The CyberWire Daily Podcast 3.31.22
Ep 1547 | 3.31.22

Moscow poorly served by its intelligence services, say London and Washington. Cyber phases of the hybrid war. A new zero-day, and some resurgent criminal activity.

Transcript

Dave Bittner: Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distribute via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with emergency data requests. And Lapsus$ may be back from vacation.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, March 31, 2022. 

Dave Bittner: Citing research by Malwarebytes, BleepingComputer describes a large-scale phishing campaign directed against potential Russian dissidents. It seems to be an internal security measure intended to keep an eye on dissatisfaction with the war and to offer a measure of insurance against the possibility of insurrection or a coup d'etat. A malicious RTF file attached to a phishing email carries either a CobaltStrike or PowerShell payload. Employees of certain agencies are of particular interest to those carrying out the campaign, and it's interesting to see how many of them work for either educational organizations or regional authorities. 

Dave Bittner: Viasat has provided more information on the cyberattack against ground terminals that knocked its satellite internet service offline in Ukraine, and in other parts of Europe, during the early stages of the Russian invasion. 

Dave Bittner: The company says it's working to fully restore service to affected customers, and that it's taking other steps to shore up its resilience. Those steps it's prudently not sharing, since it doesn't wish to give the attackers insight into Viasat's own defenses. 

Dave Bittner: Defense One reports that Ukrainian operators, hacktivists of the CyberPan Ukraine group, say they've found weaknesses in Russian tactical battle management systems that render them susceptible to disruption by interfering with their ability to use GLONASS systems. GLONASS is the Russian equivalent of the more familiar U.S. GPS. They also hint that they're exploring ways of directly interfering with Russian artillery computers, and that they've identified some possibly exploitable weaknesses in those systems. This wouldn't be surprising - Russia did it to the Ukrainians a few years ago. During the early stages of the Donbas insurrection Russia fomented and supported, CrowdStrike reported that Russian operators were able to gain access to Ukrainian fire direction systems. 

Dave Bittner: Russia's war against Ukraine has yet to spill over in any significant ways to other sections of cyberspace, but the U.S. remains on alert, C4ISR reports. 

Dave Bittner: And, of course, cyber threats continue to be active in and around the active theater of war. Google's Threat Analysis Group has published an update on cyber threats in Eastern Europe. Some are criminal, and some are state-directed. Among the state-directed activity is an uptick in Chinese cyberespionage seeking to collect intelligence on the war. 

Dave Bittner: Sonatype and Contrast Security report confirmation of the Spring4shell remote-code-execution zero-day. It’s a vulnerability in Spring Core, a widely used framework for building Java-based enterprise applications, and a proof-of-concept has been circulated online. Praetorian researchers say that the exploit bypasses an incomplete patch for CVE-2010-1622, which is an old code injection vulnerability in Spring Core that affects Spring Core on Java Development Kit version 9 or later. It’s serious, but, as Help Net Security notes, it’s not grounds for panic, and remediations are available. 

Dave Bittner: Security firm Morphisec has discerned a resurgence in the Remcos Trojan. The phishing emails represent themselves as payment remittances from financial institutions, including Wells Fargo, FIS Global and ACH payment. The phishhook is a malicious Excel file. 

Dave Bittner: Security firm INKY this morning described how criminals have been able to abuse Calendly, a freemium calendaring hub, by inserting malicious links into event invitations. The crooks are using brand impersonation to distribute a credential-harvesting link. Many of the invitations are arriving from compromised email accounts, which has enabled them to slip by some defenses. 

Dave Bittner: Bloomberg reported late yesterday that forged emergency data requests last year induced Apple and Meta to surrender basic subscriber details, such as a customer's address, phone number and IP address. None of the companies who were affected by the scam are without experience in handling requests from law enforcement. And they all have policies in place to prevent this sort of thing from happening. But emergency data requests are a bit different. They're issued in special circumstances by law enforcement agencies when they're concerned about a clear, imminent danger. And they can be issued without the usual legal and judicial review. So urgency here, as in so many other cases, seems to have served to lower the victim's guard. Researchers suspect that some, perhaps all, of those responsible for the caper were minors in the U.K. and the U.S., some of whom may also be involved with the Lapsus$ group, others with the Recursion Team. 

Dave Bittner: And finally, speaking of Lapsus$ - the gang, or someone claiming to be the gang, seems to have returned from the vacation it took after seven of its alleged script-kiddy leaders were arrested last week. TechCrunch describes the group's attack on software consultancy Globant. Lapsus$ has pushed a 70-gigabyte torrent file in its Telegram channel that the gang claims to have stolen from Globant. The hackers also say their take included global corporate customers' source code. 

Dave Bittner: As the focus on security and software development continues to increase, some say it's time to assign an official cybersecurity champion role to someone on the development team. Fleming Shi is chief technology officer at Barracuda Networks. He shares his perspective on security champions. 

Fleming Shi: To me, it's actually for every department that has anything to do with software development or any type of operational components. The champion's job is not in a way to block things, but actually assert cybersecurity practices, you know, what we call the best practices in the very early stages of either design or planning. So it's less of a behind-the-scene person, but more of - involved in a conversation in initial architecture of doing any type of digital work. 

Fleming Shi: So to me, for engineers, for example, cybersecurity champions will be the ones that identify certain behaviors and maybe identify certain data-processing, you know, behaviors or software behaviors, even vendors that need to be used or maybe open source projects that are going to be included in the design. You know, basically have a conversation around that. So build up the security awareness or compliance awareness. Sometimes, you know, could be in the form of describing certain security practices or policies. Sometimes could be also identifying the classification of the data. Could it be critical, you know, in terms, versus, you know, data that's intransient? Those types of, you know, conversations need to happen early. So the champion's job is to nurture and really kind of drive awareness in the very early stages of the software development cycle. 

