The CyberWire Daily Podcast 5.20.22
Ep 1583 | 5.20.22

Is Conti rebranding? Commercial spyware scrutinized. Notes from the cyber phases of a hybrid war. Notes on the underworld. Software supply chain attack. Canada will exclude Huawei from 5G.


Dave Bittner: Was Conti's digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat with high confidence. Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets again. The Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. And Canada is going to exclude Huawei from 5G networks on security grounds.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 20, 2022. 

Was Conti’s digital insurrection in Costa Rica misdirection?

Dave Bittner: Conti's ransomware attack against Costa Rica, accompanied by calls for a general insurrection to force the government to pay its outsized ransom, may have been misdirection. BleepingComputer reports that Conti may be breaking into smaller gangs and rebranding itself in the process and that its noisy operation against Costa Rica may have been intended as a distraction. Researchers at Advanced Intel tweeted yesterday that, while some of Conti's public-facing sites, like the Conti News dump site and its negotiation portal, remain up, the group's Tor infrastructure has been shuttered. It seems to be a rebranding, not a retirement. And the splintering seems intended to escape the increasing heat Conti is feeling from Western law enforcement organizations. But the baddies behind the brand haven't gone straight, and they'll surely be back. 

Google assesses a commercial spyware threat “with high confidence.

Dave Bittner: Recent discussions and investigations of commercial spyware and its alleged abuse by governments and other actors have focused on NSO Group and its Pegasus product. But NSO isn't the only player in this field. Google's Threat Analysis Group yesterday outlined five zero-days in Chrome and in Android that have been employed against Android users. Google thinks the North Macedonian lawful intercept vendor Cytrox is responsible for creating the tools used to exploit the vulnerabilities. Google's Threat Analysis Group writes, we assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors, who used them in at least the three campaigns discussed below. Consistent with findings from CitizenLab, we assess government-backed actors purchasing these exploits are located at least in Egypt, Armenia, Greece, Madagascar, Cote d'Ivoire, Serbia, Spain and Indonesia." Companies like Cytrox deploy capabilities formerly achievable only by governments. But then if you look at the customer list, effectively, they're functioning as contractors. Google says, our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. Google thoroughly disapproves of the way this sector is doing business. They say, tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms. We look forward to continuing our work in this space and advancing the safety and security of our users around the world. 

Continuing expectations of escalation in cyberspace

Dave Bittner: Microsoft President Brad Smith, speaking yesterday in London at the Microsoft Envision conference, renewed calls for laws of conflict in cyberspace, Infosecurity Magazine reports. The rules he envisions are essentially transpositions of traditional jus in bello considerations, proportionality, discrimination and the avoidance of perfidy. They're nonetheless sound for being familiar. Smith sees the hybrid war in Ukraine as having lent new urgency to the development of international norms. The cyber phases of Russia's hybrid war have shown some correlation with kinetic operations, but less than many had expected. PCMag describes the ways in which cyber operations appear to have been conducted without close coordination with conventional forces. 

The limitations of an alliance of convenience.

Dave Bittner: China has generally supported Russia's invasion of Ukraine, but that support has limits. And Chinese cyber-espionage against Russian targets has continued. Security Affairs reports that a cyber-espionage group, Space Pirates, is targeting the Russian aerospace industry. Active since at least 2017, the group is believed to be associated with China-linked APT groups, including APT41, Winnti, Mustang Panda and APT27. Positive Technologies discovered the attacks in 2019, targeting a Russian aerospace enterprise. They've seen the malware reappear in 2020 against Russian government organizations and again in 2021 against another Russian enterprise. Positive Technologies stopped short of directly attributing the activity to Beijing, but circumstantial evidence points in that direction. Check Point has also observed the activity, and they're not reticent about either attribution or identifying victims. A report yesterday details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT. They think the activity bears significant similarities to earlier campaigns by Twisted Panda. The goal is evidently theft of intellectual property, and the choice of sanctions, as phishbait shows once again how quickly Chinese espionage actors adapt and adjust to world events, using the most relevant and up-to-date lures to maximize their chances of success. 

Fronton botnet shows versatility.

