The CyberWire Daily Podcast 11.12.21
Ep 1458 | 11.12.21

Tension in Eastern Europe. A Hong Kong watering hole. US, EU join the Paris Call. Cybermercenaries. CISA’s plans for countering disinformation, and for forming a white-hat hacker advisory group.
Dave Bittner: Notes on rising international tension in Eastern Europe. A watering hole campaign in Hong Kong. The U.S. and the EU have joined the Paris Call. NSO Group's prospective CEO resigns his position before formally assuming it. Void Balaur, a cyber mercenary group, is active on the Russophone cyber underground. Johannes Ullrich on leaked vaccination cards and COVID tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory. CISA intends to increase its capacity to work against misinformation and disinformation, and they also intend to recruit white hat hackers to an advisory board.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 12, 2021. 

Dave Bittner: Since international conflict inevitably brings cyber-conflict in its wake, we begin with a brief account of rising tension in Eastern Europe. Ukraine has expressed concern over Russian troop movements near its borders, and other governments have seconded Kyiv on the matter. Bloomberg quotes U.S. Secretary of State Blinken as saying the deployments resembled the run-up to the 2014 invasion of Crimea. There are also problems between Belarus and its neighbors. Minsk's push of migrants over the Polish, Latvian and Lithuanian borders - which Foreign Policy calls exporting instability - and Belorussian President Lukashenko's threats to stop natural gas deliveries to the EU should the EU sanction Belarus, according to The Washington Post, are additional sources of friction. 

Dave Bittner: According to the BBC and the view from Warsaw, the Russian and Belorussian actions represent a campaign coordinated by Moscow. Bloomberg writes that the U.S. has warned the EU of the possibility of a Russian attack against Ukraine. But Russia's ambassador to the U.N., according to the Military Times, says there will be no invasion unless Russia is provoked and then cites alleged instances of provocation, which would seem to undercut peaceful reassurances. Expect cyber-tensions to rise accordingly. 

Dave Bittner: Google's Threat Analysis Group has outlined a watering hole campaign apparently designed by a well-resourced group, likely state-backed, exploiting a macOS zero-day to spy on Hong Kong democracy advocates. Google's researchers write, quote, "the watering hole served an XNU privilege escalation vulnerability, CVE-2021-30869, unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor," end quote. 

Dave Bittner: Google disclosed its discovery to Apple, and Apple patched the vulnerability in the last week of September. Google doesn't say which state is the likely backer of this particular campaign, but the report is being widely received as calling out a Chinese intelligence operation. 

Dave Bittner: The Chinese services have been taking a greater interest in Taiwan lately, too. That's the conclusion of Taiwan's National Defense Report for 2021, released Tuesday, which describes significant increases in Chinese collection against what Beijing regards as a breakaway province. Breaking Defense sees Taipei's report as echoing many of the conclusions of the U.S. Defense Department's China Military Power Report, which also sees Taiwan as one of China's principal targets. 

Dave Bittner: The U.S. and the EU have announced that they'll join the Paris Call for Trust and Security in Cyberspace, agreeing to support the Call's nine principles. The U.S. adherence to the Call represents a change from the previous administration's policy. So far, 80 states, 36 public authorities and local governments, 391 organizations and members of civil society and 706 companies have joined. 

Dave Bittner: The Paris Call's nine principles are worth reviewing - first, protect individuals and infrastructure; second, protect the internet; third, defend electoral processes; fourth, defend intellectual property; fifth, non-proliferation; six, life cycle security; seven, cyber hygiene; eight, no private hack back; and nine, international norms. 

Dave Bittner: The CEO-designate of controversial intercept vendor NSO Group has stepped down before formally assuming leadership of the company, Reuters reports. Isaac Benbenisti explained in his letter to NSO Group's chairman that special circumstances arising from the company's placement on a U.S. blacklist render it impossible for him to carry out his vision for the firm's future. NSO Group has been controversial in many countries, and its position as a prominent vendor of readily abused surveillance tools has become an embarrassment to the Israeli government. 

Dave Bittner: The Jerusalem Post reports that the Palestinian Authority said this week that several employees of its foreign ministry have had NSO's Pegasus tool installed on their phones. The Israeli Defense Ministry, the Post says, declined to comment, and NSO Group said that it's not the operator of the products it sells. Any abuse, in the company's view, is the responsibility of the operators. 

Dave Bittner: Trend Micro has published an extensive report on a cyber mercenary operation it's calling "Void Balaur," and whose activities the researchers say at first appeared to be associated with the GRU's APT28, or Pawn Storm. On further review, however, they think it likelier to be linked to the mercenary group also known as RocketHack, which was itself described earlier this year. 