Dave Bittner: It seems to me like a certain amount of diplomacy would serve someone well in this role as well, you know, so the team doesn't see this person coming and say to themselves, oh, boy, here comes, you know... 

Fleming Shi: (Laughter). 

Dave Bittner: Here comes cybersecurity champion Bob or Betty. And, you know, let's all run the other way. 

Fleming Shi: That's right. I a hundred percent agree with you. So there's a lot of diplomacy required or basically soft skills required to actually do this type of work and do it successfully because we have talked about this in the past where security sometimes is viewed as a disrupter in innovation, right? So I think you want to innovate with security in mind. And that's why we need to kind of weave together and can kind of get the team working together. 

Fleming Shi: Sometimes a cybersecurity champion could actually see it from existing development team or operations team where they're starting to build up that level of awareness and understanding. So, you know, even if you do this early, there's going to be a much clearer path for you to actually get to market - right? - because if you do this early, you will have a plan for how it is processed. And you can also talk about other open-source components and why you chose this path because it's better for security and compliance, right? 

Fleming Shi: So once you have all those in place, actually, the job gets easier towards that because you have transparency. You have information. You have the ability to really kind of, you know, ensure your legal department or your - to your customers. You have certifications that you can get to quicker. So I believe doing it upfront is better instead of kind of just - oh, go do a whole bunch of things and do some pen testing and hope it's OK (laughter). You know what I mean? 

Dave Bittner: Right. How do you measure success? How do you, you know, know that the programs you put in place are being effective? 

Fleming Shi: I think that's a great question, partially because it's something new. I will say you have to really kind of apply it based on the context. So for software development, obviously, adding security - one way I will measure is adding security towards the end, maybe going through months and months of pen testing back and forth and fixing things versus, if you do it early, you probably have a shorter development cycle to get to market, right? That's one way to measure it - is basically doing it early, having everything ready. By the time you're getting to the point where you're doing the pen testing, outcome is amazing. 

Fleming Shi: We actually had that kind of experience at Barracuda where we were surprised how secure the product is when it's done because we had applied security all along from an architectural perspective to design to implementation to - you know, all the functional requirements and all the things added together. So point there is that you can measure based on the success of delivery of the software. The other one is obviously using metrics that you can gain, you know, along the way from - you know, testing security on top of, like, pen testing is absolutely still required. And from that point on, you just get to that agile component of the development cycle, and hopefully, security doesn't become a friction for you. 

Dave Bittner: That's Fleming Shi from Barracuda Networks. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC's "StormCast" podcast. Johannes, it's always great to have you back on the show. I wanted to touch today on attack surface detection. What can you share with us? 

Johannes Ullrich: Yes. So one problem a lot of smaller businesses and enterprises are struggling with is, what are we exposing to the internet? Now, for enterprises, that usually means hiring some fairly expensive service and software in order to do that for you. But for smaller businesses, there are a couple of cheap or even free options that you can use in order to figure out what are you exposing to the internet. 

Dave Bittner: What kind of stuff do you recommend? 

Johannes Ullrich: So actually, my favorite, even though that requires more work kind of to set up, is Zeek. Zeek is really an intrusion detection system. It sort of summarizes everything that's sort of happening on your network, but it has a couple neat reports or logs it generates of all the known services it sees, new hosts it sees on your network or other software, so software versions and such. It does that by looking at the banners. If you want a little bit simpler setup here, there is something called Security Onion, which is a bootable Linux CD, also as a virtual machine, that sort of has Zeek and a bunch of other tools preconfigured for you to not just detect attacks but also any new services that you have. On the more active side, doing occasional scans with tools like Nmap of your network aren't a bad idea. Of course, in order to do that, you need to know what IP addresses you have. For a smaller organization, it's usually not a big problem. For enterprises, this can be a real issue. 

Johannes Ullrich: One question here I have also for people who are doing this, how you're dealing sort of with people working from home, are you scanning your home users occasionally? Because the kid may have set up some gaming platform or whatever in the same network that's now exposing ports here. 

Dave Bittner: Yes (laughter). 

Johannes Ullrich: Yes (laughter). 

Dave Bittner: Yes. 

Johannes Ullrich: You have seen it happen. 

Dave Bittner: Yes. 

(LAUGHTER) 

Johannes Ullrich: But, of course, the - there are a couple of legal and technical issues you may want to - you don't want to take down the kids' gaming platform. 

Dave Bittner: No. 

Johannes Ullrich: (Laughter) I know with service level agreements with home networks, all a little bit tricky there. 

Dave Bittner: Right. 

Johannes Ullrich: And then there are actually some servers that actually do it for you, like, Shodan, Censys and RiskIQ and such collect some of that data, some of it you can get for free, some of it relatively cheaply. But you basically tell them, hey, these are the IP addresses that I have. Just send me an email whenever you find something new with that. 

Dave Bittner: What degree of technical expertise do you have to have to use something like this? You know, I'm thinking of that mom-and-pop shop who kind of sits at the lower end and can't afford to have a full-time IT person. Is this something they could likely handle? 

Johannes Ullrich: Maybe. Like, Shodan and such, these platforms are roughly easy to set up. The problem comes once you get an email from them alerting you of an exposed service. How do you really make sense of that? How do you figure out what you're exposing here? I would hope that a company like this may have some IT person that is sort of managing some of that for them on a part-time basis or sort of as a managed service. 

Dave Bittner: Yeah. Yeah. Money well spent - right? - to know a person to have on call. All right. Well, Johannes Ullrich, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.