The CyberWire Daily Podcast 9.28.21
Ep 1427 | 9.28.21

Homecomings, happy and not so happy. A backdoor for espionage, a Trojan for cybercrime. DDoS techniques, those iPhone zero-days, and indictments. And one guilty plea.

Transcript

Dave Bittner: The triumphant homecoming of Huawei's CFO. Microsoft describes the FoggyWeb backdoor, a significant cyber-espionage tool. Kaspersky looks at the BloodyStealer Trojan and finds it especially risky to gamers. A novel approach to distributed denial-of-service. Apple looks into those iPhone zero-days. Joe Carrigan looks at the latest offerings in passwordless authentication. Our guest is Mathieu Gorge of VigiTrust on how law enforcement and executives can work together to fight cyberthreats. And a look at doings in cybercrime.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 28, 2021. 

Dave Bittner: Huawei CFO Meng Wanzhou's return to China after a prolonged detention in Canada on a U.S. warrant in connection with her company's violations of sanctions against Iran has proven to be, Quartz reports, a moment of nationalist pride in her home country. The Wall Street Journal reports that Chinese news media have downplayed or ignored the role of hostage diplomacy - the release of two Canadians held in China - ascribing Ms. Meng's homecoming to the unspecified but heroic efforts of the Communist Party. 

Dave Bittner: Microsoft yesterday released its study of a new persistent post-exploitation backdoor, FoggyWeb, used by the Nobelium threat group. FoggyWeb is used both for exfiltration of victims' data - including configuration databases of compromised Active Directory Federation Service servers, decrypted token-signing certificates and token-decryption certificates - and for deploying and executing additional malware payloads. 

Dave Bittner: Nobelium is Microsoft's name for the Russian government threat group others call Cozy Bear. It's associated with Russia's SVR Foreign Intelligence Service and sometimes with the FSB Security Service. Microsoft's report includes detailed mitigation advice. We note, in the spirit of disclosure, that Microsoft is a CyberWire sponsor. 

Dave Bittner: Kaspersky researchers have an account of BloodyStealer, a Trojan currently being sold in dark web markets catering to criminals. BloodyStealer is hawked as an information stealer useful for employment against gamers using a range of platforms including Steam, Epic Games Store and EA Origin. The Trojan is both evasive and resistant to analysis. 

Dave Bittner: It's also cheap, going for a monthly subscription of 10 bucks or a lifetime subscription of only $40, which suggests, again, how deeply commodified attack tools have become. Practically anybody can afford them. BloodyStealer can be used against targets of many kinds, not just gaming platforms, but Kaspersky thinks gamers likely to figure high on the criminals' hit lists. 

Dave Bittner: Nexusguard describes a distributed denial-of-service attack technique, Black Storm, more effective and potentially damaging than the more familiar DNS amplification attacks. 

Dave Bittner: Vice reports that Apple is still investigating iPhone zero-days disclosed by frustrated researcher Habr and that Cupertino has apologized for its dilatory response to his bug program disclosures. 

Dave Bittner: And now, let's check the hot sheets, the police blotter, the supermarket tabloids - the places where the men in black would get their news - as if the men in black needed to get their news from anywhere other than from us, of course. 

Dave Bittner: U.S. attorneys for the Eastern and Northern Districts of Texas have indicted a large number of alleged criminals for cybercrimes. The Eastern District has indicted 23 alleged creeps on a variety of charges, including romance scams, investment fraud and business email compromise. All of the suspects are in custody and considered, we observe, as always, innocent until proven guilty. 

Dave Bittner: Their colleagues in the Northern District have indicted 11, one of whom is also named in dispatches from the Eastern District. These are charged with wire fraud and money laundering. They are also in custody, scooped up last Wednesday in a big dragnet. 

Dave Bittner: The crimes charged are particularly loathsome in that they frequently involved elder fraud. They were also lucrative, netting the hoods at least $17 million by the U.S. attorney for the Eastern District of Texas' reckoning. 

