The CyberWire Daily Podcast 5.31.22
Ep 1589 | 5.31.22

Potential cyber threats to agriculture. Cyber phases of Russia’s hybrid war. REvil prosecution at a stand (and it’s the Americans’ fault, say Russian sources). Microsoft mitigates Follina.


Dave Bittner: Sanctions, blockades and their effects on the world economy. Western nations remain on alert for Russian cyberattacks. REvil prosecution has reached a dead end. Microsoft issues mitigations for a recent zero-day. John Pescatore's Mr. Security Answer Person is back and looking at authentication. Joe Carrigan looks at new browser vulnerabilities. And notes from the underworld.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 31, 2022. 

Sanctions, blockades, and their effects on the world economy.

Dave Bittner: We begin by mentioning the progress of some sanctions and blockades imposed in the course of Russia's war against Ukraine. The European Union, after prolonged and difficult internal discussions, late yesterday agreed on an embargo of Russian oil. Reports say that the EU will cut its purchases of Russian oil by about 90% over the next six months. Reuters notes that the EU has agreed to immediately halt delivery of Russian oil by tankers. Europe receives about two-thirds of its Russian oil by ship and the remainder through pipelines. So yesterday's decision amounts to an immediate embargo of two-thirds of all Russian oil exports to Europe. The New York Times points out that the effects of the embargo are likely to be significant but that they won't be felt in Russia immediately. The Russian blockade of Ukraine's Black Sea ports has begun to have an effect on world food supplies, particularly in Africa and the Middle East, where deliveries of both grain and fertilizer have been disrupted. 

Dave Bittner: On Sunday, the British Ministry of Defence reviewed the effects of sanctions and the Russian blockade of Ukrainian ports. They said, on 25 May, Russia's deputy foreign minister, Andrei Rudenko, said Russia is ready to provide a humanitarian corridor for vessels carrying food through the Black Sea in return for the lifting of sanctions. The minister also requested Ukraine demine the area around the Port of Odesa to allow the passage of ships. Rudenko's request for Ukraine to demine follows a core tenet of modern Russian messaging strategy, introducing alternative narratives, however unconvincing, to complicate audiences' understanding. In this instance, Ukraine has only deployed maritime mines because of the continued credible threat of Russian amphibious assaults from the Black Sea. Here's the MoD's bottom line - Russia has demonstrated it is prepared to leverage global food security for its own political aim and then present itself as the reasonable actor and blame the West for any failure. Russia's attempt to achieve a reduction in the severity of international sanctions also highlights the stresses sanctions are placing on the regime. 

Dave Bittner: This suggests that the agriculture sector could easily become a target in other ways. A small-scale event in Russia shows one way in which cyberattacks could affect agriculture. Ukrainian owners of tractors stolen by occupying forces and shipped back to Russia suggest the ways in which farm equipment itself could be held at risk. Some 27 agriculture machines were taken by Russian forces and carried off for use in the Chechnyan region of Russia, CSO reports. But their former owners have rendered them inoperable and useless, much as one might remotely brick a stolen laptop. What's networked can usually be remotely disabled by its owners, and tractors are no different in this respect from a tablet. 

Dave Bittner: Should Russia decide to increase its pushback against sanctions by exacerbating the food shortages its blockade has already induced, some observers have expressed concern that it could mount a general cyber campaign against the agriculture sector. The privateering against JBS Foods, ABC says, foreshadows what might be possible. They say JBS Foods, the world's biggest meat processor, was held ransom by Russian-based hackers for $11 million last year. 

Western nations remain on alert for Russian cyber attacks.

Dave Bittner: Bleeping Computer reports that Italian authorities warned yesterday that Italy could see more distributed denial-of-service attacks of the sort recently conducted by the Russian Killnet group, nominally independent patriotic hacktivists working in Russia's interest, but probably also receiving some direction from Moscow's security and intelligence services. Killnet declared Operation Panopticon - that is, the creation of a space in which everything is seen - last week and has since been seeking to rally sympathetic hackers to its cause. The original panopticon was proposed in the 18th century by the English utilitarian philosopher Jeremy Bentham, who intended it as a proposal for prison reform. Prisons ought to be designed, Bentham argued, with a central panopticon from which all of the prisoners could be observed continuously and without interruption. We leave the unpacking of Killnet's choice of metaphor as an exercise for you, our listener, but it seems to provide an instructive window on how they view the way the world ought to be organized - like, perhaps, a prison. 

