No crackdown on ransomware from Moscow (at least so far). Cyber Partisans in Belarus. A long-running Chinese cyber campaign. Phishing and other cybercrime. Mercenaries.
Elliott Peltzman: That Russian crackdown on ransomware gangs people thought they were seeing hasn't happened, at least according to the FBI. The Cyber Partisans take a virtual whack at President Lukashenko's government in Belarus. Operation Harvest is complicated and long-running. Phishing with the promise of infrastructure funding. The criminal market for bogus vaccine cards. Johannes Ullrich from SANS on dealing with image uploads - vulnerabilities in conversion libraries. Our U.K. correspondent Carole Theriault on deepfakes - what you need to know now. And a deferred prosecution agreement in a cyber mercenary case.
Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Wednesday, September 15, 2021.
Elliott Peltzman: Hope that Russian authorities were cracking down on ransomware gangs has proved to be a false dawn. FBI Deputy Director Paul Abbate yesterday told the Intelligence & National Security Summit what o'clock it was, and dawn is still a long way off. The Bureau has seen no evidence of Russian cooperation or unilateral action against the cyber gangs.
Elliott Peltzman: The Record quotes Abbate as saying, quote, "based on what we've seen, I would say there is no indication that the Russian government has taken action to crack down on some ransomware actors that are operating in the permissive environment that they've created there," end quote. The U.S. has requested action and cooperation, but these haven't been forthcoming. Quote, "I would say that nothing's changed in that regard," the deputy director added.
Elliott Peltzman: The temporary occultation of the REvil gang after some high-profile ransomware attacks were followed by some direct talk from Washington to Moscow had raised hopes in some quarters that the U.S. had succeeded in altering Russia's toleration and encouragement of privateering in cyberspace. But that appears not to have been the case. REvil is back, and if you take the gang at its word, they were more or less just out for a smoke, and now break time is over.
Elliott Peltzman: The U.S. is thus mulling what to do about ransomware in particular as a matter of national policy. The director, NSA, General Paul Nakasone, told the AP that, quote, "even six months ago, we probably would've said, ransomware - that's criminal activity. But if it has an impact on a nation, like we've seen, then it becomes a national security issue. If it's a national security issue, then certainly we're going to surge toward it," end quote. The surge would involve, at the very least, increased attention to the problem and more of the familiar imposition of costs on the bad actors.
Elliott Peltzman: While you can't shoot your way out of the problem entirely, there may be a role for more aggressive action. Bloomberg quotes the U.S. National Cyber Director Chris Inglis, also speaking at the Intelligence & National Security Summit, to the effect that, quote, "there is a sense that we can perhaps fire some cyber bullets of a kind and shoot our way out of this. That will be useful in certain circumstances. If you had a clear shot at a cyber aggressor and I can take them offline, I would advise that we should do that so long as the collateral effects are acceptable," end quote.
Elliott Peltzman: But, of course, attacks against specific adversary assets in cyberspace - and with respect to ransomware, we're talking mostly about Russian assets - are unlikely to be sufficient to deter Russian leadership. Chris Inglis says, quote, "there's a larger set of initiatives that have to be undertaken. Not one of those elements is going to be sufficient to take this thing out," end quote.
Elliott Peltzman: It does, however, seem to be the case that NSA and U.S. Cyber Command are indeed contemplating a surge against ransomware in cyberspace.
Elliott Peltzman: The Washington Post this morning reported on the fortunes of Cyber Partisans, a dissident hacktivist group in Belarus. The group, thought to be composed of about 15 Belarusian expatriates and believed to have the support of some dissidents within Belarus' security apparati, has been an inveterate critic of President Lukashenko's government.
Elliott Peltzman: The Cyber Partisans now claim to have obtained access to recordings of more than 5 million calls outlining repressive measures the government instituted after last year's disputed presidential election, widely believed to have been fraudulent. Evidently, the regime not only taps its own operators, but is also sufficiently leaky to have lost control of the recordings to the Cyber Partisans.
Elliott Peltzman: McAfee this morning published a study of Operation Harvest, a cyber-espionage campaign the researchers believe to be operated by a Chinese threat group, either APT27, aka Emissary Panda, or APT41, Wicked Panda or Winnti - perhaps both. It's a complex and long-running effort marked by multiple privilege escalation and persistence techniques and presence in the network.
Elliott Peltzman: The security firm INKY reports finding a new phishing campaign prompted by the recent U.S. infrastructure bill. The hoods send a bogus email purporting to be from the U.S. Department of Transportation. The phishbait says, essentially, that since a trillion bucks in change is about to flow from the government to those savvy enough to position themselves for it, you, too, recipient, should ring the bell on that gravy train.
