Liquidating Lviv botfarms. Notes on hybrid war. Digital frameups in India? The Lazarus Group’s new yet familiar phishbait. Warnings about ransomware.
Dave Bittner: Ukraine takes down two bot farms pushing panic. Thoughts on hybrid warfare. Russia and China explain how we ought to see the political and online worlds. Digital frame-ups are reported in India. Lazarus phishes with bogus job offers. Espionage services look for journalists' sources. David Dufour from Webroot ponders the metaverse. Our guest is Amanda Fennell, host of the "Security Sandbox" podcast. And public and private sector warnings about ransomware.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 10, 2022.
Dave Bittner: The Ukrainian SBU security service announced its liquidation of two bot farms in the Ukrainian city of Lviv, which the SBU says were operating under Russian direction. Three arrests were made. Two of the suspects are accused of lending their apartments to bot farming. The third maintained the equipment and software. The two farms controlled some 18,000 bots and were largely engaged in disruptive influence operations, spreading rumors of bombings and the placement of mines in critical infrastructure. The Record describes the bot farm's goal as spreading panic. The bomb threats may be connected to a wave of such threats Euromaidan reported near the end of January. The SBU, at that time, characterized the campaign as a preparatory operation in a Russian hybrid war.
Dave Bittner: An essay in the New Atlanticist argues that adversaries, Russia in particular, have the advantage over the U.S. with respect to hybrid warfare. Russian hybrid warfare isn't confined to the current situation in Ukraine. And the essay, in fact, emphasizes other earlier operations as varied as election influence and nerve agent assassination attempts. The essay sees five areas where the U.S. needs to improve its capabilities, doctrine and policies. They include timely attribution and its timely public release; pain points - the clear-eyed assessment of what the adversaries value and how those values may be vulnerable; tempo and sequencing - U.S. responses must be effective and close enough in time to the original offense to be correctly viewed as retaliatory; strategic coordination - that's in the first instance internal coordination with national strategy - the U.S. government has had some difficulty staying on message; and finally, effects-based messaging - the goal is to shape the adversary's behavior, and the messaging, in both words and action, should be designed to do so in a way consistent with overall strategy.
Dave Bittner: The Olympic Games meeting between presidents Putin and Xi resulted in a long communique, a "Joint Statement Of The Russian Federation And The People's Republic Of China On The International Relations Entering A New Era And The Global Sustainable Development." While it's easy to read too much into the meeting, an essay in Foreign Policy argues it's worth reading the joint statement as a summary of the worldview that Russia's government would advance. They note that Beijing's account of the session has been more muted than Moscow's. It's especially relevant in its implicit framing of Russia's ambitions with respect to Ukraine.
Dave Bittner: Fundamentally, Russia sees the dispute with NATO and Ukraine as an internal Russian matter. As the joint statement puts it, quote, "the sides reaffirm their strong mutual support for the protection of their core interests, state sovereignty and territorial integrity, and oppose interference by external forces in their internal affairs. Russia and China stand against attempts by external forces to undermine security and stability in their common adjacent regions, intend to counter interference by outside forces in the internal affairs of sovereign countries under any pretext, oppose color revolutions and will increase cooperation in the aforementioned areas," end quote.
Dave Bittner: Note the mention of common adjacent areas, which seems to suggest that a declared sphere of influence should be regarded as a matter of state sovereignty and not something other nations may legitimately meddle with - that is, a matter of big state sovereignty - a matter for what used to be called great powers. Looking ahead to other long-running conflicts, the joint statement includes a by-the-way warning about Taiwan. Quote, "the Russian side reaffirms its support for the One-China principle, confirms that Taiwan is an inalienable part of China and opposes any forms of independence of Taiwan," end quote.
Dave Bittner: The villain is NATO, frozen in its Cold War mindset and led by an America that's interested in replicating the malign NATO model in Asia and the Pacific with an assist from the U.K. and Australia. Respect for sovereignty is also cited as a core principle with respect to internet governance and information security. The diplomatic heavy-lifting is bucked up to the United Nations. There are some routine avowals about supporting an international convention that would address cybercrime, and this matter is also bucked up to the U.N.
