishes made from bugs. We recommend the meal-worm cookies. Vaut le voyage, as the Guide Michelin might put it.

Dave Bittner: Those software bugs, the other kind? Forget about it. Not as tasty. And those VCs invest in so many things. In the software as opposed to the entomological world, we say step right up–there’s an NFT in Brooklyn you might be interested in.

Dave Bittner: Coming up after the break, Joe DePlato from Bluestone Analytics demystifies dark web drug markets. Our guest is Richard Hummel from NETSCOUT with the latest trending DDoS vectors. Stay with us. There is a certain mystique when it comes to the dark web, the metaphorical back alleys of the internet where buyers can find everything from stolen credit card numbers to databases of login credentials and, of course, physical goods like drugs. Bluestone Analytics as an organization supports national security through their Dark Blue Intelligence Suite. In this sponsored Industry Voices segment, I check in with Joseph DePlato, CTO and cofounder of Bluestone Analytics, for his insights on dark web drug markets.

Joseph DePlato: We define the dark web as a part of the general internet that requires additional input from the user to access. And whether that's a username and password or some type of encrypted application that allows a user to have end-to-end encryption, there's an additional item that the user needs to access this environment.

Dave Bittner: Can you help demystify it a bit for us? I mean, to -- if I -- it was something that I wanted to go poke around and I was curious about, you know, what sort of effort would it take on my part to be able to do that?

Joseph DePlato: Today, it's actually very easy. There's projects like The Onion Router, better known as Tor, which is the most popular dark web that -- that's out there. And there's an app for it. So you can actually download an app for your iPhone or Android device or just download a browser, a dedicated browser for your Mac or PC and then instantly have access to that specific dark web.

Dave Bittner: Well, let's dig into the topic of drugs on the dark web. I suppose it's that age-old thing that, where there's a desire, there's a market. And this is where we find a popular market for drugs.

Joseph DePlato: Absolutely. So you can find nearly any drug that you are looking for within this environment. There are both individual sellers that will run their own sites, as well as drug marketplaces that are run by, you know, a certain organization or certain individual. Or multiple vendors can come in and sell their goods.

Dave Bittner: And how does the marketplace work? I mean, where are the providers getting their product? How do things get paid for? How does it all run?

Joseph DePlato: So it's reputation-based. So it's on the manufacturers or the vendors to ensure that their product is actually good, high-quality, and is not, for lack of a better word, you know, killing their users. So they're finding their drugs or manufacturing their drugs in multiple different places. From our research, from our analytical team, there's a lot of traffic of Chinese-based companies selling what we call precursor chemicals. And then, once you have a precursor chemical, you can ship that anywhere. They're not as regulated or well-regulated like regular drugs. And then you can create other drugs, you know, like fentanyl, which there's a huge opioid crisis in the US. You can create those anywhere in the world and then get those -- get those into whatever country you need. So what you could do is you could buy precursor chemicals from China, let's say, have them shipped directly into the US or Mexico, and then actually manufacture and create the drugs there so you're not moving drugs internationally. You're moving pieces or parts of those drugs internationally.

Dave Bittner: Are there legitimate uses for the dark web here, I mean, beyond the drug markets? I think it has this reputation of being this dark, scary place. Is there another side to it, or does it -- reputation come deserved?

Joseph DePlato: Yeah. So, historically, the whole -- the whole reason that dark web came about was a way for marginalized individuals or citizens of a country who are under a dictatorship or having their rights taken away to get information out of that country into the international community without direct connections back to themselves. So an anonymous way that they can report on-the-ground information without themselves or their families becoming a target of these oppressive governments. And I think of countries like Iran, Russia now, China, even China where, you know, what we see on news might not necessarily be the truth on the ground.

Dave Bittner: Are there any of these chemicals that are of particular concern to you, that are particularly troublesome?

