
Call of the Cyber Duty (A Global Cyber Challenge)
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello and welcome to the Microsoft Threat Intelligence podcast. Before we get into the main part of the episode though, I have a special guest here who is going to talk to you about an event that we want you to join, and yes, you can do it from home. Everyone, I have with me Henning Rauch, also known, I got pronunciation lessons before we start. Also known as Professor Smoke. Henning, tell us what's coming up on June 8th for everyone.
Henning Rauch: Well, thank you so much for your super nice introduction and really good.
Sherrod DeGrippo: Oh, really good. Okay.
Henning Rauch: So, what's coming up on June 8th? Yes, one of the biggest events in cybersecurity. It's Call of the Cyber Duty.
Sherrod DeGrippo: So, it's a challenge that people can participate in.
Henning Rauch: That's correct.
Sherrod DeGrippo: And how much time do they have to play?
Henning Rauch: Well, first of all it's the latest and greatest version of our Kusto Detective Agency. So, it's a gamified learning platform which we created and designed and developed for people to sharpen their Kusto language skills, to engage in data-driven challenges. Now Call of the Cyber Duty is probably the most ambitious season of this series. It's the latest one. And unlike previous seasons like the first ones, it's transforming the usual challenges and the form of the usual challenges into a high-stakes, hackathon-style race. So, we've been sponsored by Wiz, Check Point and Microsoft Threat Intelligence, and the great thing about it which makes it really different compared to the previous seasons is that players or participants can play either solo or create a team of up to six people. And the fastest team is going to win $10,000.
Sherrod DeGrippo: Right, there's a $10,000 prize. That's sweet. So, get a friend and you could work out between the two of you, 5k.
Henning Rauch: Absolutely. Yes. That's exactly what we are going to do. So, exactly what teams are able to do, right?
Sherrod DeGrippo: So, tell me just for those who don't know, KQL, or Kusto Query Language, what is the primary usage for KQL?
Henning Rauch: So, KQL as you correctly said is Kusto Query Language. So, it's available in the engine called Kusto. And Kusto is something that's really huge. So, it's the engine of data platforms such as Azure Data Explorer. And other teams in Microsoft use that platform to create services on top. Like [inaudible 00:03:25], Sentinel. So, essentially all Microsoft security data is landing some way or one way or the other in this data platform, so it's super crucial for people that deal with Microsoft security products to learn this language.
Sherrod DeGrippo: I want to give people listening to the podcast any hints or clues that you can share that will give them a little bit of an inside advantage. Any suggested tips for doing well at the Call of Cyber Duty.
Henning Rauch: Okay, I can definitely do that. So, definitely brush up your KQL skills. Right, we have a couple of learning experiences. Probably the best way of preparing for the season, for the latest season is playing the old season. So, you can go to the website, detective.kusto.io and you can play the old seasons. Season one, season two, and a couple of other things that have been released. That's probably the best way of preparing for it, and it can also give you a small little hint as my alter ego Professor Smoke and the good tradition of the second season we are going to release some new functionality. Professor Smoke is going to give you some information how to use it. So, that's probably pretty much everything that I can give you. The rest is classified.
Sherrod DeGrippo: Okay. That seems fair. I have a tip even though I have never played the Call of Cyber Duty before. I am going to check it out when it starts on June 8th, but you can use Copilot to help you build Kusto queries. I mean come on. Use the AI. It's there. I have found a lot of use in both Copilot and ChatGPT, which are the primary LLMs that I use, for formatting everything. Like regexes, everything to get you expanded to where you want, and you can kind of go back and forth and say, "Oh, that was too much. That isn't exactly right." So, you can always get a little help from your AI friends. Professor Smoke and your AI friends are there to help you.
Henning Rauch: They are. That's definitely true. So, maybe one more little hint. You can try our MCP server, but that's it guys. So, no more hints.
Sherrod DeGrippo: Is Professor Smoke a hero or a villain? We don't know? It's unknown.
Henning Rauch: It's not unknown. The Kusto Detective Agency saves Professor Smoke from many villains, one of them being Krypto, and this time Professor Smoke is again going to help. But who knows?
Sherrod DeGrippo: I love it. I love that Professor Smoke is a German guy with the last name of Rauch. Well, anything else that we should know before we sign off giving everyone a couple of hints for the new Call of the Cyber Duty? Henning, what should people know before June 8th?
