The CyberWire Daily Podcast 4.6.22
Ep 1551 | 4.6.22

Fire and cyber in Ukraine. Stone Panda (Cicada, APT10) expands its interests. Bogus e-commerce sites harvest banking credentials. Advice and guidance from CISA.


Dave Bittner: The U.S. provides cyber assistance to Ukraine. The Cicada call of Stone Panda. Phony e-commerce sites seek to harvest banking credentials. CISA offers some advice and some guidance. The Hydra Market's been sanctioned. Awais Rashid from Bristol University on anonymous communication systems. Our guest is Armaan Mahbod of DTEX Systems with a look at supermalicious insiders. And the most popular password is...

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, April 6, 2022.

Russian cyberattacks continue.

Dave Bittner: Russian cyber operations in Moscow's war against Ukraine haven't developed in the expected directions. Those expected directions included crippling attacks against Ukrainian infrastructure, attacks against countries sympathetic to Ukraine and widespread damaging attacks that would spread globally and indiscriminately like WannaCry and NotPetya did in May and June of 2017. 

Dave Bittner: But of course, Russian cyber-operations have taken place at lower levels, especially in the form of nuisance-level distributed denial-of-service attacks and attempts to push disinformation through accessible channels. An essay in Foreign Affairs argues that in fact Russian cyber-operations were both extensive and successful, and that it would be naive to underestimate them simply because they didn't unfold as expected. Extensive seems correct, but successful is less clear. It may be that the cyber-operations' success was lost in the general noise of Russian tactical ineptitude. The authors maintain that Russian cyber-operators performed as planned, and that the failure was a general strategic one. 

Dave Bittner: In addition to the DDoS attacks, the Foreign Affairs piece mentions the wiper attack against Viasat customers. There has also been Russian interference with GPS. Simple Flying reports that France’s civil aviation authority has attributed interference with GPS signals near Finland to Russian jamming. That jamming has been ongoing since early last month, and is probably intended as a hedge against attacks against Russian forces by precision-guided weapons. And of course, there have also been cyberattacks against Ukrainian telecommunications infrastructure, notably the March 28 attack on Ukrtelecom. The Wall Street Journal reports that both Microsoft and Cisco have been helping Ukrainian telcos with remediation. 

Dave Bittner: But this doesn't change the fact that Western expectations of the damage Russian cyberattacks would produce were inflated. And it also seems inarguable that Ukrainian networks have proven more resilient than expected, and that Ukraine has probably received more foreign assistance than Moscow anticipated.

US has been providing cyber assistance to Ukraine. 

Dave Bittner: General Paul M. Nakasone, commander, U.S. Cyber Command, yesterday delivered his organization's Posture Statement to the 117th Congress. Prominent among the threats and responses he outlined were those presented by Russia's invasion of Ukraine. Russia, in Cyber Command's estimation, is using a broad range of its capabilities against Ukraine. Nakasone said, Russia’s invasion of Ukraine demonstrated Moscow’s determination to violate Ukraine’s sovereignty and territorial integrity, forcibly impose its will on its neighbors and challenge the North Atlantic Treaty Organization. Russia's military and intelligence forces are employing a range of cyber capabilities, to include espionage, influence and attack units, to support its invasion and to defend Russian actions with a worldwide propaganda campaign. 

Dave Bittner: General Nakasone also described the response by Cyber Command and the NSA to the invasion. That response extends to readiness and intelligence services to the U.S. and its allies, but also to direct support of Ukraine. That support included assistance with network hardening and threat hunting. 

The Cicada call of Stone Panda. 

Dave Bittner: Researchers at Symantec have found renewed cyberespionage on the part of the Chinese APT it calls Cicada - also known as APT10 or Stone Panda. Among the victims are government, legal, religious, and non-governmental organizations in multiple countries around the world, including in Europe, Asia and North America. Symantec thinks the expansion of the APT’s interests significant. It had formerly been most concerned with Japanese companies. Symantec says this campaign does appear to indicate a further widening of Cicada's targeting. The attribution is based on finding a custom loader and custom malware believed to be used only by Stone Panda.

Phony e-commerce sites seek to harvest banking credentials. 

Dave Bittner: ESET reports finding seven bogus e-commerce websites that impersonate legitimate Malaysian businesses - six of them cleaning services, the seventh, a pet store. The sites dangle the offer of an app, as opposed to an opportunity, to make immediate purchases. The criminals' aim is to harvest banking credentials. For now, at least, the problem is confined to Malaysia, but users anywhere should be alert to the possibility of this kind of scam. CISA, yesterday, issued four industrial control system advisories. They also added four vulnerabilities to their Known Exploited Vulnerabilities Catalog. U.S. federal civilian agencies that CISA oversees have until April 25 to address them. So hop to it, CISOs. 