Dave Bittner: Void Balaur has been advertising in underground C2C markets since 2017 at least. As far as Trend Micro can tell, the group has an exclusively Russophone clientele. Quote, "to our knowledge, Void Balaur has never advertised in underground forums that were not Russian language-oriented. However, there used to be a website on that was registered on February 21, 2018 and was available on its bare IP address until at least December 2020. On the website, Void Balaur listed services such as hacking into mailboxes or flooding them with spam, distributed denial-of-service attacks and flooding phone numbers in Commonwealth of Independent States or CIS countries only," end quote. 

Dave Bittner: For what it's worth, the criminal word-of-mouth about Void Balaur is pretty favorable. Quote, "the feedback that Void Balaur receives on underground forums is unanimously positive. Posters mention that the hacking service delivers the requested information on time, while others commented positively on the quality of the delivered information from mailboxes. Yet others posted about passport details they had requested," end quote. 

Dave Bittner: Void Balaur's offerings would be equally attractive to criminal gangs and espionage services. The latter, Trend Micro points out, would regard the cyber mercenaries as strategic assets. 

Dave Bittner: Some developments at the U.S. Cybersecurity and Infrastructure Security Agency are worth mentioning. First, the agency continues to issue advisories on ICS security. CISA yesterday released 18 industrial control system advisories. 

Dave Bittner: Second, Director Easterly said that her agency intends to increase its capacity to work against disinformation and misinformation. The Hill reports that the move to expand that capacity is motivated by the experience of the 2020 U.S. election. 

Dave Bittner: And third, CISA intends to bring a set of white hat hackers into a cybersecurity advisory board, which, according to the account in Roll Call, would not only serve as a source of advice, but would also help preclude the growth of an underground market for zero-days. 

Dave Bittner: And finally, some sad news for the cybersecurity industry. Alan Paller, founder of the SANS Institute and for many years a leader in the sector, passed away Tuesday at the age of 76. He's being especially remembered for his contributions to education in the field. Our condolences to his family, friends and colleagues. His was a life well-lived, and he will be missed. 

Dave Bittner: Attivo Networks recently released research highlighting the gaps in security for Active Directory and showing that many organizations are struggling to identify the best tools and techniques to close them. Carolyn Crandall is chief security advocate and CMO at Attivo Networks. 

Carolyn Crandall: Active Directory - it's remarkable for it being the main directory services of most organizations. However, it's not often thought about. It's more relegated to kind of a plumbing maintenance. But what's been seen in so many major attacks today is that attackers are getting in and they're exploiting Active Directory. And because it really is the keys to the kingdom, they're then able to conduct these massive attacks and demand very large ransomware payments. 

Carolyn Crandall: And so what is happening is organizations are needing to rethink how they protect their Active Directory and try to find ways to kind of build that castle and moat around Active Directory, especially in today's distributed world. It's just now there's no longer a perimeter border, so now you've got to think about it as far as identities and how they'll access this resource and how to better protect it, given that that's how they'll be trying to exploit it and get in. 

Dave Bittner: So what are you and your colleagues there at Attivo tracking in terms of how folks are coming at Active Directory? 

Carolyn Crandall: So we track it on many fronts. We like to follow the attacker. And if you start at the endpoint, you look at the exposed credentials and how the attacker is able to find the attack paths and the access into Active Directory. And they're looking for everything from the credentials that may be left there so that they get privileged access, and then they're looking for other exposures and vulnerabilities to be able to get in so that they can take control. 

Carolyn Crandall: And once they are able to get control, then they're able to do things like download mass amounts of malware. They can reset security policies. They can do things to hide their tracks. They can delete backups. They can do all kinds of damaging things. 

Carolyn Crandall: And so once you hit that Active Directory level, you're looking at the visibility to those exposures. Plus, you're also looking at the live attack activity in order to see when those things, such as a mass account change is being made or mass password changes or things like DCShadow or DCSync type of attacks or those favorite golden ticket type of attacks that can be quite deadly. And so you're really looking for that activity to be able to detect it before any real damages can be done. 

Dave Bittner: And how do users get insights onto that? I mean, what are your recommendations in terms of detection methods? 

Carolyn Crandall: Yeah, a lot has changed. I mean, before, a lot of people would be using, you know, logs and other things to look for unusual behavior. But unfortunately, there's just not enough AD administrators and time, quite honestly, to do this in the manual way that's been done before. And so what you've seen in the last year is a lot of automation coming around automated Active Directory security assessments. And you can use tools for that. So there, you can see visibility to vulnerabilities and also the exposures. So not just, you know, are you patched, but also where those misconfigurations are there. 

Carolyn Crandall: And then there's also some really cool - two levels of technology. One is to see if an attacker is trying to enumerate Active Directory. And then there's also cool concealment technology that's out today that actually hides the Active Directory objects from the attacker and then will misdirect them. And they do this by feeding it disinformation. 

Carolyn Crandall: And it's amazing because if the attacker's using their typical tools like, say, Bloodhound or Mimikatz, they're going to do their query. They're going to get the information back that they think they're supposed to get. And so they're going to take action, but it's really disinformation that can just steer them into a decoy. 