Henning Rauch: Join our event on June 8th. It's the largest cybersecurity event ever in the entire history of the world. It's called Call of the Cyber Duty. It's an event of the Kusto Detective Agency. Join them June 8th. Form a team or play solo. Whatever you do, play it and have fun.
Sherrod DeGrippo: That sounds great. And we'll put in the show notes for those listening all of the links to the official trailer, the page where you can register, and if you just want to go check it out, it's detective.kusto.io, and you can learn all kinds of things there. Henning, thank you so much for joining us. I really hope to have Professor Smoke back sometime to learn scary secrets from him. He sounds very intense and German. I love it. Thanks for joining us.
Henning Rauch: Thank you so much. Thanks for the invitation, Sherrod.
Sherrod DeGrippo: Okay everyone, go play. Try to beat me. [ Music ] Hello and welcome to the Microsoft Threat Intelligence podcast. Thank you so much for joining us. Love getting some of the questions and comments that I got. When I went to RSA a couple of weeks ago, lots of people came up to me and told me their thoughts about the podcast, which were all positive fortunately, and we've got another great episode for you. I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft. I am joined by two of my Microsoft colleagues. I have Rebecca Light with me. She is a security researcher here at Microsoft. Welcome, Rebecca.
Rebecca Light: Hello. Hello.
Sherrod DeGrippo: Thanks for joining us. It is Rebecca's first time. And our returning guest, Anna Seitz, also a security researcher at Microsoft. Anna is an old pro that you all probably remember. Anna, thanks for joining us again.
Anna Seitz: Thanks for having me back.
Sherrod DeGrippo: It's great to have you back. We've got some really cool things to talk about this week. Aqua Blizzard and Secret Blizzard, in collaboration as well as a little bit later, we're going to talk about DarkGate and ClickFix. So, a bit of a malware rundown for some of you. If you like malware, stick around for that one, but first, let's talk about this situation with Aqua Blizzard and Secret Blizzard potential collaboration. Anna, can you kind of give us a quick rundown of Aqua Blizzard and Secret Blizzard and what they're all about.
Anna Seitz: Absolutely. So, it's interesting that we're seeing this collaboration between Aqua Blizzard and Secret Blizzard. They actually are affiliated with the FSB, Russia's Federal Security Service. So, this is kind of the first time that we've ever seen them collaborating like this. The activity that we've been seeing started back in February 2025 where Aqua Blizzard and Secret Blizzard were compromising Ukrainian military devices.
Sherrod DeGrippo: So, let's also quickly for anyone listening, Secret Blizzard is also known formerly as Krypton. They're also referred to as Turla, Venomous Bear. And then for Aqua Blizzard the AKAs there are Actinium, Gamaredon, UNC530, and Primitive Bear. So, if you're collecting all the Pokémon, those are the names that you will need to know. So Anna, tell me sort of what do we see in terms of these two threat actor groups collaborating? Have we nailed down what exactly might be happening there?
Anna Seitz: Yes, so Microsoft had observed Secret Blizzard deploying a PowerShell script on seven Ukrainian military devices that had been previously compromised by a separate Russian threat actor which was Aqua Blizzard. And on at least three of those devices, Secret Blizzard had a custom tool which was Kazuar V2 and shadow loader, which is a backdoor that decrypts and runs Kazuar, which was observed. And Microsoft assesses with high confidence that both of these threat groups are collaborating to access these devices with Aqua Blizzard facilitating the initial access operations on behalf of Secret Blizzard.
Sherrod DeGrippo: All right, there's a lot to unpack there. So, I want to start with the malware piece, the Kazuar V2, and then I want to talk about A team, B team. So, that malware is a backdoor. It allows longer term persistent access. It allows control over systems. So, some basic RAT capabilities, remote access trojan capabilities. It can do command execution, data theft, and it has a couple of techniques within it for evasion. So, that malware was not actually deployed until after Aqua Blizzard had already compromised those systems. Anna, I know you can tell what I'm thinking. This reminds me of BadPilot.
Anna Seitz: Absolutely. I think it's certainly becoming a clear pattern. Back in the BadPilot campaign that's where Seashell Blizzard had that subgroup.