Dave Bittner: Observers in the U.S. and U.K. also continue to express concern about the prospects of major Russian offensive cyber campaigns, although so far at least, no such successful campaigns have developed. Some warn of a potential for attacks against industrial control systems, using Pipedream malware tools. Others see more risk of distributed denial-of-service attacks organized by Gamaredon, also known as APT53 or Primitive Bear. Ukrainian hacktivists continue to conduct nuisance-level attacks against Russian targets. Sberbank, Russia's largest bank, remains a favorite target, the Telegraph reports. 

REvil prosecution has reached a dead end.

Dave Bittner: Remember when Russian authorities arrested some alleged leaders of the REvil ransomware gang back on January 14? It would seem that their prosecution is now at a standstill. And moreover, it's the Americans' fault, or so the word on the courthouse steps in Moscow has it. The Russian media outlet Kommersant reported Friday that America did nothing and suggests that this is a disappointment for the Russian authorities. Russia did its best in good faith with a commitment to procedural equality, but the Americans failed to deliver the evidence they promised, so says Kommersant. 

Dave Bittner: The U.S. suspended its cooperation with Russian law enforcement after the special military operation in Ukraine began. And so the Russian prosecution can now proceed no further. Cyberscoop points out that this is basically the defense attorney's perspective and that perhaps it should be taken with a grain of salt. Anyway, defense counsel has apparently suggested that the alleged leaders of REvil are patriots willing to turn from their young, misguided life of crime and that they're in a unique position to render assistance to Russia in her hour of cyber need. They've got the chops for it, apparently, having honed their skills as privateers - or if you prefer, criminals. 

Microsoft issues mitigations for Follina zero-day.

Dave Bittner: Malware researchers describe a zero-day vulnerability that could allow attackers to achieve remote code execution in Windows systems. Exploitation of Follina, as the researchers call the bug, circumvents Microsoft's protected view and anti-malware detection. The attack vector uses the Word remote template feature to retrieve an HTML file from a remote web server. It goes on to use the MS-MSDT protocol URI scheme to load some code and then execute some PowerShell. Microsoft addressed the issue yesterday. Malwarebytes says, on Monday, May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. The workaround offered by Microsoft consists of an alternative method to unregister the MSDT URL protocol. In full disclosure, we note that Microsoft is a CyberWire partner. 

Notes from the underworld.

Dave Bittner: NCC Group has been tracking the return of CL0P ransomware, which last month emerged from its temporary hibernation to hit 21 targets. NCC Group noted the most targeted sector for CL0P was industrials, which made up 45% of CL0P's attacks, followed by technology with 27%. This is roughly along the lines of the target selection NCC Group observed on the part of Conti and Lockbit, although CL0P is a bit more interested in the tech sector than are its criminal competitors. Bleeping Computer reports that CL0P exploited Accellion's legacy file transfer appliance to exfiltrate large quantities of data from the companies it victimized. 

Dave Bittner: CSO takes a look at Conti, which may or may not be breaking up or rebranding but which seems likely to persist in some form or another. Among their observations is that Conti has been, relatively speaking, less concerned than its competitors with delivering on promises made to victims, which suggests the gang either has a different revenue model or is pursuing goals other than simple immediate profit. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

John Pescatore: This is John Pescatore, and welcome to Ask Mr. Security Answer Person, short drill-downs at the timely security issues with a lot of hype-busting. Now, let's see what today's question is. Here's our question from Curious Listener. (Reading) Earlier this year, the U.S. Internal Revenue Service announced it would start requiring taxpayers to use a commercial facial recognition service to access their tax records. Seemingly within minutes, after intense backlash, the IRS backed off, and it looks like strong authentication is off the table once again. Are we ever going to see the U.S. federal government move away from reusable passwords to something more secure? 

John Pescatore: Well, unfortunately, Curious Listener, the short answer is no. The federal government will never make any progress in this area if they take the same approach the IRS did here. The way the IRS first went about this violated two very important laws of nature. First, if you want to cook a frog, put it in a pot of lukewarm water, and slowly turn up the temperature. Don't try to throw a frog in a pot of boiling water. It'll just jump out. Next, if you're going to hit someone with a rubber mallet just below the top of their kneecap, don't put your face in front of their foot. With no advance notice, as in forgetting to warm the water, the IRS came out with a mandate to use facial recognition, a very privacy-sensitive form of biometrics and run by a private firm. Insert knee-jerk reaction square to the jaw here. 

