The CyberWire Daily Podcast 3.30.22
Ep 1546 | 3.30.22

Taking down bot farms. Cyber aggression. Kinetic influence ops, Spamming yourself? CS control system advisories. Sanctions are also biting Russian cyber gangs.


Dave Bittner: Taking down bot farms; Russia says the U.S. is the aggressor in cyberspace; influence operations arriving at Mach 10; the call is coming from inside the house. Cyber incidents affect aviation services. CISA posts ICS control system advisories. I welcome Tim Eades from the Cyber Mentor Fund. Our guest is Alex Holland from HP Wolf Security describing a new wave of attacks. And sanctions are also biting Russian cyber gangs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 30, 2022.

Taking down bot farms.

Dave Bittner: Bleeping Computer reports that Ukrainian authorities have taken down five bot farms that were operating tens of thousands of inauthentic social media accounts. The messaging was coordinated and consistent with disinformation about the progress of the war aimed at discouraging further Ukrainian resistance. The items seized in the raids included 100 sets of GSM gateways, 10,000 SIM cards for various mobile operators to disguise the fraudulent activity and laptops and computers used for controlling and coordinating the bots.

Russia says the US is the aggressor in cyberspace.

Reuters, citing stories in Russian official media, reports that Kremlin officials are pointing with concern at cyberattacks they say the U.S. is conducting against Russia. The cyberattacks are said to amount to hundreds of thousands every day. Kremlin representatives said the sources of attacks will be identified and the attackers will inevitably be held accountable for their actions in accordance with the law. Moscow appears to view Ukraine's semi-official part hacktivist, part volunteer and part contractor IT army as an American cat's paw.

Influence operations, arriving at Mach 10.

Dave Bittner: Have you heard about those hypersonic missiles Russia has been firing in Ukraine? They're very fast. And no, in Ukraine, they don't seem to really matter much to the battlefield. You might wonder what this has to do with cyber. After all, why are we interested in hypersonic weapons? Well, they're being deployed for their influence value for mindshare and not target destruction, which makes them first cousin to disinformation. Russian sources have said, and Western sources confirmed, that Russia has been using hypersonic missiles against Ukraine. Defense One has an account of the missiles' use, which the publication sees as a gesture intended to influence and intimidate. The article quotes the head of U.S. European Command, U.S. Air Force General Tod Wolters, as saying, "I think it was to demonstrate the capability and attempt to put fears in the hearts of the enemy. And I don't think they were successful." The air launched Kinzhal or dagger missiles are said to have been used against a Ukrainian ammunition storage site. Hypersonic missiles are extremely fast, moving at Mach 5 or more, and are also designed to be highly maneuverable. Russia claims the Kinzhal is capable of Mach 10 or just over 7,600 miles per hour. 

Dave Bittner: Hypersonic missiles are built for use against well-defended targets, like warships armed with point missile defense systems. So why use them against big, stationary, poorly defended targets, like the one said to have been struck in Ukraine? There's no real tactical reason. You might want a missile that could boogaloo like the Kinzhal if you were up against, say, an aircraft carrier battle group. But if you're striking ammunition bunkers or apartment buildings, schools, hospitals, theaters and so on, a Kinzhal is more than 7,000 miles per hour of excess force. General Wolters probably has it right. This is propaganda of the deed, not fire support. It's an information op that tries to persuade through kinetic effect. It also represents the expenditure of some pricey ordnance. You may not be interested in the hypersonic missiles, Moscow might say, but the hypersonic missiles are interested in you.

The call is coming from inside the house!

Dave Bittner: Some Verizon customers have been receiving spam texts that include a link to a Russian television provider. Free message, the spam begins, your bill is paid for March. Thanks. Here's a little gift for you. And the fishhook is a shortened URL that directs those who click to content provided by Russia's One TV, a channel whose majority owner is the Russian state. The spam is interesting in that it seems to come from the recipient's own number. Verizon says, according to The Verge, that bad actors are responsible and that it's cooperating with law enforcement investigation. Why it's happening is unclear. It could be an information operation or it could just be some hackers in it for the lulz. 

Cyber incidents affect aviation services.

