The CyberWire Daily Podcast 1.6.21
Ep 1243 | 1.6.21

Who worked through SolarWinds? An APT “likely Russian in origin,” says the US. Rattling backdoors, rifling cryptowallets, and asking victims if they’re ensured. No bail for Mr. Assange.

Transcript

Dave Bittner: The U.S. Cyber Unified Coordination Group says the Solorigate APT is likely Russian in origin. Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021. The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben-Gurion University. Our guest is Jens Bothe from OTRS Group on the importance of the U.S. establishing standardized data privacy regulations. And Julian Assange is denied bail.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 6, 2021. 

Dave Bittner: Yesterday afternoon, the Cyber Unified Coordination Group, the task force established by the US president and his National Security Council to investigate and remediate the Solorigate incident, released a statement on its conclusions so far. It read, in part, "This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered ongoing cyber compromises of both government and nongovernmental networks. At this time, we believe this was and continues to be an intelligence-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly," end quote. 

Dave Bittner: This isn't the first attribution of the campaign to Russia by U.S. officials. Both Secretary of State Pompeo and Attorney General Barr said as much during media availabilities over the past few weeks. But it is a more formal acknowledgment of Russian responsibility than were those earlier statements. The UCG is composed of elements drawn from CISA, the FBI, NSA and the Office of the Director of National Intelligence, all of which are notably more reticent in offering attribution than either senior officials or the private sector. 

Dave Bittner: Roles and missions within the UCG task force are worth reviewing. The FBI has the lead for threat response and is working on identifying victims, collecting evidence, analyzing the evidence to determine further attribution and sharing results with the government and private sector partners to inform operations, the intelligence picture and network defense. 

Dave Bittner: CISA, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, has the lead for asset response, which involves sharing information quickly with government and private sector partners. 

Dave Bittner: ODNI, the Office of the Director of National Intelligence, coordinates the intelligence community's collection and analysis of information relevant to the incident, providing situational awareness for key stakeholders. NSA is serving in a support role, with a focus on assessing the scale and scope of the incident and on providing technical mitigation measures. 

Dave Bittner: BleepingComputer reports that attackers are working to exploit vulnerable Zyxel systems. Researchers at security firm GreyNoise have found three distinct scans in progress for SSH devices. The scanners then tried to log in using Zyxel backdoor credentials. One of the IP addresses doing the scanning has been using Cobalt Strike's SSH client, which suggests to researchers that the threat actor may be using this technique to evade detection by threat intelligence shops. 

Dave Bittner: Bitcoin has reached new highs in the new year. The cryptocurrency was trading this morning at $34,241.20, and cybercriminals are predictably following the money. Security firm Intezer is describing a criminal campaign it's calling ElectroRAT. It targets credentials for crypto wallets by inducing its victims to download Trojanized apps the gang offers via social media and alt-coin user forums. The malware is cross-platform, with Windows, MacOS and Linux variants in circulation. Its capabilities include keylogging, screenshots, exfiltrating data, downloading files and executing commands on the victim's console. 

Dave Bittner: 2021's first new strain of ransomware, Babuk Locker, is out in the wild, according to BleepingComputer. It's assessed as amateurish but equipped with effective encryption. The ransom demands have been running from $60,000 to $85,000. 

Dave Bittner: The hoods' negotiating messages are interesting in two respects. They ask the victim if they're covered by cyber insurance and whether they're working with a ransomware recovery company. This would seem to suggest that the criminals are looking to insurance companies and security firms as, effectively, middlemen, presumably thinking that those third parties might be counted on to persuade the victim to pay up. 

Dave Bittner: Bloomberg says that, after a call from US Treasury Secretary Mnuchin, the New York Stock Exchange is reconsidering its reconsideration and is again thinking it may delist China Mobile, China Telecom and China Unicom. Executive Order 13959, "Addressing the Threat From Securities Investments That Finance Communist Chinese Military Companies," effectively prohibits U.S. citizens from investing in the Chinese telecommunications firms. 

Dave Bittner: The executive order takes effect on January 11. The order's provisions are complex, and Treasury has published a set of FAQs in the hope of bringing some clarity to the matter. 

Dave Bittner: On the one hand, quote, "any transaction in publicly traded securities or any securities that are a derivative of or are designed to provide investment exposure to such securities of any communist Chinese military company is prohibited, regardless of such security share of the underlying index fund, ETF or derivative thereof," end quote. 