Dave Bittner: Fronton, a botnet allegedly built by a subcontractor of Russia's Federal Security Service, is much more versatile than initially thought, ZDNet reports. When the botnet was first exposed by a hacktivist group in 2020, its primary goal was presumed to be launching DDoS attacks. Now researchers at Nisos say  the botnet is more properly viewed as a system developed for coordinated, inauthentic behavior on a massive scale. Nisos explains that Fronton includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. 

Russian hacktivists hit Italian targets, again.

Dave Bittner: Late last night, Russia-aligned hacktivists of the Killnet group and its Legion affiliate hit another series of Italian targets, specifically websites operated by the Italian foreign ministry and its National Magistrates Association, Reuters reports. The group last week had conducted a similar operation against Italian organizations. Those were organized as retaliation for Russia's exclusion from the Eurovision Song Contest. The nature of the attacks hasn't been further specified. 

Lazarus Group undertakes new SolarWinds exploitation.

Dave Bittner: North Korea's Lazarus Group is exploiting the Log4j vulnerability to target unpatched VMware Horizon Apache Tomcat servers, BleepingComputer reports.. Researchers at ASEC observed the attacks last month, saying the attackers are deploying either the NukeSped backdoor or the Jin Miner cryptominer on the compromised servers. In the cases where NukeSped was used, the goal of the attack was assessed to be information gathering. 

Crypters in the C2C market.

Dave Bittner: IBM X-Force researchers have analyzed 13 crypters created by cybercriminal group ITG23 that have been used with malware by ITG23 and its third-party distributors. Crypters are applications that encrypt and obscure malware so that it isn't detected by antivirus software and malware analysts. One crypter has seen repeated use with the Qakbot banking Trojan, with one notable appearance with the Gozi banking Trojan. X-Force found evidence that ITG23 had been scaling up their crypter efforts by mid-2021, with some use by Emotet and IcedID malware, which suggests a possible link between ITG23 and Emotet and IcedID operators. 

CrateDepression supply chain attack.

Dave Bittner: Researchers at SentinelLabs describe a supply-chain attack against the Rust development community that they're calling CrateDepression. They write, the malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration pipelines. Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework Mythic. Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger scale relative to the development pipelines infected. The campaign appears to use some social engineering. SentinelLabs said, we suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain. 

Canada to exclude Huawei from 5G networks on security grounds.

Dave Bittner: And Reuters reports that Canada will join the other members of the Five Eyes in banning Huawei from its 5G infrastructure. Industry Minister Francois-Philippe Champagne said, we intend to exclude Huawei and ZTE from our 5G networks. Providers who already have this equipment installed will be required to cease its use and remove it under the plans we're announcing today. 

Dave Bittner: Marty Roesch is CEO of Netography, a network security company that's looking to take on the challenge of today's distributed dispersed networks and users - what they refer to as the atomized network. Before joining Netography, Marty Roesch was the founder and CEO of Sourcefire and, before that, the creator of the open-source project Snort. 

Marty Roesch: Well, actually, when I started writing it - this is back in late 1998 - I was just doing it as kind of a rainy days and weekends project. I was using it to monitor my home cable modem, and I was basically teaching myself security because, you know, back in the '90s, if you wanted to be in cybersecurity, you basically, you know, you taught yourself. So yeah, I was kind of just horsing around, and I eventually decided that I would release it as an open-source project just to see if anybody would use it. And maybe I thought I'd get a few emails, and it would be fun. And so no, I had absolutely no idea what was about to happen. And it just - you know, it absolutely exploded within the first - really the first year. It just completely took off. 

Dave Bittner: Yeah. And then that led to the founding of Sourcefire, and I suppose it's fair to say the rest is history. 

Marty Roesch: Yeah, pretty much. Yep. Two years later, I started Sourcefire. Snort had become so popular that I went to work for a startup. I got recruited to work at a startup on the kind of the power of being the guy who wrote Snort. And then I left there after not too long and found myself in a position that I was looking for a job. And, you know, Snort had gotten so popular that eventually, it kind of dawned on me that if I didn't figure out how to make money on this, somebody else would. So I decided to give it a shot. And I spent a few months thinking of business plans that might, you know, get people to want to pay for something that's free. And then I launched Sourcefire. 

Dave Bittner: Now, Cisco acquired Sourcefire back in 2013. And so you joined Cisco - I believe you were the chief architect of their security business group. What was that blending of companies like, and what was going on at Cisco at the time? 

