The CyberWire Daily Podcast 1.13.22
Ep 1494 | 1.13.22

A public-private conference takes up open source software security at the White House. MuddyWater attributed to Iran. Espionage and ransomware arrests.


Dave Bittner: A White House government industry summit today addresses open-source software security. The U.S. officially makes its second attribution of the week to a nation-state. Israel arrests five on charges related to spying for Iran. Citizen Lab finds Pegasus in Salvadoran phones. Ukraine arrests a ransomware gang. Thomas Etheridge from CrowdStrike on the importance of threat hunting for zero days. Our guest is Dr. David Bader of the New Jersey Institute of Technology discussing the challenges of securing massive-scale analytics. And ransomware hits U.S. state and local governments.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 13, 2022. 

Dave Bittner: The direct warning of a Russian threat to U.S. infrastructure that CISA, NSA and the FBI jointly issued earlier this week came after some weeks of work to find and remediate vulnerabilities in the Apache Foundation's vulnerable Log4j open-source library. Yesterday, U.S. Cyber Command formally attributed the activities of the threat group familiarly known as MuddyWater to Iran's intelligence agencies, specifically to the Ministry of Intelligence and Security. 

Dave Bittner: Among the tools the group uses are variants of the open-source PowGoop DLL side-loader. MuddyWater seems to have been more involved in espionage than sabotage, but its dependence on open-source tools is noteworthy. 

Dave Bittner: Government and industry leaders are meeting today in a White House open-source software security summit, where they will address the current threats to open-source software and seek ways of reducing risk. The issues with open-source security have gained prominence during the prolonged search for and remediation of Log4j vulnerabilities. 

Dave Bittner: CyberScoop reports the tech industry attendees include Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Open Source Foundation (ph), Microsoft, Oracle, Red Hat and VMware. The U.S. government agencies in attendance include the Departments of Commerce, Defense, Energy and Homeland Security and such agencies as CISA, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director and the White House Office of Science and Technology Policy. 

Dave Bittner: Log4j is a single case of a more widespread challenge. We saw Tuesday that the Apache Software Foundation intended to argue that downstream users of open-source software should play a larger role securing the supply chain in which so many of their products depend. 

Dave Bittner: Kent Walker, president, global affairs and chief legal officer of Google and Alphabet, this morning commended the administration's decision to convene the meeting. Walker said, quote, "given the importance of digital infrastructure in our lives, it's time to start thinking of it in the same way we do our physical infrastructure. Open-source software is a connective tissue for much of the online world. It deserves the same focus and funding we give to our roads and bridges. Today's meeting at the White House was both a recognition of the challenge and an important first step toward addressing it," end quote. 

Dave Bittner: U.S. Cyber Command's attribution of MuddyWater to Iran's Ministry of Intelligence and Security is the second formal attribution of malicious activity in cyberspace the U.S. has made this week, coming, as it does, shortly after the joint CISA-FBI-NSA warning of Russian activity against critical infrastructure. In the case of MuddyWater, U.S. Cyber Command shared details of the tools MuddyWater is known to be using and advises network operators that finding such tools in their systems may indicate the presence of Iranian malicious cyber actors. 

Dave Bittner: Other Iranian threat actors also make use of open-source tools. Check Point describes how APT35, also known as Charming Kitten, has been using Log4j vulnerabilities to distribute a new modular PowerShell toolkit. The tools both encrypt and exfiltrate data APT35 takes from its targets. 

Dave Bittner: Israel has arrested five people on charges connected with alleged Iranian espionage, Bloomberg reports. Four women and one man were arrested. Yahoo News says they were persuaded to spy on behalf of Tehran through a catphishing operation that used the bogus identity Rambod Namdar, which the phishers represented as a Jewish Iranian. The Israelis prospected in the operation were also Jews of Iranian origin, and so the operation appears to be a classic affinity scam of the kind long used by intelligence services seeking to recruit human assets. 

Dave Bittner: The University of Toronto's Citizen Lab reports that it's found NSO Group's Pegasus intercept tools in phones belonging to some 35 journalists, nongovernmental organizations and members of civil society in El Salvador. Two independent journalists were also affected and a third unnamed organization. 

Dave Bittner: Citizen Lab says, quote, "the hacking took place while the organizations were reporting on sensitive issues involving the administration of President Bukele, such as a scandal involving the government's negotiation of a pact with the MS-13 gang for a reduction in violence and electoral support," end quote. 

Dave Bittner: There's a single customer of Pegasus in El Salvador, unidentified, but which Citizen Lab calls TOROGOZ. There's no clear attribution of TOROGOZ, but Citizen Lab argues that circumstantial evidence points to the government. While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely. Additionally, in the single case of hacking in this investigation in which Citizen Lab recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated. 

