The CyberWire Daily Podcast 5.13.22
Ep 1578 | 5.13.22

War crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). A backdoor for Roblox. Darkweb C2C trader sentenced. eBay newsletter conspirator pleads guilty. CIA gets a CISO.


Dave Bittner: Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyber-espionage. Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. A dark web C2C trader's been sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google's new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 13, 2022. 

Ukraine holds its first war crimes trial.

Dave Bittner: A captured Russian soldier has been placed on trial by Ukrainian authorities for the shooting of a civilian in the early days of the war. He's described variously in the press as a commander, even a tank division commander. But he's a 21-year-old sergeant, a tank commander, which makes him a vehicle operator, barely a leader at all. And note that a sergeant in the Russian army does not have the authority or discretion that sergeants, even young ones, are commonly entrusted with in Western armies. 

Dave Bittner: According to Deutsche Welle, the accused soldier's unit was fleeing Ukrainian forces east of Kyiv. His tank disabled, the soldier is said to have fired at, stopped and stolen a civilian car. As they were driving away seeking safety, the soldier is said to have shot and killed a 62-year-old man to prevent him from revealing their position. The soldier is said to have acknowledged the killing, but has yet to enter a plea. He's quoted as saying, "I was ordered to shoot. I shot one round at him. He falls, and we kept on going." It's not known who ordered him to shoot or how the order was received. 

Are there war crimes in cyberspace?

Dave Bittner: We open with this discussion because it establishes a context for a movement to hold Russian operators accountable as war criminals for their actions in cyberspace. The casual murder of civilians is obviously a war crime, and waging aggressive war is a recognized crime against peace. But what about cyberattacks? Under what conditions might a cyber operation constitute a war crime? 

Dave Bittner: WIRED reports that the Human Rights Center at UC Berkeley School of Law has formally requested that the Office of the Prosecutor for the International Criminal Court in The Hague consider prosecuting the GRU's Sandworm group for war crimes. Those crimes weren't committed during the present war, however. The alleged crimes were the December 2015 targeting of electric utilities in Western Ukraine and the 2016 takedown of portions of the grid around Kyiv, affecting hundreds of thousands of civilians. 

Dave Bittner: The Human Rights Center is interested in bringing cyberspace under the scope of international law and in securing recognition of cyberspace as a fifth domain of warfare. The GRU's two cyberattacks are attractive cases for such purposes because they're well attested and unambiguously attributed. They also had a clear kinetic effect. They disrupted power distribution in portions of Ukraine. And finally - and this is the most important for the laws of armed conflict - the attacks were indiscriminate, not directed against a military target, but instead directed against an essentially civilian population. 

Dave Bittner: The extension of international law to cyberspace and the deterrent effect this might have on other state actors are the goals of the Human Rights Center's request. Given that the Sandworm hackers have already been indicted under domestic law, including U.S. law, and have a price on their heads, as far as the individual operators are concerned, an ICC action would amount to making the legal ruble bounce. But the Human Rights Center is seeking to establish a principle. 

Iranian cyberespionage (and a possible APT side-hustle).

Dave Bittner: Fortinet describes a spearphishing effort against Jordanian diplomatic targets that was evidently conducted by Iran. The lure is a familiar "please acknowledge receipt of this document" come-on. But the payload is more sophisticated than the usual run of criminal phishing. The Excel macro in the phish hook may have been accompanied by anti-analysis features. The malware itself slept for 6 to 8 hours, and the attackers used DNS tunneling for command and control. Their three command-and-control servers were also used unusually intelligently. Two of them were tightly controlled and were brought up only at specific times. The third server was apparently used for misdirection to make attribution more difficult. Fortinet thinks the campaign was run by APT34, also known as Helix Kitten, an Iranian government-directed threat group. Another Iranian threat group, APT35 or Charming Kitten, has been, according to Hacker News, actively conducting ransomware attacks. The activity cluster is tracked by Secureworks as Cobalt Mirage. Two series of attacks are reported. One uses BitLocker and DiskCryptor for financial gain. The other, while it also deployed ransomware opportunistically, is directed principally toward gaining access to and collecting intelligence from espionage targets. 

Roblox seems to have been used to introduce a backdoor.

Dave Bittner: Avanan reports that a Trojan file hidden within a legitimate scripting engine that's used for cheat code is affecting users of the popular gaming platform Roblox. The tool, Synapse X, installs an executable file that installs library files into the Windows System folder, giving the program the potential to break applications, corrupt or remove data or send information back to the hacker. Synapse X has legitimate uses, but in this case it's serving as a dropper, and one of the files it's dropping is a backdoor. The evident goal is to use Roblox as a way into networks of interest. It's not simply a hack designed to annoy gamers. 

CISA issues ICS advisories.

Dave Bittner: CISA yesterday released an unusually large number of industrial control system (ICS) advisories.

Darkweb C2C trader sentenced.

Dave Bittner: The U.S. attorney for the Middle District of Florida has announced the sentencing of Glib Oleksandr Ivanov-Tolpintsev, a resident of Chernivtsi, Ukraine, to four years in federal prison for conspiring to traffic in unauthorized access devices and computer passwords. He's also been ordered to forfeit the $82,000 he earned through his crimes. Polish authorities arrested the suspect on October 3, 2020, and subsequently extradited him to the United States. He copped a guilty plea on February 22 of this year. It's a small but noteworthy blow against the C2C dark web markets. Most of his criminal customers were interested in ransomware attacks and tax fraud. They'll now need to shop elsewhere. 

The last conspirator in the strange case of the eBay newsletter takes a guilty plea.

Dave Bittner: Reuters reports that David Harville, formerly eBay's director of global resiliency, has taken a guilty plea to five counts of conspiracy and stalking. He is the last of seven former eBay personnel to admit wrongdoing in the very strange case of stalking. The victims were a mom-and-pop e-commerce newsletter, EcommerceBytes, run from Natick, Massachusetts, whose observations about eBay, nothing particularly harsh or out of the ordinary for online reviews, for some reason became a burr under the online auction giant's saddle. The entire affair is very difficult to understand. Were the perpetrators so caught up in the little theater of their imagination that they lost the self-awareness that would have led them to see that what they were doing was criminal? 

CIA gets a CISO.

Dave Bittner: And finally, to turn from crime and end on a high note, congratulations to Rich Baich, CISO at AIG, who has agreed to return to government service. He'll be assuming duties as the Central Intelligence Agency's chief information security officer and director of the office of cybersecurity. Our best wishes for a successful tour of duty. 

Dave Bittner: It's fair to say that for many of us, our mobile devices are taking an ever-increasing percentage of the time we spend online and even tending to day-to-day business tasks. With that being the reality, the security of those devices is of paramount importance. Mary Writz is vice president of product strategy for consumer identity at authentication technology provider ForgeRock. 

Mary Writz: Twenty-one percent of millennials open one of their mobile apps 50 times a day. The rest of us open them up about 11 times a day. But our lives are just moving online. And organizations are more susceptible to cyberattacks as they shift their operations to adjust to that digital world. 

Dave Bittner: So where do we stand in terms of what's available to us in terms of, you know, authentication on those mobile devices? 

Mary Writz: So you basically have two options if you want to make it more secure than just a username and password. So you can go with MFA or you can go with true passwordless authentication. And both of those will reduce your risk, about 99.9% of the attacks. The big attacks are account takeover attempts, phishing, man-in-the-middle attacks, that type of thing. MFA and passwordless. And there's some pros and cons with this. 

Dave Bittner: Well, let's dig into each of those. Can you give us a little bit of a rundown? 

Mary Writz: Yeah. MFA is the most understood. You know, MFA is a countermeasure. It doesn't reduce the likelihood of an attack, but it lowers the impact of phishing, brute force, credential stuffing. And so when you think about MFA, think about one-time passcodes to your cell phone or your email or like a push notification that comes into your phone. So these are things that validate that you really are who you say you are. 

Dave Bittner: And then in terms of, you know, biometric verifications, I think most of us are familiar with things like face ID or touch ID and the, you know, the equivalents on the various platforms. 

Mary Writz: Yeah, biometrics are becoming much more popular. And they're great because the form factor is so easy to use. What's interesting is the security under the hood when you use them can vary from mobile application to mobile application. So the premier gold standard is FIDO WebAuthn, which is where you can remove, you know, passwords altogether. 

