The CyberWire Daily Podcast 5.3.22
Ep 1570 | 5.3.22

Hybrid war and disinfo from the swamp. Stormous hacks on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Notes on ransomware operations.


Dave Bittner: Hey, everybody. Dave here. Excited to let you know that we've added a great show to the CyberWire Podcast Network. Check out Devo's new podcast "Cyber CEOs Decoded," hosted by their CEO Marc van Zadelhoff. "Cyber CEOs Decoded" will bring you CEO-to-CEO conversations with leaders from established security giants to up-and-coming disruptors. This insightful show explores what makes cyber CEOs tick and the lessons they've learned from building cyber companies and sharing stories of success and failure in an ever-evolving technology landscape. Be sure to check it out.

Dave Bittner: Russia reroutes internet traffic in occupied regions of Ukraine through Russian services. The Stormous gang, hacking on behalf of Russia. Risks of DNS poisoning. Updates on Chinese cyberespionage campaigns. Our guest Chetan Mathur of Next Pathway finds similarities between the cloud industry and the 1849 California Gold Rush. Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue. And some more notes on ransomware operations.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 3, 2022. 

Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services.

Dave Bittner: Inside Defense reports that Microsoft foresees an increase in Russian attempts to conduct disruptive cyberattacks. Meanwhile, Russia has rerouted internet traffic in occupied regions of Ukraine through Russian services. The occupiers shut down the internet in Kherson over the weekend and then restored it by routing traffic through Russian infrastructure. Netblocks reports that "On 1 May, hours after the internet blackout in Kherson, regional provider Skynet (Khersontelecom) partially restored access. However, connectivity on the network has been routed via Russia’s internet instead of Ukrainian telecoms infrastructure and is hence likely now subject to Russian internet regulations, surveillance, and censorship."

The Stormous gang, hacking on behalf of Russia.

Dave Bittner: Trustwave has been tracking the activity of Stormous, a group largely unknown before Russia's invasion of Ukraine and which, since February, has announced ransomware attacks against Western targets. The attacks are designed to work in the interest of Russia by disrupting or otherwise discrediting Western brands, prominent companies and other organizations. An attack it claimed against Coca-Cola is representative - flashy and unconfirmed. Stormous has been received skeptically by the security industry, as many analysts regard them as scavengers of old leaks and not as exhibiting any genuine ransomware chops. They remind Trustwave of another wild-card outfit, Lapsus$. Trustwave says the group's motivating principles and behavior somewhat resemble the Lapsus$ hacker group, which targets entities mainly in the Western Hemisphere. Like Lapsus$, Stormous is quite loud online and looks to attract attention to itself, making splashy proclamations on the dark web and utilizing Telegram to communicate with its audience and organize to determine who to hack next.

Dave Bittner: While Lapsus$ seems to have been motivated by cash and cachet, the lulz and money, Stormous' motivations appear political. They say they are hacking in the Russian cause. And there's no reason not to take them on their word. But the group may have experienced a setback. Trustwave updated its report late yesterday and says the Trustwave SpiderLabs team has noted Stormous' underground website became inaccessible on April 29. At this time, it is not known why the site is down. We will continue to monitor for additional threat intelligence.

Update on the attack against Ukrposhta.

Dave Bittner: Security Scorecard has released a summary of its study of the distributed denial-of-service attack against Ukrposhta, Ukraine's national postal service. The attack seems to have represented a reprisal for Ukrposhta's issue of a stamp commemorating the Snake Island middle finger of defiance - Russian warship, go F yourself, and the subsequent destruction of the Russian warship in question, Black Sea Fleet flagship Moskva. Some of the key points Security Scorecard brings out include the attack lasted just over 16 hours and was launched by nearly 1,000 bots, which are now considered to be part of the Zhadnost botnet. The majority of the botnets were MikroTik routers located in Indonesia, Thailand and the Philippines. And the DDoS attack used DNS amplification, similar to previous Zhadnost attacks on Ukrainian government and financial websites in February. Ukrposhta was able to recover from the attack without undue difficulty. Security Scorecard thinks it sees signs that the Zhadnost botnet may be running out of resources. They say, SSC observes the first-time use of Russia-based bots and the re-use of Zhadnost infrastructure, a possible indication that Zhadnost is starting to exhaust its inventory of unique infrastructure.