Hydra Market sanctioned.

Dave Bittner: Following the takedown of the Hydra Market by German Federal Police this week, the U.S. Treasury Department's Office of Foreign Assets Control has sanctioned the Russian-language Hydra Market and has identified over 100 virtual currency addresses associated with the criminal operation. Contraband traded in Hydra Market include ransomware-as-a-service, hacking services and software, stolen personal information, counterfeit currency, stolen virtual currency and illicit drugs. Treasury pointedly notes that Russia is a haven for cybercriminals. Decipher reports that experts think data seized from Hydra's market servers will inform further investigations into the cyber underworld.

Envelope, please.

And finally, here's a proverbial dog-bites-man story. What do you think is the most common password nowadays? Wait for it. According to a CyberNews study, 123456 is apparently still the world's most common password. But you saw that one coming, didn't you?

Dave Bittner: DTEX Systems is a workforce cyber intelligence and security company, and they recently released their 2022 Insider Risk Report. One element the report highlights is what they describe as the rise of the super malicious insider. Armaan Mahbod is Director of Security and Business Intelligence at DTEX Systems. 

Armaan Mahbod: Compared to a normal, malicious individual, the super malicious person is more technical, understands the risks and concerns that are out there that businesses are already looking for and essentially are the type of individual to know those risks, know how to kind of get behind or pass those risks and essentially seem to be more normal than others, right? They understand the TTPs that are out there and all those behaviors. So their goal and intent is to essentially - hey, I know that this is already looking for that. You know, I'm going to take these measures, these other steps to essentially bypass those things and not go detected as much as possible. 

Dave Bittner: And so what should the security people be on the lookout for? 

Armaan Mahbod: I think it's a range of behaviors, right? There's a lot more with the super malicious. What we've noticed is although they may try to use social engineering tactics and do things to essentially push work onto others, in many cases, they - other people are still not able to be convinced that they should exfiltrate that data, right? So I may have access, for example, to data, and I may be very knowledgeable on what is actually worth something and what is not, so, maybe, you would contact me and try to make friends with me in the business, try to perform a little social engineering, to get me to provide you some data. Maybe you're trying to get a leg up in your business or your department, right? And you're like, hey, maybe this is a mutual benefit for both of us, right? Those are some incidents that we've seen over the past years where, essentially, they'll still have to identify others, still communicate with others, but they'll try to skip the reconnaissance and utilize social engineering as their way to circumvent - right? - to bypass and not seem the blame to be on them for taking this out or aggregating it. But they still generally need to exfiltrate that. 

Armaan Mahbod: So what we've seen is a high spike in burner emails, instant messaging tools, other things of that nature. Even, actually, the tools that organizations provide are actually a very, very hot topic because things like Slack, things like Zoom, communication tools have a lot more features in them. But also what those features entail is less visibility for an organization. And what I mean by that is, for example, what we've seen is a higher rise in Slack and communication tool usage, obviously, with remote working occurring. But what actually is a slight byproduct of that is people are more comfortable sharing documents through these methodologies as well. And it's really simple now where, you know, hey, I can send a Slack message to myself and actually go on my phone and download that file, right? And I can clean the stores. And I think it's really important to - for organizations to be more aware and cognizant of those means. 

Dave Bittner: Are we looking for behaviors? Is that where we're focused here? Or is this a matter of putting specific filters in place? Or is it a combination of all those things? 

Armaan Mahbod: That's a great question. You know, what we have is we have very compliance-driven organizations and very innovative and a mix of the two. And especially in the innovative space, they feel as though these lockdown measures can be a hindrance to the business, right? So I think it's a - it's always a mix of both, depending on the appetite of the business. But what we see is that there should be at least a level of understanding and monitoring still of what's being shared and maybe at least consideration, to your point, tweaking the thresholds, right? How much can you actually send through this means, right? I think that's really important. 

Dave Bittner: I suppose also that the tone that you have matters a lot as well. I mean, it's - you know, to go and slap someone on the wrist is different than saying, hey, we noticed that you're using Dropbox here. Is - you know, is there something that you need to - are there capabilities you need to get your work done that we're not providing you with? You know, we want to help you stay on the straight and narrow here. 