Dave Bittner: And finally, internet governance is to be internationalized in a way that establishes national control over information as a fundamental principle. Governments will decide what transits the web in their countries. Let every country erect its own Great Firewall - or at least let Moscow and Beijing do so.
Dave Bittner: SentinelLabs describes a long-running operation by an APT it calls ModifiedElephant. The group has been active since 2012 at least, and its targets have, for the most part, been located in India. It's been engaging in apparent frame-ups. Quote, "ModifiedElephant is responsible for targeting attacks on human rights activists, human rights defenders, academics and lawyers across India with the objective of planting incriminating digital evidence," end quote. The group uses commercially available remote access trojans and so may have connections with the commercial surveillance, or lawful intercept, industry. ModifiedElephant's preferred method of attack is the familiar spear-phishing campaign, with the payloads usually carried in malicious Microsoft Office files. The researchers are cautious about attribution, but they do say that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.
Dave Bittner: North Korea's Lazarus Group continues its tiresome practice of phishing for victims with bogus job offers imputed to major defense and aerospace companies. Northrop Grumman and BAE have been impersonated in the past. More recently, ZDNet reports, it's been Lockheed Martin. Researchers at Qualys, who've tracked the activity, are calling this particular campaign LolZarus for its use of Lolbins - that is, living-off-the-land binaries. The phishbait is familiar, but this incident shows some evolution of capability on the part of the Lazarus Group. As Qualys puts it in the conclusion of its report, quote, "Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various Lolbins as part of its campaign. Qualys will continue to monitor for other similar phishing lures related to Lazarus," end quote.
Dave Bittner: What were the Chinese state actors after in their compromise of News Corp? - sources, apparently, and CPO Magazine reports that those state actors took a particular interest in Wall Street Journal reporters. The attribution of the cyberespionage to China remains tentative - a best guess on the basis of the available evidence. The interest in sources has an obvious motivation - an authoritarian government would regard talking to the media, especially the foreign media, as first cousin to espionage.
Dave Bittner: A joint advisory by Australian, British and U.S. authorities outlines the current state of the ransomware threat. They see more underworld cooperation - especially ransomware-as-a-service operations and 24/7 help centers that expedite ransom payment and restoration of encrypted systems or data - a greater focus on the cloud and more software supply chain attacks. They also say that double extortion remains common - the Australian Cyber Security Centre, in particular, is observing this - and that they're beginning to see more threat actors using triple extortion. In triple extortion, the threat actor does three things - it publicly releases sensitive information, it disrupts the victim's internet access, and it tells the victim's partners, shareholders or suppliers about the incident. The ransomware operators are also going after managed service providers and industrial systems. And there's an interesting trend in timing. More ransomware approaches are being made on weekends and holidays when organizations are presumed to have relaxed, if not actually their vigilance, at least the level of security support they make available to their people.
Dave Bittner: There’s also a private-sector advisory on ransomware out today. The National Cybersecurity Alliance and the PCI Security Standards Council warn that such extortion is on the rise, and they offer some advice on best practices organizations should follow - train your people, keep your systems up-to-date and secure, monitor your networks, and back everything up. Sound advice all.
Dave Bittner: And I am pleased to welcome to the CyberWire Podcast Amanda Fennell. She is the host of the Security Sandbox podcast, which is joining the CyberWire network of podcasts. Amanda, welcome to the CyberWire.
Amanda Fennell: Thanks for having me. Excited.
Dave Bittner: Well, let's get started by learning a little bit about your podcast and you as well. Let's start out with the show here. What are you setting out to do here with Security Sandbox?
Amanda Fennell: Well, I think this began because there are a lot of security podcasts out there, and I guess I wasn't listening to a lot of them, and I started to wonder, why was I not listening? And I think there was a bit of like, OK, I think I've heard this particular topic before this way. And that's the thing in security. A lot of us have the same perspective because we've all been doing the same thing a long time. And so I was thinking about bringing in different perspectives to kind of throw into the mix, and that was the creation of Season 1, where we kind of put this creativity and curiosity from other areas that you're enjoying or you're passionate about, like archaeology, and you bring that into, how could we deploy some of these same concepts into cybersecurity?