Dave Bittner: Acting U.S. Attorney Nicholas J. Ganjei said in the Justice Department's press release, quote, "the criminal conduct alleged in this case is sophisticated in its means, expansive in its scope and callous and its aims. The indictment alleges a scheme where all manner of fraud, including romance and investment scams, was unleashed on an unsuspecting American public, including the elderly and most vulnerable, with the ill-gotten gains siphoned off and funneled overseas. The amount of loss, both financial and emotional, alleged in this case is nothing short of staggering," end quote. 

Dave Bittner: His colleague in the Northern District of Texas was even harsher in his estimation. Acting U.S. Attorney Prerak Shah said at a press conference announcing the charges, quote, "crimes like these are especially despicable because they rely not only on victims' lack of internet savvy, but also their isolation, their loneliness and sometimes their grief. As the victims open their hearts, the perpetrators open their wallets. The only mistake these victims make is being generous to the wrong people," end quote. 

Dave Bittner: The crew arrested are believed to be part of a transnational gang whose activities emanate from Nigeria. The Record reports that the suspects are thought to be members of the Black Axe, a Nigerian criminal confraternity that emerged from university student associations in the 1970s with quasi-religious overtones. Members are said to hold that they have a duty to prey on the gullible, the unwary, the weak. They're known for human trafficking, violence and drug trafficking and, of course, online fraud. 419 scams, the familiar Nigerian prince scam, is often used as an initiatory crime for new members. 

Dave Bittner: What else? Well, there's this - some thirdhand news of gangland, but it looks legit. Reuters reports that TASS, the Russian news service, is authorized to disclose that one Aleksei Burkov has been deported from U.S. confinement back to Russia. He was arrested in Israel in December of 2015 and extradited to the United States in November of 2019. In January of 2020, Mr. Burkov pleaded guilty to fraud, identity theft, computer intrusions and money laundering. He was operating websites that facilitated carding and other computer crimes. 

Dave Bittner: Why the man booted him out of the U.S. is unclear, since the U.S. and Russia don't have an extradition treaty, but Mr. Burkov isn't likely to be getting a hero's welcome in Moscow. He's wanted there on Russian charges, too. 

Dave Bittner: The Wall Street Journal says a U.S. cryptocurrency expert has pleaded guilty to illegal export of blockchain technology to North Korea. Virgil Griffith took the plea yesterday in a Manhattan federal court. He'd been, until his arrest in November of 2019, a senior researcher for the Ethereum Foundation. The occasion for his offense was his attendance of a 2019 conference on blockchain technology, where he consulted with the North Koreans. The U.S. attorney for the Southern District of New York charged him with conspiring to violate the International Emergency Economic Powers Act, the law that prohibits U.S. citizens from exporting goods, services or technology to North Korea. 

Dave Bittner: The blockchain may still look like something out of a techno-libertarian wild, Wild West, but prudent desperados should know that law west of the Pecos stops somewhere east of Pyongyang. 

Dave Bittner: When a data breach or other security incident occurs, many organizations are hesitant to call in law enforcement. There are a number of reasons for that reticence, be it fear of additional scrutiny, bad PR if the incident goes public or just a general distrust of the police. Mathieu Gorge is CEO and founder of VigiTrust, a provider of integrated risk management SaaS solutions. I checked in with him for insights on how we might see better collaboration between law enforcement and the private sector. 

Mathieu Gorge: So you have to understand the life of a CISO, right? So if you look at a CISO, a CISO is the person whose name nobody knows if everything goes well, but the minute something goes wrong, they're public enemy No. 1. So they're not necessarily the most popular people in the company, let alone in the C-suite, let alone at the board, if they ever get a seat at the board table. 

Mathieu Gorge: And so they tend to shy away from anything that has any kind of connection, remote connection to legal stuff. And so to them, law enforcement means there's a legal problem. There might be a lawsuit. There might be criminal charges, whatever. I don't deal with that. Let the chief legal officer or the attorneys deal with that. 

Mathieu Gorge: And what they don't understand is that the role of law enforcement goes well beyond that type of stuff. For instance, the FBI is doing a lot of work in the U.S. in terms of educating people, in terms of talking to CISOs, in terms of talking to the security industry, generally speaking. Interpol is doing the same. Where VigiTrust is based in Ireland, we have the Garda computer crime bureau. They're doing that as well. And in many countries, they are doing that. 

