The CyberWire Daily Podcast 5.25.22
Ep 1586 | 5.25.22

More cyberespionage in Russia. Advice on conducting propaganda. Iranian group conducts DDoS against Port of London Authority. News from the underworld. CISA alerts. Operation Delilah.


Dave Bittner: More cyberespionage targets Russian networks. Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin. A politically motivated DDoS attack hits the Port of London Authority website. Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors? RansomHouse may be operated by frustrated bounty hunters. Kevin Magee from Microsoft sets his security sights towards space. Our guest is Mathieu Gorge of VigiTrust to discuss the threat of printer hacks. And Operation Delilah trims SilverTerrier's locks.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 25, 2022. 

More cyberespionage, probably of Chinese origin, targets Russian networks.

Dave Bittner: Malwarebytes researchers have posted more information on a cyberespionage campaign being run against Russian organizations. The operation implants a remote access Trojan via phishing emails. The phishbait is a bogus security alert, and the emails caution recipients not to open or reply to suspicious emails, which seems a nice touch. A number of recipients appear to have been in the Russian media, notably working at RT TV. Malwarebytes is cautious about saying who's behind the campaign. There are some signs that point to Deep Panda, but there are also code overlaps with TrickBot and BazarLoader, and other weak indicators pointing to the Lazarus Group and Tropic Troopers. But some or all of these could be incidental or even deliberate false flags. The researchers conclude, attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used, we assess with low confidence that this group is a Chinese actor. 

Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin.

Dave Bittner: Mike Madrid and Ron Steslow, co-founders of the anti-Trump Lincoln Project, which they exited as the group became fractious, are talking with Ukrainian officials about propaganda techniques that might work against authoritarians like Russia's President Putin. According to Newsweek, they're not taking money from Ukraine but are simply discussing a campaign of mutual interest. Madrid and Steslow see the central weakness of an authoritarian regime as its dependence on an image of intimidating competence. The way to beat these guys is to humiliate them, to turn them into a jester, turn them into a clown, they advise, and say it's a mistake to portray an authoritarian leader as demonic. Better to show them as a maligned Bozo than Milton's Satan. Or, if you prefer Martin Luther's advice from his table talk, the best way to drive out the devil, if he will not yield to texts of scripture, is to jeer and flout him, for he cannot bear scorn. 

Politically motivated DDoS attack on Port of London Authority website.

Dave Bittner: An Iranian group has claimed responsibility for a distributed denial-of-service attack that interfered with the Port of London Authority's website. The authority acknowledged the incident but said that operational systems were unaffected. The group that said it was behind the attack, the ALtahrea Team, is a nominally hacktivist group, HackRead says, that operates under the direction of the Iranian government. 

Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors?

Dave Bittner: Akamai reports that one of its clients has fallen victim to a distributed denial-of-service attack at the hands of a threat actor claiming to be REvil. The attack contains a wave of HTTP/2 GET requests with demands for payment embedded in them, as well as a Bitcoin wallet. The attached Bitcoin wallet, however, has no history and no connection to REvil. Researchers noted that this attack seems smaller in scale than most REvil attacks and seems to have a political purpose, which is something not seen before with the group. It's also a DDoS attack, which is outside the old REvil playbook. REvil had been known for its ransomware-as-a-service offerings in the C2C market. Akamai thinks there are a number of possibilities here. Either the operation is an impostor trading on REvil's remaining reputational equity to spook its victims, or it's REvil revived, back and looking into new approaches to crime. Or perhaps it's a splinter group of REvil alumni getting part of the band back together. In any case, the recent attacks and the techniques they display bear watching. 

RansomHouse may be operated by frustrated bounty hunters.

Dave Bittner: RansomHouse, a new extortion gang, skips the data encryption customary with conventional ransomware operators and extorts victims by data theft and the threat of doxing. Researchers at Cyberint, who have been tracking the group, note that it claims an elevated purpose. RansomHouse objects to the way organizations don't devote enough resources to security and hopes to shove them in the direction of better practices. RansomHouse also objects to what it views as a cheapskate tendency with respect to bug bounties, and this suggests to Cyberint that the members of the gang may be frustrated bounty hunters, white hats gone bad. Cyberint says, throughout their entire introduction process, RansomHouse sees themselves as the ones who do what's right and makes excuses such as, the organizations are the ones to lead us to these actions, as they are avoiding taking any responsibility. RansomHouse is practically forcing penetration testing services on organizations that never used their services or rewarded bug bounties. And once they find any vulnerabilities, they fully exploit them to steal as much sensitive data as possible. Ironically, RansomHouse announced on their Onion site that they are pro-freedom and support the free market. But on the other hand, they punish organizations that choose to not invest in their protection systems.

CISA advisories, and updates to the Known Exploited Vulnerabilities Catalog.

