The CyberWire Daily Podcast 1.31.22
Ep 1505 | 1.31.22

The UN Security Council will take up Russia’s hybrid war against Ukraine as Western powers prepare sanctions. Other ransomware and social engineering campaigns.


Dave Bittner: The U.S. takes Russia to the U.N. Security Council over its threat to Ukraine, and, while Russian forces remain in assembly areas, a campaign of cyberattack and influence operations continues. Western powers, notably the U.K. and the U.S., are preparing sanctions against Russia. Elsewhere, ongoing ransomware and social engineering. Dinah Davis from Arctic Wolf on Linux malware via IoT devices. Rick Howard shares his favorite sources for keeping up to date. And there's a pair of decisions in a long-running case involving HP Enterprise's purchase of Autonomy.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 31, 2022. 

Dave Bittner: The United Nations Security Council is meeting today to discuss Russia's actions against Ukraine, The Washington Post reports. China voted with Russia against the meeting, but the U.S. proposal to meet passed nonetheless. The U.S. fully intends to put Russia on the defensive during the sessions, the AP reports. Russia is, of course, unhappy that the meeting is being called at all. Moscow's deputy U.N. ambassador Dmitry Polyansky tweeted a response. Quote, "I can't recall another occasion when a Security Council member proposed to discuss its own baseless allegations and assumptions as a threat to international order from someone else. Hopefully fellow UNSC members will not support this clear PR stunt, shameful for the reputation of U.N. Security Council," end quote. 

Dave Bittner: For all China's comments at the U.N. of the importance of quiet diplomacy and seeking a peaceful reduction of tension, Chinese social media operators, Beijing's Wolf Warriors, have been taking opportunistic advantage of the crisis, trolling the U.S. and the EU, Foreign Policy reports. 

Dave Bittner: Bilateral diplomacy also continues. According to Bloomberg, U.S. Secretary of State Blinken and Russian Foreign Minister Lavrov plan a phone call over the crisis tomorrow. 

Dave Bittner: On Friday, we heard about CrowdStrike's analysis of cyberattacks against Ukrainian targets by Voodoo Bear, a unit operating under the direction of Russia's GRU military intelligence service that has a long history of operations against Ukraine that goes back to 2014, the year Russia seized and annexed Crimea. As this week opens, we hear that other Russian services appear to have been active as well. Researchers at Symantec ascribe recent attacks to the threat group they track as Shuckworm, and that's otherwise known as Primitive Bear, Armageddon, or, most commonly, Gamaredon. Quote, "active since at least 2013, Shuckworm specializes in cyber espionage campaigns mainly against entities in Ukraine. The group is known to use phishing emails to distribute either freely available remote access tools, including Remote Manipulator System and UltraVNC, or customized malware called Pterodo/Pteranodon to targets. A recent report published by the Security Service of Ukraine noted that Shuckworm's attacks have grown in sophistication in recent times, with attackers now using living-off-the-land tools to steal credentials and move laterally on victim networks. Recent activity seen by Symantec is consistent with that documented by SSU," end quote. 

Dave Bittner: Ukraine's SSU security service this past November connected the group to Russia's FSB, and the group certainly has a record of carrying out operations in the furtherance of Russian interests. At the time, the SSU described the group - their preferred name for it is Armageddon - as follows. Quote, "the Armageddon hacker group is an FSB special project which specifically targeted Ukraine. This line of work is coordinated by the FSB's 18th Center - Information Security Center - based in Moscow. Since the Russian aggression in 2014, this unit has carried out over 5,000 cyberattacks and attempted to infect over 1,500 government computer systems. The attackers' goals were control over critical infrastructure, theft and collection of intelligence, including information with restricted access, informational and psychological influence, and blocking information systems," end quote. 

Dave Bittner: Looking forward at the possible escalation of the conflict, Politico thinks that Russian operators would be unlikely to show the discrimination in targeting they've so far exhibited and that there's no reason to believe that the effects of destructive cyberattacks would be confined within the borders of Ukraine. The Czech Republic has joined the U.K., Canada and the U.S. in warning of the likelihood of Russian cyberattacks. The Expat says that on Friday, the Czech National Cyber and Information Security Agency warned that, quote, "attacks could constitute cyber spying operations orchestrated by foreign powers or attacks to harvest Czech data. The agency called attention to 19 possible modes of attack and 14 frequently neglected vulnerabilities," end quote. 