Dave Bittner: On the other hand, the executive order, quote, "does not require U.S. persons, including U.S. funds and related market intermediaries and participants, to divest their holdings in publicly traded securities and securities that are derivative of or are designed to provide investment exposure to such securities of the communist Chinese military companies identified in the annex to EO 13959 by January 11, 2021," end quote. 

Dave Bittner: So apparently, no new investment, but no requirement to divest immediately either. Stock prices of the companies on the list continue to ride the roller coaster. 

Dave Bittner: WikiLeaks founder Julian Assange will remain in jail, CNN reports. A judge denied bail at a hearing this morning. Mr. Assange will continue to be incarcerated in Her Majesty's Prison Belmarsh. 

Dave Bittner: Judge Vanessa Baraitser, who Monday denied a US request that Mr. Assange be extradited to face 18 federal charges related to WikiLeaks, hacking and espionage, was the jurist who denied him bail. Reuters says that Mr. Assange is being held pending the outcome of an appeal the US Department of Justice filed Monday. The judge said this morning, quote, "I am satisfied that there are substantial grounds for believing that if Mr. Assange is released today, he would fail to surrender to court to face the appeal proceedings. As far as Mr. Assange is concerned, this case has not yet been won. The outcome of this appeal is not yet known," end quote. 

Dave Bittner: With 2020 upon us and a new administration heading into the White House, it's an opportunity to consider the possibilities of new data privacy regulations coming out of Washington. Jens Bothe is director of global consulting with OTRS, a cyberdefense and security management firm in Frankfurt, Germany. Having been through the implementation of GDPR, he shares insights on how it could inform our approach to data privacy stateside. 

Jens Bothe: So in Germany itself, we had a very good data protection law already before the GDPR was introduced and then made to a German law. So there is not much change in Germany but a lot of change, for sure, in the rest of Europe and the rest of the world because of the GDPR. 

Dave Bittner: And have we seen the sorts of fines that people were expecting? How has that come to pass? 

Jens Bothe: Yes, there were some very high fines in especially huge companies. So Google was one of the first to get fined based on the GDPR in Europe, but also a lot of other companies because they got data loss or whatever, did not tell the people what they're doing with the data or were sharing it with the wrong people. So we've seen already some fines in different areas. 

Jens Bothe: But what has also - has been seen is that the governmental units which have the data protection as a main business try to convince people to check - or companies - go into companies and try to check with them what they can make better. So we also see that at the first step, especially in the small and medium-sized business, the government tries to avoid fines at first and trying to work with these companies to make it better and to help them to fulfill all the needs of the regulation. 

Dave Bittner: And do you suppose that the GDPR has - is really getting the result that folks had asked - had hoped for - that, you know, the companies who are collecting data - has there been the meaningful change in their behavior that was the desired outcome here? 

Jens Bothe: Mostly, yes. So we see that companies think about, do we really need to collect this data? What we need to tell the people? So you really saw a huge spread of webpages - or on webpages of slide-ins and pop-ups to ask for concerns or just to inform people that data is collected. Sometimes, it seems a little bit too much. Actually, you have to give consent if cookies are used. 

Jens Bothe: But it brings a little bit more to attention of all the users, which are not deeply trained in how the internet is working and so on, especially set data is collected every time they visit pages, look at things, and this data can be used for a lot of different things, and they really have to say yes or no and know what happens to their data. 

Dave Bittner: That's Jens Bothe from OTRS. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hey, Joe. Good to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, when I see these stories come by that have to do with interesting ways to get information off of computers in ways that people haven't thought about before, there's one organization I always think of (laughter). You know who that is, right, Joe? 

Joe Carrigan: Yes, I do. It's Ben-Gurion University (laughter). 

Dave Bittner: Yes (laughter). And they're at it again. 

Joe Carrigan: Yep. 

Dave Bittner: So this is an article from ZDNet What's going on here, Joe? 

Joe Carrigan: So this is the work of Mordechai Guri. And he has - I guess probably with some of his students here, they have come up with a way to exfiltrate data using RF. But a couple interesting things about this. First, they can actually emit the RF in the 2.4 gigahertz bandwidth, which is where Wi-Fi listens and talks. All right? So that means they can use other equipment or equipment that is already equipped, that already exists to intercept this signal, right? There are already tons of cheap pieces of equipment you can buy that are tuned to listen in this frequency. 

Dave Bittner: Right. 

Joe Carrigan: Let me give you some background on how this works. And this is how any of these RF side channels work. They - there's a wire somewhere that is the proper length. And if you put a signal on that wire and then take that signal off, if you oscillate a signal on that wire, you effectively create an RF signal, right? 

Dave Bittner: You're making radio. 