Mathieu Gorge: But I think that they're not necessarily invited into the organization because the CISOs feel that maybe they're going to start digging around. You know, maybe they're going to see stuff that we are doing that's not exactly the way we should do it. Or maybe they know compliance better than we do or security better than we do. And they may think - they may find issues that we're not aware of, or they may highlight issues we are aware of but we haven't managed to address yet. And so they see them as - clearly as somewhat of the enemy. And I think that's the wrong approach. 

Mathieu Gorge: And so what we are seeing now is we're seeing law enforcement worldwide trying to address that misconception out there by providing stuff back to law enforcement. And if I may, there's another point there. And that's you look at public-private partnership generally speaking, whether it's for security or not, there's always a feeling from the industry that the industry gives way more to the government than the government gives back. 

Mathieu Gorge: And that feeling is very true in cyber. There is kind of a feeling that, collectively, the security industry and the industry, generally speaking, is providing a lot of data to the government so that they can help them with protecting the organizations, but the government is not necessarily reciprocating. So there's kind of that idea that, hey, you know, I scratched your back, but you don't scratch mine. 

Dave Bittner: What part does law enforcement have to play in fostering this relationship? Should they be doing a better job at outreach, at saying, you know, if we come and engage with you, it's not going to be a fishing expedition? 

Mathieu Gorge: Yeah, I think that's a fair point. I do believe that some of them are doing a good job at that. They're still kind of faced with some pushback, as I explained earlier. But, yes, they need to - I think they need to really share information, right? And that's the issue that there's still that kind of conception out there that we are going to share information with them, but they're not going to share information with us. 

Mathieu Gorge: At VigiTrust, we have a Global Advisory Board, which is a noncommercial think tank with about 700 members - CISOs, board of directors, regulators, law enforcement, academia and so on. And the guys that we have that come to talk to our advisory board - and some of them are actually full members of the board - from FBI, Interpol, local police, and they share data. 

Mathieu Gorge: And, yes, they share data to a smaller group of people that they've already vetted and so on, but they're quite happy to share some data. And they're happy to say, hey, we're seeing that type of attack. We're seeing a rise of that type of attack in that particular industry in that particular region. Hey, we're seeing a type of attack we've never seen before. We're also seeing attacks that we don't understand. Have you guys seen those attacks? And it's kind of that whole idea of creating a dialogue and a two-way street as opposed to a one-way one. 

Mathieu Gorge: So to that extent, I believe that they still need to do a better job at volunteering information to the public - I mean the selected public in terms of CISOs. But I do believe they are going the right direction. 

Dave Bittner: That's Mathieu Gorge from VigiTrust. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article - this is from WIRED, written by Lily Hay Newman. And it's titled "You Can Now Ditch the Password on Your Microsoft Account." This is something we talk about a lot over on "Hacking Humans"... 

Joe Carrigan: Right. 

Dave Bittner: ...People dealing with passwords. So what's going on here, Joe? 

Joe Carrigan: Dave, it seems like passwords - or getting rid of passwords has been on the horizon like fusion power, right? 

Dave Bittner: Right (laughter). 

Joe Carrigan: I use this reference frequently, but, you know, it's always been 10 years away, 10 years away. 

Dave Bittner: No matter when you ask. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: But the thing to remember about passwords is it's a terrible solution that was developed very early on in the early days of computing as a means to make sure that people weren't hogging up all the resources on a time-sharing computer. 

Dave Bittner: Yeah. 

Joe Carrigan: Right, and to allocate that time. And even the first time it was implemented, somebody found a way around it. 

(LAUGHTER) 

Joe Carrigan: But I digress. But so we have these passwords now. We've been using passwords, and we've been trying to secure passwords with hashing. And humans are terrible at developing passwords that are random. 

Dave Bittner: Yup. 

Joe Carrigan: So we've been recommending using a password manager. People don't do that because it has friction. People hate using passwords. It seems like passwords hate people. People hate passwords. 

Dave Bittner: Yeah. 

Joe Carrigan: So we've been saying we should just get rid of passwords. And we haven't really found a good way to do that. Well, Microsoft has finally taken a step in that direction. With their Office 365 product or Microsoft 365 product, you can now opt for the passwordless means of authentication. And there are a number of ways you can do that. 

