The CyberWire Daily Podcast 3.3.22
Ep 1527 | 3.3.22

Russia and Belarus exchange cyber operations with Ukraine. The US announces Task Force KleptoCapture. Vulnerable infusion pumps. TCP middlebox reflection. Notes on sanctions.


Dave Bittner: The U.N. condemns Russia's war in Ukraine. Ukraine cyber volunteers may be targeting Russian infrastructure. Belarusian cyber operators are phishing with stolen Ukrainian credentials. Task force KleptoCapture. Infusion pumps are found vulnerable to cyberattack. TeaBot is found in the Play Store. TCP middlebox reflection. Daniel Prince from Lancaster University on trustworthy autonomous systems. Our guest is John Shegerian from ERI on the security angle of e-recycling. And no more Harleys for Mr. Putin.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 3, 2022. 

Dave Bittner: Russian forces have intensified their conventional and, in practice, indiscriminate bombardments of Ukrainian cities. The Black Sea port of Kherson has fallen, the first Ukrainian city of any size to be taken by Russian forces. But the assault on Kyiv remains more stalled than ever, the BBC reports. The U.K.'s Ministry of Defence, in its daily public appreciation of the situation, says the Russian column advancing on Kyiv has made little discernible progress in over three days. The MOD puts this down to Ukrainian resistance but also to congestion and mechanical breakdown. 

Dave Bittner: The U.N. General Assembly voted yesterday to condemn Russia's invasion of Ukraine. In its official statement, the U.N. wrote, quote, "Deploring in the strongest terms its aggression against Ukraine in violation of the Charter of the United Nations, the assembly also demanded the Russian Federation immediately and unconditionally reverse its 21 February decision related to the status of certain areas of the Donetsk and Luhansk regions of Ukraine," end quote. Thus, not only the invasion itself was condemned, but so was the Russian recognition of the independence of the regions it styles the People's Republic of Donetsk and Luhansk. The resolution of condemnation had been introduced by Ukraine. The vote was 141 in favor of the resolution to 5 opposed, with 35 abstentions. The U.N. called the vote a clear reaffirmation of the 193-member world body's commitment to Ukraine's sovereignty, independence, unity and territorial integrity. The list of countries who voted nay is instructive - Belarus, North Korea, Eritrea, Syria and, of course, Russia. 

Dave Bittner: Ukraine's Ministry of Defense has recruited private operators to help wage a cyberwar against Russia. That recruitment isn't principally designed to provoke a cyber rave or cyber riot on the part of outraged sympathizers freelancing as volunteer militia, although that's also happened - certainly, in the case of website defacements and service interruptions conducted by Anonymous and others. There are reports that the ministry has asked a local cybersecurity expert and businessman, Yegor Aushev, to organize a cyber offensive that would go beyond DDoS and defacement and seek to cripple Russian infrastructure, with particular attention to railroads and the power grid. Ukrainian officials declined a request for comment by Reuters. 

Dave Bittner: The hacktivists continue to claim that they're counting coup against Russia, and some of their efforts may - and, we stress, may - go beyond vandalism and nuisance hacks. Homeland Security Today reports that Anonymous is crowing high over an effort directed against Russian space surveillance and reconnaissance systems, quoting the Anonymous-affiliated group NB65 as follows - quote, "The Russian space agency sure does love their satellite imaging" - they posted Tuesday morning. "Better yet, they sure do love their vehicle monitoring system. The WS02 was deleted, credentials were rotated, and the server is shut down. Network Battalion isn't going to give you the IP. That would be too easy now, wouldn't it? Have a nice Monday fixing your spying tech. Glory to Ukraine. We won't stop until you stop dropping bombs, killing civilians and trying to invade. Go the F back to Russia," end quote. 

Dave Bittner: Russia's cyber operations against Ukraine may be continuing to take advantage of services offered in the criminal-to-criminal market. Zscaler describes the way in which the malware-as-a-service platform DanaBot is being used to run a distributed denial-of-service attack against the Ukrainian Ministry of Defense. Zscaler's research report stops short of attribution. Quote, "it is unclear whether this is an act of individual hacktivism, state-sponsored or possibly a false flag operation," end quote. 

