A new loader variant for wiper campaigns. Sanctions, hacktivism, and disinformation. Conti’s toxic branding. Happy birthday, US Cyber Command.
Dave Bittner: There's a new loader identified in wiper campaigns. President Putin complains of sanctions and cyberattacks and vows to increase Russia's cybersecurity. Coordinated inauthenticity at scale, Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation-state levels. And happy birthday, U.S. Cyber Command. But we're not necessarily wishing you a moonshot for your birthday present.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 23, 2022.
New loader identified in wiper campaigns.
Dave Bittner: The GRU's Sandworm group has deployed a new version of its ArguePatch loader, ESET reports. ArguePatch had seen previous use in both Industroyer and CaddyWiper attacks against Ukrainian targets. The new variant of ArguePatch, named so by the Computer Emergency Response Team of Ukraine - that's CERT-UA - and detected by ESET products as Win32/Agent.AEGY, now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.
President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity.
Dave Bittner: Reuters reports that last Friday, President Putin complained to his Security Council that cyberattacks against Russia had increased. Mr. Putin also reprehended the way in which sanctions had affected the country's IT capabilities. Reuters says restrictions on foreign IT, software and products have become one of the tools of sanctions pressure on Russia. A number of Western suppliers have unilaterally stopped technical support of their equipment in Russia. President Putin says Russia needs to shore up its cyberdefenses. He put a bold face on the situation, as Mashable quotes him - "already today, we can say that cyber aggression against us, as well as in general the sanctions attack on Russia, have failed."
Russian disinformation in Ukraine.
Dave Bittner: Russian disinformation efforts against Ukraine have been both heavy and heavy-handed, in some cases using a playbook almost out of the 1930s. The New Yorker described them last week. Russian armored vehicles drove along Melitopol's central avenues with loudspeakers blaring, "The military-civilian administration of Melitopol, in order to prevent lawbreaking and to ensure public order, temporarily prohibits rallies and demonstrations."
Dave Bittner: In general, Ukrainian messaging has been more effective and internationally successful. Russian messaging has found principally a domestic audience, as Moscow's international isolation grows with the duration, brutality and incompetence of its war.
Coordinated inauthenticity at scale.
Dave Bittner: Coordinated, inauthentic behavior is a different matter. Many have seen the Fronton botnet as principally a tool for distributed denial-of-service attacks. While it certainly has that capability, it's more remarkable for its ability to create synthetic personae in social media and marshal them in campaigns that push specific lines of disinformation. The Russian FSB Security Service is believed to have purchased Fronton from a contractor, 0Day Technologies.
Dave Bittner: Researchers at Nisos have studied Fronton and found that its real novelty lies elsewhere - in its ability to push disinformation. The Fronton toolkit enables not merely an array of coordinated posts but also likes, reposts and comments. And it provides feedback on the effectiveness of its operations in achieving reach, currency and amplification, all of which can be used for the further tuning of disinformation campaigns. As the Hacker News points out, it's unclear whether Fronton has been used in active campaigns or whether it remains under development or in reserve, but the botnet's capabilities are interesting.
Killnet crows large over Italian operations.
Dave Bittner: The Wall Street Journal reports that even as Italian police sought to verify Killnet's claim of responsibility for attacks against various Italian websites, the Russian hacktivist group, or at least a nominal deniable hacktivist group, claimed in its Telegram channels to have killed Italy like a mosquito. And Anonymous has taken official notice in its decentralized anarcho-syndicalist way. Infosecurity Magazine, for what it's worth, reports Anonymous claims that it's declared war on Killnet.
Conti's dissolution doesn't mean its operators' disappearance.
Dave Bittner: AdvIntel on Friday described what they're observing with the Conti ransomware operation as the retirement of a brand but not necessarily the dissolution of a gang and almost certainly not the retirement of the gang's members. The admin panel of its shame blog Conti News has shut down. The blog itself persists as a shadow of its former self, but its posts are now merely poorly written anti-American screeds. There are no significant signs of Conti News' former role as a site that pressured victims to pay.
Dave Bittner: AdvIntel sees the gang's dismantling itself into smaller affiliates as a business move. Conti's brand was under pressure from law enforcement, and its public adherence to the Russian cause in the war against Ukraine seems to have made it more difficult to receive ransom payments. Its high-profile attack against the Costa Rican government then seems to have been misdirection for spin-out and rebranding as opposed to a serious attempt to foment insurrection.
