The CyberWire Daily Podcast 12.10.21
Ep 1476 | 12.10.21

Cyberespionage in Southeast Asia. Two young extortion gangs make their bones. Bot-herders like MikroTik devices. Log4Shell zero-day exploited in the wild. Update on the Assange case.


Dave Bittner: Cyber-espionage in support of Belt and Road and of Beijing's claims in the South China Sea. Karakurt ransomware skips the encryption and goes right to the doxing. BlackCat ransomware is rising. Vulnerable MikroTik devices are bot-herders' favorites. The Log4Shell zero-day is being exploited in the wild and will be a tough one to remediate. Julian Assange moves closer to extradition. Johannes Ullrich on changing user behavior. Our guest is Oliver Rochford of Securonix on the affordability of good security. And shoulder-surfing as a threat to Snapchat users.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 10, 2021. 

Dave Bittner: Threat intelligence firm Recorded Future's study of Chinese cyber-espionage outlines the ways in which the intelligence effort is designed to support Beijing's Belt and Road Initiative. The principal targets of the campaign are Malaysia, Indonesia and Vietnam. The Philippines, Laos, Cambodia and Thailand are also being prospected. 

Dave Bittner: Recorded Future's Insikt Group elaborates, quote, "the activity highlighted includes a group we track as Threat Activity Group 16, which has compromised several high-profile military and government organizations across Southeast Asia throughout 2021 using custom malware families such as FunnyDream and Chinoxy," end quote. The activity against targets in Laos and Cambodia is particularly concerned with supporting Belt and Road. And the cyber-espionage, while certainly bearing upon China's plans for economic dominance, also serves to support Beijing's side in territorial disputes, especially disputes in the South China Sea.

Dave Bittner: Accenture this morning published a description of the still relatively unknown Karakurt ransomware gang active since this June. It's still unclear where Karakurt fits in the underworld ecosystem. Karakurt - and the self-applied name is that of a venomous spider - is an extortion play, but it represents a kind of second-stage ransomware which doesn't bother to encrypt or otherwise damage or degrade its victims' data. Instead, it simply steals the data and then threatens to publish them on its dump site Karakurtlair. The gang counts on the embarrassment they threaten as a sufficient goad to the victims' paying up.

Dave Bittner: In any case, Accenture thinks Karakurt is just getting started. Quote, "Accenture Security assesses with high confidence that the group's operations have just begun and that Karakurt activity will likely continue to proliferate in the foreseeable future, impacting additional victims," end quote. 

Dave Bittner: The BlackCat ransomware affiliate program, the MalwareHunterTeam tells BleepingComputer, is deploying a sophisticated executable written in Rust. BlackCat came to prominence in late November, and it's being hawked in Russophone criminal markets. The ransomware itself, also known as ALPHV, seems constructed from scratch, without the use of templates or other preexisting code. 

Dave Bittner: Security firm Eclypsium describes how exploitable, vulnerable MikroTik routers and ISP devices have become and remain popular among bot-herders. The MikroTik devices are plentiful, powerful and, where they're vulnerable, they're relatively easy to incorporate into botnets. TrickBot reverted to them when U.S. Cyber Command disrupted its operations, for example, and they were also the bots of choice in the Meris botnet's then-record 21.8 million records-per-second distributed denial-of-service attack against Russian internet firm Yandex back in September. Eclypsium's advice to enterprise security teams is to get scanning, identify and isolate vulnerable MikroTik devices. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - CISA - yesterday released three industrial control system advisories. CISA also urges organizations to apply the updates Cisco has made available for multiple vulnerabilities in Apache HTTP Server affecting the company's products. 

Dave Bittner: While those vulnerabilities are certainly important and while CISA's advice is worth taking seriously, another Java issue is attracting even more attention. CVE-2021-44228 is a zero-day affecting the Java logging package log4j. This is widely used in a number of software products. A partial list, according to security firm Huntress Labs, includes products by Apple, Twitter, Steam, Tesla, a number of Apache applications - like Apache Struts, Solr, and Druid - Redis, ElasticSearch and any number of video games, Minecraft being prominent among them. 

Dave Bittner: The vulnerability is undergoing active exploitation in the wild. Late last night, GreyNoise reported that they were currently seeing 2 unique IPs scanning the internet for the new Apache Log4j RCE vulnerability. Badpackets tweeted earlier this morning, mass scanning activity detected from multiple hosts checking for servers using Apache Log4j - Java logging library - vulnerable to remote code execution.