Dave Bittner: Proofpoint has published a report on a phishing campaign it's calling Asylum Ambuscade, and which it links to UNC1151, which Proofpoint associates with the Belarusian threat actor it tracks as TA445. That group is most familiar in its Ghostwriter guise in which, throughout 2021, it mounted influence campaigns against European targets, especially in Latvia, Lithuania and Poland. Proofpoint summarizes its key takeaways as follows. Quote, "Proofpoint has identified a likely nation-state-sponsored phishing campaign using a possible compromised Ukrainian armed service member's email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine. The email included a malicious macro attachment which attempted to download a malware dubbed SunSeed. The infection chain used in this campaign bears significant similarities to a historic campaign Proofpoint observed in July 2021, making it likely the same threat actor is behind both clusters of activity. Proofpoint is releasing this report in an effort to balance accuracy with responsibility to disclose actionable intelligence during a time of high-tempo conflict," end quote. Asylum Ambuscade represents an intelligence collection effort. It shows signs of being particularly interested in the movement of refugees around and out of Ukraine and is, The Record reports, paying particular attention to targeting European officials involved in refugee relief. 

Dave Bittner: The U.S. Department of Justice has formed an interagency task force, KleptoCapture, designed to investigate and prosecute white-collar crime with special attention to finding and denying the assets of Russian oligarchs, The Wall Street Journal reports. It has two objectives - sanctions enforcement, which will include educating companies who trade with Russia on the sanctions' scope and implications, and tracking down illicit assets, especially those useful in money-laundering, with special attention to cryptocurrency holdings and transactions. Recent U.S. enforcement actions against domestic money laundering operations - notably, the indictment of Razzlekhan and her consort - have shown that cryptocurrency wallets and transactions are not immune to tracking and confiscation. 

Dave Bittner: EU and U.S. policy toward Russia's oligarchs is now decidedly punitive, according to The Washington Post. The article's deck summarizes, quote, "Western allies plan to confiscate yachts, jets, luxury apartments from Russian elites in hopes of undercutting Moscow over invasion," end quote. Punishing the oligarchs was one of the talking points in U.S. President Biden's State of the Union speech this week. Quote, "tonight, I say to Russian oligarchs and the corrupt leaders who built billions off this violent regime, no more," he said. "We're coming for your ill-begotten gains," end quote. Task force KleptoCapture represents an early step in that approach. 

Dave Bittner: Not all the scary news is from Eastern Europe, even in these dark days of war. Palo Alto Networks' Unit 42 has published a report on vulnerabilities affecting medical infusion pumps, analyzing more than 200,000 pumps from seven different vendors. The research identified, quote, "over 40 different vulnerabilities and over 70 different security alerts among the devices, with one or more affecting 75% of the infusion pump devices we analyzed," end quote. More than half of the vulnerable pumps were affected by CVE-2019-12255, a buffer overflow vulnerability with a severity score of 9.8. 

Dave Bittner: Researchers at Cleafy warned that the TeaBot Android banking Trojan has been distributed via the Google Play Store. The researchers stated, quote, "On February 21, 2022, the Cleafy Threat Intelligence and Incident Response team was able to discover an application published on the official Google Play Store which was acting as a dropper application delivering TeaBot with a fake update procedure. The dropper lies behind a common QR code and barcode scanner, and at the time of writing, it has been downloaded over 10,000 times. All the reviews display the app as legitimate and well-functioning," end quote. Once downloaded, the malware will request accessibility services permissions in order to view and control the screen and perform actions on the phone. 

Dave Bittner: Akamai researchers have recently observed DDoS attacks using a new technique called TCP middlebox reflection to amplify the amount of traffic they can send. The researchers explain, quote, "this type of attack dangerously lowers the bar for DDoS attacks as the attacker needs as little as 1/75th the amount of bandwidth from a volumetric standpoint." 