Dave Bittner: Breaking into smaller groups has both business and security advantages as the Record observes, but AdvIntel sees the root cause of Conti's decision in the toxicity the brand has developed. They say this situation presents the first and foremost reason for Conti's timely end - toxic branding. Indeed, the first two months of 2022 left a major mark on the Conti name. While there is no tangible evidence to suggest that the well-known Conti leaks had any impact on the group's operations, the event which provoked the leak, Conti's claim to support the Russian government, seems to have been the fatal blow for the group despite being revoked almost immediately.
Dave Bittner: Conti alumni will, no doubt, however, continue to enjoy the toleration and enablement that the Russian government has long extended to privateers operating from its territory. As long as they hit enemies of the regime and stayed deniable, the gangs will be permitted to profit.
Dave Bittner: Why did Conti choose Costa Rica for its last hurrah? The country was a target of opportunity, TechCrunch explains. Its online services were wreckable, and there was money to be made from wrecking them. And so Conti wrecked them.
Happy birthday, US Cyber Command...
Dave Bittner: Cyber Command dates its founding to May 21st, 2010, when two task forces merged under U.S. Strategic Command. Since then, it's grown into a full-spectrum combatant command. So happy 12th birthday to U.S. Cyber Command.
...but we're not necessarily wishing you a moonshot for your birthday present.
Dave Bittner: A Newsweek op-ed last week called for a Manhattan Project for Cybersecurity. The gist of their argument is much like the World War II-era Manhattan Project, which ensured the U.S. won the race to nuclear weapons - we should confront our current dangerous moment by launching a cyber Manhattan Project to make revolutionary leaps ahead in cyberspace, understanding that complete technical overmatch against our adversaries is the surest path to deterring bad actors. The metaphor has been used before, along with the similar moonshot or Project Apollo metaphors.
Dave Bittner: The op-ed, while it offers a thoughtful account of cyberthreats that pose considerable risk to national well-being, has come under criticism from, among others, the Washington Post's Cyber 202, which finds the central metaphor wayward and unhelpful. The Post doesn't put it quite this way, emphasizing instead that spending on cybersecurity probably already outstrips General Groves' budget and that ordinary human error plays a prominent, perhaps dominant role in cyber risk.
Dave Bittner: But consider - both the Manhattan Project, which developed the first nuclear weapon during World War II, and the Apollo program, which put a human being on the moon in the 1960s, were directed at the solution of large, difficult, complex but fundamentally unified problems. One knew, with no ambiguity, whether Fat Man worked when it was detonated. One knew beyond any reasonable doubt that Apollo 11 had reached the moon and that Armstrong and Aldrin had walked there. Cybersecurity is also a complex problem, but it - like, say, the problems of crime or war or perhaps cancer - is not fundamentally unified in this way. The Greek poet Archilochus is said to have written, "A fox knows many things, but a hedgehog knows one big thing." Moonshots and Manhattan Projects are hedgehogs' problems. Cybersecurity is for foxes.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, it's always great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: You know, there's a trend that I have been tracking in the news these past couple of years. And this is where both marketing people and tech leaders alike have started to add this one little tech phrase to everything. And it's...
Rick Howard: (Laughter) Yeah...
Dave Bittner: ...Software-defined.
Rick Howard: Yeah.
Dave Bittner: Software-defined - so we've got software-defined networking, software-defined storage, software-defined data centers. And it kind of takes me back to the old days when Apple started putting the letter i in front of everything.
Rick Howard: (Laughter) I do remember.
Dave Bittner: They had iPod, iMac, iPad, and then other Silicon Valley companies started doing the same thing. I mean, in fact, you actually worked for one of those companies...
Rick Howard: I did.
Dave Bittner: ...iDefense from back in the day, right?
Rick Howard: Yes, I did.
Dave Bittner: So I say all of that to bring us to this, which is that you are talking about one of these specifically on this week's "CSO Perspectives" podcast, which, of course, is over on the Pro side of the CyberWire. And this is software-defined perimeter.
Rick Howard: Yep.
Dave Bittner: Now, what does that mean, all of these software-defined things? Do they all work the same?
Rick Howard: Well, you know, in general, yes - OK? - because as the cloud has become the place where we all do the bulk of our work these days - you know, as opposed to the way we used to do it, say, before 2010, when we all had big iron tucked away in data centers that we had to manage ourselves with network managers and IT managers running around. You know, they had to manually configure everything.