Dave Bittner: Some are calling the vulnerability Log4Shell. The Record says, quote, "Discovered during a bug bounty engagement against Minecraft servers, the vulnerability is far more impactful than some might expect, primarily because of Log4j’s near-ubiquitous presence in almost all major Java-based enterprise apps and servers. Naturally, all the companies that use any of these products are also indirectly vulnerable to the Log4Shell exploit, even if some of them may be aware of it or not." 

Dave Bittner: Huntress Labs advises that users of Apache log4j should upgrade to log4j-2.1.50.rc2 as soon as possible. They also point out that this isn’t a complete solution, and that the problem is so widely distributed that users will have to wait for individual vendors to push fixes. 

Dave Bittner: WikiLeaks impresario Julian Assange may be approaching extradition to the U.S., where he faces 18 counts of espionage and conspiracy to illicitly access a military computer. The Wall Street Journal reports that the High Court has overturned a lower court's stay of extradition. Mr. Assange isn't out of appeals - he's expected to seek relief from the U.K.'s Supreme Court. 

Dave Bittner: The lower court that had blocked his extradition held that Mr. Assange would be at risk of suicide should he be held in the harsh conditions afforded by American prisons. But the High Court was satisfied, the Journal writes, that, quote, "diplomatic assurances given by the U.S. that Mr. Assange wouldn’t be held under the strictest maximum-security conditions if extradited were sufficient to clear the path to extradition," end quote. 

Dave Bittner: Mr. Assange will remain in a British prison while his extradition process continues. The U.S. Justice Department described itself as pleased by the decision, but declined further comment. 

Dave Bittner: Shoulder surfing may be banal, but effective. ESET has posted a how-to Snapchat shoulder-surf demo as a warning. The hacker looks over the user's shoulder, obtains their phone number, uses it on their own phone to tell Snapchat they've forgotten their password, then looks back over the victim's shoulder to see the confirmation code appear as a drop-down. So use two-factor authentication and stay aware of your surroundings. 

Dave Bittner: And a side note, since a lot of people are up in arms nowadays about the effect of social media on youth - Snapchat says it’s marketed to the 18-to-24-year-old demographic. Our own teen spirit desk tells us, OK, boomer, no way. In fact, teens and tweens who like each other no longer try to get one another’s phone numbers, which would be the kind of thing some Gen-X granny would do. They ask instead if they can Snap someone. We hope they’re paying attention to who’s around them, but somehow we doubt it. 

Dave Bittner: The best security in the world doesn't do your organization any good if you can't afford it. And despite security budgets trending toward increases these past few years, many companies find themselves faced with tough security choices. Oliver Rochford is security strategist and analyst at Securonix, and I checked in with him for insights on security affordability. 

Oliver Rochford: I think that in the moment, there are quite a lot of businesses who are finding that the ceiling of entry in some industries has just risen due to security requirements. You know, I think we talk about good security being affordable, but the point of that risk is this point of affordability which you have to reach to even be a viable business. And if you can't, even though it might take a time or two you realize it, you're not actually able to operate securely. So the question of how much this is - I think it's an important one. And at the same time, of course, we do have ways of being able to lower that ceiling, you know, of our strategies to be able to do that. But it has to be clear to a lot of people that if you're using digital technologies, there's a minimum buy-in price. 

Dave Bittner: And what is that minimum buy-in? What is the least that people can do and still consider themselves to be secure? 

Oliver Rochford: I think that's going to depend to a great degree on risk appetite. But the way that it's normally calculated is a - you know, it's normally a percentage of IT budget, and IT budget is only a percentage of revenue. And what's typical in that area? Well, depending on the industry, 5 to 10% of revenue is normally IT budget nowadays. And some - in tech, you're going to have it a lot higher, of course. And then the security budget - typically somewhere around 5% again. 

Oliver Rochford: So if you have 50 million revenue, you have maybe $250,000, $350,000 to play with. And that sounds like a lot. But, I mean, if you have 250 employees, that's about $80 per employee per month. And that has to include all of the user-facing stuff, the VPN, the two-factor authentication, the endpoint protection but, more importantly, also all of the stuff that kind of runs in the back office from disaster recovery and backups and, you know, security monitoring and so on. So it's actually not that much money. 

Dave Bittner: So are organizations being unrealistic in estimating the amount of spend that it takes for this? 

Oliver Rochford: I think in many cases, they are definitely trying to stretch the budget to an unrealistic degree, right? I mean, the biggest cost aside from technology are people. For - as an example, a lot of people will tend to buy the technology but not have the people to man it. We can use services. That's an ideal solution to this problem. But then you're moving from having to run your own security to liaising and managing these relationships, which for some organizations doesn't seem any easier. But you have to be able to fulfill this in some way. And I think that because it's an invisible cost until you're breached, for a lot of businesses, they do underestimate it. Yeah. 

