Cyber phases of a hybrid war. Google stops a Judgment Panda campaign and Symantec tracks Daxin. CISA updates its Conti alert. An alleged REvil member is arraigned in Texas.
Dave Bittner: Prebunking a provocation. A spot report on the cyber phase of a hybrid war. Google stops a Judgment Panda campaign against U.S. government Gmail users. Symantec continues to track the origins and uses of the Daxin backdoor. CISA updates its Conti alert. Josh Ray from Accenture has tips on Log4J. Our guest is Chetan Conikee of ShiftLeft with strategies for reducing attackability. And law northeast of the Pecos, as an alleged member of REvil is arraigned in Texas.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, March 10, 2022.
Dave Bittner: The Russian advance into Ukraine remains difficult at best, stalled at worst. Russia's Belarusian ally seems to have grown increasingly reluctant to join the kinetic fight, although it's providing aid in cyberspace. Negotiations between the Russian and Ukrainian foreign ministers began in Turkey yesterday, but without much result. That's to be expected. It's noteworthy that, in the opening days of their invasion, both Putin and Lavrov had made Ukrainian surrender a precondition of negotiation. Moscow has clearly relaxed that hard line.
Dave Bittner: Western intelligence services, particularly in the U.S. and U.K., have been unusually open and forthcoming in their discussion of Russian actions against Ukraine. Much of that openness has been devoted to what some journalists have called prebunking, hitting the credibility of disinformation before it's found its legs and gained traction. Yesterday's warning by the White House that Russia may be planning to use chemical weapons seems to be another case of prebunking a building provocation the Kremlin may be preparing. Russian sources have claimed that Ukraine, probably with American assistance, has been preparing both biological and chemical weapons, and those claims have been seconded and amplified by Chinese media.
Dave Bittner: Western sources see this as an incipient provocation. The Atlantic Council describes the early stages of this information operation, as the Russian Foreign Ministry claims that Ukraine had intended to use the nuclear plants at Chernobyl and Zaporizhia for nuclear provocations. That same Ministry confirmed that it had proof that Ukraine, with U.S. support, had tried to destroy evidence of Ukraine's ongoing biological warfare program.
Dave Bittner: White House Press Secretary Psaki tweeted a U.S. response to Russian allegations, denying that any such biological or chemical weapons program existed, and pointing out Russia's use of its Novichok nerve agent in the attempted assassination of a GRU defector and its support of the Assad regime's use of chemical agents against internal enemies in Syria. She also noted that the disinformation fits Moscow's style of provocation. Quote, "Also, Russia has a track record of accusing the West of the very violations that Russia itself is perpetrating. In December, Russia falsely accused the U.S. of deploying contractors with chemical weapons in Ukraine," end quote.
Dave Bittner: Nuclear, biological and chemical weapons are the three traditional classes of weapons of mass destruction whose use has been either restricted or, in the case of biological weapons, prohibited entirely by international law. At the outset of his war, Mr. Putin alluded to NATO and Ukrainian nuclear ambitions as offering partial grounds for what he characterized as a defensive, protective, military operation.
Dave Bittner: The addition of chemical and biological weapons to the list of Russian charges is significant. Russia may or may not have a biological arsenal, and if it does, using it will probably prove difficult, perhaps difficult to the point of impossibility, but it would be more easily deniable than a chemical attack.
Dave Bittner: But Russia certainly does have a chemical arsenal and a well-articulated doctrine for that arsenal's use. The disinformation effort charging Ukraine with preparation for chemical and biological war may be designed to afford a pretext for the use of chemical weapons in particular.
Dave Bittner: Russia's war against Ukraine has yet to see the widespread and disabling cyberattacks many had predicted, but cyber-operations continue at a low but constant level.
Dave Bittner: Both sides seem to be making use of regular intelligence services as well as irregulars. The Ukrainian irregulars have tended to be hacktivists drawn to Kyiv's cause and at Kyiv's invitation. The Russian irregulars have tended to be familiar underworld privateers who've long operated at Moscow's sufferance. Fox News, citing sources in the U.S. intelligence community, reports that cyberattacks against U.S. companies active in the liquefied natural gas sector conducted two weeks before the invasion of Ukraine may have been battlespace preparation. CISA, the report says, is presently working to confirm that this is indeed what the attacks represented. Researchers at Resecurity had earlier made a similar claim.