Carolyn Crandall: And here, they kind of spill their beans, right? Now they get all the information collected on their TTPs, and they get information so they can shut down that attack, but also get counterintelligence on how that attacker is attacking them. So it's super efficient. It throws off real attackers. We see it all the time with pen testers and the red teams come back and say, hey, I got into your Active Directory. And now, fortunately, the defender is like, well, no, not really. Here's every step you took, you know... 

Dave Bittner: (Laughter) Right. 

Carolyn Crandall: ...From 20 command sets in about what you're doing. So it's really fascinating technology. 

Carolyn Crandall: You want to know if somebody is in tampering with your Active Directory. And it's a really no-excuse situation anymore, right? You know, if it is your crown jewels and it can change and cause such damaging harm to your organization that whether it's driven by compliance or insurance policies, things are going to get tighter. And not protecting your Active Directory could be seen as negligent behavior. 

Carolyn Crandall: And so we know it's coming in 2022, a lot of changes around it. So I definitely encourage businesses to get ready for it and to change their security architecture. It's not hard to do - not expensive to do either. But get ready for the things that are going to be expected around Active Directory protection because it's just not acceptable not to protect that valuable of a resource anymore. 

Dave Bittner: That's Carolyn Crandall from Attivo Networks. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast, which I must admit is my second-favorite daily cybersecurity podcast - for obvious reasons. 
Dave Bittner: Johannes, it's always great to have you back. I wanted to touch base today about vaccination cards and COVID tests. You know, I recently went in and got my booster shot, and I felt really good about that. But one of the things that struck me is that there's nothing particularly secure about these cards that they're handing out these days. 

Johannes Ullrich: Yeah, and that's part of the problem - so, you know, fake cards. But in order to get a fake card, a great fake card, you need some information that looks legitimate, like, for example, the lot number of the vaccine should be one that actually has been used in a particular area. That can sort of be used to identify fake cards. 

Johannes Ullrich: What happens, sadly, more and more is these cards leaking. Now, initially, we have seen people posting them on social media. But with some of the regulations, for example, around travel, your airline or even the travel agent or someone that arranges travel for you, a hotel, may ask you to provide them with a copy of the card. And what easier to do than just send it to them in an email? And what we are seeing is these vaccination cards but also COVID test results leaking more and more. And essentially, all it takes is a decent Google query in order to find them. 

Johannes Ullrich: So that's one problem - that people just overshare a little bit. And I don't really want to just point to social media. It's also sending them as an email. For example, what we found is there are a bunch of these cards and vaccination results and test results on VirusTotal. VirusTotal, what a lot of people don't realize, makes essentially all the documents that you upload to them public. Now, you need paid access for the data to search it, but still, it's public. It's, after all, owned by Google. So Google isn't in the business of making data like this public and searchable. 

Dave Bittner: You know, I think that's a really interesting point. I mean, do you have any insights into what degree are things that we send around in email, attachments that go out via email - are bad actors scanning for that stuff actively? 

Johannes Ullrich: Yeah. What often happens is - think about email attachments like PDFs, and often in this case, it is a PDF - that some organizations are essentially using scripts to upload these files to VirusTotal. It saves them buying all of these virus scanners themself and then trusting VirusTotal's results whether or not a file is malicious or not, which is, on the surface, not a bad idea. But inadvertently, in sending these documents to VirusTotal, they make them public. And, yes, actually, COVID test results are probably one of the lesser issues here as far as confidential documents that are being uploaded. 

Dave Bittner: So are you saying that, really, all it takes is a paid membership to VirusTotal, and you have access to all of these scanned documents? 

Johannes Ullrich: Correct. You have to find the right keyword to search for, and then it's actually kind of like a Google search but just against the database of documents uploaded to VirusTotal. So you definitely should be a little bit careful. And I don't want to take away from the value of VirusTotal. They provide a very valuable service. 

Johannes Ullrich: As an alternative instead of uploading the document, you can also just query a hash of the document with VirusTotal to see if it was already uploaded and either found to be malicious or not malicious. So that's another option - not quite as good as uploading the actual document if you're trying to find malware, but probably a better compromise. 

Dave Bittner: Yeah. I mean, is this a situation where perhaps folks should be using different services or, dare I say, paying for services to scan their email? 

Johannes Ullrich: Yeah. It's not that terribly hard to build your own little VirusTotal and not that terribly expensive necessarily given that, you know, all you have to buy is a couple licenses for different virus scanners and maybe create a script. And probably you can even find one already exists that does these scans for you on premise on your systems. But it's old-fashioned, Dave, and nobody's doing anything on the premise anymore. We all send our data in the cloud and cross our fingers and hope for the best. 

Dave Bittner: Yes. I stand corrected, of course. All right. Well, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at If you find yourself with some free time this weekend, be sure to check out "Research Saturday" and my conversation with Tara Gould from Anomali. We're discussing their research inside TeamTNT's impressive arsenal, a look into a TeamTNT server. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.