Dave Bittner: And finally, back to Russia for some economic and cultural news. Western companies continue to exit the Russian market as the country's financial system reels on the verge of collapse. The AP reports that Russia has become a commercial pariah as the rest of the world increasingly refuses to do business there. Tech companies are largely out, and social media platforms have shuttered operations rather than accede to Moscow's insistence on censorship and positive control of the content they distribute. 

Dave Bittner: One interesting business departure is that of Harley-Davidson. President Putin has been famously devoted to his hog, which he rides helmetless like he's some kind of a centerfold, an outlaw biker or iron horse. Let those who ride decide, we suppose, although the three-wheeler we've seen pictures of him tooling around on looks sort of like what the Hells Angels would call a garbage wagon. Anyhoo, no more Harleys for you, sir - back to that old Ural Gear Up. But Bikes and Beards say it's a pretty unreliable ride, so bring your toolkit and some spare spark plugs. 

Dave Bittner: Most of us who've been in the industry for a while have a story or two about some old, forgotten piece of equipment that, through benign neglect, ends up being improperly disposed of. Years ago, I fished an old laptop out of the dumpster behind my office, and the personal information it contained on the nonprofit CEO to whom it had once belonged was chilling. And yet end-of-life disposal of e-waste often remains an afterthought, and that has security implications. John Shegerian is chairman and CEO and co-founder of ERI, Electronic Recyclers International. 

John Shegerian: So we all became very socialized to the wonderful shredder trucks that would cross this country in North America, showing up at our facilities, our companies, and shredding the data on paper that came out of the companies or organizations we work for. What we didn't think about is, as the trend of paperless office was overtaking our work environments, who was thinking about the data that was embedded in and around our hardware? And that has still not been addressed on a widespread basis yet in the United States or around the world. And in many cases, these issues of benign neglect have led to very dire consequences for the organizations that were victimized. 

Dave Bittner: Can you give us an example? I mean, what sort of stories have you run into with the folks that you deal with? 

John Shegerian: Well, just recently, it was very publicly made aware that Morgan Stanley years ago had a very bad data breach that was due to the inappropriate disposal of some of their server equipment. They got fined in Europe. They got fined by numerous organizations for that mishandling of their servers and other hardware. Other organizations which haven't made the cover of the Wall Street Journal or the New York Times - they come to us for help. I'll give you a few examples - federal agencies who found their employees unwittingly, when their laptops or other electronic devices came to their natural end of life, put these items up for sale on eBay or Craigslist, putting at risk not only the agencies they work for but, in many instances, the homeland security of our great country. Those examples are growing and have been well-documented. 

Dave Bittner: Help me understand the spectrum of disposition and disposal that are available. I mean, I think a lot of us imagine, you know, taking that old laptop out to the parking lot with a hammer and having at it ourselves. But there's more to it than that. 

John Shegerian: Yeah, there's more to it. A, unfortunately, electronics shouldn't be mishandled by anyone because most of them contain arsenic, beryllium, lead, cadmium, mercury, a whole host of trace hazardous materials that people don't want to get either into their own body or into the ecosystem, which could then leach into groundwater supplies or vegetation or animals and again back into people because it gets into our water supply and other things. So electronics, when they come to end of life, should be responsibly handled. Now, whether that means wiped, retested and resold, appropriately wiped or fully destroyed is based on the organization or the level of risk that that person is engaged with. 

John Shegerian: So, for instance, we have many organizations that come to us and say, hey, John, we want you to wipe all the data, and then we want you to put it in your shredders - we have the world's largest shredders at our facilities - and shred it, and then we know that all of your commodities are sold, and that shredded material goes away into new products anyway. We're very happy with that. 

John Shegerian: Others come to us and say, listen; we're going to get you 10,000 used cellphones, laptops, tablets every month. It's going to be consistent in number. You're going to wipe them. You're going to retest them. You're going to check them for data again, then you're going to repackage them and resell them. 