Elliott Peltzman: Basically, the crooks are after Microsoft credentials, and their approach is direct, simple-minded and, alas, all too likely to persuade them unwary. The email simply says, USDOT - that is, the U.S. Department of Transportation - invites your business to submit bids for the department's projects, followed by a big blue click here button. It continues, quotes will be submitted online in the bid system after signing in.
Elliott Peltzman: Experienced textual critics of U.S. government requests for proposals will be moved to skepticism, but those unused to government work might bite on that phishbait.
Elliott Peltzman: As vaccine mandates are planned and brought into effect, the criminal market for bogus vaccine passports has surged with the new policy-driven demand, security firm Check Point reports.
Elliott Peltzman: The key conclusions that they reached in their study are that the criminal market for fake vaccine certificates has expanded globally to 28 countries. The most recent additions are Austria, Brazil, Latvia, Lithuania, Malta, Portugal, Singapore, Thailand and the UAE. On August 10, Check Point had identified about a thousand vendors of phony certificates operating on Telegram. That number has now swollen by an order of magnitude, with more than 10,000 hoods now hawking bogus vaccine passports.
Elliott Peltzman: Demand is driving up prices. They currently range from about $85 to $200 per document. Since President Biden began talking about a vaccine mandate, the value of a U.S. card has doubled from $100 to $200.
Elliott Peltzman: As a general rule, Check Point thinks everyone should be aware that genuine vaccination certificates aren't sold over the internet. As their report puts it, as a general statement, genuine health-related certificates are not sold over the internet. Anybody who is offering to sell such documents over the internet - clearly doing so illegally. We recommend people not engage with sellers publishing on such groups or marketplaces anywhere across the web. And insofar as it makes sense to talk about price gouging in a criminal market, dog bites man. Crooks are greedy.
Elliott Peltzman: And finally, the U.S. Department of Justice has reached a deferred prosecution agreement with three former intelligence and military personnel who provided services to the UAE that violated export and computer abuse laws in the course of work they undertook on behalf of the UAE.
Elliott Peltzman: Quote, "on September 7, U.S. citizens Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. intelligence community or the U.S. military, entered into a deferred prosecution agreement that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The department filed the deferred prosecution agreement today, along with criminal information alleging that the defendants conspired to violate such laws," end quote.
Elliott Peltzman: There are plenty of legitimate ways of doing business abroad with not only the permission, but with the positive encouragement of U.S. law. But providing unlicensed export-controlled defense services in support of computer network exploitation and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States, would not be among them.
Elliott Peltzman: The Emirati company that hired them was identified by The New York Times as DarkMatter. The three gentlemen who reached the agreement must pay almost $7 million and forego the opportunity to ever receive a security clearance. They also agreed to keep their noses clean and cooperate with investigators for the next three years.
Carole Theriault: In Nina Schick's book on deepfakes, she writes that the rapid rate of change has made our information ecosystem ripe for exploitation. Increasingly, bad actors ranging from the nation-states to lone influencers are using this new set of circumstances to spread disinformation or information that is meant to mislead. And she says compounding this issue with the fact that we're still in the foothills of the AI revolution is going to lead to a further evolution of our information ecosystem.
Carole Theriault: And that's where the idea of deepfakes come in. Where are we at with them? They became a thing a few years ago, but they keep popping in and out of the press as though there's something nebulous about them. I asked Javvad Malik - he's a security guru at KnowBe4 - what his view on deepfakes. Here's what he had to say.
Javvad Malik: I think from deepfakes point of view, there's two use cases that I think we're going to see more of, which is quite frightening. One is where they use it in a layered attack. And by that, I mean is where you might get a text message. And to reinforce that, you'll get an email. And then to reinforce it, you'll see a deepfake video. I might send you a WhatsApp message saying, hey, Carole, check out this video. And then I'll email you saying, did you check your phone? Check that out. And then I might text you to get your...
Carole Theriault: Right.
Javvad Malik: And then because you're receiving the same message on multiple platforms, it becomes far more believable. And you're more likely to get sucked into it because you're like, well, if these people believe it, then it must be true. In a layered attack, we're going to see more use of that.
Javvad Malik: The second part is, really, in misinformation and disinformation campaigns. The truth is kind of, like, on one end, and complete falsehood is on the other end. It's the gray area in between that a lot of people are always on the fence about. They can be shifted one way or another. And the deepfakes, they're very good when they're used sparingly, in small amounts, just to mix in the right amount of doubt into something to cause you to question the validity of something. So....