Dave Bittner: Russia's aviation authority, Rosaviatsiya, is reported to have lost some 65 terabytes of data in an incident it sustained this week, Mentour Pilot reports. Business systems and records, including aircraft registration records, are said to have been affected. It's not clear exactly what the incident was or whether it was a cyberattack or an accident. Some sources in Russia are connecting the incident to IT problems induced by a recent change in agency leadership. Another aviation target was hit, this one in the U.S. state of Connecticut. Bradley International Airport, which serves Hartford, was affected by a distributed denial-of-service attack against its public website. In neither the Russian nor the U.S. incident was safety of flight at risk.

CISA posts ICS control system advisories.

Dave Bittner: CISA yesterday released six industrial control system advisories.

Sanctions are also biting Russian cyber gangs.

Dave Bittner: And finally, Digital Shadows has been keeping an eye on cybergangs' chatter in the dark web. And the word on that particular street is that the hoods are taking a financial bath as the ruble collapses under sanctions. With transfers of money blocked and with extensive restrictions on banking in place, criminals are finding it difficult to cash out cryptocurrencies and are having trouble getting hard currency. Digital Shadows describes the underworld's difficulty deciding what to do. They said, one user advised simply leaving the money where it was for six months if the questioner did not need to use it urgently for other purposes. A different user mocked this suggestion, writing, I hope you were joking about half a year. After half a year, your rubles will only be good for lighting a fire, and they will not be good for anything else. The user also questioned whether the Russian state could be trusted to allow the purchase of dollars after six months and worried that many Russian banks would go bankrupt. Other forum members considered the advisability of buying gold, although some noted that this method would incur losses due to the high trade fees and storage costs and would involve an expensive examination during the transaction process. 

Dave Bittner: Infosecurity Magazine points out two interesting results of Digital Shadows' investigation. First, carders, as one might expect, are particularly affected. And second, spare a thought for your poor local criminal - maybe. It turns out a lot of them are just moonlighting, that they all hold legit jobs in the straight world that they rely on to put food on the table. Those legitimate businesses are also being affected by sanctions, and they're feeling the pinch, too. 

Dave Bittner: HP Wolf Security recently released their latest quarterly threat insights report, which highlighted shifting tactics they've been tracking of attackers using features in Microsoft Excel to bypass detection. Alex Holland is a malware analyst with HP. 

Alex Holland: We saw a near sixfold increase in the volume of Microsoft Excel add-in files being used to deliver malware. And we saw these files being used to deliver seven families of malware, everything from kind of crimeware, including Dridex and IcedID, all the way down to commodity remote-access Trojans. And why we think this is significant is because it's part of a wider trend of attackers responding to Microsoft blocking features in Microsoft Office that have historically been abused by attackers to deliver malware. 

Dave Bittner: So is this in response to Microsoft, you know, making macros disabled by default? 

Alex Holland: You're right on the money. Yes. I'd say that this started in October last year, where Microsoft announced that they would be disabling Excel 4.0 macros by default by the end of 2021, which is an older macro technology that was first introduced in 1992. So it's been around for a long while. This trend has continued with the announcement last month of Microsoft's plan to block VBA macros in documents that have originated from the web from April this year onwards. So we think this surge in Excel add-in malware is evidence of attackers responding, essentially, to the slow death of malicious macros by experimenting with different techniques to deliver malware that aren't reliant on these technologies which are quickly being blocked. 

Dave Bittner: For folks who aren't familiar with exactly what Microsoft Excel add-in files are, can you explain to us how they work? 

Alex Holland: I describe them as macros on steroids. So essentially, what they allow you to do is to - for developers to write high-performance functions that can extend the functionality of Excel way beyond what are other macro languages - high-level macros languages can let you do - for example, VBA. For instance, Excel add-ins can support things like multithreading, which VBA cannot. 

Dave Bittner: Is there any sense for how effective this pivot has been for the threat actors? In other words, you know, moving to these add-in files, is their ability comparable to what they had when macros were enabled? Or does this really hamstring them? 

Alex Holland: I would say that in the short term, when we are analyzing threats, we split threats into two kind of attributes. And the first is intent, by which we mean an attacker's desire and expectation for an attack to succeed. And the second attribute is capability. And we're talking about knowledge and their resources to actually conduct an attack and execute it. And so this change, we think, affects their ability, their knowledge, their know-how in order to execute attacks properly. This is only a short-term change. And, in fact, we saw on underground forums, tools and services advertising XLL - Excel add-in malware - that delivers and automates delivery of malware. So people are already coming up with new tooling to get around macros being disabled. 

Dave Bittner: That's Alex Holland from HP Wolf Security. 