Dave Bittner: Yeah, I mean, looking through and listening to some of the episodes from your first season there, it seems to me like you're really focusing on the human side of things, the people bringing a bit of themselves to this work.
Amanda Fennell: You know, it's true. And for as much as I love the tech, the tech is always easy to, you know, either procure or implement or configure and so on. It's the human element that always ends up making it successful or not. And I think that's where Season 2 really went and is going now. Like, we know it's about people. Now it's less about random passions that might be able to come in. Now it's about how are these people using the technology in combination to be successful in securing the environment?
Dave Bittner: Well, tell us a little bit about yourself. How did you get your start and what led you to where you are today?
Amanda Fennell: I feel like if you go back through Season 1, you'll find out what all of my random jobs were as a kid.
Amanda Fennell: So I worked at Starbucks at one point, so coffee is a big passion. I went undergrad in archaeology, so that was an episode - specialized in human remains. And then when I started to go through grad school, I found out there just was not a really large market for archaeologists out there. And also, once I started doing the work, I was like, wow, this is not Indiana Jones or Lara Croft at all. It's living in a hotel room, and you have a very small brush and a trowel. So I started to look for different programs for my masters to move into that would be more security job - like, to have one and to get paid and be able to pay off my student loans. And at the time, digital forensics had just come out. And I specialized, like I said, in human remains, which was forensic anthropology. So it wasn't a far jump for me to say, well, what's this digital forensics? You're using the word forensics, and the word forensics comes from Latin forensis - before the people and having to prove a case.
Amanda Fennell: So I was intrigued. I went and talked to them and switched over to digital forensics. And the first semester into it, I got recruited from Guidance Software for EnCase. And it just went from there. And then it was government and Fortune 50s (ph), managing security stuff. And I think after a while, I decided I had a voice that I thought could be helpful. And I think that's really what I think the podcast is about. Like, I think that we have something here we can say that we think will be helpful, and it is founded in the same curiosity today that I had 20 years ago.
Dave Bittner: Well, as you say, Season 2 is about to kick off here. Can you give us a preview of some of the things we can look forward to?
Amanda Fennell: I will. I'll say that the first episode that's coming out is this great conversation with Perry Carpenter. And I'm sure a lot of people already know Perry Carpenter. He's very well known. But he is the host of the "8th Layer Insights" podcast, and he's an author, security researcher, all of these different things. And he's also behavioral science, and that is his enthusiasm. So love it. This is the area that I was - I read the book, and I was like, oh, my gosh, this gentleman is just as emphatic about humans being the strongest link as I am, but in a very fresh way.
Amanda Fennell: And so we came to it there with Marcin Swiety, who's my director of global security and IT. And he's in Poland. And we chat about just effective training technology and support that can get everyone invested in how they'll protect your organization. So how will those things all come together?
Amanda Fennell: And I always, like, go back to "300," which is, like, one of my favorite movies, which is tragic. I literally named my firstborn child Leonidas. I get it. I know. It's that bad.
Dave Bittner: (Laughter) Oh, my.
Amanda Fennell: But I love the - I know. But I love the idea of, like, how they were able to hold off - so 30,000, a million, however many troops that were coming into the hot gates, and it was just 300 men. How were they able to do that was because they had - trust in the person to their left and right was just as strong and cared just as much as they did. And that is how I think cybersecurity needs to be. We are holding off millions of threats every day. You have to trust the person to your left and right and not just because they're on the security team.
Dave Bittner: Yeah. You know, it strikes me that in this world that cybersecurity people inhabit, where there's so many ones and zeros and the, you know, the alarms are always going off, that there's a real hunger for these stories of human connection and being able to tap into that side of things. So I really think you're onto something here.
Amanda Fennell: I hope so. I do think that there is always a technical aspect to each episode, as there should be. We'll never get away from the tech. But how we're implementing that tech to become something that's much more merged with humans - I mean, honestly, that's where we go in the direction when we talk about AI, right? This is exactly why that'll be one of the other topics that we tackle - about, like, what is the real role of AI in the future in cyber? We know that automation and machine learning is happening in the cyber realm with adversaries. How are we fighting that battle, and what would be the future for that?