Dave Bittner: Russian disinformation in the service of influence operations designed to split Ukrainian society continues, and the Atlantic Council's Digital Forensic Research Lab has done a commendable job in tracking some of its characteristic themes. Those themes exhibit some of the typical inconsistencies that have long marked Russian influence campaigns. For example, on the one hand, NATO's provision of weapons, notably anti-armor rockets to Ukraine, is an intolerable provocation and amounts to placing a dagger in the hands of Kyiv, which intends aggression against, at the very least, Russophone populations, if not Russia itself. But on the other hand, the weapons are junk and can't hit the broad side of a barn or even an old Soviet tank. On a large scale, it seems that these efforts may have fallen short of their mark, with pro-Russian sentiment sharply down in the large, predominantly Russian-speaking city of Kharkiv, close to Ukraine's eastern border with Russia. Both The Wall Street Journal and The Washington Post report the ongoing pressure on Ukraine seems to have increased national unity even in those regions that had shown some ethnic and linguistic affinity with Russia. 

Dave Bittner: Both the U.S. and the U.K. are preparing new sanctions against Russia should it not pull back from its threatening posture with respect to Ukraine, Bloomberg reports. The most serious sanctions would be reserved as a response to an invasion. This round of sanctions will, in all likelihood, be designed to have a strong effect on individuals. British Foreign Secretary Liz Truss told the BBC that, quote, "We're going to be introducing new legislation so that we can hit targets, including those who are key to the Kremlin's continuation and the continuation of the Russian regime. There will be severe costs on an invasion into Ukraine, and we would target Russian financial institutions. We would target energy companies. We will target oligarchs close to the Kremlin," end quote. In the U.S., a bill introduced in the Senate is consistent with earlier administration statements on sanctions. According to The Wall Street Journal, quote, "The legislation under negotiation among members of the Senate Foreign Relations Committee and others would target major Russian banks, hit Russians' savings and pensions and limit the market for Russia's sovereign debt, among other elements, Chairman Senator Bob Menendez, Democrat from New Jersey, said Sunday," end quote. 

Dave Bittner: North Korea's Lazarus Group has been actively prospecting marks by using phony job notices that the threat actor represents as being from Lockheed Martin. The attack, described late last week by Malwarebytes, begins with malicious macros embedded in Word documents. And it abuses the Windows Update client to bypass security detection mechanisms. 

Dave Bittner: The BlackCat ransomware-as-a-service gang, described in detail last week by Palo Alto Networks Unit 42, is regarded as unusual for its way of using private access key tokens. KrebsOnSecurity has an interesting account of contacts with criminal actors who may or may not be behind BlackCat. It's a Russophone group and a criminal group. And there are a few suspects, but there's no definitive attribution. 

Dave Bittner: Proofpoint describes a new malicious hybrid cloud campaign named OiVaVoii. The campaign prospects board members and C-suites with hijacked Office 365 tenants and a varied array of social engineering ploys. 

Dave Bittner: BleepingComputer reports that Finland's National Cyber Security Centre warns of an ongoing campaign to hijack Facebook accounts. The attackers use social engineering and Facebook chats. Victims receive messages from operators pretending to be online acquaintances, then ask for phone numbers and an SMS-delivered verification number. Once the attackers have these, they establish control over the account for use in further scams. 

Dave Bittner: According to The Verge, the decentralized finance platform Qubit Finance was hit by thieves last week, losing some $80 million in the cryptocurrency it handled. Qubit said that the attackers abused the QBridge deposit function on the Ethereum network. 

