Notes on Tortoiseshell. Fancy Bear snuffles around embassies and foreign ministries. Poison Carp targets Tibetan groups. GandCrab unretires. And Chameleon’s curious spam.

Dave Bittner: [00:00:03] Tortoiseshell is trolling for military veterans. There's been a fresh Fancy Bear sighting. The transcript of a conversation between the U.S. and Ukrainian presidents has been released. Citizen Lab warns that Poison Carp is actively working against Tibetan groups. A zero-day afflicting vBulletin forum software is out. GandCrab comes out of retirement. And there's an odd spam campaign in circulation that looks like phishing but seems not to be. 

Dave Bittner: [00:00:36]  And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Learn more at lookingglasscyber.com/contactus. That's lookingglasscyber.com/contactus. And we thank LookingGlass Cyber for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met, at bugcrowd.com. 

Dave Bittner: [00:02:12]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 25, 2019. Cisco's Talos intelligence unit has blogged a contribution to discussion of the Tortoiseshell threat actor that Symantec described last week. Symantec outlined the ways in which Tortoiseshell had sought to insinuate itself into the supply chain by hitting IT providers in the Middle East, especially in Saudi Arabia. The Symantec report noted circumstantial similarities between Tortoiseshell's code and the Iranian threat actor APT34, also known as OilRig. But they were quick to point out that this counted for next to nothing in terms of attribution since that code has been blown and publicly available to anyone for months. 

Dave Bittner: [00:02:59]  Yesterday, Talos blogged that Tortoiseshell is believed to be behind a bogus job site designed to attract U.S. military veterans and others who may wish to support them in their search for employment. Those who visit the site are liable to infection with malware that has both reconnaissance and remote access functionality. The reconnaissance malware has the internal name Liderc and retrieves information about the victim's system, including information that could identify whether the malware is running in a sandbox. The RAT is called IvizTech, and it does what such RATs do. 

Dave Bittner: [00:03:37]  Talos agrees with Symantec that the operators behind Tortoiseshell show poor opsec, but they think that in this case they may make up in volume what they lose through carelessness. Lots of people like veterans and are happy to help them find jobs, after all, and the URL of the malicious site is close enough to that of a legitimate U.S. Commerce Department site so that it might deceive the unwary. 

Dave Bittner: [00:04:00]  A note on circumstantial attribution. Liderc is the name of a maligned creature from Hungarian folklore that typically manifests itself as a bird. What does this mean for attribution? Not much. The hacker world isn't terribly sensitive about cultural appropriation. Fancy Bear has returned to a familiar foraging ground and with a familiar tool. The group has resumed its use of the Zebrocy toolkit against embassies and foreign ministries in Eastern Europe and the Middle East. ESET, which says this renewed activity dates to late August also notes that Zebrocy's suite of downloaders, droppers and backdoors has shown some evolution into marginally more effective forms. Like all thread groups, Fancy Bear goes by many names. It's also known as Sednit, Sofacy, Group 74, Strontium and APT28. But if you're keeping score at home, Russia's GRU military intelligence service is always the man behind the curtain. The group's interests, in this case, lie in espionage. 

Dave Bittner: [00:05:04]  Speaking of Fancy Bear, recall that the group came to prominence in the wake of its intrusion into the U.S. Democratic National Committee, unmasked in 2016. The company the DNC called in to investigate was CrowdStrike, which seems to be why CrowdStrike is mentioned in the transcript of a phone conversation between U.S. President Trump and Ukrainian President Zelenskiy at the White House, released to assuage the curiosity of Congress. President Trump appears to ask his counterpart in Kiev for assistance in investigating either Fancy Bear's incursion or the content of what Fancy Bear found. Expect to hear more about the transcript and CrowdStrike as the U.S. House chews the matter over in coming weeks. 

Dave Bittner: [00:05:50]  It's common to hear security folks say something along the lines of, it's not a matter of if you get breached, it's a matter of when. But once someone gets in, how do you slow them down and keep them from having run of the place, jumping from one system to the next? Tim Keeler is CEO and founder of Remediant, a company that offers privileged access management. 

Tim Keeler: [00:06:10]  With lateral movement, that's when you establish a single system as your - kind of your starting base, your foothold. And then, you know, based from there, you take whatever you can get off of that machine that helps you move to other systems on the network. And, you know, it's kind of the initial starting point for an attacker. But ultimately, they have some objective, whether it be intellectual property, or customer data or financial motivations. That's kind of the ground zero. And lateral movement allows them to, you know, move to other systems that gets them access to that data. 

Dave Bittner: [00:06:44]  So is the notion here that there may be, I don't know, perhaps lower-level people within a company whose systems might not be as fortified as, say, the CEOs, for example? And so it might be easier to get in via their machine and then move on from there? 