DNS poisoning risk.

Dave Bittner: Nozomi Networks reports finding a vulnerability that affects the domain name system implementation of all versions of uClibc and uClibc-ng. This involves a C standard library widely used in IoT products. The vulnerability opens affected devices to DNS poisoning attacks. 

Updates on Chinese cyberespionage campaigns.

Dave Bittner: Sentinel Labs has been following the activities of Moshen Dragon, which they describe as a Chinese-aligned cyberespionage threat actor, operating in Central Asia. Moshen Dragon's approach is interesting, involving trial and error abuse of traditional antivirus products to attempt to sideload malicious DLLs. Another Chinese APT, variously called Lotus Panda, Override Panda or Naikon, has resurfaced. Cluster25 is tracking the APT's cyberespionage against ASEAN nations. 

Notes on ransomware operations.

Dave Bittner: Security Week reports that security firms see evidence suggesting links between the recently observed BlackBasta ransomware operation and the Conti gang. BlackBasta's high-profile victims have included Deutsche Windtechnik and the American Dental Association. Researchers at Minerva believe each BlackBasta sample is specially created for a specific victim, as a company ID is hardcoded into the ransom note as well as a public key.

Dave Bittner: And finally, Cisco Talos researchers have released the results of their study of leaked Conti and Hive ransomware gang chats. Both groups do extensive pre-attack research into prospective victims, and both gangs negotiate their demands and are quick to lower them, presumably on the proverbial grounds that half a loaf is better than none. Conti is hands-down the more professional of the two, with Hive exhibiting a crudely direct approach to extortion as well as slipshod opsec. 

Dave Bittner: The shift to the cloud is progressing full speed ahead, picking up momentum like a snowball rolling downhill. But for many organizations, particularly those with substantial legacy assets, cloud migration is not so straightforward. Chetan Mathur is CEO at Next Pathway, a company that helps automate organizations' cloud migrations. And he thinks the move to the cloud is not unlike a gold rush from days gone by. 

Chetan Mathur: I call it a revolution in technology, Dave. And specifically, what I mean by that is our clients and enterprises all over the world are realizing what an absolute benefit it is to migrate to the cloud. And I'll give you two examples of what the benefits are there. For the first time in our lives, we have literally unlimited computing power. And then also, we have unlimited storage capacity at a very cost-effective price. So it, to me, is the panning of gold and getting everything migrated over to the cloud, where people can literally save, you know, millions of dollars on infrastructure costs once they have migrated over to the cloud. 

Dave Bittner: Well, where do you suppose we stand right now? I mean, I think it's fair to say that we're a few years into this migration. How would you describe the state of things? 

Chetan Mathur: The state of things is very complex. I think we're in early years of migration. We've recently conducted a survey of 1,200 IT professionals around the world, and our data shows that only about a third of folks' enterprises around the world have migrated applications to the cloud. And I suspect that these are probably some of the easier ones. And therefore, I believe that the journey is going to be at least another five to seven years before we have completely migrated everything to the cloud, perhaps even longer. 

Dave Bittner: And what do you suppose is keeping people from jumping on the bandwagon? 

Chetan Mathur: Yeah, absolutely. There's a couple of things that we're finding, and these aren't criticisms. These are just facts of legacy systems that have evolved over 20, 30, 40 years in large financial institutions, perhaps, that are very complex and very intertwined. And so I use the analogy a bowl of spaghetti. So if you want to migrate something over to the cloud, you first have to understand what you want to migrate over because you certainly don't want to lift everything and migrate it over. That just doesn't make good business sense. It would be very expensive to do so and operating it. So unraveling the spaghetti, so to speak, Dave, is really the first and most complex problem in understanding the planning of your migration. Once that's understood, then clients can intelligently start to plan their migration journey over the next X number of years. 

Dave Bittner: I suppose any size organization, but particularly medium and large-sized organizations over the years, they've accumulated so much digital stuff that it has to be a little bit intimidating to even take something like this on. 

