The CyberWire Daily Podcast 12.21.21
Ep 1483 | 12.21.21

Belgium’s MoD suffers Log4shell attack. A man-in-the-middle concept. APT activity. Five Russians face US charges (one’s in custody). Fortunes of coin-mining. Holiday greetings from CISA and the FBI.

Transcript

Dave Bittner: Belgium's Ministry of Defense comes under attack via Log4j vulnerabilities. A cellular handover man-in-the-middle exploit is described by researchers. The FBI says an APT group is exploiting unpatched Zoho ManageEngine Desktop Central servers. The U.S. charges five Russian nationals with a range of cybercrimes. Coin-miners in China feel some heat. Ben Yelin describes a Meta lawsuit targeting anonymous phishers. Our guest, Todd Carroll of CybelAngel, explains the shifting tactics of troll farms. And Grinchbots aside, CISA and the FBI offer holiday greetings and advice.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 21, 2021. 

Dave Bittner: Belgium's Defense Ministry told the news service VRT yesterday that the ministry had sustained an attack via Log4Shell vulnerabilities. The ministry's representatives said the incident began last Thursday and that while the ministry has been working to contain the exploitation and keep networks running, some portions of its networks have been unavailable. The ministry's Facebook page yesterday posted a note telling inquirers not to expect full service from its sites yet. 

Dave Bittner: The Register quotes Belgium's Center for Cyber Security, not a Ministry of Defense organization, as saying, quote, "companies that use Apache Log4j software and have not yet taken action can expect major problems in the coming days and weeks," end quote. NATO, whose headquarters are in Brussels, didn't respond to the Register's inquiry about whether the Atlantic Alliance's networks were affected. 

Dave Bittner: L'Avenir's take is that the incident was both foreseeable and probably preventable. The publication notes that the attack occurred four days after CERT-be issued its own version of the warning most national cybersecurity authorities shared urging a prompt upgrade to Log4j version 2.17.0 or later. In fairness to the MoD, patching an issue like this isn't always easy or straightforward. 

Dave Bittner: There's no attribution so far of responsibility for the incident. Both nation-state intelligence services and criminal organizations have exploited vulnerabilities in Log4j. And some press mentions of Chinese, Iranian, North Korean and Turkish threat actors amount to little more than a priori possibilities. Those were the countries whose intelligence services were first mentioned in dispatches as having begun to scan for Log4Shell. 

Dave Bittner: And an attack that degrades a network is certainly consistent with criminal activity. Some of the better known gangland operations have taken an interest in Log4j vulnerabilities. Threatpost, for example, has an account of the attack chain the Conti ransomware gang is using to take advantage of Log4Shell. 

Dave Bittner: Researchers at New York University Abu Dhabi have published research on a vulnerability in the handover procedures cellular networks use to preserve service with minimal latency for mobile users. They've demonstrated the possibility of man-in-the-middle attacks - specifically "a new type of fake base station attack in which the handover procedures based on the encrypted measurement reports and signal power thresholds are vulnerable," end quote. 

Dave Bittner: The U.S. FBI warns that unnamed foreign intelligence services are actively exploiting a vulnerability - CVE-2021-44515 - in Zoho ManageEngine Desktop Central servers. Quote, "since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials," end quote. 

Dave Bittner: There's a fix available. Affected organizations are advised to apply the upgrades Zoho provided in an early December security advisory. 

Dave Bittner: Switzerland has extradited Russian national Vladislav Klyushin of Moscow to the U.S., where he faces charges related to hacking in furtherance of insider trading. Four indicted co-conspirators remain at large. 

Dave Bittner: He arrived in the U.S. on Saturday. And the charges against him were unsealed yesterday in the U.S. District Court for the District of Massachusetts. The U.S. Justice Department says Klyushin is charged with conspiring to obtain unauthorized access to computers and to commit wire fraud and securities fraud, and with obtaining unauthorized access to computers, wire fraud and securities fraud. 

Dave Bittner: A conspiracy implies conspirators. And the U.S. alleges that Mr. Klyushin had four partners in crime. Moscow residents Ivan Ermakov and Nikolai Rumiantcev are also charged with conspiring to obtain unauthorized access to computers and to commit wire fraud and securities fraud, and with obtaining unauthorized access to computers, wire fraud and securities fraud. 

