The CyberWire Daily Podcast 3.22.21
Ep 1294 | 3.22.21

Transportation as an espionage target. Expensive, elaborate cyber campaigns by unidentified threat actors. Infraud operators sentenced in Nevada.


Dave Bittner: Indian authorities warn the country's transportation sector that it may be a target for cyber-espionage. Google's Project Zero describes an elaborate and expensive campaign that exploited zero-day vulnerabilities. The SilverFish threat group is elaborate, well-resourced and well-organized. Threat actors are quietly altering mailbox permissions. REvil is back. Some say yes to Moscow, others say nyet. Dinah Davis from Arctic Wolf on security metrics. Our guest is Graeme Bunton from the DNS Abuse Institute. And two Infraud operators are sentenced.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 22, 2021.

Dave Bittner: The Business Standard reports that India's Ministry of Road Transport and Highways yesterday alerted the National Highways Authority of India, the National Highways and Infrastructure Development Corporation, and India's automobile-makers to increase their readiness to defend themselves against cyberattack. The ministry said, quote, "the Ministry of Road Transport and Highways received an alert from CERT-In regarding targeted intrusion activities directed toward Indian transport sector with possible malicious intentions. The ministry has advised departments and organizations under transport sector to strengthen the security posture of their infrastructure," end quote. 

Dave Bittner: The warning prompted much speculation in the Indian press that China has shifted its targets from the energy to the transportation sector. The Hindu BusinessLine's coverage is representative. A note the paper obtained represents CERT-In's own conclusions. Quote, "CERT-In has observed continued targeted intrusion activities from Chinese state-sponsored actors towards Indian transport sector with the possible intention to collect intelligence and conduct cyber-espionage. The notable threat actors such as APT41/Barium, Tonto Team, APT101, StonePanda, APT15/Ke3chang, APT27/Emissary Panda, Winnti groups, and Red Echo have been targeting organizations across a range of industries aligned with the national strategic goals of the Chinese national policy priorities," end quote. 

Dave Bittner: Google's Project Zero has provided an update on a campaign they began tracking last year, providing additional information on seven zero-days its researchers detected a threat actor using this past October. Windows, iOS and Android systems were affected. Victims were usually infected in watering hole attacks. The unknown threat actor used a total of 11 zero-days over their campaign's yearlong run. Their development would have been expensive, and the infrastructure used was large and carefully constructed. The operation seems beyond the capabilities of any ordinary criminal group. 

Dave Bittner: Project Zero summarized the threat actor's sophistication as follows. Quote, "overall, each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome FreeType zero-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been nontrivial. The obfuscation methods were varied and time-consuming to figure out," end quote. 

Dave Bittner: Researchers at Swiss security firm Prodaft report that they've identified a threat actor - they call it SilverFish - whose target list significantly overlaps the list of victims of SolarWinds exploitation. The researchers also say that some of SilverFish's servers were also used by the EvilCorp crime group. 

Dave Bittner: Prodaft offers no attribution, but they do characterize it as, quote, "a highly sophisticated group of cybercriminals targeting exclusively large corporations and public institutions worldwide, with focus on the EU and US. The actor can be viewed as an entity possessing a high degree of sophistication and who goes beyond the necessary technical skills to conduct an operation of this magnitude. The actor demonstrates a comprehensive and up-to-date knowledge of exploitation practices, security architecture, protocols and anonymization techniques. More importantly, their knowledge transcends regional, cultural and linguistic barriers," end quote. 

Dave Bittner: Prodaft gained its information, the company says, by getting inside SilverFish's command-and-control servers. SilverFish's list of victims looks like an espionage pick-list. The dashboard Prodaft found indicates that SilverFish is running several distinct teams. 

Dave Bittner: Prodaft also says that the comments the operators entered alongside their targets are, for the most part, written in English and Russian, with a healthy leavening of urban slang. And whoever SilverFish's operators are, they punch the clock like a bunch of employees of the month. Prodaft says they work mostly Mondays through Fridays between 8 a.m. and 8 p.m. Coordinated Universal Time. 

Dave Bittner: Researchers at FireEye's Mandiant unit say that they've observed threat actors modifying mailbox folder permissions of user mailboxes to maintain persistent access to the targeted users' email messages. Mailbox permissions, Mandiant says, are often not monitored by defenders. They've added mitigation suggestions to their white paper on the topic. 

Dave Bittner: The REvil ransomware gang has hit Taiwanese device manufacturer Acer with a $50 million extortion demand, The Record by Recorded Future reports. The extortion includes the now-routine threat to release stolen company documents. Acer told BleepingComputer that to preserve the security of their continuing investigation, they are unable to provide details on the incident. 