John Pescatore: Let's start with the basics. Replacing reusable passwords with stronger authentication is the single most effective action we can take to reduce security incidents. In 2019, Microsoft analyzed over 300 million logins to their cloud services. And the data showed that the use of two-factor authentication, such as cell phone messages or an authenticator app, would have prevented 99.9% of phishing attacks from succeeding. Using biometrics adds at least one more nine to that figure. That was the math that caused the IRS to finally act - the ability to cut successful account compromises by a factor of a thousand through this one move. But unfortunately, they didn't do the prep work. They tried to build a bridge starting from the top, and that never works out well. 

John Pescatore: I can hear the roar of yawns from here. Yeah, yeah, yeah. We all know passwords are the root of all evil. But users love them, and any form of stronger authentication causes management to scream. It also seems to always cause breakage across applications, often requiring double logins. When we try, we can never go from test bed to a mass rollout because of the pushback from all levels. 

John Pescatore: Well, the times - they are changing. First, the Mercator survey showed that 41% of consumers were already using biometrics on their cellphones in 2021. Another study showed a similar percentage for overall use of multifactor authentication, as many financial services have begun requiring it if a user logs in from a new device. I've asked boards of directors many times if they use text messaging two-factor authentication or the fingerprint sensor in their mobile phones in their personal lives, and nearly 100% do. Resistance is much lower than it was a few years ago. 

John Pescatore: The breakage interoperability issue has been real. But in early May, Apple, Google and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the Worldwide Web Consortium. OK, before the yawns start again, yes, the big guys have made announcements like this before around adopting common standards but never these three dominant players all at the same time and never on a timeline as short as the one year they all announced for this effort. The promise - your user with an iPad, an Android phone and a corporate Windows PC would be able to log in across Apple, Google and Microsoft apps and services from any of those devices without ever once using an oh-so-phishable password. So dig into multi-device FIDO credentials and passkeys to understand the details and start working with IT to try a rollout at least across the security team and possibly a few security-friendly IT admin folks to see what wrinkles remain and to see if they do get ironed out over the next year. To avoid knee-jerk reactions, start doing an internal messaging campaign about the impact of phishing on users at home and how MFA can break that cycle of identity theft pain. 

John Pescatore: Of course, strong authentication is not penicillin. It will not cure all security ills, and there will be vulnerabilities found that need to be fixed. But just imagine if 99.9% of phishing attacks against you failed to obtain your user's credentials. Your security resources could focus on the remaining complex and dangerous attacks and reduce time to detect and time to respond dramatically. 

John Pescatore: It really feels different this time. Phishing is costing the tech platforms and their customers too much money for them to sit still. Money talks, and I think we'll see progress. So the water is warming. Throw your frog in and start turning up the heat. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send in your questions for Mr. Security Answer Person to 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Saw some interesting coverage over on Forbes. This was written by Davey Winder. And he had some news from the recent Pwn2Own event in Vancouver. What was going on here, Joe? 

Joe Carrigan: Well, there is a - let's call him a security researcher. That's the term I'm looking for. His name is Manfred Paul. 

Dave Bittner: Yeah. 

Joe Carrigan: And he is a very good security researcher. 

Dave Bittner: Yeah. 

Joe Carrigan: And he found two critical vulnerabilities in Mozilla. And these were JavaScript vulnerabilities that - one of them is a prototype pollution in - top-level await implementation is what it's called. 

Dave Bittner: OK. 

Joe Carrigan: It allows an attacker who corrupted an array object in JavaScript to execute code in a privileged context. 

Dave Bittner: OK. 

Joe Carrigan: OK? And then there's another one that is untrusted input used in JavaScript object indexing, which leads to prototype pollution, again, allowing you to get back to the original exploit. The key is that you can run any kind of JavaScript you want in a privileged setting. 

Dave Bittner: OK. 

Joe Carrigan: So that's really, really bad. 

Dave Bittner: Yeah. 

Joe Carrigan: Firefox has already fixed these... 