Dave Bittner: And I'm pleased to welcome to the show Tim Eades. He is the CEO at vArmour and co-founder of the Cyber Mentor Fund. Tim, it is great to welcome you to the CyberWire. I want to start off introducing you to our audience. Can you give us a quick little version of your bio? 

Tim Eades: Yeah, sure. Absolutely wonderful to be here, Dave. Love CyberWire. It's just absolutely awesome, really, for everybody that listens. Everybody should get this every day, but - certainly I do. So I'm the CEO of vArmour - serial entrepreneur. This is my third company I'm running. I'm on the board of a few others and just, you know, love to be in the cybersecurity world because I think it's a mission that I really believe in - to try and secure the country, try and secure the enterprises. And it's a mission that never goes away, but it's one that you can always aspire to do better in. And then I'm also the co-founder - very fortunate to be the co-founder of a thing called Cyber Mentor Fund, which is a very early seed and series A venture capital fund where we partner with the VCs, but we really partner hardcore with the entrepreneurs. As they come up with these crazy ideas and, you know, they want to go to the moon, and our job is to help them, give them a better chance of success by sharing wisdom and partnering with them to - whether it comes from architecture to fundraising to understanding financials, you know, to understanding the climate and even getting feedback from the early adopted customers. So two parts to my life, but with the same mission, basically secure the enterprises and secure the country. 

Dave Bittner: Well, let's dig into some of the details about the Cyber Mentor Fund. I mean, first of all, fundamentally, what differentiates a mentorship fund from some of the other avenues of funding that companies might have available to them? 

Tim Eades: Yeah. So the Cyber Mentor Fund really does go early. I mean, it's two guys and an idea, and where they turn and they're like, hey, I think I can do this. What do you think? Is this ever going to happen? On occasions, you know, we will even go interview customers and come back with architecture diagrams with them, on occasion, literally set up the URL by the - help their lawyers set up the LLC. We partner with some great law firms on that, like Cooley. And from that, they start to shape, literally, the company. And, you know, we have a little marketing services arm that helps them launch the company. So it's all the way - the early stuff. And so - and because we're not the largest yet, we partner with wonderful people like Jay Leek at SYN Ventures. We partner with Matt Bigge at Crosslink. We partner with Charles Beeler. All the early-stage guys - we kind of partner with them. And young, early-stage startups are like kids, right? When they're young, they need you all the time and everything else. But when they get older, they only call you if they've crashed their car, they need money or they're going through a divorce or something. So early on, you can do this real mentorship, but then they grow up and become a wonderful company. But those early formative stage is where we specialize just because that's where they need the most help. And I think from there, that's what we do really, really well. 

Dave Bittner: What attracts you to that particular stage of a company's development? 

Tim Eades: I'm attracted by it - and I know the team at Cyber Mentor Fund is attracted by it - is because the sense of accomplishment. And the curiosity that you get by some of these entrepreneurs is amazing. There's a great one with SynSaber - right? - where Jori and Ron come to us, and they're like, hey, I think I could do this. And we helped them. We guided them. You know, they're going and getting their first few customers at the moment. And now they got funded by the venture community and, you know, again, and off they're running. But your ability to - the sense of accomplishment and the sense of shaping and partnership is great. It's not for everyone because, you know, sometimes it's - you know, you really have to lean in. They have to be curious. They have to be kind. They have to be really good at communicating. And so - I think Cyber Mentor Fund has done 28 investments over the last three years, four exits, and just about everything is marked up because we come in so early. 

Dave Bittner: I suspect you find yourself being a bit of a matchmaker as well, yes? 

Tim Eades: A matchmaker across the board - a matchmaker with some of the early-stage employees because we help them with that, matchmaker with the law firms that they need to choose, which is really important, sometimes some financial - some outsource financial help, and doing that all the way through to, you know, the venture guys that we partner with, which has been really, really rewarding to see how that works. And then, you know, like I said, we've sold four. I've been in the cybersecurity industry a very long time now, multiple decades. And so we tend to know the CEOs of all the large companies - whether it's Gary Steele who's now over at Proofpoint or, you know, Peter Bauer at Mimecast or wherever it is. You know, and so we can - if there is an exit on the horizon or a decision on the horizon, our ability to actually have a conversation with a potential acquirer and do it in a non-crazy way, just in a very kind way - say, hey, this company is going to look to exit. Is this something that you should be looking towards? 

Dave Bittner: All right. Well, Tim Eades, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Seby, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.