The CyberWire Daily Podcast 4.11.22
Ep 1554 | 4.11.22

Cyber skirmishing as Russia redeploys in Ukraine. Spyware in senior EC official’s device. Sharkbot-infested apps ejected from Google Play. Advice from CISA.


Dave Bittner: Russian commanders seek to keep troops away from dangerous sections of the internet. Cyberattacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations. Mixed reviews for U.S. pre-emptive measures against GRU botnets. SharkBot-infested apps have been ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of the Auto-ISAC. And what you should do when your shields are up.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 11, 2022. 

Russian commanders seek to keep troops away from dangerous sections of the Internet.


Dave Bittner: Ukraine's military intelligence service has posted a file to its Facebook account that purports to be a Russian document complaining of Ukrainian online attempts to influence historical memory, manipulate opinions and distribute false information about events and the situation on the ground. If the document is genuine - and The Telegraph hasn't yet been able to authenticate it - it would also provide more evidence of disaffection and poor morale in the ranks. According to the document, commanders of all ranks and a number of units have faced opposition from personnel expressing dissatisfaction with the conduct of the special military operation in Ukraine. The main source of such information is the internet. The troops' internet use also presents, according to the posted document, an OPSEC challenge that the Russian army intends to address. They say in light of this, the Ministry of Defense, in conjunction with colleagues at the Center for Information Countermeasures, has decided to create an interagency commission for working with personnel on the internet, increase control of personnel and monitor changes in their moral and psychological condition. 

YouTube kicks Duma TV off its platform.


Dave Bittner: Reuters reports that Duma TV, the streaming service run by Russia's Parliament, has been removed from YouTube, which cited a violation of YouTube's terms of service as grounds for the expulsion. Google said in an email to Reuters, if we find that an account violates our terms of service, we take appropriate action. This frames the expulsion as a matter of compliance with applicable law, including sanctions against Russia.

Cyberattacks in Finland may be a shot across Helsinki's bow.


Dave Bittner: Bloomberg reports that on Friday, as Ukrainian President Zelenskyy addressed Finland's Parliament, websites operated by Finland's Foreign and Defense Ministries were disrupted by a distributed denial-of-service attack. The attack was over quickly, in about an hour. And while its timing suggests a Russian operation, Security Affairs says that Helsinki did not immediately attribute the attack to Russia. Finland's Ministry of Defense is investigating. Russia's war against Ukraine has made NATO membership attractive to some neutral European states, notably Finland and Sweden, both of whom NATO Secretary-General Stoltenberg said last week would be welcome in the alliance. 

CERT-UA warns of phishing campaign.


Dave Bittner: Ukraine's CERT has warned that a phishing campaign by the Armageddon threat group is targeting Ukrainian public authorities. The phishbait used is ironic but compelling - a document purporting to report Russian atrocities. The file has the lengthy and bureaucratic-sounding title - on cases of persecution and murder of Procurator’s Office officials by the Russian military in temporarily occupied areas. Armageddon is also known as Actinium, Gamaredon and Primitive Bear and thought to represent a unit of Russia's FSB. 

Hacktivists hit Russian organizations.


Dave Bittner: The Anonymous-associated group that styles itself Network Battalion 65, or NB65, has deployed compromised Conti ransomware code against Russian organizations. Bleeping Computer reports that the group is using the first leaked version of Conti ransomware. The group said in a statement that their expanded ransomware campaign is a direct reprisal for Russian atrocities at Bucha. Quote - "after Bucha, we elected to target certain companies that may be civilian owned but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning, we made it clear we are supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war, NB65 will stop attacking Russian internet-facing assets and companies. Until then, [expletive] them. We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs, have been hitting the West for years with ransomware, supply chain hits, SolarWinds or defense contractors. We figured it was time for them to deal with that themselves." 

Mixed reviews for US preemptive measures against GRU botnets.


