The CyberWire Daily Podcast 3.9.22
Ep 1531 | 3.9.22

Waiting for the Bears to come out. APT41 hits US state governments. A surge in mobile malware, and a look at yesterday’s Patch Tuesday.


Dave Bittner: Zelenskyy addresses the House of Commons. Cyber operations in Russia's war against Ukraine. Chinese cyberespionage campaigns hit six U.S. state governments. A surge in mobile malware. Joe Carrigan looks at restricting your software. Our guest, Bob Dudley, discusses cyberattacks against the European energy sector. And a quick look back at Patch Tuesday.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 9, 2022. 

Dave Bittner: Ukrainian President Zelenskyy addressed the British House of Commons by video link yesterday. He thanked the U.K. for its support and struck a deliberately Churchillian note - quote, "We will not give up, and we will not lose. We will fight to the end in the sea, in the air. We will fight for our land, whatever the costs. We will fight in the forests, in the fields, on the shores, in the streets," end quote. He asked for more support. Quote, "Please increase the pressure of sanctions against this country and please recognize this country as a terrorist state. And please make sure that our Ukrainian skies are safe. Please make sure that you do what needs to be done and what is stipulated by the greatness of your country," end quote. The Telegraph reports that the MPs gave him a standing ovation. 

Dave Bittner: Western nations - which include a number of geographically Eastern nations - have increased their sanctions against Russia, moving to block or at least significantly limit Russian oil and gas exports. Augmenting these formal sanctions has been a widespread exit of private companies from Russian markets. That exit extends across many, perhaps most, sectors. The effect on the Russian economy is already significant. Market Insider reports that Fitch has cut its rating of Russian debt from B to C and warned that default on Russian sovereign debt is imminent. 

Dave Bittner: The cyber phases of Russia's hybrid war continue to be far more limited and restrained than most had expected. An analysis in The Washington Post argues that this was to be expected, that offensive cyber operations have never been a war-winner and that therefore Russia's mingy DDoS and defacement attacks were about what we should have expected. There's something to the analysts' skepticism concerning cyber not being decisive. But then it's not usually the case that a particular capability in a particular domain is decisive. 

Dave Bittner: No one would seriously question the combat value of air power, but it would be difficult to make the case that air power alone has ever been decisive. And simple lack of decisive effect wouldn't seem to rule out the use of any capability. The analysts point out that earlier Russian disruptions of the Ukrainian power grid were temporary and relatively quickly remediated. But disruption of a grid, even if it lasts only a matter of hours, could be of considerable value in supporting a tactical operation. So the mystery remains - why hasn't Russia so far executed the disruptive attacks it's shown itself capable of, or the destructive capabilities that in all probability it has? 

Dave Bittner: For all that, U.S. and European policymakers continue to watch for a significant increase in the Russians' cyber threat, waiting, as The Record puts it, for the other shoe to drop. In the EU, Reuters reports, the telecommunications ministers of the 27 members have called upon Europe to establish an emergency fund that would be used to respond to major cyberattacks. Citing the war in Ukraine, the ministers, who will meet today to discuss the proposal, said, quote, "The current geopolitical landscape and its impacts in cyberspace strengthen the need for the EU to fully prepare to face large-scale cyberattacks. Such a fund will directly contribute to this objective," end quote. 

Dave Bittner: The U.S. intelligence community's recently released Annual Threat Report, for example, published as Russia was completing its preparations to invade Ukraine, highlights the threat in cyberspace and suggests that Russia would wish to avoid direct kinetic combat with the U.S. The report said, quote, "We assess that Russia does not want a direct conflict with U.S. forces. Russia seeks an accommodation with the United States on mutual non-interference in both countries' domestic affairs and U.S. recognition of Russia's claimed sphere of influence over much of the former Soviet Union," end quote. 

Dave Bittner: In cyber proper, even excluding the related problem of what the ODNI calls malign influence, the report says, quote, "Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems in the United States, as well as in allied and partner countries because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis. Russia is also using cyber operations to attack entities it sees as working to undermine its interests or threaten the stability of the Russian government. Russia attempts to hack journalists and organizations worldwide that investigate Russian government activity and in several instances has leaked their information" - end quote. 

Dave Bittner: Researchers at Mandiant report that the Chinese government threat actor APT41 - also known as Barium, Winnti or Wicked Panda - has succeeded in gaining access to the governments of at least six U.S. states. Some of the attacks exploited Log4j vulnerabilities. The campaign's goals are unclear, but there seems to have been some attempt to collect personally identifiable information. This might serve espionage, but APT41 has also been known to engage in financially motivated APT side hustles. 