Dave Bittner: Chinese cyberespionage operations have lately taken a close interest in European foreign ministries and aid organizations working to bring assistance to Ukraine. There are signs that this activity may be coordinated with Russia's campaign. Google researchers identify three state actors particularly engaged in collecting against Ukraine and governments sympathetic to Kyiv. Quote, "FancyBear/APT28, a threat actor attributed to Russia's GRU, has conducted several large credential phishing campaigns targeting ukr.net users. UkrNet is a Ukrainian media company. The phishing emails are sent from a large number of compromised accounts, non-Gmail and Google, and include links to attacker-controlled domains. Ghostwriter/UNC1151, a Belarusian threat actor, has conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations. Mustang Panda or Temp.Hex, a Chinese-based threat actor, targeted European entities with lures related to the Ukrainian invasion," end quote. Google also notes that nuisance-level distributed denial-of-service attacks have continued to affect Ukrainian government sites.
Dave Bittner: Hacktivists who identify themselves with the Anonymous collective and who've taken up Ukraine's cause are tweeting, Security Affairs reports, about various website defacement and text campaigns they're operating in the hope of degrading Russian morale. HS Today writes that Anonymous claims to now control over 400 Russian camera feeds. It's using the compromised feeds to distribute anti-propaganda to open the eyes of Russian civilians. Companies have been taking measures to protect themselves from feared and expected Russian cyberattack. The large French bank BNP Paribas is one example. Evidently concerned with the possibility of insider threats, the bank has excluded its Russian workers from internal networks.
Dave Bittner: Security Week reports that Google claims to have blocked a Chinese espionage operation directed against Gmail users within the U.S. government. Shane Huntley of Google's Threat Analysis Group tweeted, quote, "in February, we detected an APT31 phishing campaign targeting high-profile Gmail users affiliated with the U.S. government. One hundred percent of these emails were automatically classified as spam and blocked by Google," end quote. APT31 is also known as Zirconium and Judgment Panda.
Dave Bittner: Symantec researchers continue to investigate the Daxin backdoor used by Chinese threat actors. SC Magazine cites Vikram Thakur of Symantec Threat Intelligence as saying that they've tracked the tool to a persona they're watching in Chinese forums. Symantec has posted updates to its research in two parts - one describing Daxin's driver initialization, networking, key exchange and backdoor functionality, the other covering its communications and networking features. Daxin has been used quietly for a decade.
Dave Bittner: CISA has revised the alert about the Conti ransomware gang it issued last September. Yesterday's updates include the addition of 98 domain names to CISA's list of indicators of compromise associated with Conti attacks. The new information does not appear derived from material provided by a Ukrainian researcher who succeeded in infiltrating the gang. BleepingComputer notes that despite the reputational and possibly operational hits Conti took from that infiltration, the gang hasn't trimmed its sails. Quote, "since the beginning of March, Conti listed on its website more than two dozen victims in the U.S., Canada, Germany, Switzerland, U.K., Italy, Serbia and Saudi Arabia," end quote.
Dave Bittner: And finally, the U.S. Department of Justice announced yesterday that a major defendant in the case of REvil/Sodinokibi ransomware operations has been arraigned in the U.S. District Court for the Northern District of Texas. One Yaroslav Vasinskyi, a Ukrainian national of 22 tender years, is alleged to have accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil ransomware to encrypt the data on the computers of victim companies. One of the alleged victims was Kaseya. And that incident affected a number of the software company's customers. Mr. Vasinskyi, who received his invitation to Club Fed courtesy of extradition from Poland, is charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers and conspiracy to commit money laundering. If convicted of all counts, he faces a total penalty of 115 years in prison.
Dave Bittner: Software development teams often struggle with prioritizing which vulnerabilities require their immediate attention and resources and which can be safely put off. Chetan Conikee is founder and chief technology officer at software security firm ShiftLeft, and he believes companies need to take an outside-looking-in approach that puts defenders in the attacker's shoes and determines how likely a vulnerability is to be successfully targeted, a process he calls reducing attackability.