Sherrod DeGrippo: So, that's the malware. But what's interesting here is that Secret Blizzard only deployed that malware after Aqua Blizzard did the initial compromise. And so, what this mirrors, if you're listening to the podcast, as you should, you should listen to every single episode, they're all gold. We did an episode and a blog post about Seashell Blizzard using an initial access group that was called the BadPilot campaign if you want to search that up. It's a full write up on the threat intelligence blog for Microsoft. So, Anna, I am seeing, what I would say now, this is the second one. So, we're looking at a pattern building of sort of these really capable threat actor groups leveraging the initial access of a different group. It sounds like they're almost using the crimeware style, initial access broker capability and then sending in another potentially more sophisticated, but certainly more established threat actor group. So, previously in the BadPilot situation, we saw Seashell Blizzard leveraging initial access done potentially by another group. In this case, we are seeing Secret Blizzard leveraging initial access brought by Aqua Blizzard. Can you kind of help us contextualize that a little bit?
Anna Seitz: Right. So, what we're seeing is instead of one group having the consistent techniques and procedures that's all encompassing of that one group, now we're seeing them bleed into other groups and also operate for different - especially in the case with the Blizzards. Different intelligence directorates of Russia. They are easily perhaps working together for that initial access component, and then they're handing off to a secondary group. So, this has happened with that BadPilot campaign, and it's also happening here. And we've also seen it even Aqua Blizzard has been operating with other Storm groups as well. So, we just published on Storm-0593, which has similar handoff capabilities where Aqua Blizzard is conducting initial access and now handing off to another Storm actor as well. Just to jog everyone's memory, the Storm actors are the actors that are still in development and haven't quite graduated to being officially named one of our weather pattern official groups yet.
Sherrod DeGrippo: That's important to note. In the previous naming scheme these were DEVs. They're now Storms. Essentially they're still in development. For those of you who are threat intelligence analysts, you know that confidence levels are really important, and Microsoft generally does not elevate a Storm or DEV actor until confidence is pretty high and that we have a really fully fleshed out actor profile to associate with it. I've never seen such rigor with threat intelligence as I have seen at Microsoft, and it's something that's taken extremely seriously. So, it would not be a Sherrod DeGrippo event without me trying to tie this back to crime. This seems really similar to the criminal model for financially motivated threat actors where there's an initial access broker capability. Do we have any indicators that there's some use of tooling or infrastructure that's also crime associated here?
Anna Seitz: That's a really good question. I think when we're looking at all of these events, and especially how different threat actors are now handing off to other threat actors as part of other military intelligence units or whatnot, it's become this crazy ball of yarn. Trying to figure out is this for espionage? Is this for crime? And I think it seems to be a little bit of everything. Just to go over Secret Blizzard's MO is that they are typically trying to gain long-term access for intelligence gain into systems. And then Aqua Blizzard is primarily concerned about targeting organizations in Ukraine. But I do think it's absolutely possible, and I think there has been some evidence based of the crime component to all of this as well.
Sherrod DeGrippo: That's really interesting. I think we're seeing what makes attribution more and more complicated when tools and infrastructure begin to overlap, particularly when it begins to overlap with financially motivated or crime actors, it just kind of makes the playing field muddied in a way that makes it really difficult to put high confidence attribution on things. To untangle sort of the knots of who owns this infrastructure. I mean I know in my career I have definitely seen infrastructure double compromised. People talk about that all the time especially things that are just kind of hanging out there. I won't mention any of those content management systems that have admin panels that just end up getting hammered by a variety of threat actor groups and used for social engineering, but sometimes we see that. I think it's possibly a sort of new way of the future that maybe Russia is creating a process-oriented approach to these compromises. Anna, do you think that we'll see this initial capability and then bringing in the next threat actor group going forward? Is this something that you think might build more? Would we want to have you on another podcast in a month or two talking about this again?
Anna Seitz: I will say we'll put this on the docket for next time. I definitely even just looking at some of these storm groups, to kind of go sideways a bit, some of these groups could even just be speculating and operated by contractors, government contractors. I mean I think it's definitely a military/criminal ecosystem that just seems to be prevalent even from the times of day that people are operating. The times of the day and the times of the year that some of these campaigns are ongoing. So yes, absolutely. I think it's certainly a model that seems to be getting a little bit more clear to us as security researchers as we continue to investigate. But yes, it's a very fascinating thing.