Dave Bittner: Well, the podcast is titled "Security Sandbox," and it's hosted by Amanda Fennell. Thank you so much for joining us.
Dave Bittner: And I'm pleased to be joined once again by David Dufour. He is the vice president of engineering and cybersecurity at OpenText. David, always great to have you back on the show. I am really looking forward to checking in with you because I want to get your take on what the heck you think about this new thing coming down the pike. I've heard it mentioned. It's called the metaverse.
David Dufour: Yes, the metaverse. Well, it's a lot of things to a lot of people. So I think the good news is, David, we're in those early days where no one's exactly sure what it looks like. And the other good news is we have a template, I think, in how to do it 100% correctly. If we look back over the last 20 years on how well humanity has executed social media, I think we can't lose with the metaverse.
Dave Bittner: Sure, and the pedigree of the company that's leading it - right? - has been completely flawless.
David Dufour: That...
Dave Bittner: Yeah.
David Dufour: That's exactly - I mean, it's going to be a friendly, open place where everyone gets along and there are...
Dave Bittner: Right.
David Dufour: ...You know, no trolls or anything like that.
Dave Bittner: No, it's going to be Skittles and rainbows the whole way.
David Dufour: Exactly.
Dave Bittner: So what are your concerns coming into this sort of new thing from a security point of view?
David Dufour: Yeah. So first of all, we do need to articulate, there's a handful of key things appearing. You know, there's VR. So if you say metaverse, some people think of virtual reality. You say metaverse, some people think of gaming environments where they can go in and socialize. Some people think of these new platforms where they're going in and buying land, and it's tied to cryptocurrencies that - you know, and blockchain. And I think we're going to see some amalgamation of all of that. And so the beauty is for our good friends, the cybercriminals, David, is there's going to be a litany of places they'll be able to steal from, hack into and things of that nature. And no one's going to listen to you and I. But let's just say it today. We really need to take a security-first perspective on how we approach this 'cause there's going to be a lot of transactions, a lot of money that's going on in this in the next five to 10 years. And we need to secure it now 'cause it's easier than retrofitting later.
Dave Bittner: Well, speak for yourself. But I think that - or I wonder if, you know, the lessons that we have learned from social media are going to be applied here. Can we be so optimistic as to say that any of those lessons are going to be learned and this next wave of online interaction will come with more security baked in?
David Dufour: To be completely forthright, of course. There's going to be things where we see better, you know, protection for children, where we see better security around transactions. But, you know, one of the biggest moneymakers in cryptocurrency right now is stealing people's crypto wallets, right? It's not actually making money on the currency. So there's a lot of that that we have to pay attention to now. And, you know, it's kind of tongue in cheek to say how rough social media has been. I do think we will go into this with some eyes wide open on how to proceed. And the hope is some good thought is put into how to proceed, not government regulation. You know, I'm not advocating for that - but where people really try to do the right thing up front and facilitate this moving forward from both a socially acceptable perspective and security perspective.
Dave Bittner: Do you have your goggles ready, or are you ready to be an early adopter here?
David Dufour: So joking aside, several months back, I put on a kids - a friend of mine - I have a couple of boys, and one of their friends had a VR headset. I put it on, and I literally went out and bought one that night. It, to me...
Dave Bittner: Really?
David Dufour: Yes. The VR component to this is mind-blowing. And the potential there - you know, all the drawbacks to using - you know, I don't want to say Zoom - but not Zoom itself, but all the Zooms, the GoToMeetings, the Teams - all of those products are - using the communication products we use today virtually, when you put on a headset and it's three dimensional and you can look around, and in five years, David, you and I can say, hey, let's meet in Central Park on the bench at this crossroads, and we can both put on our headsets and do that - that's going to be, like, huge. And the ability to whiteboard and do things you would do in an office - it's a big deal. And it's the early days. There's a lot coming. And I really think this will be the next wave, not just from a, you know, post pictures of your kitties, you know, in virtual reality.
Dave Bittner: Yeah.
David Dufour: But I do think there's a lot to this coming.
Dave Bittner: All right. Well, David Dufour - bullish on the metaverse - thanks so much for joining us.
David Dufour: Hey, great to be here, David.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.