Tim Keeler: [00:07:00]  Without a doubt. And I think this is why we see, you know, spear-phishing or phishing campaigns being so successful among attackers. You know, the technical sophistication is extremely low. But it's like, let's just, you know, blast this out to a large organization, and you always are guaranteed some percentage of success. And that really establishes your initial foothold, from an attacker's perspective. 

Dave Bittner: [00:07:24]  And so how much of organizations' defenses these days are set up to protect against this? Is it - you know, I think people have this image in their mind of, you know, the castle walls or the moat around the castle and trying to keep people out that way. But it sounds like with lateral movement, they're already inside the castle. 

Tim Keeler: [00:07:43]  Yeah. It absolutely is true. And I think one of the biggest shifts in cybersecurity is, you know, you know, kind of rewind the clock 20 years. Everyone was focused on protecting the firewall and protecting the network. Very rarely did you see anyone, you know, figuring out how to protect the human. And now there's been this, you know, mad scramble. And that's probably one of the most challenging aspects of cybersecurity is, you know, protecting the human and preventing them from going into a malicious webpage or clicking on a link that installs some malware. And, you know, I think we've found that it's just extremely difficult to do. 

Dave Bittner: [00:08:18]  We also wanted to chat about what happened back in 2017 with NotPetya. I mean, that's a prime example of this as well, yes? 

Tim Keeler: [00:08:25]  Yeah. Absolutely. And, you know, and this one was very unique because obviously, you know, it came from, you know, a nation-state actor and, you know, kind of overstepped its boundaries in terms of what it was targeting. But the - kind of the real interesting aspect of this was, you know, this is the first piece of malware that had some very sophisticated credential harvesting. And it was - it's one thing to leverage a zero-day exploit to infiltrate systems, but then when you take that in addition to, hey, I want to see what credentials are exposed on this system, harvest those and then use those credentials to then propagate the virus and malware even further - that was just kind of a level of, you know, of attack that changed techniques all around. And I think we're going to see a lot more of this as the next generation of malware. 

Dave Bittner: [00:09:12]  And so what are your recommendations in terms of people protecting themselves against this? 

Tim Keeler: [00:09:16]  You know, kind of the key one with NotPetya was, you know, the credential harvesting aspect. The first thing it did was target credentials that had administrative privilege, whether it was on that system or on other systems. And then it was, you know, very intelligent, where it would start going, you know, to other systems on the network, using those credentials to see, hey, what's the scope of admin privilege here? And that's where it was able to spread so, so quickly. 

Tim Keeler: [00:09:43]  It really boils down to understanding who has administrative privileges, whether it is on servers and, more importantly, in this case, workstations. But then, you know, really instilling some of the principles of least privilege and zero trust we've been talking about in the industry for so long. Let's, you know, let's try to reduce and remove and, you know, and take away the mitigation of admin credentials. 

Dave Bittner: [00:10:05]  That's Tim Keeler from Remediant. 

Dave Bittner: [00:10:08]  The University of Toronto's Citizen Lab describes a campaign directed against Tibetan groups by a threat actor the lab calls Poison Carp. Citizen Lab says, quote, "between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists and other fake personas," end quote. The links in the messages led to the installation of exploits in the targets' mobile devices. A successor to GhostNet, the campaign has used a suite of Android and iOS exploits. Its typical infection vector continues to be social engineering, which Citizen Lab calls clever. 

Dave Bittner: [00:10:51]  It's one-click installation of mobile exploits is new to the Tibetan targets, who have become aware of and suspicious toward better-known phishing attempts, like the classic malicious email attachments. Reuters observes that this appears to be the same threat actor that's been active against China's predominantly Muslim Uyghur minority. The Tibetan diaspora has represented an irritant to Beijing since China reoccupied the country in 1950 after 37 years of independence. 

Dave Bittner: [00:11:21]  An anonymous researcher has published a zero-day affecting the widely used vBulletin web forum software. ZDNet says the vulnerability is a pre-authentication remote code execution bug. It's unclear whether the posting was done with malign intent or simply amounted to a bungled disclosure, but it does suggest that organizations using vBulletin should look to their defenses. 

Dave Bittner: [00:11:44]  Few will be surprised to hear that the GandCrab gang has returned from retirement. SecureWorks reports that the group has reassembled itself and is responsible for attacks using REvil ransomware, also known as Sodinokibi. GandCrab, at the end of May, announced its retirement on the hacking forum it had used since 2017. The announcement amounted to a kind of virtual sack dance. We successfully cashed this money and legalized it in various spheres of white business, both in real life and on the internet, the extortionists crowed, and then added, we are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come. 

Dave Bittner: [00:12:25]  They seem to have spent less than three months in that active-senior community they were heading for. Perhaps the black market's 401(k) wasn't up to expectations. At any rate, they're back and back doing the same kinds of things. To their proof that retribution does not come, one must add, yet. There are plenty of law enforcement agencies eager to offer hospitality to GandCrab. Whatever name they're operating with, it seems to be the same old crew. 

