The CyberWire Daily Podcast 5.6.22
Ep 1573 | 5.6.22

Victory Day approaches so shields up. Hackivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Happy Mother’s Day (and stay safe online).


Dave Bittner: An update on the war in Ukraine as Victory Day approaches. Hactivists in the battle space. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero trust architecture access policies. And happy Mother's Day but do stay safe online. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 6, 2022.

An update on the war in Ukraine as Victory Day approaches.

Dave Bittner: Monday is Russia's Victory Day holiday and an important informational milestone in the special military operation. As such, it would be prudent to expect an 11th-hour surge in Russian cyber and information operations.

Hackivists in the battlespace.

Dave Bittner: NSA's Rob Joyce, who heads the agency's cybersecurity directorate, expressed reservations about hacktivists taking an active role in warfare, including the present Russian war against Ukraine. Defense News quotes him as saying Wednesday at Vanderbilt University, I will tell you that the idea of the civil vigilantes joining in a nation-state attack is unwise, right? I really think it is. As you pointed out, it's illegal. But it's also unhelpful because one of the things we talked about is, we're trying to get Russia to take account for the ransomware attacks and hacks that come out of Russia and emanate. 

Raspberry Robin and a USB worm.

Dave Bittner: Security firm Red Canary is following some malicious activity it's calling Raspberry Robin, which distributes a worm that's often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim's user and device name. Red Canary also observed Raspberry Robin using TOR exit nodes as additional command and control infrastructure. Who the threat actor is and what their objectives are remain obscure. Red Canary said, to date, we've observed Raspberry Robin in organizations with ties to technology and manufacturing. Though, it's not yet clear if there are other links among victims. We have several intelligence gaps around this cluster, including the operator's objectives. While we don't yet have the full picture, we want to share what we know about this activity cluster so far to enrich collective understanding of this threat and empower defenders to identify this activity. 

A carefully operated credential phishing campaign.

Dave Bittner: Menlo Labs  describes a credential phishing campaign that uses malicious html attachments in the course of gaining access to corporate networks. The researchers classify the well-automated operation as a Highly Evasive Adaptive Threat able to evade many legacy security tools. The lures used are carefully tailored to the targets. Researchers at Menlo Labs say, we believe that the initial HTML attachments are created using a kit to automatically generate these HTML payloads. Menlo Labs' researchers spent a significant amount of time looking for the kit but were ultimately unable to locate it. They're interested in hearing from other researchers who may be able to offer insight. CISA has released an industrial control system security advisory affecting Johnson Controls' Metasys. 


Happy Mother’s Day (and stay safe online).

Dave Bittner: This Sunday is Mother's Day in the U.S. and other jurisdictions where the greeting card companies writ runs. And Trend Micro offers some timely advice on avoiding being scammed in the course of rendering annual honors to mater. They flagged three scam websites in particular and point out that they bear the usual marks of fraud - unusual payment methods, like wire transfers, and inappropriate curiosity about personal information, misspellings and non-standard usage, no genuine customer reviews and the infallible - by this shall ye know the scammer - deal that's too good to be true. So stay safe online. Mom would want that for you. 

Zero trust remains a hot buzzword in cybersecurity, generating great interest from some and eye rolls from others. Our U.K. correspondent, Carole Theriault, takes a closer look at zero trust architecture access policies. 

Carole Theriault: A zero-trust architecture is an approach where inherent trust in a network is utterly removed. So when you design a new system, instead of assuming that the network is a safe hub, you assume that it's hostile. And this makes sense. Just because you're connected to a network, it doesn't mean you should be able to access everything on that network. You see, it's common in cybersecurity breaches to see an attacker gain a foothold on a network and then move laterally. So for example, they might be able to get an employee's username and password and use this as a springboard to access sensitive data or vital services because everyone and everything already on the network has been marked as trusted with access to the rest of the network. In zero-trust architecture, the network is treated as hostile, so every request for data or service access is continually verified against an access policy. 

Carole Theriault: So what of this access policy? According to the National Cyber Security Centre or the NCSC, zero trust, by design, relies on a few elements. One is strong authentication. So this is unique, hard-to-crack passwords, multifactor authentication, that sort of thing. And then there's authorization. So once a person has been authenticated, what are they allowed to see and do? A third is device health, so this is looking for unpatched vulnerabilities or seeing if defenses are turned off or not present. And perhaps the most interesting is this fourth one - value of the data being accessed. So if you're looking up the definition of an acronym, this might be considered to be much lower in value than your corporate bank account details. 