Dave Bittner: And in the courts, the long-running dispute between HP and former Autonomy CEO Mike Lynch has reached two milestones. Bloomberg says that a judge in the U.K. has decided against him in the civil fraud action HP brought in 2015 against Dr. Lynch for what HP characterized as fraud in the sale of Autonomy to HP Enterprise in 2011. HP asked for $5 billion in damage. The judge acknowledged that any actual award would, in all probability, be substantially less than that. Of perhaps greater concern to Dr. Lynch is the home secretary's decision to extradite him to the U.S., where he faces criminal charges related to the alleged fraud. 

Dave Bittner: And it's always my pleasure to welcome back to the show Rick Howard, the CyberWire's chief security officer and chief analyst. Rick, always good to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So last week on "CSO Perspectives," you gave us a review on some of the sources of infosec content that you find valuable and would recommend for our audience to check out in 2022. Now, I know that your stuff always generates a lot of feedback, and I'm curious if you heard from any of our listeners about any of your recommendations, and specifically, did anybody suggest sources that you hadn't considered? 

Rick Howard: Why of course. That's what's great about this show, Dave. Our listeners always have great ideas and perspectives and, by the way, aren't afraid to share their thoughts with us, which, you know, I really appreciate. And as I said last week, I get my infosec information from all kinds of sources. But my go-to's are podcasts and audio books because I just like the convenience of it. But as our listeners pointed out, there are many other sources that they prefer. 

Dave Bittner: Yeah, you know, after you and I wrapped up our conversation last week, I was thinking, and I realized that one thing you didn't mention was movies and documentaries as well. Anything from our listeners from those two sources? 

Rick Howard: Well, it's funny you should think about that. I got multiple listener recommendations about two HBO documentaries, right? And the first one's called "The Perfect Weapon." And I can't believe I left this one off my list last week. It's a documentary based on a book, a Cybersecurity Canon Hall of Fame winner, by the way, written by New York Times journalist David Sanger, which I highly recommend. It's about the evolution of what he calls continuous, low-level cyber conflict between the Big Five nations - the U.S., Russia, China, North Korea and Iran. And with the things going on today between Russia and Ukraine, this book seems especially relevant. But if you don't have time to listen to 12 hours from the recorded audio book like I did, this little 90-minute documentary from HBO is an excellent Reader's Digest version. You talked to Sanger last year when he wrote the book, right, Dave? 

Dave Bittner: Yeah, yeah, absolutely. No, he's always a good guest to have. And, as you mentioned, great book. 

Rick Howard: So the second HBO documentary is called "Kill Chain: The Cyber War on America's Elections." It was released in May 2020, just prior to the U.S. presidential elections. And if you were worried about the integrity of the U.S. elections apparatus before the presidential election, this documentary will make you aware of just how fragile the entire system is for the next congressional elections coming up in 2022, not from hacking per se, but attacks from within the country, from our own national and local politicians who are trying to limit the franchise. It's really pretty scary. So for this next CSO Perspectives episode, we sit down at the Hash Table with a couple of subject matter experts to discuss these documentaries and another complete set of sources that you might find valuable in 2022. 

Dave Bittner: All right, sounds interesting. You know, I remember the last RSA that you and I were at, which was, I think, the last RSA, you know... 

Rick Howard: (Laughter) Yeah. 

Dave Bittner: ...The last pre-COVID RSA conference in San Francisco, when COVID was just starting to sort of make its way around... 

Rick Howard: We were just trying to think, should we stay home or should we do something else? Yeah, we were right there. Yeah. 

Dave Bittner: Right. But that was right before the elections as well. And I spoke to a couple folks from the FBI there who were hot and heavy into a lot of that election stuff. And it was interesting to pull them aside and kind of say, hey, listen, I'm in Maryland. You know, how... 

Rick Howard: Yeah, what's the deal? 

Dave Bittner: And he was like - and the guy I spoke with, he was like, yeah, Maryland's good. Maryland's good. 

Rick Howard: Well, I just want to say up front, the government did fantastic about protecting the election from hacking and those kinds of things. They did a phenomenal job, all right? What we're talking about here is really attacks against the idea of the franchise, which is, you know, at a whole nother (ph) level. 

Dave Bittner: No, it's a whole different thing. Well, do check it out. It is CSO Perspectives, and that is part of CyberWire Pro. You can learn all about that on our website. Rick Howard, thanks for joining us. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf and also the founder of Code Like a Girl. Dinah, always great to have you back. 