Sherrod DeGrippo: So, speaking of contractors, I think that's just something I'll mention really quickly for listeners. We also track private sector offensive actors. They're also referred to as cyber mercenaries at times by some groups within Microsoft. MSTIC typically refers to them as PSOAs or private sector offensive actors. Those are tracked under the Tsunami name. So, Russia is Blizzard. China is Typhoon. Iran is Sandstorm. North Korea is Sleet. Criminal is Tempest or financially motivated is Tempest, and those PSOAs are tracked under Tsunami. If you want to see more about the naming scheme and a list of all of the different countries that we track and their associated names, you can go to aka.ms/threatactors. Not only can you read a nice blog; that's how it all works, but you can download Excel format, and we got JSON for you too for the nerds. So, go and check that out. Anna, what else should we know about this campaign in terms of this collaboration between Aqua Blizzard and Secret Blizzard?
Anna Seitz: I think the most important thing to take away from this is that this is a shift in tactics which is always interesting to us as researchers. So, Aqua Blizzard and Secret Blizzard have increasingly focused their targeting on Ukrainian military targets, and this has been something previously reserved for Russia's Main Directorate of the General Staff of the Armed Forces, or GRU. These military intelligence actors. And this is demonstrating the shift in Russian strategic operations in Ukraine that aligns with Russia's military doctrine.
Sherrod DeGrippo: Got it. So, it sounds like there is some escalation there. There's some new process and technique there. As Anna mentioned, when threat actors change techniques it's concerning but it also has some, in my optimistic Pollyanna point of view, it does have some indications that defenders are winning to some degree. Threat actors will continue using the same tactics for as long as they work. And my focus on crime, I think it still applies to nation sponsored actors. If the TTPs work, the TTPs will go on. If the TTPs work they will persist. Threat actors don't generally change what they're doing if they're getting what they want. That's just kind of a rule for life whether it's spiritual, philosophical, or technical. You change what you're doing until you get what you want, and then you just have what you want, and you keep doing what gets it for you. So, I think ultimately seeing threat actors make changes to the way they operate is an indicator that we've had some success. Anna, do you think that's right from the defense side of the house? From defenders?
Anna Seitz: Totally. I totally agree with that. It's good and bad. It's a definite - if they're changing tactics, that means, yes, you're right. Something is not just working for them.
Sherrod DeGrippo: Anything we need to share here for defenders in terms of better security capability? Anything that you would suggest that organizations can do here in light of this threat?
Anna Seitz: I always say the most significant thing in any of our recommendations is to implement the attack surface reduction rules that we publish in collaboration with these investigations. Those are probably the number one thing that will get you started in the right direction. Another thing that you can do in this particular instance is to just review additional monitoring and hardening recommendations, and we have a profile based on that PowerShell abuse technique profile that you can go check out as well. So yes, there's a lot of recommendations there but as far as starting small and continuing to build out I would say that ASR rules are probably number one.
Sherrod DeGrippo: Got it. And I think something that I would just say from a mindset perspective in security, this Kazuar V2 malware is absolutely one that's out there on the landscape. It's available to get. Lots of threat actors can use it. I think that there is something to be said for understanding when you see malware you can't do attribution based solely on that malware most of the time. Ninety percent of the time you can't just say oh it's this malware therefore it's this actor. Even more so now as we're seeing threat actors leverage these initial access teams, entity groups, whatever you want to call it, as that gets more prevalent the ability to do attribution based off malware is even less of the right direction. So, keep in mind, use of malware very rarely ever is a direct indicator to attribution. Anna, that was a fantastic overview of the Aqua Blizzard and Secret Blizzard collaboration. Okay, Rebecca, kind of explain what ClickFix is, how does that differ from standard malware delivery?
Rebecca Light: Yes. So, ClickFix is a little bit tricky. It tricks the user. So, what it does is, in this particular campaign, it used Google ads to redirect the user to a malicious site. And then the ClickFix-- when the ClickFix comes in is when a little box pops up and it's a fake verification page. And what it does is it has the victim copy and paste malicious code right into their system which then goes to the malware. We have been seeing a lot of ClickFix lately.
Sherrod DeGrippo: So, let's walk through the attack chain a little bit. The victim or the target is typically shown a fake captcha, is that correct, or some kind of fake verification page?
Rebecca Light: Correct. Sometimes it's a captcha. Sometimes it is an error message of some sort that pops up. In this campaign we saw "verification steps" was the wording on it. In others I've seen "I am not a robot" pop up. It's to emulate the captcha part where they get the victim to click on something, but in reality what it's doing is it's leading to that malware.
Sherrod DeGrippo: Okay, so this isn't malware where it typically downloads a file. It actually gives the targets some kind of prompt, like a fake captcha or some kind of verification page dialogue that the user has to go through.