Dave Bittner: Security firm Proofpoint describes a surge in mobile malware afflicting Europe in particular, up by 500% since last month. They say, quote, "Most mobile malware is still downloaded from app stores, but over the past year or so, we've seen an increase in campaigns that use SMS and mobile messaging as their delivery mechanism. Of the two big mobile smartphone platforms, the latter is a far more popular target for cybercriminals," end quote. The common strains of malware being observed include FluBot, TeaBot, TangleBot, MoqHao, BRATA, TianySpy and KeepSpy. 

Dave Bittner: The Zero Day Initiative summarizes yesterday's Patch Tuesday. Microsoft issued 71 patches in addition to the 21 issues Microsoft Edge fixed earlier this month, which brings the total number of March fixes to 92. Three of the vulnerabilities are rated critical, which the Zero Day Initiative thinks, for the second month running, is curiously low. Sixty-eight others are rated important. Adobe issued three patches that affected Adobe Photoshop, Illustrator and After Effects. None of these vulnerabilities is known to be under active attack in the wild, either. And finally, CISA issued three ICS security advisories yesterday. So get out there and get patching, friends. 

Dave Bittner: Bob Dudley is former CEO of BP and is currently chairman of the board of directors at risk management software provider Axio. I checked in with him for insights on the European response to cyberthreats to critical infrastructure, especially given the ongoing situation in Ukraine. 

Bob Dudley: Well, like we saw in North America with the Colonial Pipeline, and we've seen the indications are that ransomware attacks are - do appear to be opportunistic. They are, of course, to make money. They appear to be emanating from Eastern Europe or Russia or in those areas. No one's quite sure. Oftentimes, in an attempt to raise money, it's a little bit like they're not quite sure of the tiger they've grabbed by the tail. So they may not have a full understanding of the implications it has for movement of fuel. And it isn't apparent to people that this is really to disrupt fuel movements. It's to make money. But sometimes, the economic impacts are so great that they actually don't want that sort of attention. So it's hard to say right now. 

Dave Bittner: And of course, I think everyone is a bit on edge due to the situation in Ukraine. How has that affected the industry? Is - I suspect there's enhanced vigilance at this moment. 

Bob Dudley: Well, yeah, cyber is something you should always have vigilance on all the time. Governments have issued warnings to not only energy but all industry and all companies that they should expect a heightened level of cyberactivity, and they should be absolutely vigilant and ready to respond. So at the moment, you know, companies have their defenses. They have their ways of doing this, and I think they've got their finger on the triggers and the buttons to be able to respond. And, you know, for your listeners, sometimes I call it, you know, be ready to unplug things. And that's not exactly what happens, but be able to separate your systems very, very quickly so things don't spread through. And I know there's a heightened level of awareness. And to be honest, companies have different levels of preparedness here. Big companies tend to have large, you know, teams that can be ready. Smaller companies - and like some of the stuff that's happened recently in terms of distribution of fuel, these are not really large companies. Hopefully, there will be a dissemination of lessons learned from this around industry and energy. 

Dave Bittner: What about on the diplomacy side of things? I mean, are we seeing, you know, pushes from governments that these sorts of things, critical infrastructure, should be off limits for this sort of privateering on behalf of the bad guys? 

Bob Dudley: Well, I think it's hard to put your finger on who the bad guys are. I mean, you know, there are those who believe it's opportunistic people trying to raise money and take money for ransom. And there are some that believe it's connected to state actors. And I think maybe there's a combination of both. I think the big question in terms of diplomacy is also from governments signaling, you know, they can respond as well. And so do you want to set off a tit-for-tat set of responses? And what do you want to let other governments know? I don't know of a single state actor in this country that has yet admitted that any of these things are related to the state. So that makes diplomacy quite tricky if they would be involved. 

Dave Bittner: Yeah. I mean, it's an interesting situation - isn't it? - where you have these - you know, these private companies, but obviously the protection of critical infrastructure is of a national interest. Is it fair to say that makes some of the lines a little fuzzy? 

Bob Dudley: Yes, of course it does. And the legal lines here are also - and regulatory lines are also a bit fuzzy. You know, I'll take the United States, which has, you know, probably the most - to be kind here - the most developed litigious system in the world. 

Dave Bittner: (Laughter). 