Dinah Davis: Thank you. 

Dave Bittner: You know, you and I were recently talking about smart speakers, and that got me thinking about IoT devices and some of the things that folks need to be concerned about as we pepper our homes, our places of work and beyond with these devices. I know this is something you've had your eye on. What can you share with us today? 

Dinah Davis: Yeah. So I was interested to see that, you know, Linux malware has seen a 35% growth during 2021, and it's mostly because of IoT devices. I was like, oh, yeah, OK, Linux malware is increasing. I'm like, OK, they're probably going to start going up, but it's because of IoT devices. That's really interesting, right? It's because it's common to recruit IoT devices for distributed denial-of-service attacks. We all know it - like, a denial-of-service attack is basically flooding a website or something to make it impossible for it to actually compute. And now what they're doing is trying to leverage all of these various IoT devices from different parts to do that. And there was actually an attack on some major websites a few years ago that was run exactly that way, doing a distributed denial-of-service attack from webcams. With the Internet of Things, they're typically, you know, underpowered smart devices, right? So they're running various different Linux distributions. They don't have anything more than that on them because they're trying to go, you know, pretty cheap and basic and all of that stuff because these are just, like, small things and then they limit the functionality, right? The attackers basically take all of these systems together and launch stuff to do these either distributed denial-of-service attacks or things like mining cryptocurrency, right? That's high compute. And if there's all this, like, small bits of compute available on all these tiny IoT devices, they can leverage that to mine cryptocurrency or facilitate, like, spam mail campaigns, even sometimes act as command and control servers. The last one is kind of the worst, you know, act as an entry point to corporate networks - right? - these IoT devices, especially if they're connected to your main network. So do you have any connected devices in your house, Dave? 

Dave Bittner: Oh, it's easier to list the devices I don't have that are connected in my house, Dinah. 


Dave Bittner: Yes, yes. My understanding is that the devices continue to function their primary function. So that security camera is going to - it's just still functioning up there being a security camera, but it's using those excess processor cycles that are available to do the alternate things that the hackers have come in to get it to do. 

Dinah Davis: Yeah. And you have no idea. You have no idea. 

Dave Bittner: Right. Right. So what's to be done here? 

Dinah Davis: Yeah. So a few basic things - change the default passwords and settings, right? So a lot of the time, you know, they're going to go for the path of least resistance here. And oftentimes, they're just looking for the IoT devices that are still in their original state. Like, it might have some security and password, but it'll be the manufacturer's default. So always, always change that. That's going to go a really big way to protecting you from this. Use strong passwords as well. That's always - I mean, I feel like that's just on repeat all the time - use strong passwords. So avoid using public Wi-Fi when you're accessing your IoT network. So let's say you're, like, on a trip and you're coming home and you want your Nest to warm up your house, right? 

Dave Bittner: Right. 

Dinah Davis: And don't use the airport open Wi-Fi to then do that because you're opening it up - like, you're making connections back home from this open Wi-Fi. I mean, in general, I would have to say do not use open Wi-Fi. It's not a good idea at all, ever. It's a last resort. So just pop off that. Use your cell data or a trusted network before you, you know, talk to anything in your home network. And use guest networks at home. So make sure you're using it for any visitors that come in. Don't let them come on your regular network that has all of your own family's things in it. And use it for as many of your IoT devices as possible. That way, if one of the IoT devices is compromised and it goes searching for other devices on the network, it's not getting any of your important things, right? And then always use strong encryption for your Wi-Fi access at home. And take special care to secure the top-level controls of your IoT network. So if you've got a larger network and you've got things connected, you know, make sure you have a strong password and two-factor authentication to get into the places where it's going to manage them - right? - especially around if you have a security system or anything like that. So there's a lot of good reasons to sometimes have IoT in your house. You just need to, you know, treat it with respect and know that, you know, you have to secure it properly. 

Dave Bittner: All right. Well, good advice, as always. Dinah Davis, thanks for joining us. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Paru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.