The CyberWire Daily Podcast 3.21.22
Ep 1539 | 3.21.22

Hacktivism, protestware, and information operations in a hybrid war. Brazi-based cyber gangs active in extortion. Steganography opens a backdoor. A free decryptor for Diavol ransomware.


Dave Bittner: The widely expected intense Russian cyber campaign has yet to appear. Protestware as a dangerous turn in hacktivism. Information operations and the persistence of independent channels of news. Social media as an OPSEC problem. Lapsus$ may have hit Microsoft. A second Brazilian gang tries its hand at extortion. A snakey backdoor afflicts French organizations. AD Bryan Vorndran of the FBI Cyber Division on what the agency brings to the table in cyberspace. Rick Howard considers infrastructure as code. And Emsisoft offers a free decryptor.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 21, 2022. 

Dave Bittner: We open again with a brief note on the situation on the ground in Ukraine. On Saturday, Ukrainian President Zelenskyy called upon Russia to engage in meaningful peace talks. Russian ground forces are digging in, in place, along most of their avenues of advance, especially in the approaches to Kyiv, which suggests that the invasion continues to stall. The British Ministry of Defense's Friday evening spot report simply said, quote, "President Putin continues to wage war on the people of Ukraine by striking dense urban areas, killing and displacing innocent civilians with non-precision weapons," end quote. 

Dave Bittner: Apart from the widely reported distributed denial-of-service incidents and wiper attacks against Ukrainian targets, large-scale Russian cyberattacks have failed to materialize, although most governments remain on alert for some such campaign, which they fear would not remain confined to the combat theater. Security Affairs has a timeline of recent cyberactivity in the war. Its most recent entries mention Chinese cyber-espionage attempts against Ukraine's government. But these seem common, expected intelligence collection about an ongoing conflict and not an extraordinary campaign. The Times of Israel describes a conflict in which hacktivists and deniable criminal organizations have played the most prominent roles. Anonymous has been active on behalf of Ukraine, and the Conti gang - itself infiltrated by Ukrainian hacktivists - on behalf of Russia. 

Dave Bittner: The most significant incidents so far have been some disruption of Viasat ground station operations in Ukraine and some episodic GPS jamming, both of which remain under investigation but which appear circumstantially to represent Russian operators. Both U.S. and EU authorities have warned satellite communications operators to look to their defenses. So far, according to The Washington Post, StarLink has given Ukraine some surprisingly robust access to the internet and also the means of controlling some of its drones. Ars Technica reports that Western banks are also taking measures to protect themselves against Russian retaliation against the SWIFT interbank transfer system from which sanctions have excluded it. But again, so far, no attacks have surfaced. 

Dave Bittner: Hacktivists have generally favored the cause of Ukraine in the current war, and some of their methods have come under strong criticism. Last week, a hacktivist who goes by the hacker name RIAEvangelist wrote source code for an NPM package they called PeaceNotWar and distributed it within the open source by making it a dependency of a popular and widely used NPM module, thus affecting the software supply chain. PeaceNotWar was designed for use against systems in Belarus and Russia, but even if that form of supply chain attack were deemed legitimate, it seems indiscriminate and difficult to contain. 

Dave Bittner: Since then, Russian organizations have grown understandably warier of the possibility of software supply chain corruption. MIT Technology Review reports, quote, "in response to the threat, Sberbank, a Russian state-owned bank and the biggest in the country, advised Russians to temporarily not update any software due to the increased risk and to manually check the source code of software that is necessary - a level of vigilance that is unrealistic for most users," end quote. 

Dave Bittner: Hacktivism is susceptible to becoming indiscriminate and uncontrolled. It's also frequently criminal, albeit not usually criminal in the sense of being financially motivated. Computing points out that most Western authorities have discouraged individuals from engaging in hacktivism. Quote, "participating in Ukrainian cyberattacks from the U.S.A. or the U.K. could violate local laws, such as the Computer Fraud and Abuse Act in the U.S. and the Computer Misuse Act in the U.K.," end quote. Alan Woodward, a professor of cybersecurity at Surrey University, noted, "while I totally understand the sentiment behind the actions of many in this IT army, two wrongs do not make a right," end quote. He added that not only might it be illegal, but it also runs the risk of playing into Putin's hands, who could use the attacks to spread anti-Western rhetoric. Russian President Putin has vowed to purge Russia of scum and traitors insufficiently committed to the special military operation in Ukraine. The Kremlin has sought to crack down on both public protest and online dissent, both now fully criminalized, the Atlantic Council reports. But public protests, by Russian standards, have been surprisingly prominent. This suggests that news other than the official Kremlin line that the war is an ultimately defensive one waged against genocidal Nazis is getting through. 

Dave Bittner: Some of the channels in which it's circulating are surprising. Groups within the widely used Russian social media platform VK, In Touch, are serving as conduits for dissent and unofficial news. The groups involved are, according to Newsweek, longstanding groups focused on common interests such as art, sports, music and celebrities. VK is by no means a nest of dissenters. The executives who run it are close to the government and have themselves come under U.S. sanctions. The sharing of unofficial news on the war in Ukraine seems to be a function of the sheer difficulty of effective content moderation on a platform with more than 90 million users. 