Carole Theriault: They're sneaky.
Javvad Malik: Exactly, just the right amount. You're just sneaky. Exactly. That's the perfect term. And what it does is it's just enough to sow those seeds of doubt into it just to get you thinking, well, you know, maybe, you know, the government is doing this. Maybe the DVLA is after us like this. Maybe - you know, there's all these kinds of little things that you can do.
Javvad Malik: And by that, what you create is dissent because you divide people's opinions. And small changes or small difference of opinion can have really big impacts very quickly. And that's where deepfakes will probably be really impactful.
Carole Theriault: I think he's right. I think it is the people that are in the middle, that aren't strongly attached to one view or another, that are probably most vulnerable in this situation. So those of us that consider ourselves in the gray area, maybe continue to exercise extra vigilance out there.
Carole Theriault: This was Carole Theriault for the CyberWire.
Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You know, I can't help but thinking about images as being benign. And I know I should have shed that assumption, you know, long ago. But it's still hard for me to think of something like a good old JPEG or a GIF image as being anything but just what it is, just an image.
Dave Bittner: But that's not the case anymore. And you wanted to share some work that you and your colleagues have been doing when it comes to vulnerabilities in conversion libraries. What's going on here?
Johannes Ullrich: Yeah, Dave, thanks for having me again. And this is really sort of one of those often-overlooked things. It's actually not really new by any means. But images can be code in some cases. But the main problem with images is that, first of all, there are so many formats and sub-formats. So you typically have to deal with dozens or so of different formats in the respective conversion libraries. And then images are, most of the time, compressed. And turns out that whenever you deal with compressed data, it becomes a little bit difficult to allocate the correct amount of memory. And that's how you end up with your classic buffer overflow then.
Johannes Ullrich: And that's what often happens to these libraries. Now, where this really comes to play is if you are accepting image uploads, for example. So a lot of web applications allow customers, for example, to upload images. Or you have applications where you allow, for example, PDFs to be uploaded, which have similar issues, maybe even more so than your plain images. And you have to then display them back either to an administrator that vets these images or to other users, for example, as part of a product review or whatever feature you have on your site that does allow users to upload images.
Dave Bittner: And so what's the potential problem here?
Johannes Ullrich: Probably the most obvious problem is what if you have a malicious file, like a PDF? That's probably what people are most familiar with. And now an unsuspecting user is looking at the PDF and is getting exploited.
Johannes Ullrich: Well, there's a way to prevent this. And one common technique that developers have used in the past in order to prevent exposing their users to malicious content is they convert those images or files. So, for example, for a PDF, you can convert them to PostScript and then back to PDF. There's a special version of PDF - PDF/A - that avoids a lot of the problems.
Johannes Ullrich: But what you're doing then, and many people are not really aware of - you're really sort of moving the problem from the user to your server. Basically, who do you want to rather have hit by malicious code? Is it your user...
Dave Bittner: (Laughter).
Johannes Ullrich: ...Browsing your website or is it your server? As a developer, well, let's go for the user, but...
(LAUGHTER)
Dave Bittner: Right, right. It's - depending on who you're talking to and what day of the week it is, you might get a different answer on that, right?
Johannes Ullrich: Correct, yes. And so that's - also, like, Dave, if you want to, for example, change the resolution, change the size of an image, there's a very popular open-source library called ImageMagick to do this with, and it had a number of issues, and just recently again, that allowed an attacker to trigger a code execution on the server as the image is reformatted.
Dave Bittner: So what are your recommendations here, then? I mean, is this a situation where - you know, the software package you were just talking about - has that been updated? Has it been patched? Is it - is this a matter of, you know, trusting your third-party code?
Johannes Ullrich: It is a little bit a matter of third-party code and trusting, basically, those libraries. The latest vulnerability here, which was Ghostscript vulnerability here in ImageMagick - I'm not 100% sure if it has been fixed yet, but it was not fixed when the vulnerability was first announced. It's also a relatively easy-to-exploit vulnerability. So you always have this window. And how fast can you patch all of this stuff? That's also another problem here.
Johannes Ullrich: Very common mitigation technique here is really just assuming that stuff will go wrong, that stuff happens so often in IT. And isolate the process or run the conversion in something like a Docker container, virtual machine, whatever works for you, something that you can easily reset after the conversion happens so whatever exploit may have happened there, it's not going to leak any confidential data. It's not going to be persistent. And with that, you at least sort of limit the impact of any vulnerability like that.
Dave Bittner: All right. Well, interesting stuff. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: Thank you.
Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Brandon Karpf, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner. And I'm Elliott Peltzman. Thanks for listening.