Joe Carrigan: No. 1 is you can use some kind of biometric device, right? Like, if your phone or your computer has a fingerprint reader, you can use that...  

Dave Bittner: Yeah. 

Joe Carrigan: ...Instead of a password. 

Joe Carrigan: You can use an app on your phone that you're logged into your Microsoft account, and it says, here's a code, or is this you? 

Dave Bittner: Yeah. 

Joe Carrigan: And then you say yes, and that authenticates you, right? 

Joe Carrigan: You can use a YubiKey. And this happens to be the one I like the best, using a YubiKey. 

Joe Carrigan: And then there are other ways to log in, like a verification sent to your phone or as an email as an alternative to a password. 

Dave Bittner: Yeah. 

Joe Carrigan: All right, now, I'm less inclined to like those... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? - because of SIM swapping if they're going to send you an SMS, or if they're going to send you an email, now it's dependent upon how secure your email is. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: Also, if Microsoft is your email provider and you need to authenticate to that, you know, there's kind of a loop there, right? 

Dave Bittner: Right, right. 

Joe Carrigan: So... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I recommend the YubiKey over the other ways of doing it. I'm not a big fan of biometrics. The app is actually fine. You and I have talked about biometrics. And actually, if you're talking about using modern biometrics and you said, I'm just going to use that, I wouldn't argue with you about it. 

Dave Bittner: Yeah. 

Joe Carrigan: I do have some concerns about it long-term. If there ever becomes a problem with the protocol or a way to spoof the biometric information, that biometric information is, by its very nature, immutable and cannot be changed. 

Dave Bittner: Right. 

Joe Carrigan: And that's really the crux of my problem. So I don't have a threat model in mind. But when a threat does attack that authentication method, there will be little we can do to change how we authenticate. 

Dave Bittner: Yeah. We should mention, I mean, this article points out that Microsoft has made this available to their Enterprise users for a while now. 

Joe Carrigan: Right. 

Dave Bittner: They have 200 million users on that side, so they really had an opportunity to test this with a large group of people. And this is what they're rolling out to consumers. 

Joe Carrigan: Right. 

Dave Bittner: And I wonder, with an organization as large as Microsoft, with the influence they have - I should mention, by the way, Microsoft is a CyberWire sponsor. With the scale and influence that they have, could they really shepherd in a change here? Could this be a step along the way to be done with passwords once and for all? 

Joe Carrigan: Yeah, I think Microsoft is a big player in this field. And as a player by their nature, they're kind of a leader here. 

Dave Bittner: Yeah. 

Joe Carrigan: Other developing organizations - I mean, Apple already has the Face ID... 

Dave Bittner: Right. 

Joe Carrigan: ...As a means of authentication. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So other organizations like Google and Amazon and Facebook and all these other big ones that you always think of, they could start following suit with this and ditching passwords, or at least offering users the opportunity to ditch your password. 

Dave Bittner: Yeah. 

Joe Carrigan: I do like - of all these methods, my favorite is the authentication token. These are usually based on something called universal two-factor, and that is a almost - it's a form of public key-private key authentication, which is something we've been looking for for years is an easy way to do that. And universal two-factor has been around for a while, but it is a good way to do public key-private key authentication. 

Joe Carrigan: Because let's say someone does breach Microsoft and steals all the information about users. If you're talking about password hashes, well, those are crackable unless you have a really strong password. But if you're talking about public keys, they're useless. They're absolutely useless. The only use that public key has is for authenticating the person who has access to the private key. 

Dave Bittner: Right, right. Yeah, there's an interesting quote in here from Bret Arsenault, who is Microsoft's chief information security officer. And he says, "you think that everyone (ph) hates passwords, but there is one faction of people who love passwords. They're called criminals." I think that's right. 

Joe Carrigan: It's a very astute observation, yeah. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: They love them. 

Dave Bittner: I think it'll be interesting to see if this becomes the default, where you can - if when you sign up for a new account with Microsoft or some of these other providers, does these - do these passwordless options - are they the default? You can still use a password if you wanted to, but they really try to channel you into this new way. I think that could be a good move. 

Joe Carrigan: Yeah, I think it could be as well. 

Dave Bittner: Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.