Dave Bittner: The social media platform Telegram has surged in Russia, where it's continued to operate without the interruption and blockage experienced by Instagram, Twitter and the like. Telegram originated in Russia, which may be why it's been permitted to operate. The Wall Street Journal quotes Ivan Kolpakov, editor in chief and co-founder of the now-blocked Russian independent media outlet Meduza, which is itself surviving in its Telegram feed. Quote, "Telegram isn't perceived as a total enemy resource. It's not perceived as a tool of information war against Russia. In Russia, a huge culture of uncensored journalism and so-called journalism appears on Telegram." Telegram itself told the Journal it didn't know why it hadn't been blocked, and it didn't know if it would be blocked in the future. But, quote, "we believe in freedom of speech and are proud we can serve people in different countries in difficult times," end quote. 

Dave Bittner: The Daily Mail says the Royal Army has told its troops to stay off WhatsApp, regarding the platform as receiving too much attention from Russian intelligence services. Troops are chatty, and people tend to be disinhibited online. 

Dave Bittner: Reports circulating in Reddit and elsewhere suggest that the Lapsus$ group has posted then deleted material that suggests an attempt against Microsoft. Cyber Kendra reports - and points out that the story is early and so far unconfirmed - that Lapsus$ may have compromised an Azure DevOps account. Microsoft told BleepingComputer that they were investigating the gang's claims of successfully penetrating the company. 

Dave Bittner: The Register last week offered a brief history of the relatively young gang, which is thought to be based in Brazil and which has made a specialty of hitting targets in the tech sector. Lapsus$ is thought to be a new group, not merely a rebranding of an existing criminal gang. Their approach is unusual in that they don't deploy ransomware but rather steal source code and threaten to release it. In disclosure, we note that Microsoft is a CyberWire partner. 

Dave Bittner: TransUnion disclosed a data breach late last week when a gang identifying itself as N4ughtysecTU succeeded in accessing one of the credit bureau's South African servers. The gang - which, like Lapsus$, is thought to be based in Brazil - demanded $15 million in ransom. SecurityWeek reports that TransUnion has said it won't be paying. Tech Central says the South African Banking Risk Information Center is working with the country's banks to protect consumers who might be affected by the breach. 

Dave Bittner: Proofpoint reports that a new back door is being installed in French targets. The attack is unusual in its use of steganography. Proofpoint says in their report that the attack represents new targeted activity impacting French entities in the construction and government sectors. The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer. Various parts of the VBA macro include ASCII art and depict a snake. It's crudely drawn as benefits an ASCII picture, but a snake it is. The attackers' identity and motives are so far unknown. 

Dave Bittner: And finally, bravo, Emsisoft. The company has released a free decryptor for Diavol ransomware. 

Dave Bittner: And I'm pleased to be joined once again by Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, it's always great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: I don't know if I'm misreading things here, and I - honestly, I don't know where the time has gone. But according to the notes I have in front of me, you are finishing up the last episode in Season 8 of the "CSO Perspectives" podcast. I feel like I'm still, like, putting away ornaments from my Christmas tree. 

Rick Howard: (Laughter). 

Dave Bittner: How did you get through an entire season without me hardly noticing? What do you have in store for us on this last episode? 

Rick Howard: I know exactly what you mean. I mean, I turn around twice and spring arrived. It's like, gee whiz, what's been going on, you know? So... 

Dave Bittner: Yeah. 

Rick Howard: All right, so for this last episode of the season, I'm delivering some good news - something we can all use in these crazy days of this year. 

Dave Bittner: I'm listening. 

Rick Howard: (Laughter) Well, when I started this podcast about two years ago, I did an entire episode on how DevOps, or DevSecOps if you like, was going to be the way forward to deploy some of these first principle strategies that I keep yammering on about. But I was frustrated because it seemed to me that the IT people doing DevOps had kind of left the security people in the dust, you know? In other words, they didn't bring us along. They - as they made progress in building these continuous integration, continuous delivery pipelines, or CICD pipelines for short. And the security community wasn't smart enough to tag along with them. So back then, the gap was widening between what the DevOps teams were doing and what the security teams were doing. 

Rick Howard: Well, I'm here to tell you that it looks like both sides of the equation had come to that conclusion themselves and have started to make the necessary course corrections. It's too soon to say that we've got the problem solved, but the one key indicator is that the folks over at Gartner, you know, the folks that do the hype charts about different things... 

Dave Bittner: Right. 

Rick Howard: ...They placed DevSecOps as just coming out of the trough of disillusionment. 

Dave Bittner: (Laughter). 

Rick Howard: So they're slowly put DevOps in the slope of enlightenment, and it's about, according to them, you know, 5 to 10 years away from reaching the plateau of productivity, all right? So... 

Dave Bittner: Who has that kind of time? 

Rick Howard: Yeah, I know, OK? But it's better than what I thought, all right? 

Dave Bittner: (Laughter). 