Dave Bittner: A Bloomberg op-ed notes that last week's U.S. disabling of GRU command and control over malware deployed to corporate networks, while welcome as an aggressive defensive measure and while covered by U.S. federal warrants, was nonetheless a risky move precisely because of its aggressive quality. The operation involved entering corporate networks without their owners' knowledge or cooperation. The piece argues that what's remarkable about this operation is the decision to surreptitiously enter companies' computer networks. It's one thing to have the police show up to your house when you aren't at home to investigate and detain an intruder. It's another thing entirely to cart away the intruder and never tell you about it. While U.S. allies might not mind, corporations both foreign and domestic could be forgiven for being alarmed at the prospect of U.S. authorities secretly rummaging around in their computers, hunting for malware, even if it's for a good cause. One concern is that such actions could erode the public-private cooperation generally seen as essential to effective whole-of-nation defense against nation-state cyberattacks. 

Preserving digital records in Ukraine.


Dave Bittner: In what amounts to a massive backup effort, librarians are working to preserve digital records of cultural or historical importance to Ukraine, the Washington Post reports. Other digital archives are likely to prove important in the event war crimes charges are brought against Russian invaders and their commanders. WIRED describes the work of an attorney in Ukraine who's archiving social media posts that recount Russian atrocities in territories they fought over or occupied. 

Senior European Commission officials said to be targeted by spyware.


Dave Bittner: A Reuters exclusive reports that senior European Union officials were targeted by an unknown actor using spyware thought to have been developed by one of two Israeli vendors. Didier Reynders, since 2019 European Justice Commissioner, is the most prominent official believed to have been affected. A small number of staffers at the European Commission are also said to have been affected. The exploit used to deploy the spyware is thought to have been ForcedEntry. NSO Group denies that its products would have been capable of the exploitation reported. The other vendor, QuaDream, which is said to offer a virtually identical product, did not comment to Reuters. 

Sharkbot-infested apps ejected from Google Play.


Dave Bittner: Recent Sharkbot Trojan infestations tracked by Check Point researchers and earlier noted by NCC Group as representing a new-generation Android banking Trojan have been found in Android antivirus apps distributed through Google Play. Security Affairs reports that Sharkbot's code employs a geofencing feature to prevent it from executing in China, India, Romania, Russia, Ukraine and Belarus. Google has removed the malicious apps. 

What should you do when your shields are up?


Dave Bittner: What should you be doing when your shields are up? Well, if you see something, say something. During the current Shields Up condition, the U.S. Cybersecurity and Infrastructure Security Agency has released a brief crib sheet on how organizations should observe, act and report when they undergo a cyber incident. The kinds of activities CISA would like you to be alert for include unauthorized access to your system; denial-of-service attacks that last more than 12 hours; malicious code on your systems, including variants if known; targeted and repeated scans against services on your systems; repeated attempts to gain unauthorized access to your system; email or mobile messages associated with phishing attempts or successes; and, finally, ransomware against critical infrastructure. The emphasis is definitely on reporting. 

Rest in peace, Michael Murray.


Dave Bittner: And finally, we end on a sad note today. Our sincerest condolences go out to Scope Security, who lost their founder and CEO last week. Michael Murray passed away on April 6. May his family, friends and colleagues find consolation in their grief. 

Dave Bittner: Information sharing and analysis centers, better known as ISACs, are generally considered a success story in the security world, enabling members of industry verticals to collaborate and share relevant information on emerging threats. Neal Dennis is a senior threat intelligence specialist at Cyware, and he and his team have been instrumental in partnering with the Auto-ISAC to help share actionable intelligence for the automotive community. 

Neal Dennis: ISACs are what's called information sharing and analysis centers. They are kind of a legal conglomeration of sector-specific communities. This kind of came about in the '90s with some legislation around some fun things for information sharing and collaboration rights - so FS-ISAC being the old dogs in the room and then several others come out. But very industry-specific, vertical-specific. In this case with the Auto-ISAC, it can include things from the, you know, companies up in Detroit - you know, like Dodge, GMC, so on and so forth - all the way down to the manufacturers producing spark plugs and floor mats if you want to. But if you're in the auto industry as a whole doing something for the auto industry, you now have this sharing facilitator for you for cybersecurity and other things as well. 

Dave Bittner: Yeah. One of the things that strikes me about ISACs is that it's a way for folks who may be competitors to collaborate on this common task of making a safer community. 