Chetan Conikee: Today, if you look at how things are done, often an application is assessed to identify vulnerabilities. And these vulnerabilities are further on categorized into high, medium and low severity. And often engineers try to sort order and pick those that matter the most, which is the high severity ones, to address and mitigate. In certain cases, there are many, many such high severity vulnerabilities, because when you examine things inside out, what essentially happens is every vulnerability that is of high risk is categorized as high risk.
Chetan Conikee: But in certain cases, you need to further look to see whether a particular exploiter or an attacker can touch that vulnerability in order to trigger that exploit. When I use the word touch, it actually means, can they call or invoke an API on your application? And after they invoke the API, can they send a data point through that pathway of the application in order to touch that vulnerability and further on exploit it? And what I just said in summary means, is your vulnerability that is deemed as high severe exposed for an attacker to firstly enumerate and secondly exploit? So think of this as a filter that looks for these two characteristics in your application, where it identifies something of high severity, meaning that you're using, say, Log4j. And if you're using Log4j, is there any API endpoint that would enable an attacker to send a parameter that is touching or invoking Log4j without being filtered, sanitized, transformed, et cetera, et cetera?
Dave Bittner: Help me understand why organizations come up short when it comes to doing this sort of process on their own. What are the blind spots that they typically have?
Chetan Conikee: There are many such blind spots - but, you know, just to try to identify the most critical ones. When it comes to application security, there is often no incentive mapped for engineers to go triage, fix and improve the security posture of. Often engineers are hired to write code - code which produces value to your customers, and that value is incrementally provided through features, new releases and so on and so forth. So when you have a satisfied customer, the company is generating revenue, and as a consequence, an engineer gets incentives as bonus payouts, stock grants, equity options, etc. You never see or we have not heard of an organization focusing on security saying that I am going to provide or map the incentives to the number of bugs that are identified or security incidents that have been resolved and triaged in the associated application. So given that all of us, as engineers, typically mostly are inspired and mapped to incentives, and if there are no incentives, we don't have any reason to go and triage and resolve these issues.
Chetan Conikee: Secondly, majority of these tools - you know, there's a broad spectrum in the world of application security, from code analysis to runtime. Now, when each of these tools are producing alerts and all these alerts are plenty, without effective ways to prioritize, that would lead to alert fatigue. Now, you can imagine an engineer who's not incented has to go and essentially look at all these alerts and figure out what matters. So as a consequence, it gets left behind. If it gets left behind, it turns into an exploit in production. And then you work backwards in urgency to go and resolve it. So this is one of the reasons why we have to fundamentally change the way we prioritize security in the early stages of the lifecycle.
Dave Bittner: That's Chetan Conikee from ShiftLeft. A program note - I recently recorded a "Career Notes" segment with Chetan Conikee. Be sure to check that out as well.
Dave Bittner: And joining me once again is Josh Ray. He is a managing director and global cyber defense lead at Accenture Security. Josh, always great to have you back on the program. You know, as you and I record this, we are about a month or so give or take with the revelation that we are going to be dealing with the Log4j vulnerability. And I just wanted to touch base with you. Now that it's - we've had a little distance between us and that initial discovery, what sort of perspective is it giving you and your folks there in terms of this kind of vulnerability?
Josh Ray: Yeah, Dave. And, first, thanks for having me back. And, you know this, this Log4j vulnerability is one of the nastier ones I've seen in my career. But, you know, what's been really, I think, a positive takeaway for me is that the community as a whole, both public and private sector, have really rallied together to take this on. And the client conversations that we've been having have been really good. I mean, they're making good progress. I think people are, you know, applying the right level of attention to this. And teams, you know, especially working over the holidays, have been really working hard to mitigate this.
Josh Ray: You know, this is really one of these things that takes a very holistic and agile approach. And what we've been talking to clients most about not just on the vulnerability management side but really from a - if you're thinking about it from a breach readiness, threat hunting and incident response standpoint, some of the things that you really need to kind of take into consideration. So as much as anything today, you know, what I wanted to do for the listenership is just provide almost a PSA of, you know, five things that we've been thinking about or talking to clients about that, you know, hopefully people can use in their own environment or just to kind of help organize their approach more moving forward.
Dave Bittner: All right. Well, let's jump in together here. Take us down that list.
