Log4j updates, with a side of Fancy Bear. Roots of Huawei’s career as a security risk. Tropic Trooper is back. Meta boots “cyber mercenaries.” Other cyberespionage incidents.
Dave Bittner: It seems that Fancy Bear may be interested in Log4shell after all. CISA issues Emergency Directive 22-02, which addressed Log4j. Huawei’s reputation as a security risk may be traceable to a 2012 incident. Tropic Trooper is back and interested in transportation. Meta kicks out seven cyber mercenary surveillance outfits. PseudoManuscrypt looks curiously indiscriminate. Johannes Ullrich from SANS Technology Institute on making the great Chinese firewall work for you. Our guest is Terry Halvorsen from IBM on next-gen cybersecurity efforts to fix the cybersecurity inequity. And the U.S. Commission on International Religious Freedom is reportedly hacked.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, December 17, 2021.
Dave Bittner: One of the mysteries about Log4shell so far has been the relative absence of Russian exploitation, whether by privateers or intelligence services.
Dave Bittner: To review the bidding, given the extensive activity observed on the part of China, North Korea, Iran and Turkey, where have the Russian threat actors been? BGR noted that the usual Russian operators seemed to have been quiet, so far. Mandiant, in its own rundown of cyber-espionage taking advantage of Log4j vulnerabilities, sensibly said, quote, "We expect threat actors from additional countries will exploit it shortly, if they haven’t already. In some cases, state sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so," end quote.
Dave Bittner: There are signs, now, that Fancy Bear, Russia's GRU, has been actively exploiting Log4j vulnerabilities. SecurityScorecard just this morning reported that it's observed Drovorub activity, and use of the Drovorub toolkit points to Fancy Bear, APT28, Russia's GRU military intelligence service. Drovorub, which means woodcutter, is a toolkit developed by the GRU's 85th Main Special Services Center for use against Linux systems. Drovorub has been described as a kind of attacker’s Swiss Army Knife, with multiple uses.
Dave Bittner: And that activity has been extensive. SecurityScorecard regards Russian reconnaissance, probing and probable exploitation as comparable in scale to what's been observed from China. More developments can be expected, the researchers write. Quote, "It’s important to remember that we are still in the very early days of trying to understand this security issue and how it’s being used by threat actors," end quote.
Dave Bittner: There may be reason to think that self-propagating worms are under development to take advantage of Log4j bugs. Researcher Greg Linares believes at least three groups are working on a Log4j worm. SecurityWeek, which cites Linares, also quotes other researchers who think the news of a coming worm is unproven at least, unlikely at best or probably likely to lead to worms less serious than some of the high-profile cases observed earlier this century.
Dave Bittner: Log4j is from Apache's open-source library, and some have asked if the vulnerability exposed as Log4shell should call into question the very idea of using open-source software. The short answer would be, according to some, not at all. IT World Canada has a useful discussion of the issue, in which they point out that the Open Source Security Foundation is well-funded, backed by deep-pocketed tech firms and that securing open-source software is not a hobbyist's labor of love.
Dave Bittner: MIT Technology Review takes the contrary view, arguing that the security of open-source software is indeed overlooked and underfunded. Their article quotes Veracode's CTO, Chris Wysopal, who says, quote, "The open-source ecosystem is up there in importance to critical infrastructure with Linux, Windows and the fundamental internet protocols. These are the top systemic risks to the internet," end quote.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency this morning issued Emergency Directive 22-02, directing the U.S. Federal agencies that fall within its remit to identify and update all vulnerable systems no later than 5 p.m. Eastern Standard Time on December 23. CISA gives the agencies until December 28 to report completion.
Dave Bittner: A coda to the required actions suggests the complex challenge of addressing complex environments. Quote, "These required actions apply to agency applications in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information - i.e., all applications in agency ATO boundaries. For federal information systems hosted in third-party environments, such as cloud, each agency is responsible for maintaining an inventory of its information systems hosted in those environments - FedRAMP Authorized or otherwise - conducting all necessary reporting to CISA accounting for such systems and working with service providers directly for status updates pertaining to, and to ensure compliance with, this directive," end quote.
Dave Bittner: Vendors are working to patch their products against Log4shell, and it's proving to involve the struggle most observers have foreseen, Reuters reports. As the patches are issued, they should of course be applied when practical - and if you’re a Fed, applied by Christmas Eve, lest ye face the wrath of Director Easterly, which would be like a visit from the Ghost of Christmas Yet To Come.
Dave Bittner: The CyberWire's continuing coverage of Log4shell may be found on our website.
Dave Bittner: Bloomberg reports that U.S. reservations about Huawei as a security threat have been confirmed by revelation of a 2012 incident in which Australian security authorities traced a malware infestation to a malicious Huawei update.
Dave Bittner: Bloomberg writes, quote, "The incident substantiated suspicions in both countries that China used Huawei equipment as a conduit for espionage, and it has remained a core part of a case they’ve built against the Chinese company, even as the breach’s existence has never been made public, the former officials said," end quote.
Dave Bittner: Australian security services determined that a Huawei software update installed on the network of a major Australian telecommunications company contained malicious code that recorded data transiting the network and sent its take back to China. The malware was self-limiting, apparently in hope of evading detection. It deleted itself after several days of persistence in the network.
Dave Bittner: The Australians shared their discovery with their American counterparts, who then detected a similar attempt against a U.S. network. The incidents had not been formally disclosed, but they provide a clear motivation for the strong suspicion of Huawei that's marked both the U.S. and Australian policy over the past decade, especially with respect to allowing that company a place in 5G infrastructure.
Dave Bittner: Tropic Trooper is back, and as security firms Trend Micro and Kaspersky write, the threat group has a new name and a new target set. It's now also being called Earth Centaur, and it's resurfaced to go after targets in the transportation sector. MITRE assesses Tropic Trooper as an unaffiliated threat group that is probably a hired gun but notes that its favorite targets have been in Taiwan, Hong Kong and the Philippines. It's been associated with Pirate Panda, which suggests that its customers are probably in Beijing.
Dave Bittner: Facebook parent Meta has banned six commercial surveillance firms and one unidentified entity, all of whom it characterizes as cyber mercenaries, from its platforms. The companies affected include CobWebs Technologies, Black Cube, Cognyte and Bluehawk CI, all based in Israel; India's BelltroX; Cytrox of North Macedonia; and one unidentified entity operating from China. Up to 50,000 users may have been affected by the banned companies' products. The University of Toronto's Citizen Lab has called out Cytrox and its Predator tool as worthy of special attention. Predator was installed, they find, on the phones of at least two Egyptian dissidents.
Dave Bittner: Kaspersky has identified a mass spyware campaign they're calling PseudoManuscrypt because of the features it shares with the Lazarus Group's Manuscrypt malware. But attribution is unclear. PseudoManuscrypt is indiscriminate in un-Lazarus-like ways, and it's been seen to use a data exfiltration mechanism hitherto associated with China's APT 41, known both for cyber-espionage and a financially motivated APT side hustle. It's also been distributed in some cases by the Glupteba botnet, a Russian tool. About 35,000 systems have been attacked, with most targets being either governments or industrial control systems.
Dave Bittner: Security firm Avast reports finding a targeted attack by an unknown threat actor using a backdoor in what the security firm identifies only as a small, lesser-known U.S. federal government commission associated with international rights. Ars Technica says the victim is the U.S. Commission on International Religious Freedom. The commission hasn't, Avast says, responded to its disclosures or attempts to engage it, and so little is known about how effective the attack was. But the researchers think it's reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in the organization.
Dave Bittner: It looks like an espionage operation. An intelligence service might find the commission interesting in its own right if that service should be serving a regime that regarded religious freedom as a burr under its saddle. But compromising a small commission might be useful for other reasons - connections to nongovernmental organizations, the possibility of being able to pivot from the commission to other more inherently interesting or U.S.-allied agencies and so on.
Dave Bittner: And finally, operators of industrial control systems get an early stocking-stuffer from the U.S. Cybersecurity and Infrastructure Security Agency. CISA yesterday released 27 more industrial control system security advisories, which is, seriously, useful and a lot better than a lump of coal.
Dave Bittner: There is a continuing push at the federal level to bring government agencies up to speed with their cybersecurity and rare bipartisan agreement that it is indeed a national priority. One of the issues to overcome is inequity between government agencies, levelling the playing field governmentwide. Terry Halvorsen is general manager of IBM Federal and previously was chief information officer for the U.S. Department of Defense.
Terry Halvorsen: I think you will find some organizations in the federal government that are very advanced in their cybersecurity practices and some that are still working their way to get up to the standard that they want to.
Dave Bittner: And so how do we go about getting them all up to the level where they need to be? What needs to be done here?
Terry Halvorsen: I don't know that I know everything that needs to be done, but I would make a couple suggestions, and I think some of these suggestions apply as well to the commercial sector. I think one of the first ones is you have to take a look at the size of your agency or your organization and determine, am I large enough and can I afford on my own to, say, do all of the things that you have to do to have a very good cybersecurity program? And I think one of the things that maybe the government might want to look at - and I think Fed commercial agencies might want to also look at - is sharing some of those responsibilities. I also think that becomes a much more efficient way of doing business. You know, everybody trying to do every part of cybersecurity might not be the best way to do that. This would allow agencies, if they share, to maybe, you know, form a - what I'll call a cybersecurity coalition, share the expense and probably be able to do a better overall job of executing on their cybersecurity mission.
Terry Halvorsen: The other thing I'll add is I also think there is a role for industry to play here. I'm very excited about the current administration really calling for industry to play a bigger role - got CISA really working to reach out to industry to help solve the problems 'cause I think if we're going to really get a nation cybersecurity position and really improve that, that it will take cooperation between the government and industry so that we have both a secure government and a secure commercial sector.
Dave Bittner: Let's dig into that some. I mean, can you give us your insights on some of the things that we've seen coming out of the White House when it comes to cybersecurity?
Terry Halvorsen: Well, I think the first thing most people look at is as you have - is the executive order. You've got, you know, coming from the White House, coming from the president, an executive order that says we're going to do some things. We're going to measure them within cybersecurity. And I think that's very good. Some of the things apply just to the government. But some areas, you know, like supply chain apply more broadly to both the commercial and the government sector. And I think that's a great start. I think this administration will look at it as a start and will see some continued emphasis in some new areas where it will apply both through the commercial and the government sector.
Dave Bittner: Are you optimistic that we're on the right path here, that we're up to this task to be able to take on these challenges?
Terry Halvorsen: I'm optimistic that we're up to the task. I think we still have more work to do. Like I said when we started this, I'm very happy that you - in this case, we've got, you know, an administration up to the president's level that seems to be very interested in making cybersecurity a top priority. From what I have seen, this is an area where there - one of the two where we have really good bipartisan support in Congress to make cybersecurity better. And I think within the last couple years, what we have seen is both industry and government recognizing that yeah, we are going to have to work together to solve this. So I think the environment has come together. And I think we have the right timing and the right capabilities to make it work. We'll have to see if we'll follow through on all that.
Dave Bittner: That's Terry Halvorsen from IBM Federal.
Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You know, I know there's some research that you are working on. You've been kind of poking around the edges of the infamous Great Chinese Firewall to see if you can maybe leverage some of its capabilities there. What have you been up to lately?
Johannes Ullrich: Yeah, so one thing I observed - my home systems - I'm still one of the few people who runs their own mail servers because I don't trust the cloud. And I do see a lot of inbound spam connections from China. I don't normally email from China. I don't like these geoblocks because they're hard to maintain. So I figured, hey, you know, let's make the Chinese Great Firewall work for me here. And I added some keywords to my mail server's banner that are commonly blocked by the Great Chinese Firewall.
Dave Bittner: And what happened?
Johannes Ullrich: Well, the sad part is not much.
Johannes Ullrich: So my view of the firewall was definitely a little bit too simplistic here. And over the two weeks - I did two weeks without the keywords, two weeks with the keywords - I didn't really see a significant change in the traffic. I still saw the same number of connections, the same number of IP addresses. So it didn't - like, one thing I was kind of hoping for - that maybe some of those IP addresses that scammed me would get blocked by the Great Chinese Firewall, or maybe my home IP would get blocked. But neither has happened yet.
Dave Bittner: And why do you suppose that is? I mean, are the spammers coming out of China using their own workarounds to get around the firewall?
Johannes Ullrich: That could be one option. I'm also thinking that maybe the firewall is a little bit more specific, that it doesn't look at these banners, which are usually not used to convey content to an end user. But maybe they're more looking at the email itself. So that's one possible option here. I may have picked the wrong keywords, but I picked keywords that are commonly associated with the firewall. So there are some more or less accurate published lists of these keywords. And I put a bunch of them in, so I've probably hit a couple that should be blocked. But that's something I'm still working on. So there's still a little bit of research in progress here.
Dave Bittner: All right. Well, looking forward to checking in with you as you continue that research. Johannes Ullrich, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Sagi Tzadik and Nir Ohfeld from Wiz. We're discussing their recent Black Hat Europe talk about the need for a cloud vulnerability database. That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.