Dave Bittner: Tech companies face a range of regulatory and legal challenges as they do business in a range of countries. Many of those challenges have to do with protecting personal data. While certainly not trivial, in most cases, that's a regulatory burden companies are meeting, often by complying with the most stringent applicable rules and letting those set the standard way of operating. So businesses organize themselves to operate in compliance with GDPR, to take one common standard. 

Dave Bittner: In other cases, it's trickier, especially where the law tends to serve policy and not vice versa. Consider the accommodation Apple recently reached with Russia. WIRED reports that, beginning next month, iOS devices sold in Russia will prompt users to install a set of government-approved apps - browsers, messenger platforms and even antivirus services. 

Dave Bittner: It's not exactly preloading, and users can opt out if they so choose, but WIRED still sees it as a bending on Apple's part to the demands of an authoritarian regime. And the magazine thinks that other such regimes will notice and that Apple may hear from like-minded governments soon. 

Dave Bittner: Other vendors have pulled away - Cellebrite, for one. The lawful intercept vendor that's been criticized for the ways in which some of its government customers have abused its products announced last week that, effective immediately, it would no longer do business with any customers, private or public, in either Russia or Belarus. 

Dave Bittner: The company said, quote, "as part of our standard business operations, we regularly review and update our compliance policies to ensure we operate according to accepted international rules and regulations," end quote. And by implication, selling its digital intelligence solutions to Moscow and Minsk wouldn't be good international citizenship. 

Dave Bittner: And finally, the US Justice Department announced Friday that two gentlemen associated with the Infraud Organization were sentenced to terms of imprisonment for their part in the activities of Infraud, which Justice says involved the mass acquisition and sale of fraud-related goods and services, including stolen identities, compromised credit card data, computer malware and other contraband. 

Dave Bittner: Sergey Medvedev - also known as Stells, segmed and serjbear - of Russia pleaded guilty in the District of Nevada to one count of racketeering conspiracy and received 10 years in prison. Mr. Medvedev is a co-founder of Infraud. 

Dave Bittner: Marko Leopard - also known as Leopardmk - of North Macedonia also copped a guilty plea, and he received five years at Club Fed. 

Dave Bittner: Infraud was a big operation. The Department of Justice says the transnational gang was responsible for the sale and/or purchase of over 4 million compromised credit and debit card numbers. The actual loss associated with Infraud was in excess of $568 million. That's a lot by any standard. 

Dave Bittner: PIR, the Public Interest Registry, the folks behind the .org domain, recently launched the DNS Abuse Institute. They say that their goal is to provide tools to identify and report DNS abuse. Graeme Bunton has taken on the role of the DNS Abuse Institute's inaugural director. He joins us to explain the mission of the organization. 

Graeme Bunton: So the DNS Abuse Institute was founded by PIR, who run the .org registry. And PIR has a - in their name, Public Interest Registry, this public interest mission. And over the past few years, I would say the prevalence of DNS abuse - and I can go into the definition of that in a minute - has become an increasing issue. And they were trying to think about how they could use their public interest mission to really make a dent into that problem. And the result of that was to try and stand up a - its own sort of institute. 

Dave Bittner: Yeah. I mean, let's dig into that. I mean, what are some of the issues that we face when it comes to DNS? 

Graeme Bunton: So DNS abuse - and let's make sure we're all talking about the same thing - is - we define as malware, botnet, pharming, phishing and spam - where it's serving as a vehicle for those previous items. And those are, you know, online harms that are using the DNS specifically to cause them. And those are online harms that use the DNS itself to cause those harms. 

Graeme Bunton: And so we have seen the sort of - in the operation of the registry - and I actually come historically from a registrar, and maybe I'll come back to that in a sec - you know, that those things are causing real harms around the world. And there is a - there's been, like, a lack of coordinated effort on these issues. And so this was really where we thought the DNS Abuse Institute could make a real difference. 

Dave Bittner: And so what are some of the things that you're looking to do here? What do you hope to accomplish? 

Graeme Bunton: So I think the first thing that we really need to do - and maybe backing up slightly is, you know, I've been on board now for I think a week and a half. And so we're really still figuring out the breadth and scope of our strategy and how we're going to prioritize the things that we're going to work on. And that requires quite a bit of digging and some research. 

Graeme Bunton: But I think to start, we really need to be able to get the community - so that sort of, you know, registrar and registry industry and cybersecurity to a certain extent - to make sure that we're all talking about the same thing. And so that's going to be to develop a model to measure DNS abuse across the industry, publish that model and make sure that we're all addressing the same problem. So that, I think, is step one. 