Dave Bittner: Ukrainian authorities have arrested five alleged members of a ransomware gang that operated internationally. Exactly what ransomware group they're associated with is unclear, but Ukrainian police say that they operated against at least 50 targets and used a variety of identities on the dark web. A man said to be the leader of the group was arrested, along with his wife and three alleged accomplices. The police also seized bank cards, phones, computers, flash drives and - it hardly needs be mentioned - three cars, because cybercriminals like their cars. 

Dave Bittner: And finally, ransomware attacks continue to hit a broad range of U.S. state and municipal agencies, including health departments and schools. The state of Maryland has confirmed that a cyber incident that began on December 4 was indeed a ransomware attack against the state's Department of Health. The department's IT staff noticed anomalous behavior in a server and reported it to responsible state authorities who worked to contain and remediate the incident. The state is satisfied that the damage has been contained but that it's exercising caution in restoring services. 

Dave Bittner: Bernalillo County, N.M., has been working to recover from last week's ransomware attack, with many services still disrupted. The Verge reports that among the affected institutions was the Metropolitan Detention Center, the Albuquerque jail, which has effectively been forced into a lockdown. 

Dave Bittner: And KRQE reports that a cyberattack's effects have spread to the Albuquerque public schools, which have had to close today. Details on this particular attack are still sparse, and while officials hope to be able to reopen tomorrow, they're still working to fix systems they regard as essential to both instruction and student safety. 

Dave Bittner: When considering the data computers collect - everything from system logs to medical information, atmospheric measurements to personal location data - a phrase you'll hear often used is a fire hose of data, the notion that there's so much data coming at us, it's a challenge to even channel and contain it. But that, my friends, is where the data scientists come in. Wrangling data just happens to be their superpower. 

Dave Bittner: Dr. David Bader is distinguished professor and founder of the Department of Data Science at the New Jersey Institute of Technology and also inaugural director of the Institute for Data Science at NGI. 

DAVID Bader: When we look around the world, we see data being collected from sensors, from health records, from network traffic in many different places. And what I try to do is to make sense of this information and to be able to act on this data in some meaningful way. The area that I work in is high-performance data analytics, where, often, we design hardware and software solutions and new algorithms to be able to make decisions based on the analytics of these massive datasets. 

Dave Bittner: And is that the fundamental challenge, the scale of these datasets that you're dealing with and how do you - how you come at them in an efficient, practical way? 

DAVID Bader: That's right. The scale becomes very challenging. Many of our tools for data science - for instance, we may use our Jupyter notebook and run Python on our laptops. And that's great when our dataset fits on our laptop. But when we have datasets that are much larger - for instance, terabytes in size - that no longer is feasible, and we need to design new solutions. So that scale is a challenge as well as the interactivity with analyzing these massive datasets - so being able to ask a query and get an answer back as you sit there - as well as some of the algorithms need to handle the fidelity that you need to see when you get to these large datasets. 

Dave Bittner: Can you give us an example of this sort of thing that people would be able to wrap their heads around? What sort of, you know, applications does this have in the - I don't - I guess I'll use the word real world, even though that might not be the best term for it. 

DAVID Bader: Sure. That's a great question, and we regularly work with datasets coming from many different disciplines. For instance, in health care, rather than looking at just an individual patient, we may be working with an entire database of hundreds of thousands of patient records and trying to understand individual patterns among those patients. So it really gives you the power to analyze across these really large datasets. 

DAVID Bader: But also, in cybersecurity, we often have system logs, and these system logs could go back in a very long amount of time in previous history and really cover many different areas within an organization. So rather than just taking the last day of logs, we could look at the last 10 years of logs. 

DAVID Bader: And we also want to move from just reporting any time an intrusion occurs to really predicting and understanding concerns before some egregious event happens. So for instance, after an intrusion, we may collect logs to understand how the intruder got in. What did they touch? What did they exfiltrate? What did they damage? - and learn from that. Where we'd like to get to is being able to use all of these logs and data in near real time, not to report the news after something bad happens but to predict and to really have the capability to stop future attacks. 

Dave Bittner: As you and your colleagues are doing the work that you do, what part do considerations of security and privacy play? 

DAVID Bader: Security and privacy clearly are a part of everything that we do. When we've worked on problems, for instance, insider threats within large organizations, we normally worked with datasets where individuals within the organization were explicitly informed that they would be monitored within those organizations. We've also designed data structures where we have fields that will record the provenance of data and help maintain access control within very sensitive datasets. It's always a concern in data science for understanding security and privacy of these datasets, and we aim to push the conversation as we move to analyzing these massive datasets. 