Dave Bittner: How do you recommend that organizations go and do their shopping around for these sorts of things? If I'm - you're looking at two different providers and their prices are very different from each other, how do I go about that evaluation? 

Oliver Rochford: So, you know, this is a typical lemon market, especially for services. You know, the original lemon market is because you can't tell how sour a lemon is before you bite into it. So why would you pay more for one over the other? And it's the same as with services. 

Oliver Rochford: I can remember when I was an industry analyst from the time that somebody had started with a provider to the time that they were giving references for, like, industry research, which might have been three to four months, the satisfaction level had dropped tremendously. And that's because they started to learn about, OK, you know, what was included? What wasn't included - how much elimination of false positives, for example, a provider will do using threat intelligence before they forward it to you and eliminate work for you? All of these things you don't necessarily know until you're a bit familiar with your services. 

Oliver Rochford: So I would say on the one hand, you know, make sure that you vet a service provider in terms of speaking to the actual service delivery manager - so the actual analyst - to see what their process looks like in detail, which points to their responsibility and yours again. And ask them what kind of companies in your industry and your size they already have. Try to speak to references who've been there longer, not new customers because they're still a bit bleary-eyed - the ones who have renewed. And ask about the renewal rate as well. I think these are important points. 

Oliver Rochford: And lastly, you know, they're going to be in an ivory tower. They're never going to get to know your business in particular because they're managing maybe a couple hundred organizations. But you can ask them how they tried to mitigate that problem. If they're not even aware it's a problem, I'd run a mile. But they should know your type of business if they can't get to know your business specifically, for example. 

Dave Bittner: That's Oliver Rochford from Securonix. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it's always great to have you back. You know, Johannes, people are starting to move around the country and indeed the globe these days. And that means that those of us who are trying to keep track of them for security reasons are faced with some new patterns. What are you all seeing there? 

Johannes Ullrich: Yeah. One thing that sort of, you know, I ran into myself starting to travel, in particular, international again - companies over the last year or so got used to people pretty much staying put. And of course, at the same time, you also had a lot of attacks against VPN servers and such. So there are only two options that an administrator has at this point. They can find a real solution like multifactor authentication, but that's hard. Or they can do something simple that will at least keep the noise down in the logs, and that's blocking certain IP address ranges, or only allow a limited set of IP address ranges to connect to the VPN concentrator. And that worked well as long as people pretty much connected from home. Maybe they connected from a mobile phone or such, but they didn't, for example, connect from abroad to your VPN. And now, as they start traveling again, you'll have a lot of unhappy users. 

Dave Bittner: (Laughter) Yes, I would imagine so. I mean, is this a matter of checking in with your users and, I don't know, putting geofences around certain people? Like, you know, I know Johannes is a traveler, but, you know, Dave likes to stay at home. 

Johannes Ullrich: That can work, but really, I want to get people away from those geolocation blocks based on IP address. They're really not doing you much good. They cut down a little bit of the noise in the logs, but an attacker with any kind of sophistication knows how to use a VPN themselves, make themselves appear to come from whatever country they would like to appear to come from, maybe even from a particular ISP they would like to appear to come from.

Johannes Ullrich: These IP blocks that people are putting in place are really, you know, what's often referred to as security through obscurity. They help a little bit, but in the end, you have to do the work. You have to put the time in and do something real, like patch your systems and set up multifactor authentication. Anything else is really just sort of giving you the appearance of security and, in the end, probably causing more pain to your users than to the attacker. 

Dave Bittner: So, I mean, is that really the take-home here, that we should just be jettisoning this type - this particular type of security of trying to geofence users? 

Johannes Ullrich: Yeah. It really doesn't do too much good, and the potential of, like, a denial of service if, for example, a certain user's ISP is down and they have, all of a sudden, to use completely another ISP for a backup and such - you're pretty much causing more pain to users than you would cause to a real attacker. That's not a situation we usually like to be in. 

Dave Bittner: Where do you strike that balance when you have a user who is a frequent traveler and they're going all over the world? Is multifactor authentication the easiest answer there? 

Johannes Ullrich: Yeah. Multifactor authentication is pretty much it at this point - also, secure endpoints, in particular for travelers that - you'll harden their endpoints, the systems they're connecting from, so those systems themselves don't get compromised. That's probably one of the larger risks for frequent travelers, in particular abroad. 

Dave Bittner: All right. Well, Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Don't miss this weekend's "Research Saturday" and my conversation with Ilya Volovik from Gemini Advisory. We're discussing how FIN7 recruits talent for a push into ransomware. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.