Dave Bittner: [00:12:57]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response with a hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. That's one reason enterprises value the SOC Visibility Triad, Gartner's framework that helps teams like yours scale security and business operations safely and cost-effectively. When you combine network detection and response with endpoint protection and SIM, you have the visibility, threat detection and automated response capabilities you need to secure and support cloud growth. Learn more at extrahop/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:13:56]  And joining me once again is Ben Yelin. He's the program director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security. Ben, always great to have you back. We had a story come by today. This is from The Washington Post. This is their Cybersecurity 202 section. And it's written by Joseph Marks. It's titled, "White House Blocking Congress from Auditing its Offensive Hacking Strategy." Take us through what's going on here. 

Ben Yelin: [00:14:22]  So about a year ago, the White House developed an offensive hacking strategy to go after our adversaries, like Russia and Iran, basically, in case they attack our cybersecurity, our computer systems. It's a way of using offensive hacking strategies as a military weapon. So we have defensive capabilities and offensive capabilities. Generally, these strategies would be given to the relevant congressional committees of jurisdiction. But the chairs and ranking members of those committees claim that they have not been able to get access to these policies and therefore have not been able to perform oversight. 

Ben Yelin: [00:15:02]  So the controversy at this point is that the chairman of the relevant House subcommittee has said they have not seen the policy. There's frustration on both the Republican and Democratic side that they're not able to evaluate the strategy, provide congressional oversight and perhaps offer the White House some guidance as to how to conduct this policy. 

Dave Bittner: [00:15:29]  Now take me through some of the background here. I mean, we're talking about coequal branches of government. We're talking about, you know, Congress's ability to declare war, and how does that venture into cyberwar or not. There's a lot in play here. 

Ben Yelin: [00:15:46]  Yeah. So Congress, according to our Constitution, does have the sole power to declare war. That's become a bit of a murky power in the last half-century or so. As a matter of fact, the last declared war was World War II. Oftentimes, we've had these mini-war declarations. Of course, most recently, the authorization for the use of military force in 2001, which justified the war in Afghanistan and general military operations relating to the war on terror. And it's sort of been used as a catchall justification for all other types of counterterrorism military strategy. 

Ben Yelin: [00:16:23]  When it comes to cybersecurity, we haven't really come up with a legal framework in terms of thinking about it the way we look at traditional war powers. Congress of course, has not declared a war, cyber or otherwise, on either of these countries. But generally, the president has Article II authority as commander in chief to protect the defenses of the United States. And I think both parties on Capitol Hill will agree that that would encompass using offensive hacking strategies in case our cyber systems are attacked. 

Ben Yelin: [00:16:57]  I don't really think that's a matter of controversy in this dispute. I think the issue is their ability to provide guidance and oversight. Now, the White House will say this is classified material, we're afraid of leaks. And I think those concerns are very valid. But we have processes in place so that members of Congress can get access to these classified briefings in a classified setting. So for the most classified material, it usually goes through what's called the Gang of Eight, which is the leadership of each house of Congress and the leadership of the relevant committees. So the Senate Intelligence Committee and the House Select Committee on Intelligence. 

Ben Yelin: [00:17:39]  But for something like this, that I don't anticipate would be at the level of needing to go to the Gang of Eight, I think the subcommittees of jurisdiction which are mentioned in this article - the House Armed Services Committee Cybersecurity Subcommittee being first and foremost - I think it would be customary for those committee members to get access to this classified information. And I think that's the source of the concern and the frustration. 

Dave Bittner: [00:18:07]  Does Congress have any ability to force the White House's hand here? 

Ben Yelin: [00:18:13]  So the one avenue they do have, of course, is attaching a rider to a must-pass Department of Defense policy bill. So the Defense Authorization Act. That bill authorizes all types of defense programs annually. A version of the Defense Authorization Act has passed both houses of Congress, and they are currently reconciling their differences. What some members of the House have suggested is that there needs to be a provision attached to that bill mandating the release of this offensive hacking strategy to the relevant congressional committees. If the Trump administration stuck to their guns, that could, of course, cause a standoff. 

Ben Yelin: [00:18:54]  They might say, we're not going to approve this defense authorization bill if it includes this rider that we have to release offensive hacking strategies. You know, will they torpedo a defense policy bill, which is generally supported by a majority of members of both political parties? I have my doubts about that. But, you know, it's certainly something that's now going to be part of negotiations on that must-pass piece of legislation. 

Dave Bittner: [00:19:20]  Hmm. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:23]  Thank you. 

Dave Bittner: [00:19:29]  And that's the CyberWire. 

Dave Bittner: [00:19:30]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat-management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:41]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.