Chetan Mathur: Absolutely. And I think that the - I don't want to call it hesitation because I don't think it's hesitation. I think it's just good diligence and planning. I just think that folks have been trying to do that manually and is, as you can imagine, it would be very complex. And just to give you a quick statistic, we just finished a very large scan, a crawl of a financial institution, and we came up with over 30 million permutations and combinations on just a couple of their data warehouses, for example. So you can just imagine, if you were trying to do that in a manual fashion, there's just no way that you'd be able to do it. 

Dave Bittner: How do you dial in the things that can be and should be automated and the things that really deserve a closer look by, you know, a human to really, you know, figure things out on an individual level? 

Chetan Mathur: Yeah. If a client is - so there's two things that we do. We have this notion of what we call lift and optimize that I just mentioned, which is taking kind of exactly on an as-is basis, Dave, and migrating it over to the cloud. And those use cases are typically end of life of an appliance. I don't want to renew my licenses with whichever vendor's providing me that technology. However, there's also something called lift and modernize. And so in an example - a lift and modernize would be is if a client wants to build a completely new enterprise data model, for example. In that case, we would be looking at it, and there would be some more manual intervention into that, which is still - better parts of it are still automatable, but in the lift and optimize case, it could be nearly 100% automatable, where in the lift and modernize, it would be, you know, a little bit less than that. Just have to rethink the way that our clients would be wanting to create their new data structures on the cloud. 

Dave Bittner: That's Chetan Mathur from Next Pathway. 

Dave Bittner: A common challenge developers face is keeping meaningful communications open between various departments in the software development lifecycle. Eldan Ben-Haim is chief architect at software supply chain security firm Apiiro, and he makes the case that software supply chain security is largely an issue of corporate culture. 

Eldan Ben-Haim: The thing is that many software development shops have partitioning or, you know, siloed security organizations versus development organizations. And if you think about it, application developers, you know, they make tons of potentially security-impacting decisions every day. So, you know, taking application security and making it someone else's job is very similar to deciding that, you know, application performance or concurrency correctness, someone - is someone else's job. Now, in many teams, you would have a concurrency or performance expert, which is fine and helpful because they are like, you know, subject matter expert. But this does not mean that day-to-day development work can put aside information security and specifically application security. 

Dave Bittner: Where do we stand today when it comes to the siloing of those different groups? Is this recognized as being an issue, and are there efforts to break down those walls? 

Eldan Ben-Haim: I think that there are efforts to break those walls. I think some organizations have adopted an approach where there are, you know, security champions embedded in development teams, which is probably a step in the right direction. I think that there is some recognition of the notion that, you know, basic security training is something that developers should have. But still, I think that there's some way to go. I mean, I think that our expectations for developers, as far as security is concerned, are still lower than what they could be. I think that it makes sense to expect developers to understand method of operations of cybersecurity attacks and understand, you know, vulnerability types and their mitigations and understand all of these in depth. Obviously, we need to help them with this understanding by, you know, proper training and making this part of their day-to-day conversation in the development shop. 

Eldan Ben-Haim: In addition to understanding the attack methods and mitigation techniques, I think that it's important to nurture a culture where developers remain, you know, up to speed and they constantly consume news and state-of-the-art information about application security and cybersecurity et al. And then it's very important for development shops to - for developers - sorry - to gain a thorough understanding of the APIs and services and third-party services and products that they consume so that they understand their overall impacts on the system that they're designing. So Log4Shell is probably a very good example of what could go wrong if you did not take into account the full capabilities and consequences of the APIs and services that you're using. I'm talking about, you know, the Log4Shell thing versus the Java Runtime.

Dave Bittner: What about people who are going to resist this? You know, people generally don't like change, and they're used to doing things the way that they're used to doing them. How do we get those people to come along? 

Eldan Ben-Haim: People often get it when you explain the importance. And I have found, you know, the analogy of saying, you know, security is just part of the job as much as, you know, understanding concurrency or understanding performance or correctness is part of the job. We need to simply explain that, you know, just like it is now very clear to most developers that code without unit testing is incomplete because, you know, testing the code is simply part of the code, we need to make people realize that the same applies to application security. 

Dave Bittner: That's Eldan Ben-Haim from Apiiro. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.