Bob Dudley: So companies can be held liable even if they're doing everything correctly. It's less so in Europe, which is why I think there's more information sharing. But there is a lot of - it's not only infrastructure, critical infrastructure; it's also about customer data. And energy companies are involved in that, and there's huge fines in both Europe and the U.S. if customer data is somehow compromised. So it creates - and governments rarely tell a company what to do. They want to know what's going on, but they can't give them advice. You know, do you pay ransomware? If you pay ransomware to sanctioned organizations or individuals somewhere, then a company can be subject to somehow cooperating on this and have fines. So we have a ways to evolve both yet, to evolve in Europe and in North America between governments and companies on exactly how to respond and what to do. 

Dave Bittner: That's Bob Dudley. He's former CEO of BP and currently chairman of the board of directors at risk management software provider Axio. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Article caught my eye - this is from Paul Ducklin over at the Naked Security blog from Sophos. 

Joe Carrigan: Old Duck. 

Dave Bittner: Good old Duck, yep. And it's titled, "Ransomware with a difference: Derestrict your software, or else." 

Joe Carrigan: Right. 

Dave Bittner: What's going on here, Joe? 

Joe Carrigan: Well, it's all about cryptocurrencies, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: Some cryptocurrencies, like Bitcoin and Ethereum and others that are based on similar technologies, have a model called proof of work in order to determine who gets to create the next block. 

Dave Bittner: OK. 

Joe Carrigan: And that process is called mining, and that process is essentially a hashing algorithm where you have to get a hash below a certain value. 

Dave Bittner: OK. 

Joe Carrigan: That is, for all intents and purposes, effectively a random process... 

Dave Bittner: All right. 

Joe Carrigan: ...Meaning that you have to demonstrate that you've done enough work to find this to merit putting a block on the chain. 

Dave Bittner: OK. 

Joe Carrigan: Now, it's done all throughout the network. So the first person to find the next block wins, and they actually get a cryptocurrency reward given to them. 

Dave Bittner: OK. 

Joe Carrigan: So that's a financial incentive, so people go out and they buy these graphics cards because your CPU can do the work, but a graphics card can do it a lot faster. 

Dave Bittner: And this whole process is extraordinarily computationally intensive. 

Joe Carrigan: Very computationally intensive, exactly. 

Dave Bittner: Right. OK. 

Joe Carrigan: And it's computationally simple as well. So it's a lot of work that can be done by small processors like the thousands of processors, stream processors, that are in a GPU. 

Dave Bittner: Right, so massively parallel processing versus the more serial processing that goes through a regular CPU. GPUs are massively parallel. 

Joe Carrigan: Correct. 

Dave Bittner: Right. OK. 

Joe Carrigan: OK. So that means people can actually go out and buy a $1,500 graphics card and make a profit off of it. What does that do to the graphics card market? 

Dave Bittner: Oh, I can tell you. I have a friend who does 3D rendering. He does, you know, like, animation for NASA. And they have, for a couple of years now, had a real hard time buying graphics cards that they need to do their work because they're all getting scooped up by the crypto miners. 

Joe Carrigan: It's remarkably difficult. 

Dave Bittner: Yeah, and the prices have gone through the roof. 

Joe Carrigan: Right. I bought a GTX 1080 four years ago, five years ago. 

Dave Bittner: Yeah. 

Joe Carrigan: It was $700. 

Dave Bittner: OK. 

Joe Carrigan: The current price for a comparable line model is, like, 1,600 bucks. 

Dave Bittner: Wow. 

Joe Carrigan: And that's retail. 

Dave Bittner: Yeah. 

Joe Carrigan: So I still run my GTX 1080 (laughter). 

Dave Bittner: OK. 

Joe Carrigan: The crypto mining has jacked this up. So NVIDIA's response to this was, May of last year, they started putting hardware into these cards that allowed them to limit the hash rate. When the card sees that it's doing hash rate limit - hashing of Ethereum blockchain, it limits the hash rate. 

Dave Bittner: OK. 

Joe Carrigan: And that is a change that can be activated by a driver. 

Dave Bittner: So NVIDIA was saying, in order to do a better job with supply and demand, we're going to make these cards less attractive to crypto miners so that the folks who need them as GPUs, gamers or animators or whoever... 

Joe Carrigan: Right. 

Dave Bittner: ...They will be able to get their hands on them. 

Joe Carrigan: Absolutely. 

Dave Bittner: OK. 

Joe Carrigan: That's exactly right. 

Dave Bittner: All right. 

Joe Carrigan: Now, they're also marketing a new crypto mining line as well based on similar processors. But this doesn't do any video output. It just does crypto mining. 

Dave Bittner: I see. 

Joe Carrigan: Now, those cards are five grand. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Premium cards. 

Joe Carrigan: Right. 

Dave Bittner: OK. 