Dave Bittner: Oh, OK. 

Joe Carrigan: ...And released patches for them. 

Dave Bittner: OK. 

Joe Carrigan: So one of the things I wanted to talk about in this story is that, how often do you see when you're using your browser - whether it's Chrome, whether it's Edge or whether it's Firefox - it has a little update alert up in the upper right corner? 

Dave Bittner: Right. 

Joe Carrigan: And Chrome starts off with a green one, then it goes yellow and then it goes red to catch your eye for it. But as soon as I see the green one, I make a habit of just stopping what I'm doing and hitting that button and updating it because vulnerabilities like this are remarkably bad. What's interesting about this one is that vulnerability is also present in the Tor Browser because Tor is built on top of Mozilla. 

Dave Bittner: OK. 

Joe Carrigan: And if you're in a place where you need to be - keep your IP hidden from the oppressive regime that's watching you - right? -... 

Dave Bittner: Right, right. 

Joe Carrigan: ...You know, you need to protect your identity online. You don't want to go to some malicious website that has this - that allows them to de-anonymize you. 

Dave Bittner: Yeah. 

Joe Carrigan: They can actually get your actual IP address. 

Dave Bittner: I see. 

Joe Carrigan: Now, one of the things about Tor is that the browser comes with JavaScript disabled by default, I believe. So you have to actually go on and enable it. 

Dave Bittner: Right. 

Joe Carrigan: But if you're browsing the open net, you pretty much have to do that for many of these pages to be usable. 

Dave Bittner: You have to turn JavaScript on. 

Joe Carrigan: You have to turn JavaScript on, correct. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So I can absolutely see where this would be a problem for people. 

Dave Bittner: Now, Manfred Paul here, the researcher who took advantage of this, he had a pretty good day here, didn't he? 

Joe Carrigan: Right. He had a pretty good 8 seconds. 


Dave Bittner: OK. 

Joe Carrigan: Because it's Pwn2Own, you get cash when you find these things. He got a hundred thousand dollars in - by exploiting this - demonstrating this vulnerability. 

Dave Bittner: Wow. 

Joe Carrigan: It's kind of like a bug bounty program. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's - he gets a hundred - I - you want to say he gets a hundred thousand dollars for 8 seconds of work, but he doesn't get that. He put a lot of time into developing the exploit. 

Dave Bittner: Yeah. It's 8 seconds that he spent a career - a lifetime career learning... 

Joe Carrigan: Right. 

Dave Bittner: ...How to do the thing that took - that ultimately took 8 seconds to do. 

Joe Carrigan: Right. It's just an automated attack. I mean, those things take no time at all. 

Dave Bittner: Right. 

Joe Carrigan: The skill comes in developing the attack. 

Dave Bittner: Yeah. 

Joe Carrigan: So, yeah. Good for Manfred here. 

Dave Bittner: Yeah. It says later in the same day, he went on to win another $50,000... 

Joe Carrigan: Right, with Safari. 

Dave Bittner: ...For a zero-day exploit in Safari. Yeah. So Manfred's buying the first round at... 

Joe Carrigan: Right. 


Dave Bittner: ...The Pwn2Own bar that evening. What do you make of these sort of hacking events, Joe? Is this... 

Joe Carrigan: I love it. 

Dave Bittner: Yeah? 

Joe Carrigan: I think they're great. This is what we need to have as a security community. And this is the kind of attitude we have to have. So this bounty money comes from the event organizers, right? They probably go out and get sponsorships from all these different companies... 

Dave Bittner: Right. 

Joe Carrigan: ...That are sponsors. But other companies have their own bug bounty program. And then there are actually companies out there like HackerOne that manage bug bounty programs for other companies... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is great. So events like this that bring legitimate security research to the forefront are fantastic. 

Dave Bittner: And, you know, you - at Hopkins, you work with a lot of students. These are great events for them to attend, as well. 

Joe Carrigan: Yes. If they can get to them, they can do some exploitations. Absolutely. They should - and - or just go to learn. 

Dave Bittner: Right. 

Joe Carrigan: That's why you go... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Really. 

Dave Bittner: Yeah. All right. Well, this is an article from Forbes, again, written by Davey Winder. It's titled "Firefox Browser Hacked in 8 Seconds Using 2 Critical Security Flaws." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.