The CyberWire Daily Podcast 2.4.22
Ep 1509 | 2.4.22

Update on Russian cyber ops and disinformation around Ukraine. Ransomware disrupts European ports. Chinese intelligence services exploit a Zimbra zero-day.

Transcript

Dave Bittner: Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video. European ports and other logistical installations are under attack by ransomware. Daniel Prince from Lancaster University on safeguarding IoT and health care. Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra web mail cross-site-scripting zero day, so users beware.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 4, 2022. 

Dave Bittner: We open again with some notes on Russia's pressure on Ukraine and its implication for cyberspace. Russian President Putin is in Beijing for discussions with Chinese President Xi Jinping. One purpose of the visit is to secure Chinese support for Russia's stance with respect to Ukraine. While troops remain poised in Russia and Belarus, staged near the Ukrainian border, those hoping to avoid a war see hopeful signs in Russia's apparent continuing openness to diplomacy. But tensions remain high, and the U.S. warns that Russia is preparing deepfake provocations to supply a casus belli. 

Dave Bittner: Palo Alto Networks' Unit 42 reports that Gamaredon, also known as Primitive Bear, a threat actor associated with Russia's FSB, has been active against a Western government entity in Ukraine. Which government and which organization, Unit 42 hasn't said. But it does say it's been monitoring three clusters of Gamaredon infrastructure, collecting over 100 malware samples and finding 700 malicious domains and 215 IP addresses. Unit 42 writes, quote, "monitoring these clusters, we observed an attempt to compromise a Western government entity in Ukraine on January 19, 2022. We have also identified potential malware testing activity and reuse of historical techniques involving open-source virtual network computing software." 

Dave Bittner: The campaign they observed relied on phishing for its initial access, and the phish bait was the familiar and surprisingly anodyne bogus job ad. The three infrastructure clusters Unit 42 observed it characterizes as Gamaredon downloader infrastructure - cluster one, file stealer - cluster two and Pteranodon - cluster three. And it cautions that there are probably other so-far undiscovered clusters in use. 

Dave Bittner: The FSB's attentions to Ukraine are nothing new and are likely to continue, Unit 42 says. Quote, "Gamaredon has been targeting Ukrainian victims for almost a decade. As international tensions surrounding Ukraine remain unresolved, Gamaredon's operations are likely to continue to focus on Russian interests in the region," end quote. For further background on Gamaredon's recent activity, Unit 42 recommends the study Estonia's CERT-EE published early last week. 

Dave Bittner: The United States yesterday said that Russia had begun to prepare the production of imagery, including video, that would present faked evidence of either a Ukrainian attack on Russian forces or Ukrainian atrocities committed against ethnic Russians in Ukraine. Quote, "we believe that Russia would produce a very graphic propaganda video, which would include corpses and actors that would be depicting mourners and images of destroyed locations, as well as military equipment at the hands of Ukraine or the West, even to the point where some of this equipment would be made to look like it was Western supplied." That's Defense Department press secretary John Kirby speaking Thursday during a Pentagon press briefing. 

Dave Bittner: This is the third announcement by either the United States or the United Kingdom alleging Russian plans for provocations or deniable false-flag operations. These announcements have been warnings and preemptive in intent. The Washington Post lists the earlier allegations. On January 14, the U.S. said that Russia had staged covert operators into Ukraine, where they were positioned to conduct false-flag attacks against the nominally irregular alleged separatist forces Russia supports in Ukraine's Donetsk and Lugansk regions. A U.S. official explained, quote, "the operatives are trained in urban warfare and in using explosives to carry out acts of sabotage against Russia's own proxy forces," end quote. 

Dave Bittner: On January 23, the British Foreign Office announced that Russia was advancing plans to install a pro-Russian government in Kyiv. Foreign Secretary Liz Truss said, quote, "The information being released today shines a light on the extent of Russian activity designed to subvert Ukraine and is an insight into Kremlin thinking," end quote. In none of these three cases did either the U.S. or U.K. provide details on the intelligence that supported their accusations, which, of course, Russia dismissed as nonsense. As preemptive announcements, however, the three accusations clearly have some utility. Should the Russian provocations occur, there's a chance they'll be recognized as such. Or better yet, if Moscow concluded the gaff had been blown, the provocations might not take place at all. The story is developing, and we shall see. 

Dave Bittner: Disruption of logistical choke points - petroleum distribution in Germany, port operations in Belgium and the Netherlands - continues to spread across Europe, Industrial Cyber reports. The Record says that officials in the Netherlands don't believe the attacks are related. And SecurityWeek quotes Dutch authorities as saying that the attacks were probably committed with a criminal motive. The incidents are thought to be a ransomware attack, specifically with the Conti and BlackCat strains. According to Deutsche Welle, both Europol and national authorities are investigating. The consequences of the attacks against Belgian port facilities seem to have been contained and limited. Among the operators affected was SEA-Tank, which works in Antwerp. The BBC reports that SEA-Tank's corporate parent, SEA-Invest, has said that its operations worldwide have been affected by the incident. 