John Shegerian: So there's lots of protocols that can be done, but the whole essence of the matter, David, is that people need to choose a responsible company. Just like Shred-it and Iron Mountain and other responsible brands shred data on paper, the same thing goes for when people choose vendors to shred data that's embedded in hardware. And whether the hardware means their wearables or the other gadgets in their homes that are now collecting data, such as Ring and Nest and other things that should be destroyed at some point when they come to their end of life, or just their old hard drives, desktops, laptops, tablets or server farms, a responsible party, a responsible vendor, one that's NAID certified - NAID stands for National Association of Information Destruction. That's the platinum standard that any vendor that handles your old electronics should be certified to. And if they're not certified to that - that goes for both data on paper and data in hardware. And if they're not certified for that, they shouldn't be handling your data materials that are on paper or in hardware. 

Dave Bittner: That's John Shegerian from ERI, Electronic Recyclers International. 

Dave Bittner: And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in security and protection science at Lancaster University. Daniel, always great to welcome you back to the show. I know a topic that you have been working on there at Lancaster is this notion of trustworthy autonomous systems and complexity in the network stack. Can you share with us what sort of things are you all working on there? 

Daniel Prince: So I'm part of a project here funded by the EPSRC that's looking specifically at trustworthy autonomous systems. It's one of a number of projects that are research nodes within the U.K. And the part of the work that I'm looking at is really the role of the network stack within these autonomous systems and how network stacks - so IP communications and so on - form part of this autonomous system and work towards the trustworthy nature of that autonomous system. Specifically, obviously, the network stack is the way that the autonomous systems communicate with each other. And so if we can disrupt the way they communicate, can we also understand how that affects their decision-making capability and their trustworthiness as an autonomous system? 

Daniel Prince: And one of the things that we're looking at and trying to understand is that if, you know, at the operational plane at the higher levels, you've got things like AI and machine learning making decisions for the autonomy of the overall system - say, for example, a, you know, a swarm of drones or a fleet of self-driving cars - what are the aspects of the network stack that actually go into influencing the decision-making elements of the machine learning of the autonomous system that we might not be aware of? So, for example, is there - are there specific network delays, aspects of jitter in the way the packets are delivered that we're not aware of that have become implicit features in the datasets of the autonomous systems we're using to make decisions? And if we have a better understanding of that, then we can understand more the robustness of the - what the network stack needs to be and the level of robustness required for autonomous systems to be able to make trustworthy decisions. 

Dave Bittner: Are those elements in the network stack - like, you mentioned things like delays. Because those are elements of the systems themselves rather than, you know, part of the software that the developers are creating, does that create a bit of a blind spot for the folks who are building these autonomous systems? 

Daniel Prince: Well, I mean, that's one of the things that we're really trying to investigate. In some ways, it's going back to classic quality of service in networks and understanding the implications of the quality of service on the roles of the applications. Now, the autonomous system that's layered on top of that is, you know, a decision-making application. And it's using features of the network in terms of its quality service - or that's how we're perceiving it - to be able to make those decisions. And at the moment, what we're trying to understand is how many - how much of that quality of service features, if you like, are implicitly part of the dataset that the autonomous system is using to make decisions? 

Daniel Prince: And so what we're trying to understand is, instead of targeting or perhaps attacking the data that's been transmitted around the network for the autonomous system to be able to make the decisions, are there elements in the way that the network is working that we could disrupt, which would disrupt the trustworthiness of the decision-making within an autonomous system? And if we can understand that, then we'll be able to make more robust systems to be able to make decisions within the kind of networks that we're looking at - so the peer-to-peer kind of drone networks or self-driving cars. 

Dave Bittner: Sort of a fail-safe system built in. 

Daniel Prince: Yeah. So one of the - yeah. So one of the things - if we know that the limits of the autonomous system are within these, say, for example, quality of service parameters, then what we can say is that if those parameters are breached, you know, the composition of that network is breached beyond the safe operating parameters of the autonomous system, then we can put in these fail-safes, as you say, so that, again, you know, the operators will have trust in the system that it can be used in a safe way without - yeah, and respond to any potential disruption that might occur either accidentally because of the operating environment or maliciously if there is an attacker that goes after the - yeah, the fleet of drones delivering your parcels or shopping. 

Dave Bittner: All right - interesting stuff for sure. Daniel Prince, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.