Rick Howard: That's all I'm saying. 

Dave Bittner: OK. 

Rick Howard: So in this episode, we're going to talk about how we got here and the steps that the senior security executives should be taking right now to take advantage of this kind of new development. 

Dave Bittner: All right. Well, we will check that out for sure. It is the final episode of Season 8 of "CSO Perspectives." That is part of CyberWire Pro. You can find out all about that on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to welcome back to our show Bryan Vorndran. He is the assistant director of the FBI's cyber division. Mr. Vorndran, welcome back to the CyberWire. I want to touch today on some of the things that the FBI brings to the table when it comes to your cyber division. Specifically, you know, I think there are a lot of private organizations out there. And I'm thinking particularly of the small to medium-sized businesses. When they are hit with some sort of cyber incident, I think a lot of them think that maybe they're too small to reach out to their local FBI field office, that they don't warrant the attention of an organization at the federal level. Is that a misperception on their part? 

Bryan Vorndran: Dave, thanks for the question. Let me start by saying, the best assessment that we have within the U.S. government is that we receive reporting on between 20 and 25% of the total computer intrusions that occur against organizations in the country. And so when we're operating with a data set that's only 20 to 25% deep, it does prevent us as the U.S. government - and that includes all members of the intelligence community - from being more effective at preventing additional victimizations against individuals, corporations or organizations that may not know their next target. 

Bryan Vorndran: And I would ask those that are evaluating whether there are too small to warrant the attention to change the question in their mind to this - if I choose to engage the FBI, it may prevent someone else from being a victim, and because of that, do I want to engage the FBI? And we're hopeful that the answer to that question is yes, not in the spirit of are they small, too small to warrant the services. The question is can they contribute to the data set? Can they contribute to us understanding trends, vulnerabilities that will allow us to protect others? And because of that, we have a clear answer to the reporting question, which is that we would encourage everyone to report, because it really does put us in a better position to help potential future victims. 

Dave Bittner: Can you give us some insights? You know, if I report something to the ICC website or I call my local field office with an incident or a question, what should I expect in terms of a response? 

Bryan Vorndran: So I'm going to provide two answers to that question, Dave. One is information-specific. One of the questions we get routinely is what type of information does the FBI or other agencies need - other agencies being CISA or Secret Service - need to really do meaningful work with our computer intrusion? So information such as malware variant, initial vector of attack, whether it affects the IT system only or the IT and the OT, whether we know if there's any unique malware signatures, the variant of ransomware if appropriate, when and if the systems were segregated. Are there viable backups? This is the type of specificity and detail that will help us align the right resources quickly for the benefit of the victim. We often get the question about - and we call it - we name it myth-busting - about, how is the FBI going to show up to my place of work? You know, simple questions - are there going to be black Suburbans? Are there going to be raid jackets? 

Dave Bittner: (Laughter) Right. Right. Are you going to start going through all of my paperwork, right? (Laughter). 

Bryan Vorndran: Right. And the answer to that question is absolutely not. But I'm going to make some recommendations here and then walk you through what it will actually be. The recommendations would be develop that incident response plan and bring your inside counsel - or your outside counsel - into that incident response planning, exercise functionality on a very routine basis and work through your concerns and work through your concerns with the FBI before there's actually an incident. What we say is, let's lower the barriers to sharing so that we can simply build trust in the moment of a critical incident very, very quickly. So those are steps that can be taken today with inside or outside counsel that would very much lower the temperature at the moment of a cyber incident. But in terms of our work, when we show up, we're very, very flexible. We're happy to engage in conversations about memorandums of understanding or legal documentation that puts a company's mind at ease. We are certainly not after PII of employees or clients. We are certainly not after sensitive information for a company or intellectual property. We are simply looking for elements and evidence and intelligence of criminal activity, so that we can bring people to justice or so that we can inform the larger intelligence community ecosystem. And so those are very different paradigms than thinking the FBI is going to show up in a very pronounced, loud fashion. That is not the way we conduct our business. And I'll give you two other examples. We've received requests as simple as, hey, can you help us safely take down servers? - because we're not sure how to ensure that we don't ruin our information on our systems that was hit by a ransomware attack, and we don't want to affect evidence that you need. The answers to those questions are always going to be yes. We've received questions to help with controlling media inquiries to companies who have become the victim of a ransomware attack. Hey, Bryan, or hey, FBI, can you help us take all the inbound media inquiries while we're trying to do meaningful incident response? The answer to those questions is absolutely. We will issue press statements to direct all media inquiries to us. So really, the breadth of our options to provide support is quite broad. We even have a victim services division that if employees are really, really struggling with what they're going through as a result of a cyber intrusion, we'd be happy to get our victim services involved to help specific employees who are really struggling. So the options that we have are much deeper than technical. But the common thread is respect for what's at stake for the company, and I do think we do that quite well. 

Dave Bittner: All right. Well, assistant director Bryan Vorndran from the FBI's Cyber Division. Thanks so much for joining us. 

Bryan Vorndran: Thank you, Dave. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Seby, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.