Joe Carrigan: So somebody was irritated by NVIDIA doing this. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: And they have broken into NVIDIA's systems. And they claim to have downloaded a terabyte of data. And now they're threatening NVIDIA with releasing this data if NVIDIA doesn't disable the - what they call LHR, which is limited hash rate, I think. So now NVIDIA has a - I guess, a dilemma. I mean, do they... 

Dave Bittner: (Laughter) I mean, it's a new wrinkle on ransomware, right? 

Joe Carrigan: It is. 

Dave Bittner: Rather than asking for money, they're asking for a feature to be enabled. 

Joe Carrigan: Right. Or asking for the feature to be disabled... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The hash rate limiting feature to be disabled. 

Dave Bittner: Right. 

Joe Carrigan: Now, here's the interesting dynamic here - right? - normally I say, you should never let the threat of a data release be part of your calculus for whether or not you pay the ransom or comply with the demands, right? 

Dave Bittner: OK. 

Joe Carrigan: But here's the thing - NVIDIA actually could say, OK, we'll comply with your demands if you never release our data. But if we ever see that data released, we're going to go ahead and just reissue the patch. I don't know if that will have any impact, but that's my initial assessment. 

Dave Bittner: You could have a bunch of unpatched systems... 

Joe Carrigan: Right. Yeah. 

Dave Bittner: ...That are not connected to the internet that wouldn't get an automatic firmware update. 

Joe Carrigan: Right. 

Dave Bittner: So they would be fine. 

Joe Carrigan: They would be - yeah, they would definitely... 

Dave Bittner: On the other hand, you know, like anything in electronics, GPUs - they age. 

Joe Carrigan: Right. 

Dave Bittner: And today's hot GPU is not yesterday's hot GPU... 

Joe Carrigan: Right. 

Dave Bittner: ...And is not tomorrow's hot GPU. 

Joe Carrigan: Correct. 

Dave Bittner: So there's that as well. 

Joe Carrigan: So - yeah, so NVIDIA does have leverage here if they decide they're going to comply. I don't think they're going to comply. 

Dave Bittner: Yeah. 

Joe Carrigan: And I'm not sure I would comply for this. You know, one of the big problems right now is we're having a hard time getting chips. You know, NVIDIA is no different. They just cannot meet the demand that's caused by these cryptocurrency miners out there. The cryptocurrency miners are - whenever they see a card, they'll buy it up because they do the calculation, and they find out that there's a return on investment. 

Dave Bittner: Yeah. 

Joe Carrigan: So they just buy them up. Scalpers go out, and they buy the cards and then wait for the supply to run out and then charge double to gamers or to miners for the cards. The people who get the - you know, who take it here the worst are the people who just want to buy a graphics card for playing games. 

Dave Bittner: Right. Right. 

Joe Carrigan: You know? And I have done cryptocurrency mining. I don't do it anymore. I just - it's just not profitable, so no sense in me doing it. 

Dave Bittner: Yeah. 

Joe Carrigan: It's interesting that they're not blocking bitcoin mining, though. But I don't think bitcoin mining is at all profitable because there are actually hardware miners that do a really good job of mining bitcoin. 

Dave Bittner: Yeah. Well, there's also the environmental consideration, too. 

Joe Carrigan: There is - yeah, that's a different concern. These... 

Dave Bittner: The amount of power these - that's required... 

Joe Carrigan: Right. 

Dave Bittner: ...To do all of this is extraordinary. 

Joe Carrigan: If there were only five people in the world, or even if there were only a million people in the world, or a million processors in the world who were doing the proof of work effort, then this would not be an issue. But now there are billions of processors doing it. 

Dave Bittner: Yeah. 

Joe Carrigan: There are mining pools out there that collaborate on these proof of work things. There's another way you can determine who generates the next block, and that's with an algorithm called proof of stake, where that doesn't require nearly the amount of power. I mean, it's orders of magnitude better for the consumption of power. There are cryptocurrencies out there that are proof of stake as opposed to proof of work. Of course, there's always the talk amongst the users of these cryptocurrencies and the development community whether or not they should move from a proof of work to a proof of stake. I think that's something that should definitely be considered by all of these currencies. 

Dave Bittner: Yeah. Yeah. All right, well, it's an interesting story for sure, as I say, a wrinkle on ransomware. 

Joe Carrigan: It's going to be really interesting to see how this unfolds. 

Dave Bittner: Yeah. 

Joe Carrigan: I'll make a prediction. I don't think NVIDIA caves. 

Dave Bittner: Yeah. All right, again, that's over on the Naked Security blog by Sophos. Paul Ducklin wrote that one. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliot Peltzman, Tre Hester, Brendon Karpf, Eliana White, Paru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.