Dave Bittner: For all the attention ransomware attracts as a threat to data availability and privacy, it's worth noting the particular threat it poses to industrial systems. Claroty's recent report on the global state of industrial cybersecurity notes that of those who responded to their survey, about half reported an effect on operational technology and industrial control systems. 

Dave Bittner: Volexity reports that a Chinese APT is exploiting a cross-site scripting vulnerability in Zimbra, an email platform organizations use as an alternative to Microsoft Exchange, against European governments. Volexity calls the campaign EmailThief, and it began in mid-December. The initial infestations arrive through phishing, and the emails use a two-step approach. The first email is technically benign. That is, it carries no malicious payload and contains no malicious links. Its purpose is reconnaissance. The operators want to see first if the email account is an actively monitored one. And if it is, they want to see whether the account user is ready and willing to open an email received out of the blue from some unfamiliar sender. Many users, we note, are willing to do that. And in many cases, opening emails received out of the blue is somebody's job. So those who open the message aren't necessarily slackers, suckers or slack-jawed doofuses. Once the operators have determined that they got a live one nibbling on the phish bait, they send a second email that contains the hook, usually a link to a malicious site that executes a cross-site scripting attack against their Zimbra web mail app. What follows can be readily imagined - compromise of emails, compromise of networks, hijacking of accounts, which can then be used in further phishing attacks, and so on. So it doesn't stop, alas, but keep plugging away out there, friends. 

Dave Bittner: AppSec firm Veracode recently released their yearly State of Software Security report, tracking trends they see in their customers to see how application development processes are changing. Chris Wysopal is chief technology officer at Veracode. 

Chris Wysopal: So we looked at all the applications over a 13-month period. This was 310,000 applications, and it included over 5 million scans of those applications, so the average was scanned six times. But we know that some apps are scanned daily and some are scanned yearly. But we looked at the makeup of those applications to understand how are application development trends changing. And what we saw was the apps are getting smaller, and the development process is getting more automated. Some of these findings - you know, if you split apps into small, medium or large, we saw 143% growth of small applications. If you split the way people are invoking a testing service - are they manually doing this through a web interface? Are they doing it through an API? We saw there was 133% growth of the API method. So these things tell us apps are getting more componentized, more microservice-oriented, and development pipelines are getting more automated. 

Dave Bittner: And what do you suppose is driving this trend? 

Chris Wysopal: Yeah, so I think it really is - it's two trends, right? It's the trend towards DevOps, which is, you know, any manual step in the process is sort of deemed a bug that needs to be fixed and automation be put in place of manual processes to make things more repeatable, more reliable and, of course, faster. So I think that's one major trend. The other one is the cloud-native application trend. Cloud-native applications are just built out of smaller executable code chunks called microservices with APIs on them, rather than, you know, the traditional data center application was more of a three-tier architecture. So we see that the fact that apps are shrinking, we're assuming that those apps are becoming more componentized and more microservice-oriented. 

Dave Bittner: What, if any, are the security implications of things heading in this direction? 

Chris Wysopal: Yeah. So one implication is a growing attack surface, because all these microservices now have APIs on them which require input validation, authorization and authentication. That connection needs to be encrypted. When you break up a monolithic application, where everything is running in one process, into many different microservices, now you've got to think about - you have more attack surfaces, more edges that people can interact with your code from. And so that has to be thought through. It could be a negative unless you take care of it and have a consistent approach for building these microservices and securing them. It can be a positive. It's definitely a positive to see automation of security testing. Anything that is automated will be done, can be done, like, for every code deployment or perhaps every code change. And that basically leads to defects being found earlier in the development lifecycle. And things that - when you know about a problem earlier, it's both easier to fix and typically less expensive to fix. There's less people involved. There's less systems involved when you catch things as quick as possible after the defect has been created. 

Dave Bittner: Well, based on the information that you gathered here, what are your recommendations for folks in the security side of the house? Should they be making some adjustments here with this reality? 

Chris Wysopal: Yeah. So I think the trend towards microservices is something that your development teams are going to want to do. It's just a more reliable and more efficient way to build applications, especially when you have that cloud-native infrastructure. So that's something that you're going to just have to adjust to. But I think the thing that security teams can do is make sure they leverage all that automation that their development teams have built in their CI/CD pipeline. And make sure that any security testing they're doing that, you know, is automated can be integrated in in the right places in the - in that CI/CD pipeline. And I would say, even before that, if you can integrate into the IDE even before the code is built, that's even better. Use automation, use integrations and shift as far left as you can. 

