The Russo-US summit ended in frank exchanges and the prospect of further discussions on cybersecurity. Ferocious Kitten tracked. Initial access brokers. Molerats return. Ransomware arrests.
Dave Bittner: The U.S.-Russian summit took up cyberconflict, cyber-privateering and cyber-deterrence, ending with the prospect of further discussions. Ferocious Kitten's domestic surveillance, ransomware gangs are using a lot of initial access brokers, the Molerats are back, troubleshooting a wave of intermittent internet interruptions. NSA offers advice on securing business communications tools. Ukrainian police arrest six alleged Clop gangsters. Andrea Little Limbago from Interos on bringing the private sector back into the defense equation. Our guest is Charles Herring of WitFoo with the case for cybersecurity as an extension of law enforcement. And nine alleged ransomware hoods are collared in Seoul.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 17, 2021.
Dave Bittner: The Russo-American summit between Presidents Putin and Biden concluded yesterday after three hours of face-to-face talks. Reuters calls them professional as opposed to friendly with some expressions of a willingness to pursue matters of arms control and cybersecurity going forward. Recent ransomware attacks came up, The New York Times writes, characterizing the two countries as remaining profoundly divided on this and other matters, with President Biden requesting an explanation and President Putin denying any Russian involvement. In a post-summit media availability - the two presidents did not hold a joint press conference - Mr. Biden said the discussion went like this. Quote, "I looked at him and said, how would you feel if ransomware took on the pipelines from your oil fields? He said it would matter. I pointed out to him that we have significant cybercapability, and he knows it," end quote.
Dave Bittner: Forbes reads the U.S. position as a direct promise of retaliation in kind to future Russian cyberattacks. Presumably, the retaliation would be proportionate and symmetrical, but it does seem to represent a move toward some commonly understood deterrence regime short of the Cold War's mutual assured destruction and with greater ambiguity, but an attempt at deterrence nonetheless.
Dave Bittner: Computing reports that President Biden not only made reference to U.S. retaliatory capabilities, but also argued that critical infrastructure should be off limits to cyberattack. For his part, President Putin gave, according to TASS, a fairly irenic take on the summit. Quote, "As for the assessment, I believe there was no hostility at all. On the contrary, our meeting was certainly held in a principled manner. We differ in many respects in our assessments. However, to my mind, both sides showed willingness to understand each other and seek ways to bring the positions closer. The conversation was quite constructive," end quote. The New York Times reports that Russian government-aligned media have taken the line that President Biden is a man we can do business with and that it's gratifying to see that he recognizes Russia as a great power.
Dave Bittner: A report by Kaspersky Labs details a six-year record of domestic surveillance by an Iranian APT Ferocious Kitten. As suggestive as the circumstantial evidence may be, Kaspersky doesn't explicitly attribute the operations to Iran's government, but CyberScoop reports, FireEye sees a connection.
Dave Bittner: Security firm Proofpoint discerns a trend among ransomware gangs. They're relying less upon phishing and more on the services of initial access brokers to obtain a foothold in victims' networks. As their report puts it, quote, "Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other Trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize to the tune of greater profits for all except, of course, the victims," end quote. Proofpoint also published a report this morning outlining recent activity by the Molerats, which Proofpoint also calls TA402, an Arabic-speaking, politically motivated threat group closely associated with elements in Gaza and active principally against Middle Eastern targets.
Dave Bittner: The group is interested in espionage, and its targets are generally governments or what Proofpoint calls government-adjacent organizations. The group's latest campaigns use custom malware, LastConn, which appears to be an upgraded version of the previously observed SharpStage malware. LastConn both gains access to the targets and collects information from them. The malware sports distinctive features that render both automated and manual analysis difficult. Those features include geofencing on the basis of IP address, restricting target selection to computers with Arabic language packs installed and distributing malware in password-protected archive files.
Dave Bittner: The Molerats' typical approach to their targets in this campaign was spearphishing. One interesting observation Proofpoint makes is that whereas the Molerats had been making attacks on a weekly basis, they abruptly went on a two-month hiatus between March and early May, which coincided with both fighting in Israel and Gaza and with observance of Ramadan. Whatever the reason for the time off, the Molerats seem to be back.
Dave Bittner: Akamai is working to resolve issues with its content delivery platform that have caused brief, intermittent outages in airline and financial services sites, CNN reports.
Dave Bittner: The U.S. National Security Agency this morning released advice on securing unified and voice communication. NSA describes the focus of the guidance as minimizing risk of disclosing sensitive info or losing service while using VVoIP. Risks include eavesdropping, impersonating users or perpetrating denial of service downtime. Unified communications systems and their closely allied voice-over-IP systems offer rich and easy collaboration tools. But they also - and this is a familiar story - offer a more expansive attack surface than do old-school voice telecommunications. NSA advises network segmentation; layer 2 protections; PSTN and internet perimeter protection; staying up to date with patching; authentication and encryption of signaling and media traffic; deploying standard fraud detection measures; using backups and monitoring to ensure availability; managing the risk of distributed denial of service; controlling physical access; and verifying your systems in a test bed.