Dave Bittner: Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency issued four industrial control system security advisories. And for immediate action by U.S. federal civilian executive agencies, CISA yesterday added 20 issues to its Known Exploited Vulnerabilities Catalog, joining the 21 vulnerabilities added Tuesday. The agencies CISA oversees are expected to scan for and fix the vulnerabilities and to report completion by June 14 and June 13, respectively. 

Operation Delilah trims SilverTerrier’s locks.

Dave Bittner: And finally, a joint operation by Interpol and the cybercrime unit of the Nigeria Police Force has concluded a year-long investigation into the SilverTerrier business email compromise gang by arresting the man they believe is the gang's leader. The investigation, which the police called Operation Delilah, was assisted by three private companies, Palo Alto Networks, Group-IB and Trend Micro. Palo Alto's Unit 42 blog provides some interesting perspective on how closely and relentlessly the investigators tracked the unnamed suspect's activities. Emailed comments from Group-IB highlighted the benefits of public-private cooperation in breaking cybercrime cases. The company's CEO, Dmitry Volkov, said in a statement, prompt threat intelligence sharing, private-public partnership and effective multi-party coordination by Interpol's cybercrime directorate were crucial to the success of the operation. Congratulations to Interpol, the Nigeria Police Force, and their private sector partners. And may you make many additional collars.

Dave Bittner: For nearly as long as there have been computers in business settings, there have been printers. Those of us of a certain age may have fond memories of tractor-fed dot matrix printers or even daisy wheels. These days, many printers are computers in their own right, often with network access. And that means they deserve security scrutiny. Mathieu Gorge is founder and CEO of security risk management firm VigiTrust. 

Mathieu Gorge: They're often forgotten as one of the devices that actually is used to either transfer, manipulate or store data. And then on top of that, a lot of the printers are now wireless printers. And some of them are even smart printers in a way that they belong to the deployment of a smart office or a smart home. So as you can see, the risk surface that started with some sort of a very private connection for one single function is now completely different. We've got, like, risk exposure because, if you don't purge the hard drive, you can actually replay all of the jobs that have been printed or scanned or whatever. You can link a document from a printer into your email or your fax service. And therefore, those services are probably part of your disaster recovery and business continuity plan. So all of the data is backed up. And you can see that you can start with one document with confidential information, and that document ends up on your cloud storage facility. It might end up on your email service and so on and so on. So you went from one single piece of data to multiple pieces of data, some of which will never be protected. 

Dave Bittner: So what are your recommendations in terms of both making a purchasing decision, but then also securing that device once it becomes part of your network? 

Mathieu Gorge: Right. Well, I mean, it's like any time you add some new functionality that is IT based, you increase your risk surface. So there's always kind of a disconnect between making employees' lives easier, because they can work faster, they can be more productive and so on, and the security that goes with it. So the first thing to do is to minimize the blind spots. So the same way as you do an asset inventory and you will include all of the endpoints, like the cell phones, the iPads, the laptops and so on, you also need to include those devices that are multi-functional printing and document capture devices. Granted, it doesn't sound half as sexy as looking at managing 10,000 remote points, but it's actually super important. The next thing to do is to treat them a little bit like a firewall, right?

Mathieu Gorge: So with a firewall, you only let the traffic in and out if you think there's a business justification, and then you put in security levels on top of it - multifactor authentication, increased login, maybe file integrity software, that type of stuff. You can do the same with the printers. Your printers - obviously, your network printers or the networks used to - so the printers used to deal with confidential data must be behind the firewall. I would recommend that you use some functionality such as FollowMe printing, which is where let's say I'm traveling from Dublin to New York and I have to go to a meeting with - to negotiate contracts and so on. Instead of printing the contracts, bringing them with me, and I could lose them at any point during the trip, I go to my office in New York. I authenticate the job is there. It's encrypted. Nobody else could get it. And at least it's there in the office, and I didn't have to travel with it. 

Mathieu Gorge: I would also recommend that you use the native login functionality that comes with the multifunctional device and of course that you purge the hard drive automatically at a very regular interval - probably every 30 minutes would be the norm in the industry, but it could be shorter than that depending on the data. You should also include secure printing and secure document capture best practices in your security awareness training. Same way as you train people to not fall for phishing scams, they should be aware of what's happening at the printing device level. And of course, that's - the overall process needs to be incorporated in your technical policies and procedures and in any type of incident response plan because an incident could be linked to an issue with the printer or with the device, maybe somebody stole the device, maybe the device wasn't purged in time or whatever. So that could potentially become an incident for your organization. So it needs to be part of the incident response plan. 

Dave Bittner: That's Mathieu Gorge from VigiTrust. 

Dave Bittner: And joining me once again is Kevin Magee. He is the chief security officer at Microsoft Canada. Kevin, it's always great to welcome you back to the show. I wanted to touch today on some of the developments that we are seeing when it comes to space. You know, on our side of the border, we have famously spun up a space force, and it seems like more and more communications. You know, we've got internet providers, Elon Musk's big activity of launching all of his satellites into space. So it's sort of a hot area right now. And I wanted to check in with you to see what kind of stuff you and your colleagues are tracking when it comes to space. 

Kevin Magee: Thanks for having me back, Dave. And I thought "Space Force" was canceled on Netflix or whatnot? 

Dave Bittner: (Laughter). 

Kevin Magee: Like, I thought I heard that, but I don't keep up on these things. But I really think we are at this moment with space technology about 1993, '94 with the internet, where we're developing all of these new technologies. They're starting to go mainstream in commercial businesses, and it's only a matter of time before we start launching the Raspberry Pi equivalent of satellites. And I think it's going to happen sooner rather than later. So there's an opportunity right now to start thinking about - how do we correct the mistakes we made with an open internet and having to sort of revamp security as we went? As we rush into the space era, how do we start to build it secure by design? And I'm starting to have many, many more discussions with senior leaders about these very topics as we see space technology, GPS, communications satellites start to weave their way into, you know, critical business processes. 

Dave Bittner: What sort of things are you seeing here? I mean, what are - can you give us an example of a use case where satellite communications are critical to someone's business? 

Kevin Magee: Sure thing. I had my first epiphany - I think, like, "Ghost Fleet" moment as Peter Singer and August Cole would say - when I read "Ghost Fleet," and the opening chapter was sort of a thought experiment about how an adversary would attack the U.S. And the first thing they did was take out the communication satellites. And when you say take out communications, that's kind of a broad term. When you start to really dig in and what effect that would have, it wouldn't just affect the military. It would affect businesses. It would affect hospitals. It would have incredible additional effects. So I started using this in my boardroom cyber-risk education sessions, as I call them, rapid-fire tabletop exercises, where I throw out a scenario and say a solar flare - not even an adversary but a solar flare - takes out a large portion of the communication satellites, you know, of the world. How would that affect your organization? And the initial response is, it wouldn't. But as we start to take apart major critical business situations, we see bank ATMs are updated primarily with satellites in remote locations, satellite phones, all sorts of critical business systems are unknowingly running through satellites that we're not aware of. And if we're not building that into our resiliency plans as organizations, then we're leaving a huge gap open to these potential technologies right now. Imagine where we'll be in 10, 15 years reliant on space technologies. 

Dave Bittner: Well, who do you suppose should take responsibility for this function? I mean, is this a government thing? Is this - you know, again, here in the States, would this be a federal communications type of thing? Is this NASA, the military? Who should lead the way? 

Kevin Magee: Well, I think we all have a role to play. When - private sector, of course, when we're building these products, we should build them secure by design. Microsoft is beginning to develop some of these products. And we're - we've actually come out with a preview, something they call the Azure Orbital ground station platform. And we're going to cloud-enable your ability to build out a satellite infrastructure. We've actually launched a new software-as-a-service version of this product as well, too. So we're leveraging new technologies and new design platforms that we can build in secure by design. So leveraging some of these platforms like cloud and whatnot to build secure by design is going to be key as well. On the legislation side, interesting, the U.S. has a Satellite Cybersecurity Act, which I think is quite interesting, that has asked the government to go back and look over a year of what effectiveness the efforts of the federal government are having in improving security for satellites, what resources are being made available to the public, but more importantly, to what extent commercial satellite systems are reliant or being relied on by critical infrastructure, and analyzing, you know, what the threats are to your overall critical infrastructure and what contingency plans could be put in place. So I like this act because it's asking the right questions at the right time. I'd like to see more larger organizations, especially critical infrastructure organizations, just ask the similar questions. And I think you'll be stunned by some of the answers that are coming up much faster in this area than you believe.

Dave Bittner: Is this the kind of thing where, you know, the folks who are sitting on boards of organizations should bring this up as a discussion point? You know, hey, this may sound out of left field but to what degree are we relying on space infrastructure? 

Kevin Magee: I think that's the role of boards in governance is to really run through some of those scenarios and often to - we go to what we know, which is finance and risk and whatnot. And some of these attempts to, you know, discuss it might feel a little weird at first. We're, like - I mentioned "Ghost Fleet" earlier, which is Peter Singer and August Cole's work - is storytelling to really communicate some of these ideas and to try to bring home some of these concerns. So if you can talk to your board about this and you can bring in some real use cases, or you can bring in some representative news stories or whatnot to really tell the story of what is happening out there other than go into Star Wars and how you could have better protected the Death Star - how can we make it real for them? How can we make them understand it? How can we attach it to risks associated with real business processes? 

Dave Bittner: Yeah. Just make sure you don't have an exhaust port that's only two meters wide, right? 

Kevin Magee: And if you're going to have that exhaust port, Dave, don't put a stateful inspection firewall that'll let one proton torpedo through. 

Dave Bittner: (Laughter) Fair enough. All right. Kevin Magee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.