Dave Bittner: The U.S. Attorney for the District of Massachusetts points out that Mr. Ermakov is an alumnus of the GRU, Russia's military intelligence service, and that he's also wanted for his alleged role in influence operations intended to disrupt the 2016 U.S. elections. 

Dave Bittner: Mr. Ermakov seems to have had fingers in several pies. He also faces charges in connection with hacking and disinformation operations that targeted international sporting federations, anti-doping agencies and anti-doping officials, all of which allegedly occurred while Russia was in bad odor with the Olympic movement for bringing chemically enhanced athletes to the Games. 

Dave Bittner: Two other alleged co-conspirators, both of Russia's second city, St. Petersburg, are Mikhail Vladimirovich Irzak and Igor Sergeevich Sladkov. Mr. Klyushin, Mr. Ermakov and Mr. Rumiantcev, the U.S. attorney says, all worked for M-13, a Moscow-based security company that said it offered penetration testing and advanced persistent threat emulation, which, the U.S. attorney points out, both seek exploitable vulnerabilities in a computer system purportedly for defensive purposes. 

Dave Bittner: The company's website said that its solutions were used by the administration of the president of the Russian Federation, the government of the Russian Federation, federal ministries and departments, regional state executive bodies, commercial companies and public organizations. We hope they were a best-value provider. 

Dave Bittner: We'll add that Switzerland is a swell place to vacation, but they do have a functioning extradition treaty with the United States. If you're looking for a holiday spot, we hear Chelyabinsk is nice this time of year. 

Dave Bittner: China cracked down on widespread and power-hungry cryptomining operations back in May. But CNBC reports miners have been able to evade the law by spreading their operations out to make their consumption of electricity less obvious. This seems to be a case of the inherent difficulty of enforcement, as opposed to the state's turning a blind eye toward illegal coin-mining. 

Dave Bittner: In any case, some of the miners CNBC talks to clearly worry about being brought to justice. Quote, "we never know to what extent our government will try to crack down to wipe us out," one who asked to be identified by his nickname Ben said. 

Dave Bittner: Some are considering looking into offshoring their operations until the heat dies down. The irregular dry spell that's drawn down water levels in hydroelectric dams has also been a problem for the coin-miners. They're accustomed to moving their rigs around to take advantage of other power sources. But again, with the heat on, that's becoming harder to do. 

Dave Bittner: For all of their difficulties, CNBC says the Chinese coin-miners account for about 20% of the global production of Bitcoin. But given too much official attention, they're increasingly thinking about moving to a softer environment, particularly America. So listeners stateside, you may find Ben moving into a friendly part of your local power grid. 

Dave Bittner: WIRED publishes an update on another holiday season problem - the Grinchbots that automate online ordering of in-demand products - toys, gaming consoles and the like - in order to create scarcity and drive a lucrative resellers' market. 

Dave Bittner: And finally, the U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - and the FBI are offering some sound holiday security advice, even presenting it - and why not? - in the form of a Hallmark moment. CISA director Jen Easterly and the FBI's assistant director of the cyber division, Bryan Vorndran, seated with small presents and a nice snowman puppet between them, point out that while the holidays are times of happy distraction and lighter than usual staffing, there are still ways of staying safe online. 

Dave Bittner: They recommend identifying IT employees who can be available on weekends and holidays if you need to surge to handle an incident or ransomware attack. Remind your people to use strong passwords and not to reuse them in different accounts. Put multifactor authentication in place for remote access. Ensure that potentially risky services, like RDP, are properly configured, secured and monitored. Talk to your people about how to recognize phishing. And, finally, as you resolve to remain prepared and alert, review your incident response plans. 

Dave Bittner: They close with warm holiday wishes, which we heartily return. 

Dave Bittner: If you are a regular user of online social media, you have likely seen posts come by that are quite obviously the work of some sort of troll farm, laughably spewing misinformation or blatantly partisan points of view repeated by multiple accounts that were created moments ago in a fit of algorithmic scripting. These troll farms continue to increase in number and sophistication. Todd Carroll is chief information security officer and VP of cyber operations at security firm CybelAngel and was previously special agent in charge of the FBI's Chicago field office. I reached out to him for his take on troll farms. 

Todd Carroll: Well, we see them popping up all over the place. You know, they've been in Southeast Asia, you know, the old eastern European countries. Now we see them more popping up in Africa, right? So I mean, they're - I don't think they're that very hard to find or they're being set up by - on behalf of a foreign nation that is trying to potentially use that to push an agenda or to push a certain message, to influence via social media a certain cause or whatever. 

Todd Carroll: So I mean, you know, for example - right? - so you want an example on this. So if I wanted to push an agenda - right? - behind a certain candidate versus another one, and I want to influence it from a foreign point of view - right? - whether it's another country that feels that this would be more favorable or to actually increase the discourse between, you know, the population inside a country, then these trolling forums could push certain messages or whether it's true information or disinformation that's against the other candidate or in support of. And that's what the information is. 

Todd Carroll: So it's looked at in social media that there is - the messaging is higher. You know, that - you know, I see this more so - maybe it's the truth or the message is even being pushed out where before, it wouldn't be because the information is completely false. 

Dave Bittner: And what techniques do they use to put these messages out there? 

Todd Carroll: Usually, the main social media - Facebook, Twitter are probably the two most popular ones and probably will continue as that's where, you know, from - if we look at from a U.S. point of view - right? - that's where a lot of people sit and a lot of people, right or wrong, take a lot of their information and see what they believe is going on. 

Todd Carroll: If you keep seeing the same message over and over again, whether or not you are reading it or you're ingesting it or you believe it, then you kind of - in your back of your mind, you're developing a, you know, is this the truth? Is it - is this what's going on? Is - I keep seeing the same thing about this candidate or this cause or whatever the issue being pushed is at that time. 

Dave Bittner: What about the platforms themselves? To what degree are they trying to tamp down these sorts of things? 

Todd Carroll: Yeah, they are. I mean, it's, you know, we see it all the time. You know, Facebook is out there saying they shut down 1,500, you know, accounts that do this, but they're just going to pop up on something else, right? It's a little difficult, probably, for them. I know they're spending more and more time, especially as the media's spending more time calling these fake accounts out - they're working on it. 

Todd Carroll: But it's not, you know, that's - listen, Facebook and Twitter were set up to - for people to share information and share their opinions. And it's probably a little bit difficult for them to find these accounts. But when they do, they've been, you know, pretty reactive to shut them down. 

Dave Bittner: You know, for organizations who are concerned about this sort of thing, what are your recommendations for them to keep on top of it? Is this a threat intelligence type of thing, or how should they go about it? 

Todd Carroll: Yeah, definitely a threat intelligence type because this is information that's being spread that could be targeting your company, could be targeting your geopolitical views. It could be, you know, us as individuals, us as companies. 

Todd Carroll: So I think being aware that there's this activity that's out there - right? - not taking all your information from one source, seeing when the sources are posted, right? If most of them are coming out of Africa, they're like businesses, right? They show up at 9 to 5 - you know, that timeframe. You know, do most people you know in the U.S. post at 3 in the morning, right? You know, I - well, I have some relatives that do. 

Todd Carroll: But we don't - it's kind of awareness that these things do exist and not just taking what's out there for granted and educating yourself but then also calling out - if you're a company and you know this is information that is wrong, working with the authorities or working with Facebook and Twitter to call out these groups to get shut down, especially if they're targeting your company. 

Dave Bittner: That's Todd Carroll from CybelAngel. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story from the folks over at The Record by Recorded Future. It's titled "Meta" - Facebook - "Sues Operators of"... 

Ben Yelin: Still hard to get used to, isn't it? 

Dave Bittner: (Laughter) It is. It's - they sue operators of 39,000 phishing sites. This article caught my eye because it uses terms like describing this lawsuit as just weird and legal gymnastics, which I thought made it perfect for us to talk about here. Ben, what do you - what's going on here, Ben (laughter)? 

Ben Yelin: Yeah. I feel like you send out the bat signal every time you see legal gymnastics. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: That's my cue to enter. 

Dave Bittner: Right. 

Ben Yelin: So they are - Meta is suing basically 100 John Does, so anonymous individuals, people who have actually sent out these phishing emails that are hosted through this - how do you pronounce it? 

Dave Bittner: I think it's Ngrok. 

Ben Yelin: Ngrok service. 

Dave Bittner: Yeah. 

Ben Yelin: So they're trying to get an injunction against these John Does and damages of at least $500,000 from the operators of these sites. So these are individuals who have created phishing links that are, you know, used to mimic sites that are under the Meta domain, so, like, Instagram and Facebook. And obviously they're using those to collect your information. 

Dave Bittner: Right. 

Ben Yelin: What legal analysts have said here is, this is a weird lawsuit 'cause it's very hard to go after anonymous people who are posting these phishing emails... 

Dave Bittner: Right. 

Ben Yelin: ...Or this phishing material. We don't know who they are. It's going to be really hard to enforce it in court. 

Dave Bittner: Yeah. 

Ben Yelin: And unless we can deanonymize them - what I think Meta is trying to do here is set a precedent that this type of action will not go unnoticed and there will be consequences if we, you know, ever find out who it is. So it's almost more about protecting their brand than it is about actually punishing phishing actors. 

Ben Yelin: So, you know, sometimes you file a lawsuit to protect your brand. I get it. If I was Meta and I had billions of dollars in legal resources, you know, I'd want to show my customers that I'm going after the people who are making your life miserable, stealing your information. So I completely get it. I don't think we're going to get a favorable judicial ruling on this. 

Dave Bittner: Yeah. I was just - so that's my next question. How does a judge respond when an organization like Meta puts this in front of them? 

Ben Yelin: Well, in a couple of ways. I mean, if it's an implausible claim that doesn't allege a proper violation of the law, then the judge can just dismiss the case. And I could very well see that happening. If there is not an allegation that makes this worth going through our court system, a judge might just say, all right, this is a waste of time. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: Let's dismiss this... 

Dave Bittner: Knock it off. 

Ben Yelin: ...Before this goes any further. 

Dave Bittner: Right. OK. 

Ben Yelin: What they rarely do but what they sometimes do is say to these companies or to these attorneys, this is frivolous. You're wasting my time. Let's impose some sanctions. 

Dave Bittner: Yeah. 

Ben Yelin: So we've seen that in a number of circumstances, where lawsuits are so frivolous, where, you know, you have to basically prove that the lawyers knew that the suit was intended to be a publicity stunt or a messaging stunt. 

Dave Bittner: I see. 

Ben Yelin: And, you know, then you can try and get those lawyers disbarred or at least impose fines. You know, I don't know enough about this. I doubt we're going to get to that level. But I could easily see a judge just reading this over and dismissing it without commenting on the merits... 

Dave Bittner: Yeah. 

Ben Yelin: ...Of the phishing scheme. 

Dave Bittner: What if the judge goes along with it and says, absolutely; here's your ruling? Meta has that in hand. What do they do with it? 

Ben Yelin: That's a great question. I mean, we do get rulings on anonymous individuals all the time. And you can enforce it, dependent on the statute of limitations, you know, if you ever get information on who that individual is. 

Dave Bittner: So if they're ever unmasked, they could be charged or whatever or fined. 

Ben Yelin: Right. 

Dave Bittner: This is a civil suit, right? 

Ben Yelin: It's a civil suit. 

Dave Bittner: Yeah. 

Ben Yelin: So yeah, they'd be fined. They'd be assessed damages. 

Dave Bittner: OK. 

Ben Yelin: So yeah, I mean, if you're out there and your identity is unmasked, if they were successful in this lawsuit, you know, that means that wherever this person is, if we have an extradition treaty with them and they're overseas, then they could be brought into the United States and forced to pay the civil penalty. 

Dave Bittner: I see. So it could put that shadow over them, maybe make them think twice about continuing their operations if they have this specter of potential action against them. 

Ben Yelin: Exactly. And I think that's ultimately the most that's going to be done here. 

Dave Bittner: I see. 

Ben Yelin: You know, I also think it might go in the other direction, where if a judge dismisses the suit, people, you know, will say, well, as long as I can maintain my anonymity and collect from these phishing schemes and, you know, make a little bit of money, I'm going to be pretty well shielded from legal liability. So, you know... 

Dave Bittner: Yeah. 

Ben Yelin: ...Might as well just stay the course on this one. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: Which, you know, could be dangerous. I think it's a gamble on the part of Meta. But, you know, I see why they're doing it. It's about their brand, and it's also about setting a precedent that these types of phishing attacks are not going to be acceptable on their networks. 

Dave Bittner: Yeah. All right. Well, interesting development. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White (ph), Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.