Carole Theriault: So how did zero-trust architecture even come about, or why are people implementing it? Well, the answer ultimately, says the NCSC, came down to companies choosing zero trust out of necessity, often after an attack. So maybe zero trust is worth a look. And the NCSC has published guidance on zero-trust architecture for organizations, and I would agree it's a great place to start if you're unsure whether it's the right option for your company. Plus, all the information is free. So you know, why not? This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it is always great to welcome you back to the show. I wanted to touch base with you today on this whole notion of reflection amplification attacks, sort of get a little base-level understanding of what these are all about. Can you help us out here? 

Dinah Davis: Yeah. So they're basically two different types of attacks combined together to make a super attack - (laughter) - the way I like to call it. 

Dave Bittner: Not so super if you're on the receiving end of it, right? (Laughter). 

Dinah Davis: No. Very not super if you're on the receiving end of it. So basically, it's a technique that's going to allow attackers to both like, magnify the amount of malicious traffic they can generate and obscure where it came from. So - and this is most commonly used in a DDoS or like, a distributed denial-of-service attack, where you're trying to just overwhelm the victim with packets. 

Dave Bittner: Right. 

Dinah Davis: So the reflection attack basically is - the goal of that is to obscure the source of an attack. So what they do is they start sending a whole bunch of packets to a server, and they spoof where it's coming from. So they change the IP address of where it's coming from to something else so that it doesn't look like it's coming from them. And when we send mail, we put the to address and the return sender address on a piece of mail, right? And we assume that you're actually sending it from the return address, right? 

Dave Bittner: Yeah. 

Dinah Davis: Instead, what happens - if you wanted to like - if I wanted to, like, just make your house full of mail, I could send mail from all different places to a fake address and have the return address be your house. And all of this bad mail gets returned to your house. And you then get flooded with bags of mail of the, like, Miracle on 64th Street kind of, you know, visualization there, where Santa got all these - all this mail, right? 

Dave Bittner: Right. Right. 

Dinah Davis: And so it could have come from all over. You don't know. You don't know where this came from. They can't track it. The return address says your house, so it got sent back to your house. This is what they do with the IP address, right? So they send a request into a random server - OK? - somewhere, anywhere, and say, I would like access to this. And it pings back to the return address that you have put in there, which is not actually yours, and starts flooding that return address, OK? So that's a reflection attack. Basically, it's obscuring the ability to see where that came from because the return IP address is not the one it's supposed to be. It's the one that you're actually trying to attack, right? 

Dave Bittner: Right. OK, makes sense. 

Dinah Davis: OK. So then you have an amplification attack, right? So what this is, is trying to either send way more messages than possible or, with each message, sending huge messages, OK? So it's trying to amplify how much gets sent to the victim's, you know, address or servers and stuff like that, right? So yeah, you're generating a high volume of packets to overwhelm the target site. So how do they do this? Basically, they send requests to those servers using their nice, little reflection technique. That's going to result in a large number of replies or multiple replies. And this is often called the trigger packet. So we're sending this one. And then it's like, wait, what do we do with this? And maybe there's a vulnerability that then, you know, causes it to send 50 messages from that one message, like, oh, we have to check these - all these things because of this message that just came in. So not only are we spoofing it, but we're amplifying the attack by calling sites and things like that that are going to make it - make either the packets really, really, really big or send lots and lots and lots of packets. So attackers go looking for CVEs that can help them generate these amplifications they're looking for. And they combine those two together to create a amplification reflection attack. And the interesting thing that I saw, how I got into checking this out at all, was that in March 2022, attackers were able to leverage a vulnerability tracked as CVE-2022-26143. You know that one, right? 

Dave Bittner: Yeah. It just rolls right off the tongue. 

Dinah Davis: Yeah. And it was in a driver used by Mitel devices, OK? And so by using that CVE, they were able to get an amplification attack were the ratio was about 4.3 billion packets to one. 

Dave Bittner: I'm sorry. Billion with a B? 

Dinah Davis: Yes, billion with a B. 

Dave Bittner: Wow. 

Dinah Davis: Yeah. So that's what - I saw that headline. And I'm like, wow, this is interesting. Dave is going to want to know about this. 

Dave Bittner: (Laughter). 

Dinah Davis: And then I - so I did some research. But I found that incredible, incredible. So I've never really thought of looking at vulnerabilities before for just trying to DDoS people, like, vulnerabilities that help you flood somebody else's sites, basically. 

Dave Bittner: Yeah. Yeah. All right. Well, interesting stuff, for sure. And as you say, I mean, this is primarily focused on DDoS attacks. All right. Well, Dinah Davis, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's Research Saturday and my conversation with Tushar Richabadas from Barracuda. We're going to be discussing their findings detailed in their report, Threat Spotlight Attacks on Log for Shell Vulnerabilities. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.