Marty Roesch: So Cisco, you know, was getting pressure in the firewall world, specifically next-generation firewalls from some upstart companies like Palo Alto Networks. So they were looking to us to help them, you know, bring our great technology into their great organization and kind of have this very virtuous effect of, you know, taking our great stuff, pairing it with great Cisco technology and then, you know, selling it through the Cisco sales machine. I learned all sorts of really interesting things when I got there because, you know, it is such a big company, and it is such a big business. The firewall business alone was three times the size of Sourcefire's business when we got there. So it was... 

Dave Bittner: Wow. 

Marty Roesch: ...A little bit humbling. So it's really a fascinating place to work. 

Dave Bittner: Now, today, you are CEO of Netography. Can you give us some insights there? I mean, it strikes me that with the success that you had, you were probably in a position to be able to choose what you wanted to do next. What drove this decision? 

Marty Roesch: I started talking to Barrett Lyon, who's the co-founder and was the CEO of the company, a little over a year ago about joining the company. And, you know, yeah, I did have a lot of optionality, so I was trying to figure out if I wanted to join. You know, why Netography? Why would I want to join Netography? And what the company has built is this network metadata analysis platform. And, you know, that's a lot of big, juicy words, but what's it mean practically? Well, practically speaking, what we're able to do is we're able to take information from the network about the network and kind of figure out what you've got, what it's doing, what's happening to it, the attacks that we're seeing and the effects of attacks that are taking place in the network environment. And we do it without having to deploy any hardware or software. So what that means practically - if you think about network traffic, like, you know, envelopes with letters inside of them, the envelopes have addresses on them. They go from point A to point B. Then the computers open up the envelope and see - you know, read the letter. That's kind of the way packets on networks work, you know, kind of very basically. And the problem is that, you know, the letters are going to be encrypted. So we could still see the envelopes going back and forth, but we couldn't see what was inside them anymore. And, you know, that breaks Snort and a lot of other technologies like Snort when that happens. Well, one of the fundamental premises that zero trust is built on is we're going to encrypt everything out of the gate. And to decrypt it, you have to be authorized to be there. So that's one of the primary enforcement mechanisms for doing this. Well, that was really bad for anything that does the packet inspection because it effectively blinds it. So we knew about this back in the Cisco days, and I wrote a report shortly before I left the company about what happens if, you know, the networks go dark, as we called it. They become encrypted, and we can't really interpret what's going on in them anymore. And I basically had three conclusions. And one of them was you have to build a network metadata platform so that we can use the information that's still there on the network to tell us about the network. So that's what Netography does, and I was really intrigued by that. And then, you know, I started looking at the competitive picture, and I realized that all the competitors that were out there that were doing things similar to Netography were still on the old appliance architecture and the old deep packet inspection architecture, which meant, practically speaking, their days were numbered. So I saw a big opportunity there. 

Dave Bittner: You know, getting your start when you did - and I guess cybersecurity is one of those industries where, you know, the success of Snort starting back in the late '90s qualifies you as technically being an old-timer - what have you seen in terms of change? I mean, the professionalization of the industry - what are some of the things that strike you? 

Marty Roesch: Well, you can actually learn it in a university now. So that's... 

Dave Bittner: Yeah. 

Marty Roesch: That's new. You don't have to just teach yourself. It's still really good to sit down and get hands-on experience with, you know, how attack and defense work and, you know, how risk management works and policy and, you know, all the other pieces of the puzzle. So that's changed a lot, and it's been much more professionalized. The tools have gotten more sophisticated. The problem has gotten a lot harder, too, you know, because more and more stuff runs software these days. Every place there's software, there is opportunity for bugs that are security bugs, and it never goes away. In fact, it just gets bigger and bigger because the problem gets bigger and bigger as people, you know, deploy software and do all the other things that we like to do. As, you know, the Andreessen Horowitz guys say, software is eating the world. Well, that's like, permanent employment for security people. 

Dave Bittner: That's Marty Roesch from Netography. There's more to our conversation. In fact, you'll find extended versions of many of our CyberWire interviews over on CyberWire Pro on our website, 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "Stormcast" podcast. Johannes, it's always great to have you back. You know, you have been tracking some interesting goings on when it comes to some folks sort of targeting their phishing efforts toward some cryptocurrency folks. What's going on here? 

Johannes Ullrich: Yes. And good to be back here again. This is something that our volunteer handler Jan Kopriva ran into. And it's sort of a little bit a convoluted scam. It starts out kind of like you would a phishing scam to expect starting out. You get the link to a obviously fake crypto coin trading platform, but there's a little twist to it. You actually get a username and password to log in. The email states that they just transferred some money and, you know, to check out your account. Hey, here is your username and password. So it kind of looks like... 

Dave Bittner: Good news. Good news. (Laughter). 

Johannes Ullrich: Yeah. It's crypto, after all. Who cares about security? So... 

Dave Bittner: Right. 

Johannes Ullrich: And so far, it looks a little bit legit and kind of like one of those misrouted emails. So it really sort of appeals now to the greed of the recipient. And, of course, greed is always a very powerful motivator. After you log into this crypto trading platform, you'll notice there's actually some bitcoins in the account, and there is a feature that allows you to transfer that bitcoin amount into a checking account. Now, OK, what's next? You know... 

Dave Bittner: So far, so good (laughter). 

Johannes Ullrich: ...Let's click that button and see what happens there. 

Dave Bittner: Right. 

Johannes Ullrich: So you click the button. You want those bitcoins. But there is a little hitch here. While there's a pretty good amount of bitcoins in the account, something a little short of 30 bitcoins, they tell you, hey, we actually have like, a minimum amount that you need to withdraw, so - which is 30 bitcoins. And that's sort of where the scam now starts, where they're telling you, hey, you know, just top off your account, and we'll make sure you get those 30 bitcoins. So what are you going to do? They're giving a quick QR code we had sent the bitcoin to in order to top off your account. And off your bitcoins go, never to be seen again. 

Dave Bittner: So is there like - I don't know - 29.5 bitcoins in there, and you have to top off (laughter)? 

Johannes Ullrich: There's something close to it, yeah, because they want to make sure that the amount you need to top off is small enough where people typically have that sitting around their wallet. Like, you know, 30 bitcoins is, even at today's prices, still more than most people have sitting in their account. They also go initially through a little validation, very sort of transmit, like, .00001 one bitcoin - or at least they claim - to do verify that your account is working. So they make you jump through quite a few hoops here to get to your bitcoins but all kind of in an effort to make sure that you sort of stick with them. You actually give them a valid address later in order to transfer your bitcoins from. 

Dave Bittner: Now, if you are someone who's trying to make your way through this, if you look at the bitcoins that they're offering up as the lure, are they legit? Like, could you go look up and check to see, is this a real - is the lure that they're using, you know, a real source of some of these funds? 

Johannes Ullrich: I don't know if that bitcoin - actually, I doubt they exist. I doubt those bitcoins exist. I'm not sure if they actually give you like, the actual account ID, that sort of public key here where these bitcoins are sitting. 

Johannes Ullrich: Right. 

Johannes Ullrich: They obviously give you then a public ID as they're asking you for - to transfer the money. I haven't had a chance to look into that to see if that's - there's actually something short of 30 bitcoins in there... 

Dave Bittner: Yeah. 

Johannes Ullrich: ...Or how many people actually transferred money to it. That would be another interesting thing to look at. 

Dave Bittner: Yeah. No, it's an interesting technique for sure. I mean, obviously the suggestions here are to check yourself when you're feeling a little bit greedy, right? What else? 

Johannes Ullrich: Yes (laughter) Yeah, I think that's really it. It's one of these typical advance fee scams where the attacker wants a little bit money in order to give you a lot of money. And the lot of money you're supposed to get is, yeah, usually not there. And also, there's always this sort of little bit illicit part that sort of will prevent you asking for help from others to check whether or not it is valid. The - I compare it always to the good old parking lot scam where someone says, hey, they found this big wallet of money. For $50, they'll tell you where it is, kind of. Yeah. And people fall for that, as well, in the real world. 

Dave Bittner: Yeah. 

Johannes Ullrich: And so - and it's always greed plus that illicit aspect where it basically makes it less likely for people also to complain if they fall for it. 

Dave Bittner: Right, right, right. And they count on your embarrassment to not check in with law enforcement. All right. Well, Johannes Ullrich, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't miss this weekend's "Research Saturday" and my conversation with Yanir Tsarimi of Orca Security. We're discussing AutoWarp, critical cross-account vulnerability in Microsoft Azure Automation Service. That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.