Dave Bittner: And in terms of that being available to people, where do we stand? 

Mary Writz: It's ubiquitous in its support in both the device and the browser. And again, it's the strongest form of authentication. And it's a really nice form factor. It's just your face or your finger. The adoption is coming along. It's increasing. But I will say, when it comes to adding authentication that's both safe and simple, different demographics have different preferences. So I think what we see enterprises doing right now is kind of defaulting to MFA and starting to move closer and closer to passwordless over time by first introducing it as an option. 

Dave Bittner: Yeah, that's fascinating. And so for those folks who are out there who are app developers, who are looking to include these sorts of things in the programs that they're working on, how should they go about doing that? I mean, what are your recommendations? 

Mary Writz: It's a great question because authentication is something that's really important to get right. And it's hard to make sure all of your app developers understand the intricacies and nuance of how authentication works. So the easiest way, you know, is to use a vendor like ForgeRock who can provide an SDK to embed those options into your application really easily. So then you could embed your MFA options or a passwordless option right into your app, just being assured that it's installed and configured the right way. 

Dave Bittner: You know, there's a lot of talk about supply chain issues. And so, I mean, I suppose there's give and take there, right? I mean, on the one hand, you can trust a third party to provide that service for you. But on the other hand, now you need to be concerned about what they're doing behind the scenes themselves. 

Mary Writz: Yeah, the supply chain right now is currently the weakest link. And when we look at a lot of these attacks, MFA was not in place, and MFA would have dramatically improved. So that's a first place to look. And, you know, it needs to be a part of the requirement. When you look at your supply chain, you need to require that they use MFA in order to authenticate into your systems at very minimum. 

Dave Bittner: That's Mary Writz from ForgeRock. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: You may have noticed that after the GDPR went into effect, we all started seeing more pop-ups regarding website cookie policies. Whether or not that's a direct effect of GDPR is arguable, but there's no doubt cookies play an important role in online privacy. So when Google announced they were updating their approach to handling cookies in the EU, that caught the attention of our own Carole Theriault. 

Carole Theriault: Last month, Google announced changes on how it makes use of cookies in Europe. You listeners outside Europe might not know this, but for more than a decade, if you visited a website from Europe, you would typically see a cookie consent banner. Now, cookies, as we know, help sites remember information about your previous visits, so they can do things like display text in your preferred language, deliver stuff appropriate to your geography, remember previous actions. They grease the wheels during a service request. The problem is that it caused a bit of a privacy fracas. What if users don't want a website to grab this info without their consent? And over a decade ago, Europe agreed. And the European cookie consent banner was born and mandated, meaning that when a European-based user opened a website, they had to be presented with a choice to allow or deny the cookies from tracking them. And Google complied, well, kind of. Google allowed users to accept all tracking cookies with a single click, but it forced people to click through various menus to reject them all. Basically, they had greased the wheels for acceptance and made it complicated and annoying for those that wanted to block the cookies. This asymmetry was unlawful, said CNIL, France's data protection agency, steering users into accepting cookies to the ultimate benefit of Google's advertising business. It was so awful that CNIL fined Google 150 million euros, or $170 million, for deploying confusing language in cookie banners. And $170 million may sound like a steep fine, but it is really a teeny-tiny drop in Google's financial ocean. Yet they decided to play ball. To remedy this, writes Google on its blog, Google's new cookie banner gives clear, balanced choices: reject all, accept all, or more options. This new menu will appear on Google Search and YouTube if users are not signed into an account. "We've kicked off the launch in France and we will be extending this experience across the rest of the European Economic Area, the U.K. and Switzerland," wrote Google in a blog post announcing the changes. Now, between you and me, Google is a pretty big fish. But there are quite a few other sizable fish out there that have followed in Google's data-snarfling shoes and are currently massaging their cookie banners to obfuscate the reject all options. To you I say, take heed. It is only a matter of time before you are in the EU's data protection headlights. And the fine may not seem like chump change to you. This was Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't miss this weekend's "Research Saturday" and my conversation with Dr. May Wang from Palo Alto Networks. We're discussing their research "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization." That's "Research Saturday." Do check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.