Dave Bittner: Ukrainian police have arrested six alleged members of the Clop ransomware gang. The Record reports that law enforcement agencies from the Republic of Korea and the United States rendered assistance. The police seized not only servers, but a lot of cash and some fancy luxury cars, which suggests the alleged gangsters were living the gangsta lifestyle as seen even on Ukrainian TV.
Dave Bittner: And finally, a most unwelcome form of computer customer service has surfaced in South Korea, where police in Seoul arrested nine employees of a local computer repair company. They're charged with creating and installing ransomware on their customers' computers. The authorities say the suspects got about $321,000 in ransom payments from the 40 or so companies they serviced in 2020 and 2021. Not all the repair company's employees were involved, and the alleged perpetrators were all in the Seoul office. Still, on balance, this can't be good for repeat business.
Dave Bittner: People have varying opinions when it comes to choosing the best metaphor for approaching cybersecurity. Some think it's most similar to public health, emphasizing things like basic hygiene and herd immunity. Others see it as a public safety issue, making sure you have proper locks on your doors and windows and that you can summon law enforcement if need be. Charles Herring is co-founder and CTO of WitFoo, providers of a SecOp security platform. He joins us to make the case that coming at cybersecurity using a law enforcement model is the way to go.
Charles Herring: So about 20 years ago after 9/11, I was on active duty in the U.S. Navy and detailed to the Naval Postgraduate School to spin up what we would call today the cybersecurity group there. And there was - the first thing that we spent a lot of time debating was, should the network security group be a security group that focuses on the Navy - I mean, on the network? So I said, should the security group be a group that focuses on the network or should it be a network group that has some security function?
Charles Herring: And the way that played out is I ended up working for the director of security for the base and - instead of working for the CIO or chief information officer. And the meetings I would have in the department would be with the base police and the intelligence officers. And we would talk about adversaries, criminals and crimes. And so that was the scope of my initial cybersecurity work.
Charles Herring: But then I would go to other meetings with the IT department, and we would talk about firewall rules and patching and antivirus and those types of things. And so it was two different - completely different worlds that I got to experience virtually every day, each with different outcomes and different goals. And that really led to - a lot of the research that followed over the next 20 years was, should it be IT or should it be security? And, you know, where does each one play a role?
Dave Bittner: I suspect for a lot of folks, we think that - certainly the perception is that a lot of these bad actors are getting away with what they're doing with little consequence.
Charles Herring: That's true. So if - the analogy I like to build is if you were - if you built a home, and you put a large wall around it and barbed wire fence and put bars on the door and moats around the walls. The reason you do that is to increase the amount of time it would take for a criminal to get inside the home and execute a crime. But if there are - if the police are never called, if you're not able to shoot at or protect - create pain for the criminal, those things don't mean anything, and they can blow up the wall. (Laughter) They can dig under it.
Charles Herring: It's the - and that's the role that we're supposed to do in security - increasing risk until law enforcement shows up. The major deficiency we have right now is we're not in the habit of collecting evidence in a way that's going to allow us to communicate with law enforcement. And there's also a risk associated with calling law enforcement - that we're afraid of what they will discover as part of their investigation, whether it's someone in our organization or something being disclosed.
Charles Herring: And so what's happening is this - sort of this code of silence that occurs. We never inform law enforcement. And only - law enforcement is the only group that can go and translate a IP address to a human being and put handcuffs on the person. Because the IP addresses don't care about being blacklisted, right? It's like putting handcuffs on the getaway car. It's a component of the crime. And until we're able to take what we consider logs in IT, turn it into evidence, turn that evidence into affidavits, get those affidavits to law enforcement, we can't close the loop on what does it take to move away from just always being terrified and trying to be the last person criminalized. Or as a friend of mine said just last week, I don't need to outrun the bear, I just need to outrun the slowest person the bear's chasing.
Dave Bittner: Right.
Charles Herring: That mentality is bad citizenry (laughter). And eventually, the bear figures out that you're tastier than the slow guy...
Dave Bittner: (Laughter).
Charles Herring: ...Which is starting to occur now. And that doesn't even...
Dave Bittner: Right.
Charles Herring: ...Work anymore.
Dave Bittner: That's Charles Herring from WitFoo.
Dave Bittner: And I am pleased to be joined once again by Andrea Little Limbago. She is the vice president of research and analysis at Interos. Andrea, it's always great to have you back. I know lately you have been doing some writing with some of the work you do with NWC about this notion of bringing the private sector into the defense equation. What can you share with us about that work?
Andrea Little Limbago: Yeah. So the project largely stems on, you know, focusing on lessons unlearned in cyber over the last decade or so. And, you know, one of the ones that I've seen is just really - the lesson unlearned is really how to integrate the role of the private sector and, in some regards, even just acknowledging just how much the private sector is on the front line of attacks. And so we really - you know, we're still very much so stuck in Cold War mentalities when thinking about what the private sector can and cannot do, what the role of it is, how even the private sector and the government can interact. And so it's really gotten to the point where, one, we haven't evolved our thinking on that at all, despite the enormous attacks that continue to be - continue to hit the private sector.