Neal Dennis: Yes. Yeah, I love this. So I've worked in an ISAC prior, many years back. And I think that was one of the fun things to see just in general. To your point, on paper, at the stock market, wherever we're at, we're competitors. Obviously, we want to make the best product for whatever it is that we have - you know, best car, best truck, best spark plug, whatever it may be. But when it comes down to cybersecurity, people have really started to understand that this isn't a solo act. This isn't meant to be my company versus your company. People understand that if we're able to stop a threat at company A, we're also, hopefully, able to stop it at B, C and D. And so this is very much all about community involvement, noncompetitive nature, people coming together to make the security environment a much better place, thankfully. 

Dave Bittner: Where do you suppose this is going? I mean, it seems to me like ISACs have been established, and there's general consensus that they're a good thing. What's the next level here? Where do you suspect we're headed? 

Neal Dennis: ISACs have already had the opportunities to really share with each other, like the ISAC analyst to analyst, right? So I think the next step is really solidifying that effort. I see this a little bit in some of the communities there that I talk with where the analysts at, you know, Health-ISAC, the analysts at Auto-ISAC or wherever I pick an ISAC - they're all starting to come together on a regular basis. They're all starting to show the impact of community from their own side and not just trying to get their members to get involved. Right? So I think that's kind of step one. Their own interactions are bearing fruit. They're showing through action, not through words alone, what it means to do this and what it means to get involved in a community gathering like this. And I think that's where they're going. The other piece of this is, to make this more effective, the next echelons of information sharing need to be more focused on automation and more focused on machine-enabled information sharing to get out in front of whatever threats may be there. And, you know, whether they're as simple as an IP address or as complicated as trying to share TTPs and actual threat actor information, all of that needs to eventually find its way into a more machine-enabled sharing mentality with the humans coming in to discuss, you know, kind of more after actions and the insights around all that when they can, right? 

Dave Bittner: That's Neal Dennis from Cyware. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, always great to welcome you back to the show. Interesting thing you and your colleagues have had an eye on - you've been seeing some small ISO files that have been embedded in HTML pages. What's going on here? 

Johannes Ullrich: Now when you think about ISO files, you're usually thinking about DVDs, CDs - so fairly massive files. But really, all an ISO file is - it's a file system represented as one file, so they can get relatively small. What we have seen is where we had malicious emails that were HTML emails, so nothing really that exciting. But inside, there were links that redirected your browser to a page that then ran JavaScript - again, nothing really that special. And this JavaScript then dynamically created an ISO file using a Base64 encoded string that was embedded in the HTML. The size here was tens of kilobytes, so nothing really that large as far as HTML pages go. Most HTML pages are larger than that. But it bypasses a lot of protections that you may have in place. 

Dave Bittner: Yeah. I mean, is - do most systems regard an ISO file as being fairly benign? 

Johannes Ullrich: Exactly. That's - first of all, they regard it as benign. So you just download the file, and it now shows up as a disk image, just like any other ISO file would, on your system that you can mount by just double clicking it. Then you have access to these files. Where this gets interesting is your operating system - if you have a Mac or Windows, it will add what's called a mark of the web to content that you downloaded from the internet. On Windows, this mark of the web is applied only if you're using the NTFS file system because you need to have actually a way to sort of store this metadata with the file. But now you have an ISO file that you opened. That ISO file has another file system on it. So any file inside that ISO file - they will be considered safe and local. So your system doesn't necessarily realize that these files were downloaded from the internet. You may have heard - I think this week Microsoft announced that they will disable macros for a large part. And, of course, macros are one of the main ways how malicious code runs on systems. If you're loading a file from an ISO file like this, like a - if this ISO file contains an Excel spreadsheet, this mark of the web won't be applied. And this new security feature won't be applied to those files. So I'm pretty sure that whoever is behind Emotet or whatever it is these days is paying attention here and listening and is going to send you ISO files next. 

Dave Bittner: So how can we protect against this? Is there - should we be flagging ISO files in general? 

Johannes Ullrich: You probably should flag ISO files. The hard thing is, like, you would want to detect them in the download process. And that's difficult here with all the JavaScript obfuscation that's happening. On the system itself, you definitely want to monitor what's happening with ISO files. There are benign ISO files, of course, that you have to deal with but probably less so on your normal office worker workstation. On a home system, yeah, ISO files - and you'll often deal with them when you're dealing, like, with movie downloads and such. So it may be difficult to really distinguish a malicious one from a benign one. 

Dave Bittner: Yeah. All right. Well, interesting for sure. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks," where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.