Dave Bittner: That's Chris Wysopal from Veracode. 

Dave Bittner: And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in security and protection science at Lancaster University. Daniel, it's always great to have you back. I wanted to touch base with you today on some of the things I know you're tracking when it comes to IoT devices and specifically IoT devices that have to do with the health care side of things. What sort of things have you been tracking lately? 

Daniel Prince: So we've recently started a project here at Lancaster University to look at how can we improve the security in developing health IoT devices. And one of the challenges that we've come across, like many, many IoT and industrial control system kind of environments, is this balance between safety and security and the tensions between the two. And one of the things that we've been looking at is, how do we actually help developers really develop a good understanding of that balance for the products they're developing and the user and the communities they're trying to serve? And we've developed this concept of safeguarding. And it's this idea that you can really use security as a protection mechanism for the safety aspects of your product. And, you know, it sounds very obvious upfront, but, you know, this idea of security as a safeguarding mechanism and using that as a tool to help developers understand the kind of features that they need to have in their health IoT products is something that we're really working to develop interventions on. 

Dave Bittner: Can you walk us through the types of things that you're recommending here? What exactly are you laying out? 

Daniel Prince: So as part of the project, what we're trying to do is work with health IoT developers to get them to understand at a very early stage the types of threats that they might face from the attackers. So who are the attackers and why might they attack their system? And then from that, we're helping them to develop approaches to take a balanced view about where to put their constrained resources. We've seen a boom of health IoT products from, you know, very large companies, but a lot of very small startup companies coming along. And they've got what we call constrained developer resource. You know, it might be two, three people. 

Daniel Prince: And so when you've got that limited resource, how do you actually allocate developing of new features for the consumer alongside developing the aspects of the system that need protection and develop the safeguarding of the safety of the system, whether that be the data of the individual or more physical aspects such as, you know, thinking about a pacemaker, for example, is a classic cybersecurity scenario? So what we're trying to do is develop interventions and new approaches that the developers can really think about how to balance, you know, the idea of developing new features to gain more commercial ground with the protective elements that protect the safety of the individuals using their products. 

Dave Bittner: Is part of this making the case that it's in their long-term interest to do so, that, you know, despite the pressures to release the product, to ship the product, that in the long run, they're going to be better off if they're mindful of these things? 

Daniel Prince: Yeah, definitely. I mean, there's been quite a lot of work done on the economics of security in systems. And so people like Hal Varian - building on the work of Hal Varian, Ross Anderson, Bruce Schneier, these have looked at the economics of cybersecurity. And, you know, there's some really rational decisions around being first to market, getting the good features, making it easy for complementers (ph) to use your product because that helps drive a monopoly within a particular sector. And so what we're trying to do is also have - balance that with this long-term view that, actually, you're going to have to protect your consumers and ultimately, at the end, customers that are using your products because they're the ones that are going to be vulnerable and need these health care devices. 

Daniel Prince: So we need to be able to have that - take a bit more of a long-term view, but balance that with the commercial incentive to be able to get the new features out there, to be able to sell your product. And so it's entirely right to think that we need to have these approaches built in through the lifecycle of developing the device so that - to enable developers to take this long-term view, because after all, one of the classic problems with security is you never know when a security failure might occur. But you definitely know very early on what features the user wants to buy. 

Daniel Prince: So, you know, it's balancing something that may never happen with something that you definitely know is going to happen and will actually help the business grow. But actually, you're turning the whole thing round and saying, actually, security and safeguarding is a particularly important aspect of your product and service. And how do you actually market and sell that is something else that we're working on. 

Dave Bittner: Do you find that that's resonating with the people that you're talking to, that they're finding security - is it a place where it's a competitive advantage? 

Daniel Prince: Yes and no. I think one of the things that when we're talking to the health care - the health IoT companies, they're aware that they have to really make sure that their product is safe, particularly those health IoT products which have a direct impact on physical well-being. So, you know, your classic insulin pumps and so on, the things that really directly affect the body, all those that affect the environment, for example, looking after older people so that they can remain in their home. And so you've got this real understanding that we need to build products that are safe for those to use. 

Daniel Prince: So the idea of how to turn security into that kind of also a message that sits alongside saying that this is a safe product which is underpinned by digital technology, and we've gone through a really rigorous development approach to ensure that security, is something that the companies we're working with are really kind of focusing on and saying, yeah, this is exactly the type of intervention and support that we need long term, so that we can improve and gain that commercial advantage. 

Dave Bittner: All right. Well, Daniel Prince, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Danny Adamitis from Lumen's Black Lotus Labs. We're discussing the new Konni campaign that kicks off the New Year by targeting Russian Ministry of Foreign Affairs. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.