Joseph DePlato: Yeah. So essentially any synthetic opioid. So there's one synthetic opioid in particular, isotonitazene, that has its potency when compared with other opioids is a lot -- a lot greater. It's more potent than morphine, with estimates ranging anywhere from 50 to over 100 times more potent than morphine. So this makes it one of the more potent synthetic opioids, although there's even more potent substances out there like carfentanil. When you compare those opioids like fentanyl, another synthetic opioid, it's approximately 50 to 100 times more potent than morphine, as well, given the potency of isotonitazene in a similar range. And the two can be considered roughly comparable in strength. But, again, that's the issue with these synthetic -- synthetic opioids is the potencies can vary based on how they were produced, right. Unlike pharmaceuticals, like actual we'll say legal drugs that have a pretty substantial and reviewed manufacturing process, you know, these don't. People are making them, you know, anywhere. Cartels are making them in warehouses and people's basements. You know, it's difficult to have a consistent strength when you're not consistently making a batch with the same equipment and the same people every single time.

Dave Bittner: And to what degree are these folks aware of your efforts and actively attempting to thwart what you're up to?

Joseph DePlato: That's a great question. So, you know, we do monitor our back end. And, obviously, we have to have our security team and security crew need to have their T's crossed and I's dotted. Oftentimes when we publish reports, and we publish public white papers that we'll push off to various government agencies and throw up on our websites, oftentimes after those reports are published we do see sudden spikes in traffic, let's say, against both our website, as well as our tools coming from, you know, various countries. And I'm not going to name those countries, countries on here. But it does make you a target. But, beyond that, what type of target is unknown. To date, we really haven't had any major compromises. So it's hard to know what specific information these groups are actually looking for. And, at the end of the day, we're just a small company, right? To them, it might be more effective to go after the actual government agencies themselves versus, you know, a small crew that's just trying to do good in the world.

Dave Bittner: You know, for the folks in our audience who are security professionals, what's your advice for them keeping an eye on these markets, to have intelligence into these sorts of places? How do they dial that in, in an effective way?

Joseph DePlato: It really depends on the tooling that they have on their back ends. However, I am a huge fan of consuming threat intelligence. And my recommendation would be to pull up as much white papers and as many -- as much information from experts that are in this space that are actually going in there collecting and aggregating this information and presenting it in a digestible way or purchasing a threat intel feed or an API from some of these vendors that you actually have that information in your specific system so that, when you're doing searches, when you're looking for selectors or trying to find correlations, you have the biggest view and the biggest net possible to catch whenever you see anomalous activity.

Dave Bittner: That's Joseph DePlato from Bluestone Analytics. The folks at application and network performance monitoring company NetScout recently shared the latest edition of their biannual DDoS Threat Report, documenting the trends they're tracking in distributed denial of service incidents. Richard Hummel is Senior Manager of Threat Intelligence at NETSCOUT, and he joins us with insights from the report.

Richard Hummel: One, we have more DDoS attacks than we've ever had. Two, the adversary has gotten wise to many of the defensive postures and have changed tactics. Three, there's different kinds of infrastructure being used to deploy these attacks in ways that we've not seen previously. Four, vectors are still being discovered, which means new things that adversaries are using and defenders have to come up with ways to mitigate. We also have the encrypted traffic that's causing issues. We have DNS query floods attacking DNS servers, authoritative recursive, you name it. We have all of this different methodology employed in place. And so I would say where the State of the Union is, we're in a hot mess. And DDoS attacks are kind of surging in levels unprecedented, whether it's methodology, it's direct path attacks, it's button-based attacks, it's attacks against application layer, kind of web app, websites, things like that; geopolitical hacktivism involved in DDoS at levels we've never seen before. You've got Anonymous Sudan. You've got Killnet. You've got D-Dasha. You have all these different gangs out there. We had this spurt of financially motivated DDoS extortion is what we would call it. So I would say that we're further down the creek than we wanted to without all of our paddles.

Dave Bittner: Well, let's dig into some of the details of the report here. But what were some of the highlights that caught your eye?