Joe Carrigan: Exactly. This is exactly how the radio in your car works because you're doing the same thing at the radio station. They're turning off and turning on a signal very quickly to modulate that signal so that your car can receive it. 

Dave Bittner: Yeah. 

Joe Carrigan: And these guys have found out that they have - that there's a wire somewhere that they can write ones and zeros to fast enough to actually emit - or with a certain rate, really - doesn't have to be fast enough, but they're doing it so that that emits effectively a Wi-Fi signal that lets them move data from an air gap system. 

Joe Carrigan: So this system doesn't have any network cards in it, not even - it doesn't have a Wi-Fi card. It doesn't have an ethernet card or anything, but they can actually communicate from that air gap system to a device a couple of meters away at a rate of about 100 bits per second. 

Joe Carrigan: So it's kind of an academic exercise. You're really not going to get a lot of information off at 100 bits a second. Maybe you can get some hashes off if the system is on a network that - let's say the system is connected to a network that's air gapped, and you want to impersonate somebody. You can probably use something to get hashes off if you can get malicious software onto that computer, which is another part of the challenge. 

Dave Bittner: Yeah, or just be very patient. 

Joe Carrigan: Right. Right. And it wouldn't take long at 100 bits a second to get a hash off. It might take a couple of minutes. But it's really interesting work. And these guys have found all kinds of ways, all kinds of side channels in the RF spectrum to get data off of these computers. 

Dave Bittner: And in this case, they're using the RAM... 

Joe Carrigan: They're using the RAM. 

Dave Bittner: ...In the system, somehow getting the RAM to resonate at the right frequency, where you're generating... 

Joe Carrigan: Exactly. By doing rights - by timing the rights to the memory at the right time. And a couple of interesting things about this is it can be done by a process in user space. You don't need to have root access to the computer to do it. Anybody can do it. You can even do it from a VM within the computer. 

Dave Bittner: Wow. It's just - I mean, it's so clever, right? I mean... 

Joe Carrigan: It is. 

Dave Bittner: (Laughter) It's just so clever. And time and time again - you know, hats off to the folks over at Ben-Gurion. I mean, this is - they're just - they - this is one of their specialties - right? - is just coming up - the creativity here, that time and time again, they're coming up with these things. 

Joe Carrigan: Right. I'm always fascinated by side channels. I think that they're really interesting. We have a professor, Lanier Watkins, at the Information Security Institute who also does work with side channels. And I can listen to him talk about it all day. You know, it's just something that is really interesting to me. I don't know why. It's one of those things that catches my fancy. 

Dave Bittner: Well, if you'll permit me a trip down memory lane, this reminds me of something from the early days of 8-bit computing and the old TRS-80 Model I, which was RadioShack's first home computer, one of the original important computers in 8-bit computer history. So back then, computers had no sound, right? The TRS-80 Model I had no sound. But someone had come up with a clever piece of software. It was called Dancing Demon. 

Joe Carrigan: I remember Dancing Demon. 

Dave Bittner: And Dancing Demon, you could put in different dance steps that you wanted the demon to do. And this little, very low resolution, blocky little demon with a - the curtain would raise. The demon would come out, and he'd do a little shuffle, a little soft-shoe, and he'd tap dance. 

Dave Bittner: Well, the computer had no sound, but the programmers figured out that - one of the things about the Model I is that it was leaking all kinds of RF energy. In fact, RadioShack had to stop making the computer and they made the Model III because the FCC came and said, listen; you guys got to stop making this. This is... 

Joe Carrigan: Right. You're violating Part 15 here. 

Dave Bittner: (Laughter) Right. This is out of hand. But what you could do is, you would put a - you'd hold a - you take an AM radio, put it next to the computer, and the programmers had figured out that they could manipulate the RF coming out of the machine to make the sound of the little demon tap dancing with - somehow they'd figured out how to time certain activities within the computer to make, you know, practically a spark-gap generator... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...You know, on the AM radio to make the sound of the little demon dancing. And that's how you had sound back in the original 8-bit computer days. So, you know, not that far off from what they're doing here, however many - 40 years later, right? 

Joe Carrigan: Right. It's the exact same technology, except now they're able to control a wire on a - you know, it's not really a wire; it's like a trace on a circuit board - to get it to emit something that you can exfiltrate digital information with. 

Dave Bittner: Yeah, just spun up their own little software-defined radio, right? 

Joe Carrigan: That's right. 

Dave Bittner: Yeah. All right. Well, it's an interesting story for sure. And again, hat tip to the folks at Ben-Gurion. It's just - they blow me away with - just the cleverness here is amazing. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Avoid the noid. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.