Graeme Bunton: And then it's going to be working through the pillars that the institute is sort of founded on. And those are collaborations. That's making sure that we're working together as an industry. It's education, and that's making sure that everybody has the resources and understanding. And then innovation is our third pillar, and that's where we're really going to begin building tools and providing really interesting things for the industry to start really getting better. And that's the one that I find pretty interesting. 

Dave Bittner: That's Graeme Bunton from the DNS Abuse Institute. 

Dave Bittner: And joining me once again is Dinah Davis. She is the VP of R&D at Arctic Wolf. Dinah, always great to have you back. I want to talk today about measuring success and how you establish good security metrics within a company. What sort of things can you share with us? 

Dinah Davis: Yeah. So really, your metrics have to be related to the organization's risk profile, right? One set of metrics that is going to help one company isn't necessarily the same set of metrics that matters for another. You know, like, a health care organization has very different risk levels than a law firm or than a tech company, right? And so you can't just have a basic blanket set of metrics that are going to work for everyone. But what you can do is really measure your amount of risk in your threat landscape. 

Dinah Davis: So the first thing you need to do to do that is to identify the vulnerabilities you have in your system. So you can do this with a vulnerability assessment tool. We have one with Arctic Wolf. It will look through your system to find the level of software that's running everywhere. Like, each piece of hardware and software, what is it running? It'll then look those versions of software up in a publicly accessible system that the National Vulnerability Database - or the NVD is what it's called - and determine if there's any vulnerabilities. And it'll give you a list of the vulnerabilities and their common vulnerabilities and exposures, which we call a CVE score. So if you hear people talking about a CVE score, that's what it is. 

Dinah Davis: And so once you have this list of, like, everything that's going on in your network and vulnerabilities, this is how you, like, you want to prioritize, right? So the CVE score goes from, like, 0 to 10, OK? If it is a nine or a 10, you drop everything. You drop everything and you go patch that immediately. 

Dave Bittner: Right. 

Dinah Davis: A high is pretty close to drop everything, but maybe not quite as severe as the nine or a 10. A nine or a 10 means there's active hacks against it, there's active attacks, right? So if you're in a medium of a four to a 6.9, then you can use - you know, you want to plan a maintenance window to fix it. You don't want to maybe wait until the next one, but you want to plan one, but it doesn't need to be the next day. It should just be soon. And anything below that, you can fix in a regular maintenance window, right? 

Dinah Davis: So now, you want to measure yourself against your CVEs and what your scores are here. So you want to look at your mean time to patch. So for anything above a seven, how long does it take your organization to fix it? You want to track that so that you know if you're fixing them faster or slower, if you need to change process around patching so that you can improve, right? 

Dinah Davis: So tracking how many issues above a nine or a 10 - really anything above a seven - how many of those you have, how many mediums and how many low-risk you have, trending that over time and looking at the mean time to patch. Those are really good metrics to look at. Doesn't - that doesn't matter what kind of organization you are, but it takes into account your risk profile, right? 

Dinah Davis: Another important metric to watch is your account takeover risk, right? So for an account takeover - critical risk, it means the password and the username and possibly personally identifiable information was leaked, and there could be malware using that information being used right now. So you want to drop everything, go immediately force a password change for all accounts for that user on your system and then audit any activity that your user had in the system, making sure you're doing scans of their laptop. 

Dinah Davis: High risk is, you know, the user account was revealed and maybe a decryptable or plain text password - pretty high risk. Again, reset their passwords immediately. And then medium and low is, you know, a little slower you have to react. They're probably - maybe their account was exposed. Maybe an encrypted password was exposed, but not a lot else. And so then you can have, you know, the user rotate their corporate credentials the next business day. It's not a drop everything. So that's something you want to track on an ongoing basis. 

Dave Bittner: Now, do you ever find that you sort of have a little - I don't know, like a mismatch between the severity, but what it actually means to a particular company? In other words, you know, something comes back and it says, hey, this isn't - in a normal ratings ranking of severity, it may not be that high, but for this particular company, it is high. 

Dinah Davis: Yeah, that can happen, too, because it depends on what you're using various systems for. If it's a medium, but it's like - let's say it's a medium vulnerability, but it's a main system you're using with a lot of, like, customer-specific or private data or important data in it, that could mean it bumps it up quite a bit for you. So you do want to evaluate them as they come in. 

Dinah Davis: Oftentimes, they'll get a score and then the client can also - you know, a lot of the systems will allow for you to mark it as higher than it is - like, manually push it higher - so that you can schedule it to be changed faster. 

Dave Bittner: All right. Well, Dinah Davis, thanks for joining us. 

Dinah Davis: You're welcome. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It takes the day's work right out of your hands. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.