Rebecca Light: Correct. And it usually guides the victims step by step. So, in this instance it said press this button and this button, and then press control v. And what's happening in the background is the malware is starting.
Sherrod DeGrippo: So, that's the ClickFix technique, and in this instance we were seeing them leverage DarkGate malware. So, can you tell us a little bit about DarkGate malware and how these two work together?
Rebecca Light: Yes. So, DarkGate malware has been around since 2018. It's not anything new, but what is new is using ClickFix for delivery. Like I mentioned before a lot of times it's delivered through - it just downloads. Like it goes to somewhere and it downloads. There's not a whole lot of user interaction with it in most campaigns. But in this campaign, it just leads the victim step by step to download it. It's a little bit more tricky.
Sherrod DeGrippo: And to talk a little bit about DarkGate from a capability standpoint, it's a keylogger. It can do data theft. So, exfiltration. It has remote access capabilities. And there have been some reports of it potentially deploying ransomware as well.
Rebecca Light: Yes.
Sherrod DeGrippo: And you mention it was active since 2018. So, why is this one still so popular in terms of why it's being used? Do you think it's just the features or it's good innovation? What makes DarkGate so popular?
Rebecca Light: It is. It is pretty good at evasion. It also has continued to change tactics and delivery. So, it started out - there's been campaigns with phishing and with fake updates and ad-based delivery, and now it's kind of swung around to ClickFix. So, the combination is why it's still prevalent. It's started one way. It's gone the other and now it's combining with ClickFix so here we are.
Sherrod DeGrippo: So Rebecca, what else should we know here in terms of ClickFix leveraging DarkGate or any of these campaigns that are going on right now?
Rebecca Light: Well, first and foremost with ClickFix, a lot of times it uses the Google ads to redirect to the malicious sites. So, always check those URLs before you click on them. In this case it imitated the Notion application which is for productivity. And it was typosquatted. So, it was s2 notion I believe was the domain name. So, it wasn't actually the Notion website. It was one that mirrored one, and then once you go on it it led to the ClickFix and then the download, the malware download. So, always double-check the URLs before you click. And then, of course, following a lot of the recommendations. And like Anna mentioned, the attack surface reduction rules are also very important for detecting malware that's delivered through ClickFix.
Sherrod DeGrippo: That's really interesting because I know that there aren't any software developers listening to this podcast, but Notion is really popular in coding and software development circles. All of you new vibe coders out there that just started using Notion, the threat actors I assume have an idea of that victim space. So, they know that there is a certain type of highly technical coders, software developers, software engineers that are using Notion, that are Notion's customers and Notion's userbase. So, it's pretty clever, I think, of the threat actor to choose something that could essentially have downstream capability to get into code bases. And software supply chain is something that we talk about at Microsoft extensively because we're one of the world's largest software providers. The software supply chain is really important to us going all the way back to SolarWinds where threat actors really made a big splash with compromising software supply chain. I think that Notion as such a big tool for developers and people that have downstream customers, people that have code in other places, that was a very insightful choice by the threat actors to imitate Notion.
Rebecca Light: Yes, and that's usually the type of sites that they're mimicking. Ones that a lot of people use and the right kind of people are using to be victims. So, it'd be beneficial for them.
Sherrod DeGrippo: Right. So, I'm going to give an assignment to all the listeners now. Go to your software developer friends and ask them one security question. Ask them if they check URLs before they open their tools. Ask them if they hardcode credentials into their code. Ask them the last time they did an audit of their GitHub to look for any security issues in code they're deploying. There are many tools that come from GitHub, a Microsoft product, that can help them make sure that their code is secure. The Copilots, of course as well, the GitHub Copilot is great at helping developers become used to secure software development and threat driven software development. So, ask your coder friends because I doubt there's any coders listening to this podcast. But also send them a link to this podcast. Listen to it. Well, I want to thank both of you for joining us. Anna Seitz and Rebecca Light, two security researchers at Microsoft, to tell you all about the Aqua Blizzard and Secret Blizzard collaboration. And DarkGate malware being delivered through the ClickFix technique. I'll leave everyone with one final suggestion. If your computer starts giving you instructions for what to do step by step, maybe question the machines a little bit. Thanks for listening, and Rebecca, Anna, thanks for joining me.
Anna Seitz: Thanks for having us.
Sherrod DeGrippo: Thank you. Thanks for listening to the Microsoft Threat Intelligence podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.