Andrea Little Limbago: What's also leading to the divide - we hear about the Silicon Valley-D.C. divide that's been going on for quite some time. And even to the point - you know, in very recent testimony, Senator King said that, basically, smaller companies in Silicon Valley especially have given up on the Pentagon. So that's not something that is very sustainable for our national security. And, you know, fortunately, there have been - you know, that's a known problem. And so that's starting to get addressed. But the challenge is that, you know, it's not changing enough. And so in some regards, the Pentagon-Silicon Valley gap - that, you know, is how it's generally framed - is starting to be addressed by things such as the Defense Innovation Unit and Defence Works, those kind of new governmental programs that are aimed at expediting the acquisition process.
Andrea Little Limbago: And then conversely, you know, there are plenty of efforts out there - not plenty, but there are some efforts out there that are trying to get technologies into policy, like the Aspen Tech Policy Hub, TechCongress, NSI's Technologist Fellowship. And so all those programs are really great, and they're very useful at addressing specifically the Silicon Valley-D.C. divide, but the private sector is much bigger than that. And so we really need to think about, you know, what will the role of the private sector be, you know, potentially in warfare? I mean, you know, it's one of the things that sometimes it takes a shock to really think these kinds of thought - these new thinking about how to address it. But, like, in the pandemic, we saw many in the private sector switch their manufacturing model to help support, you know, manufacturing of health equipment.
Andrea Little Limbago: And so, you know, the question is, what would happen, you know, if we - if there was some sort of conflict? What would be the role of the cybersecurity community? What would be the role of others in the financial sector and the energy sector, you know, really, the broader manufacturing sector? And so we really don't have good answers for that because we still think about it much more so in a Cold War mentality. And so we really are - we're at a point, though, where the private sector is really rethinking their role as far as their role with national security and even as far as, you know, their own footprint.
Andrea Little Limbago: And so we're at, actually, a very opportune window right now where because the private sector has had so much disruption from COVID, from the reshoring and the very supply chains disruptions, they're rethinking their global footprint right now and their role in building technology and what's in their technology stack. And so it's a really good time for the government to rethink, you know, how could those - you know, how could the private sector and public sector work together? You have more in the private sector now that are much more willing to address some of the national security concerns. It's not all of them, but there are some much more so now than in the past. And so what can we do to bring the private sector back into the defense equation and do things that are, you know, as it makes sense, you know, collaboration in the areas of where the bottom line and national security overlap? And I'd argue that that overlap is bigger than it has been in quite some time.
Dave Bittner: When you say that we're still approaching this from a Cold War mentality, what does that mean?
Andrea Little Limbago: Yeah. You know, it's basically - and it's on both sides, by the way. It's both on - several times we hear it's coming from the government side and also very much so on the private sector, where for a while it was - you're really thinking that the government is the one that is in charge of entirely national security. The private sector is in charge of business. And for a lot, the two don't cross.
Andrea Little Limbago: You know, early in the Cold War, and especially much even more so during World War II, the private sector played a much more outsized role in national security. And that really has just kind of ebbed since that time. And so we need to, you know, get back to thinking about how the private sector can be an asset towards national security. And it can be in a variety of ways. And it doesn't really have to be actually even being involved in warfare.
Andrea Little Limbago: But when you think about, you know, the restructuring going on as far as the various technologies and what technologies and companies are allowed and not allowed within businesses these days, you know, that there's been over 300 Chinese companies have been named by Commerce that are no longer allowed to be - you know, to have partnerships with companies in the U.S. And so the U.S. is now - the U.S. corporations are being hit both by the various disruptions from the trade war and the tech war, as well as all these regulation shifts. And so they're really rethinking the footprint of where they're going to be and what technologies are going to be in their tech stack going forward. And so that's a good time for the government to both help out as far as providing various kinds of incentives. Like Japan, for instance, has paid over $4 billion to its private - or is in process of paying that to their private sector to help them reshore. And so there's a lot on what the U.S. could do on the incentive side to help with the compliance to build towards those kind of trusted networks that the U.S. government wants to build for greater national security. And so there's just a lot that could be done in that area, from that to, you know, even more of a holistic and - actually, you know, moving toward a federal data protection law would be very, very helpful. Just have some, you know, greater consistency across makes it - makes compliance a whole lot easier and really, you know, thinking about those - you know, different areas and just what could be the broad range of incentives that the government could help with to help move towards those trusted tech stacks, to move, you know, when they're thinking about reshoring, you know, helping out and facilitating where they may want to go and providing, you know, additional kinds of, you know, carrots for like-minded countries that might be good places, both for the business, for the bottom line, but also might make sense in the national security side. And so there's a lot of transformations that are going on. And if the government and private sector can work a little bit better on that, I think we'll be just a lot more prepared going forward into the future to handle all the transformations that are going on.
Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: Great. thanks.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.