Dave Bittner: Like animals.
Rick Howard: Like the beasts that they are.
Dave Bittner: Right. Right.
Rick Howard: And I used to be one, so I appreciate that.
Dave Bittner: Yeah.
Rick Howard: So - but when we hear the phrase software-defined, that generally is marketing speak for services running out of the cloud somewhere and being controlled by software. But it does cause some confusion, especially for what we're talking about this week - software-defined perimeter - because this architecture is not about perimeter defense at all in the classic sense. In fact, I would say that the architecture completely demolishes the perimeter defense model altogether, and it's probably the most innovative and important zero trust and identity management tactic that most of us have never heard of, right? So for this "CSO Perspectives" episode, we're going to break out the Rick the Toolman toolbox, explain how everything works and discuss why it's superior to anything we have seen so far since the early 1990s.
Dave Bittner: All right. I look forward to that. Before I let you go, what is the word of the week on your "Word Notes" podcast?
Rick Howard: Yeah. For this week, we're talking about identity orchestration, which is kind of a subset of the notion of security orchestration, which is all of those things we have to do to manage and maintain all that stuff we have in the security stack. And I know that's a mouthful, but it turns - you know, it's just the way it is with the cybersecurity dudes around here.
Dave Bittner: Yeah. Yeah. Yeah.
Rick Howard: So it turns out, though, if you're serious about deploying a zero-trust strategy, then identity and access management is the key and essential piece to get it right. So in this episode, we discussed the current state of managing all of that identity and access infrastructure in the most efficient way.
Dave Bittner: All right. Well, Rick Howard - he is the chief security officer and chief analyst here at the CyberWire. But more importantly, he is the host of "CSO Perspectives," part of CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it's always great to welcome you back to the show.
Dave Bittner: You know, we've been tracking ransomware groups, of course, and one of the things that strikes me about them is the ever-increasing amount of sophistication with which they operate. I mean, it seems to me like, you know, they are really - many - some of them, it's fair to say - that they're on par with some of the nation-state actors out there. What's your take on this?
Dinah Davis: Yeah, for sure. This year, I really got into learning more about zero-day vulnerabilities. I read the book "This is How They Tell Me the World Ends: The Cyberweapons Arms Race" by Nicole Perlroth. And it's really good - really, really good. And, you know, when she wrote that book, a lot of, you know, talking about zero-days and who would buy them - it was all nation-states, right? And just to take a step back, you know, a zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has any idea, OK? So it's very popular for a nation-state to use this to spy. So they want to assume, you know, people are all - countries are all using very common software - you know, Microsoft or iPhones, Google Cloud, whatever. And if they can find a vulnerability in one of those things and spy with it, then that's really good for them, right?
Dave Bittner: Right.
Dinah Davis: But we've seen this huge uptick on ransomware, right? And these ransomware gangs are starting to make some serious amount of money. And they want more and more ways so that they can deploy their ransomware into different systems. And what we're finding is that they are now becoming as big of a buyer of these zero-day vulnerabilities as nation-states. Previously, they would never have been able to afford them, right?
Dinah Davis: I found some interesting information there that a company called Zerodium, who's a zero-day vendor - they actually sell zero-day bugs or vulnerabilities - they have a standing offer to pay $2.5 million for any zero-day that gives hackers control of an Android device. So, like, that's just - you know, that's for one hack. If you have that - and here's the thing. They have to make a profit on that. So they're going to buy that from some hacker and then sell that at a higher price, right? So it gives you an idea of how much a lot of these zero-days can cost. So - and then it always is going to come back to ROI, right? What's your return on investment? And, like, sadly, it seems like the ransomware gangs are getting pretty high ROIs here if they're spending that much money on it.
Dave Bittner: Yeah. Yeah. I mean, it's not the kids in the basement anymore just banging away on their keyboards. I mean, these are sophisticated groups with sophisticated tools.
Dinah Davis: Yeah, yeah, exactly. And so, you know, you want to look to prevent yourself from being attacked from these. It's going to be, you know, the same thing over and over - patch, patch, patch, patch and multi-factor authentication and train your people. It's the same mantra always.
Dave Bittner: Yeah, yeah, absolutely. All right. Well, Dinah Davis, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliot Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow.