Updates on the hybrid war in Ukraine. Industrial espionage in Germany, conventional espionage in Western Asia. C2C markets, social engineering, and scamware.
Dave Bittner: Cyber risk continues over Ukraine as the U.S. and NATO reject Russian demands. Emissary Panda's industrial espionage against German industry. Fancy Bear is spotted in western Asia. The C2C market's initial access broker Prophet Spider is selling access to unpatched VMware Horizon instances. Social engineering adapts to its marks. Thomas Etheridge from CrowdStrike on the power of identity and zero trust in stopping ransomware attacks. Our guest is Gary Guseinov of RealDefense to discuss M&A activity. And Dark Herring scamware is ejected from app stores, but not before hitting over 100 million victims.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 27, 2022.
Dave Bittner: There are concerns that any cyber operations accompanying the crisis in Ukraine will extend, by accident or by design, to civilian targets in many countries. As we open with a brief review of how that crisis is unfolding, we remind you that the U.S. Cybersecurity and Infrastructure Security Agency has urged infrastructure operators in particular to be on the alert and to look to their defenses.
Dave Bittner: Russia closed the January 21 talks in Geneva with a set of proposals that amounted to a soft ultimatum for NATO - that the Atlantic alliance would agree to rule out eventual Ukrainian or Georgian membership, that it would roll back troop deployments and infrastructure in the near abroad and the former Warsaw Pact, and that it would agree not to deploy certain classes of long-range strike weapons. It asked for a U.S. response in writing. The U.S. delivered that response yesterday, and it unambiguously rejected all the Russian demands, the AP reports. At a press conference, U.S. Secretary of State Blinken had this to say.
Antony Blinken: Today, Ambassador Sullivan delivered our written response in Moscow. All told, it sets out a serious diplomatic path forward, should Russia choose it. The document we've delivered includes concerns of the United States and our allies and partners about Russia's actions that undermine security, a principled and pragmatic evaluation of the concerns that Russia has raised and our own proposals for areas where we may be able to find common ground. We make clear that there are core principles that we are committed to uphold and defend, including Ukraine's sovereignty and territorial integrity and the right of states to choose their own security arrangements and alliances.
Dave Bittner: This was entirely foreseeable as the Russian proposals were, in NATO eyes, simply non-starters. The response, which the U.S. explained had been thoroughly coordinated with other members of NATO, offered no concessions but sought to offer, as the BBC quotes U.S. Secretary of State Blinken, "a serious diplomatic path forward, should Russia choose it." The challenge will be to arrive, if the U.S. and NATO diplomacy should prove successful, at a face-saving way for Russia to back away from its pressure on Ukraine. NATO delivered a response on behalf of the Atlantic alliance as a whole that was consistent with the U.S. position.
Dave Bittner: Russia said that it would continue diplomacy but that it's not optimistic, as the Guardian and others report. Russian Foreign Minister Lavrov said, quote, "if the West continues its aggressive course, Moscow will take the necessary retaliatory measures," end quote. And while it will continue to engage NATO diplomatically, there are limits to Russian patience. We won't allow our proposals to be drowned in endless discussions, Lavrov said. In the event of a Russian invasion, NATO's immediate response would, in all likelihood, prominently feature imposition of sanctions designed to cripple the Russian economy and to damage the personal financial interests and reputations of Russian leaders.
Dave Bittner: As Ukraine continues to investigate the data-wiping attack that hit government websites two weeks ago, the State Service of Special Communication and Information Protection of Ukraine says it's found signs of false-flag evidence planted to mislead investigators into suspecting a Ukrainian hacktivist group as opposed to Russian intelligence services. Ukraine has called that campaign Bleeding Bear, and Deep Instinct has a useful account of what's presently known about the attacks. Zero Day reports that the wiper used in the Bleeding Bear attacks was code repurposed from the WhiteBlackCrypt ransomware strain.
Dave Bittner: Other low-grade hacking continues in Ukraine. Reuters reports that a promotional website belonging to the Ukrainian foreign ministry was knocked offline yesterday for several hours by unidentified threat actors.
Dave Bittner: Electrical power grids would be attractive targets to cyber warriors on both sides. Concern about the grid's vulnerability has led the U.S. over the past three years to conduct a series of exercises on Plum Island, N.Y., an isolated and closed island in Long Island Sound that formerly served as a livestock quarantine and zoonotic disease research center. Plum Island is a useful site for such tests because its isolated power grid replicates in miniature most of the features of a regional grid. Bloomberg has an account of the drills and what the U.S. learned from them. Nor, according to sources talking to Fox Business, does the threat run in only one direction - the U.S. knows how to turn the lights off in Russia, too. Or so they say. Who knows? We don’t.
Dave Bittner: Reuters reports that Germany's BfV has found an extensive industrial espionage effort mounted against the pharmaceutical and tech sectors. The threat actor the BfV accuses is APT27, Beijing's Emissary Panda. Trade secrets and other proprietary information are of principal interest to Emissary Panda, and the operators are seeking to scale their collection by gaining access to customer and service provider networks from whence they can pivot to new targets.
Dave Bittner: State-sponsored threat actors from Russia, Iran and North Korea who've been known to rattle the Olympic rings in the past have been unusually quiet during the run-up to this year's Winter Games. The reason for the good behavior, Recorded Future's Insikt Group writes, is apparently a desire not to get on the bad side of the host, China. There's trouble enough elsewhere without poking the Panda.
Dave Bittner: Trellix reports that a cyberespionage campaign against governments in Western Asia is in progress. It's a multistage attack designed to collect information. Quote, "the infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability to execute a malicious executable in memory," end quote. The second stage is a DLL downloader, and the third stage involves the installation of Graphite malware. In the fourth stage, a dynamic library file, Empire DLL loader, is put to work, preparing for the fifth and sixth stages, in which the Empire PowerShell C# Stager and the Empire HTTP PowerShell Stager are installed.
Dave Bittner: The researchers offer a tentative attribution to APT28, that is, Fancy Bear, Russia's GRU. The reason for the targeting is connected with tensions in the vicinity of the former Soviet Republics of Armenia and Azerbaijan, which if nothing else shows that the Bears haven’t forgotten the rest of the Near Abroad, as preoccupied as the leaders of the Bears seem to be with Ukraine.
Dave Bittner: Bitdefender is tracking a resurgence of FluBot and TrickBot malware, both of which are enjoying renewed popularity in the criminal-to-criminal market. Both vary their approach, with "Is this you in the video?" being as close to an evergreen as the criminals come. TeaBot has lately been particularly interested in gaining a distribution foothold in Google Play and other app stores.
Dave Bittner: While quick response and hard work at remediation have rendered the Log4j vulnerabilities less damaging than they might have been, the risk of exploitation remains. BlackBerry researchers have found that the criminal initial access broker tracked as Prophet Spider is trading in access to unpatched VMware Horizon instances.
Dave Bittner: Elsewhere in the C2C market, Zimperium describes a premium service abuse campaign they're calling Dark Herring. It has some 105 million victims. Distributed on Google Play before Mountain View recognized it for what it was and gave it the heave-ho, Dark Herring has also been available in third-party app stores. The Android unwanted app is scamware, malware whose operators inveigle the victims into unwittingly signing up for premium services. Dark Herring's social engineering has been more effective than some of its competitors for the care the hoods have taken to craft their bait to suit the geolocation of the victims, since K-pop hot-heads in Gangnam, for example, are probably interested in different things than are the good burghers of Saskatoon - or so we imagine. Both of them nice places in their own way.
Dave Bittner: The outlook for investment and M&A activity in the cybersecurity space remains strong in the year ahead, with plenty of opportunities for innovation and growth. Gary Guseinov is CEO of security software and services company Real Defense, and I checked in with him for his insights on what investors may be thinking.
Gary Guseinov: There's no area that I can think of where we're going to see a flattening environment where there's less demand or it becomes a commodity because threats are constantly evolving. And so if there were no bad people out there who wanted to steal your information, then you could make an argument that we won't need it anymore. We won't need cybersecurity. But that's not going to happen.
Dave Bittner: What's your advice for the folks out there who are in a startup situation who are, you know, looking to engage with those private equity firms? You know, given that we're in this environment that we're in when it comes to mergers and acquisitions, should they - how should they be considering this environment as they grow their company, as they consider their investment strategies?
Gary Guseinov: The one thing I would focus on is finding out the gaps in the technology stack as it relates to whatever - whoever the consumer is. So, for instance, if it's enterprise, figure out what is not being covered by existing solutions, and create a product for that. Look at existing enterprise platforms within the technology stack, and see if there's opportunities how to make it better, optimized, make it faster, you know, more productive, cheaper, better, you know, ways to deliver a solution, etc.
Gary Guseinov: In the consumer space, same thing - there are a lot of gaps currently. And if you look at it holistically, look at all the devices connected to your internet environment at home, how you travel and how you connect to your other devices like your car and home automation, there are all kinds of gaps there in terms of security. And be really good at that one area. Don't try to build an antivirus company. Don't go and build an identity protection company today. There's too many of them. There are lots of overlapping technologies and solutions. There's no need for new players to come in.
Gary Guseinov: But there's lots of gaps in the cybersecurity space on the enterprise side and the consumer side - plenty of them. And focus on the gaps. Figure out what they are. Create a market fit - product market fit. Find good engineers. That's super-important. That's probably the most important. And then go to market. There's plenty of interest out there. Consumers are willing to pay for it. Enterprises are certainly willing to pay for it. The cost of not doing it is too high. The opportunity costs are too high. The risks are too high.
Gary Guseinov: Someone breaks into your bank account, steals 100,000. Would you be willing to spend a thousand dollars to protect 100,000? Of course you would. And businesses look at it the same way, and we're still underspending as a whole globally on cybersecurity as it compares to global economies combined and total assets that are being managed by some form of technology. So we still have a ways to go. I mean, we should be spending half a trillion dollars on cybersecurity globally a year if we really want to protect us from threats.
Gary Guseinov: And we're just at the cusp of these threats. We're seeing a lot of crypto-related scams and crimes. And those are going to grow exponentially because they're - to some extent, you know, no one's being harmed by it physically. There's no bank robbery taking place. No one's using a gun. Criminals think that way, too. They say, well, I didn't hurt anyone, so my crime is OK, you know? So it's - you've got a lot of people thinking that way. And so more criminals become criminals, and you've got more crime. And so that's where we're at.
Dave Bittner: That's Gary Guseinov from Real Defense.
Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He's senior vice president of services at CrowdStrike. Tom, it's always great to have you back on the show. I wanted to check in with you today. You know, there's been no slowdown when it comes to ransomware attacks. And I'm curious what your perspective is when it comes to implementing things like identity management and, of course, you know, hot topic of zero trust these days to protect organizations against ransomware.
Thomas Etheridge: Thanks, Dave - great to be here. I agree. Ransomware is a huge, prolific problem out there in the market. CrowdStrike's been talking about big-game hunting and the proliferation of ransomware across every industry vertical and across the globe, really. Big-game hunting incidents so far in the telemetry that we collect show that there's been about 2,400-plus big-game hunting incidents so far this year, and that's equivalent to about 52 targeted ransomware events every single week. And the impact is pretty substantial, as well, with the average ransom demand being roughly around $6 million. Big impact.
Dave Bittner: So in an organization's response to these attacks, what part does identity play?
Thomas Etheridge: I think it's really important, Dave. In the recent data from our customer-based index and our threat graph, more than half of the detections that we analyzed were not malware-based, meaning companies need to provide a more holistic approach to their breach prevention capabilities and strategy. A lot of the initial entry points for malware deployment or the deployment of ransomware in an environment is through the leverage of compromised credentials. We see that week in and week out with victims that we respond to. Understanding identity in your environment, understanding the access levels that individuals within the organization have and what your remote access capabilities are, as well, is critical to being able to implement the right defensive strategy to make sure these events don't happen. Zero trust is a big part of that.
Dave Bittner: Well, let's talk zero trust, then. What part does that play in all this?
Thomas Etheridge: Well, zero trust really requires all the users in an environment, whether in or outside the organization's network, to be continuously authenticated, authorized and validated before being granted access to applications and data in an environment, really putting strong governance and controls around how folks access infrastructure and applications from within an environment but also if you're coming in from outside the environment. And implementing a zero trust strategy really puts better controls in the hands of the defenders in terms of understanding if somebody's credentials have been compromised, we would be able to detect that and know it to be able to shut down an attack in the event one started.
Dave Bittner: Is my understanding correct that zero trust really requires a certain amount of maturity from an organization, that proper implementation of this isn't something - it's not something you do at the beginner's stage of your security journey?
Thomas Etheridge: Absolutely. I mean, we look at zero trust as a journey. It's not something that you flip a switch and implement, although there are tools and technologies that can help you implement that a lot faster. Once you gain an understanding of where those risks are at, how credentials are being provisioned within an environment and where you may have at-risk credentials, things like service accounts, which are prolific in terms of the use by threat actors in navigating across an environment or compromising applications within an infrastructure.
Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.