Richard Hummel: I think the biggest thing that has changed for us or not really change, per se, is that, every time we think we've reached a new watermark, the watermark just disappears. And we're, wait a minute. Where are we at now. And we're doing things with our data now that we've not previously done to kind of predict, not necessarily predict but try to get a better understanding of what's happening at the -- in different nuances. Let me put it this way. When you go and you look at the DDoS threat landscape and you say wow, NetScaler saw 13, 14 million DDoS attacks in this year. You're like, wow; that's a lot of attacks. And if you look at all of the other DDoS reporting out there, many of them will say, well, we saw 30,000 attacks in a year. Well, we see like 44,000 DDoS attacks per day. And that is a conservative estimate. I would say that that's a drop in the bucket compared to what actually is out there. The reality is, is that many of the DDoS attacks that are launched by adversaries just go completely unnoticed because they don't cause a ripple effect. They don't cause downstream damage. There's a lot of things to consider here where service providers are like, you know what? Okay. It's a DDoS attack. But do I really care? Is it really knocking anyone offline? Can I just saturate across my network? And so I would, you know, put a thought provoking question out there. Is 14 million attacks really what we see in a year, or is it more like 200 million. And that's actually something that I've been spending a lot of time on and researching. And when we actually go live with our webinars sometime mid-October for the Threat Report, we're going to talk about something called a DDOS tax. We're going to talk about something called the calculated ceiling of DDoS attacks. And both of these are, look. DDoS attacks are always there. They're always present. They're always underlying normal internet traffic. 
And, also, the actual numbers of these things are way higher than we even think or what we report typically. And so I would say that, if there's a watermark, if there's a record, it's there to be broken. And at some point in time it's going to be broken. And that's really kind of what we've seen time and time again. This is our 11th report. So five and a half years now we've been doing this. And that's really -- every single time, we don't think something's going to get broken. And guess what? It gets broken. And so DDoS attacks, the methodology, the different vectors of what adversaries are doing, how they're innovating, how infrastructure is changing, that's really kind of the most surprising to me. There's a couple of, you know, individual key findings in there, that were also a little bit eye opening. But I would say that's the biggest one is just understanding that, no matter what we think is the ceiling, we need to think again.

Dave Bittner: And where do we stand in terms of being able to adequately defend against these attacks? Are the tools that we have today up to the task?

Richard Hummel: Absolutely. I think if the right tools are chosen, the right solutions are in place, and the right training is present, as well as that periodic retesting, that's going to solve your problems. Now, let me put it this way. Do you need DDoS protections, mitigations, providers from NETSCOUT? Now, this could be, you know, biased a little bit. I will say we have the best solutions. But practicing things like BCPs, or best current practices, making sure that your systems are patched, making sure you have proper segmentation and isolation of your network, make sure your crown jewels are taken offline or inaccessible to the public, making sure that you have redundancies in place, if you follow BCPs, that's like 80% of the way there. It's the extra 20% where you need the solutions. You need something -- if you're an enterprise, you're a large enterprise, you need something on prem. Why? Because a service provider has hundreds, thousands of downstream subscribers and enterprises that they have to protect at the same time. Now, if you have 1000 people being attacked at one time, can you dedicate the resources necessary to make sure that this one entity over here is always protected and always going to get the best, absolute possible protection that your upstream can provide? Chances are, it's probably not, right? So if you're an enterprise and you have to maintain your always-up posture, then you need to make sure you have something online protecting you from packet 1. You can't wait for the service provider to free up or have capacity or trigger some really high bandwidth throughput threshold that's just way too high for you. So enterprises must have an on prem. You must have it in mind. You also don't want a stateless because the problem a lot of enterprises make is they try to defend DDoS with firewalls. Firewalls are not designed for this.
You want your firewall focused on the more insidious threats, the things where you need to reassemble the sessions, you need to examine inside those packets to understand the payloads. No. You need a stateless device here that says, I'm going to just drop all this stuff here because I know it's bad. Now, that's not even a full solution because what happens when you get 100 gig attack? Now the on-prem solution for an enterprise doesn't scale, right? Maybe you can go up to 100 gigs. But what about the 300 gig attack? Maybe you're a really massive enterprise that happens to get into the world stage in politics. And now you've got Killnet, and you've got Anonymous Sudan and all these guys coming after you, launching these big attacks. Is it going to suffice that you have this on-prem in line? No. Now you need to have upstream protection as well. So when your on prem is overloaded, you can signal up to the cloud. You can signal up somewhere else to say, hey. I need help with these. If you're a service provider, now you've got to worry about all these subscribers. So you have to have massive capacity and skill. Then you have others that maybe can't afford these different things, so you're looking at a cloud-only solution, just to protect maybe a few websites or a few different assets. So there's a lot of different scenarios here. And I would say that the solutions in place absolutely work, but you have to have the solution in order for it to work.

Dave Bittner: That's Richard Hummel from NETSCOUT. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.