Armaan Mahbod: Yeah, no, you're right. Business is a spectrum, right? There's a varying degree of compliance and regulation and corporate policy and all of that kind of stuff in place. And also, you know, your people - you know, as humans, we all have different emotions. We all react differently. And usually, it's good to let the manager in on it and have them take on this level of human aspect that we don't want to lose because we want to make sure the relationship between security folks and employees is not just virtual, right? It's a human thing. We are here. We're here to help you make sure that you have the tools in place to be more successful. If you're going to use Dropbox, oh, you know, we actually have this other service and you can utilize it in this way. If you're doing it for personal means, then obviously we would look at the corporate policy and if that aligns with the business practices that we have today, you know, and thinking about it in that way and making it more - instead of it generic, making it a little bit more authentic and one-to-one is what we've seen done, you know, wonders for organizations. 

Dave Bittner: That's Armaan Mahbod from DTEX Systems. 

Dave Bittner: And joining me once again is professor Awais Rashid. He's the director of the National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online at the University of Bristol. Awais, it's always great to have you back. I wanted to touch base with you today on this whole notion of anonymous communication systems and, you know, the work that you're doing there at the National Research Centre on Privacy, Harm Reduction and Adversarial Influence falls right into this. With everything going on in the world today, it seems as though there's been quite a focus on the ability for people to communicate anonymously. 

Awais Rashid: Yes, indeed. And one of the things is that, you know, kind of end-to-end encryption and anonymous communication systems have been in the news for various reasons, you know. And you can go from the discussion about, for example, protecting children online, an area in which I have worked myself quite a lot, and potentially the use by criminals in sharing imagery relating to children using potentially anonymous communication and end-to-end encryption systems to also the other end, you know, in the case of, for example, geopolitical conflict, you know, where people are able to actually communicate with the outside world in a private and secure fashion because they have these tools and applications readily available to them. And that really brings to the front this really interesting point, that it's actually not technology itself or the techniques that provide a positive or negative consequence. It's how they are potentially used. 

Awais Rashid: But there is also a fundamental question that underpins them. When you are using an end-to-end encryption system or you are using an anonymous communication system, how do you really know for sure what kind of properties it is preserving or not? Is it really preserving your privacy and under what conditions? And that's really what we are trying to do here. At the moment, we are working on a big effort to build what we call a privacy test bed, where, for example, application developers or potentially users of applications in due course or privacy professionals can run large-scale analyses on these kind of applications without to - without really having to deploy any specialist infrastructure on their own or having to access several potentially costly devices. This allows you to then simulate effectively information flows on a large scale around these kind of systems and then analyze if they are potentially leaking any privacy-sensitive information. 

Dave Bittner: You know, you and I have spoken previously about supply chain risk management, and it seems to me like that applies to this technology as well, to your point, you know? If I want to use a secure messaging platform, how do I know that the claims that they are making are actually so? Is there some sort of chain of custody that can verify that? 

Awais Rashid: Absolutely. And there is a - this is really interesting case in point that you mentioned, because I would sort of call in a previous discussion with you also. At the start of the pandemic, we talked about the cybersecurity risks arising from home-working and things like that. And at that point, you might recall, there was a lot of debate in the media about whether Zoom-based communications were end-to-end encrypted or not. And it is quite interesting that when, for example, we would talk about something being end-to-end encrypted, in this case, we know that the content of the message, depending on the protocol that they are using, would not be visible. 

Awais Rashid: But there is also, of course, metadata that exists alongside the content of the message, and that metadata may be possibly accessible. And that's why there was a lot of backlash against, you know, WhatsApp since WhatsApp's decision to update their privacy policy, that they would be sharing information, for example, with Facebook - being the same parent company - and a lot of users started to migrate to Signal because they were very concerned. But it was also quite interesting that a lot of that migration was from a misconception that their - the content of their message could be read, rather than that it's the metadata that was being shared. So for example, you know, WhatsApp knows to whom you talk at one point, but they don't know the content of the message because they can't read it because they use the signal protocol. And it is these kind of things that are hard to establish unless you are an expert. 

Awais Rashid: So what we are trying to do is that if you're a software developer and you are implementing such systems - such features in your applications - then you can deploy in the test bed to see whether it actually really works as you thought it would. If you are a system administrator, in this case, you know, deploying an end-to-end communication system in your organization, then you can test whether it actually preserves the properties that it's claiming to preserve. But also if you're a privacy professional and you want to see whether an application really delivers on its promises with regards to privacy and anonymity, then you can actually also deploy it and test. And again, this goes to the heart of some of the discussions we - again, that were in the media around contact tracing and centralized and decentralized contact tracing and so on. And it would have been wonderful at that time to have a test bed like this, for us to really test all these things. But, you know, as they say, better late than never. So we are building something now, and it's quite an exciting time. 

Dave Bittner: All right. Well, Professor Awais Rashid, thank you for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.