Josh Ray: The first is really kind of the notion of eliminating the attack surface, right? Obviously, this is very difficult to do and has to do with removing the vulnerability and patching it or implementing those, you know, compensating mitigations - right? - using things like your vuln scanners and working with your vendors' appliances to make sure that you get that right level of visibility and mitigation upfront. But this is really, you know, again, the attack surface piece starting with externally facing devices both on prem and in the cloud and really working your way from there.
Josh Ray: The next piece is really about control - right? - so using hardening tools and configurations to control those attacker actions from being successful post-exploitation. So restricting egress and recursive DNS on servers is very important, especially because actors will attempt to leverage that - you know, web application servers to resolve and call out to download second and third tertiary code. So restricting that network access is very important, especially looking at things like hardening and updating operating systems, legacy systems that, you know, will increase your exposure. This is especially true for Log4j, where production workloads running in the cloud-native infrastructure of Linux servers really, you know, lacked that visibility for protections that you might have, you know, under EDR - so making sure that those things are locked down as well from a control standpoint.
Dave Bittner: What else?
Josh Ray: Well, now we kind of start to get into that monitoring hunt and kind of exercise. So we've kind of covered down on, you know, eliminating the attack surface, controlling and hardening the environment. Now, you know, how do we gain that situational awareness? And log and analyze everything is what we say. So, you know, you can't eliminate - that you can't eliminate or control, right? Having that situational awareness on your network is absolutely critical and making sure that systems that lack visibility or that centralized, you know, logging - making sure that those things are all getting centralized in some type of EDR or SIEM. You know, many of our clients are struggling with this as their Linux production workloads were running on, you know, end-of-life operating systems that really, you know, couldn't be supported in their EDR and didn't have good logging enabled, such as, like, you know, auditd or such like that.
Josh Ray: So then being able to perform a - really a strong forensic view of the servers of the identified exposure period for post-exploitation actions. So that's kind of that monitoring piece that I think is talked about a lot but sometimes, you know, not executed with the right level of diligence.
Josh Ray: And then we move into this notion of hunt - right? - for everything that you can't eliminate or control or monitor using a threat intelligence approach, right? So active hunting, you know, looking for signs of post-exploitation, such as, you know, privilege escalation, lateral movement. Some of the things that our CIFR team, you know, has seen include, you know, installation of web shells, reverse shells, installation of miners and then, you know, other instances of, say, like Cobalt Strike or other types of - or PowerShell activity. Really - but again, it's about kind of actively looking in your environment because as we've seen, especially with things like Log4j, the actor - you know, within hours of that proof-of-concept code becoming available, there was active scanning looking for vulnerable systems. So you need to be on your front foot driving that active hunt program.
Josh Ray: And then finally, really, it's about exercising, so making your - making sure that your teams have that muscle memory and are ready to go, leveraging that crisis simulations and purple team exercises and then using those consequence-driven scenarios that really stretch outside the security organization and require organizational-wide, company-wide response and mitigation activities.
Dave Bittner: Yeah. I'm curious. When something like this happens, when a Log4j hits the airwaves - you know, so it's both high-impact, but high-profile as well - does that present an opportunity for the defenders out there? I mean, I'm curious. Do you have folks coming to you as a provider and say, hey, you know, Log4j is bad, but the good news is this has got the attention of my board, and they have greenlit that budget I've been asking for for all this time?
Josh Ray: Yeah, I mean, they do say never let, you know, a good crisis go to waste. But, I mean, the fact of the matter is that, I mean, you can look across the industry now, and you can point to the crisis of the day. So, you know, if you're waiting for the next big Log4j to, you know, to happen so you can get that budget approved, I would say responsible business owners and folks that, you know, that now see this as part of their - you know, the broader risks that they need to manage as part of, you know, operating a business for their stakeholders, they understand that, you know, these organizations or security organizations need to be properly funded.
Josh Ray: But, absolutely, having that crisis-management approach and that notion where you're able to bring together multiple stakeholders in the business to kind of achieve the - you know, get back to the operational normalcy I think is absolutely critical. And that's - that, in and of itself, is an opportunity that should not be missed by the security teams.
Dave Bittner: All right. Well, Josh Ray, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.