Dave Bittner: You know, you mentioned doing work through things like DARPA grants and so on and so forth. Is there a certain amount of national pride in the work that we're doing here, that we remain a leader in this area? 

DAVID Bader: I think so. The United States is really poised to accelerate what we're doing with high-performance computing and especially for problems in cybersecurity and nation-scale security. I was a part of the Obama administration's national strategic computing initiative that really laid out a strategic plan that was updated by the Trump administration in 2019 and then the FACE program from the current administration for really pushing what we do in terms of partnerships and industry in academia and in government for making the United States the leader for strategic computing. 

DAVID Bader: So this is a place where we have an advantage. We have great minds. We have some of the leading vendors who are building the systems, both hardware and software. And also, we're training a workforce in the United States. In fact, at the New Jersey Institute of Technology, we have an Institute for Future Technologies, and we have programs in cybersecurity that are really training the next generation of a diverse workforce that's able to solve the needs of this cybersecurity community. 

Dave Bittner: That's Dr. David Bader. He is professor and founder of the department of data science at the New Jersey Institute of Technology. 

Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. 

Dave Bittner: You know, you and I have touched on the topic of threat hunting before, and I really want to dig in with that with you today. When a new zero-day comes out, what part does threat hunting play in an organization's response plan? 

Thomas Etheridge: Thanks, Dave. Great to be here. I think threat hunting's absolutely essential to being able to address some of the issues we see today in the market related to the zero-day vulnerabilities that are published quite frequently these days. Threat hunting allows an organization to look past the exploitation of the vulnerability into what a threat actor could be doing in an environment after that exploit's occurred. 

Thomas Etheridge: And doing that in collaboration with an organization's existing security team is important. Organizations have their own level of context and detail about the environment that they're responsible for monitoring, and a lot of threat-hunting organizations - CrowdStrike's included - has a lot of great context around the tactics and techniques that threat actors are employing to carry out their trade craft. And they understand the tooling that they're using as well. 

Dave Bittner: How do you make the case for folks who may be new to threat hunting? What - how do you, you know, convince them that this is something that needs to be a part of their regular operations? 

Thomas Etheridge: Dave, the best way for me to describe the impact that threat hunting can have on an organization is that there is no perfect solution, from a endpoint detection capability, to be able to solve for every vulnerability or every exploit that exists in the market today or that will exist in the market in the future. The need to be able to look past initial entry of a threat actor into an environment and be able to understand what tooling the threat actor is using and/or deploying in the environment, what their motivations are, bringing intelligence and an understanding of threat actor tactics and techniques to that contextual understanding of what the threat actor could be doing to carry out their mission is really critical. 

Thomas Etheridge: And threat hunting is important at a more mass level as well because a lot of organizations can build threat-hunting capabilities in their environment but not understand the context of what might be happening in the same industry vertical or in the same region or geography. To bring that context to a threat hunt is really critical. 

Dave Bittner: When it comes to organizations dialing in their implementation of threat hunting, what are your recommendations there? You know, everyone has a limited amount of time. They have a limited amount of budget. You know, when they're turning those knobs as to what they're allocating their resources towards, where does threat hunting fit in? 

Thomas Etheridge: Well, then you get to look at the landscape and have an understanding of what's going on in the market. In the telemetry that CrowdStrike collects, in the last year, approximately 75% of the intrusion attempts we saw in 2021 have been associated with e-crime threat actors. Those are actors that are financially motivated. They're looking to deploy malware, ransomware into an environment, possibly exfil data that they can use to extort a ransom payment. 

Thomas Etheridge: The threat actors on the e-crime side have been prolific, and that's not new news. But understanding where you're vulnerable in your environment is important as well. Eighty-eight-point-four-one percent of the intrusion attempts we looked at in 2021 from a threat-hunting perspective targeted the Windows operating system. So if you're a prolific Windows shop, understanding, you know, the security impact level of those assets, whether or not they're vulnerable to an attack - those are things that are important to invest in from a threat-hunting perspective. 

Thomas Etheridge: Last thing I could point out is the toolset that threat actors are using. It's not uncommon for threat actors to use similar tools and technologies that exist in many of the environments today using PsExec, Cobalt Strike, Mimikatz, BloodHound, Defender Control. A lot of those tools are pretty standardized in a lot of organizations today, but threat actors are able to take advantage of those tools to remain persistent in an environment. Being able to monitor and threat hunt against those types of tools and understand how they're being used is really critical. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.