Updates on the hybrid war: hacktivism and hunting forward. Election security. Trends in phishing. The return of Emotet.
Dave Bittner: Another hacked broadcast in a hybrid war. Hunting forward as an exercise in threat intelligence collection and sharing. Cyber threats to the U.S. midterm elections. Phishing for cryptocurrency. FakeCrack delivers a malicious payload to the unwary. Vacations are back. So is travel-themed phish bait. Ann Johnson from Microsoft shares insights on the trends she's tracking here at RSA. Johannes Ullrich brings highlights from his RSA Conference panel discussion. And Emotet returns in the company of some old, familiar criminal collaborators.
Dave Bittner: From the RSA Conference in San Francisco, where I've left my heart and a good bit of my expense account, I'm Dave Bittner with your CyberWire summary for Thursday, June 9, 2022.
Another hacked broadcast in a hybrid war.
Dave Bittner: Another broadcast has been hacked in the course of Russia's hybrid war. The last such interference was in the Russian interest and interrupted the televised presentation of the Ukraine-Wales match in the World Cup qualifying round. This most recent incident appears to be the work of pro-Ukrainian hacktivists. BBC reporter Francis Scarr tweeted that a news broadcast carried by the Russian radio station Kommersant FM was interrupted to play the Ukrainian patriotic song "Oh, the Red Viburnum in the Meadow." The Washington Post adds that the feed was also interrupted with an anti-war song. The station has resumed normal operations and said it was investigating the incident.
Hunting forward as an exercise in threat intelligence collection and sharing.
Dave Bittner: Sky News, following up its interview with U.S. Cyber Command's General Nakasone, concentrates on a discussion of what hunt forward means in the context of cyber conflict. It involves the collection of threat intelligence on friendly, cooperating networks, finding malware samples and other evidence of hostile activity and sharing that intelligence to inoculate friendly networks against such attacks. General Nakasone said, this ability for us to work at the behest of a foreign government, to go and hunt with them on their networks, then releasing the information. We have released over 90 different malware samples to a series of private sector cybersecurity firms. What does that do? It provides inoculation for all of us that operate in the domain, and I think that's an example of where this public-private partnership is so important.
Dave Bittner: General Nakasone also credited Ukraine with considerable resilience in cyberspace. He said, one of the things that we certainly learned is the importance that the Ukrainians have placed on having a resilient network. If all that's said in terms of what's gone on in this conflict, one of the things that I think is sometimes missed is that the Ukrainians have maintained their internet and being able to communicate. And this is a great tribute to them.
Cyber threats to the US midterm elections.
Dave Bittner: The U.S. midterm elections will be held this coming November, and experts are outlining the cybersecurity risk to those elections. At the RSA Conference yesterday, CyberScoop reports, industry experts reminded election officials that phishing and email doxxing had been major threats in 2016 and that those shouldn't be overlooked in the current election season. But the way the threat landscape has shifted suggests that election officials should be particularly alert for ransomware attacks.
Dave Bittner: Among the U.S. federal agencies that are involved in securing the vote, the Cybersecurity and Infrastructure Security Agency has the leading role. NSA's cybersecurity director Rob Joyce said that his organization would be supporting CISA. Joyce said, the worry in all of election security is trust and confidence that we've delivered a safe and secure election. And if you know if elections are subject to ransomware or if there's a botnet that runs a denial of service, what you'll find is that's probably going to, in this day and age, escalate to be an issue of trust. He pointed out that working against botnets and ransomware were squarely in NSA's wheelhouse, so Fort Meade support can be expected to work primarily against those two classes of threat.
Phishing for cryptocurrency.
Dave Bittner: This morning Proofpoint published a study of criminal attempts against cryptocurrency holdings. They divide the operations into three categories - cryptocurrency credential harvesting, cryptocurrency transfer solicitation and commodity stealers that target cryptocurrency values. As is so often the case, the tools for this kind of cybercrime are traded in the underworld's criminal-to-criminal markets. Phishing kits, prepackaged sets of files that contain all the code, graphics and configuration files to be deployed to make a credential capture webpage are popular offerings.
FakeCrack delivers a malicious payload to the unwary.
Dave Bittner: FakeCrack, a criminal operation that distributes malware to its victims' devices, works by offering a shady come-on - free cracked software. Avast explains that the campaign is designed to compromise and steal two classes of sensitive data, personal information and cryptocurrency holdings. It's another reason to avoid gray market software.
Vacations are back. So is travel-themed phishbait.
Dave Bittner: Bitdefender reports that travel-themed spam has been seen hitting users since March 2022 and has been primarily seen targeting the United States, Ireland, India and the United Kingdom. The spam can be found in the form of ads and phishing emails, with the emails containing buzzwords related to summer vacation and many well-known airlines. The researchers also found that malicious domains and URLs are in play. These are used to trick victims into downloading infected invoices and credit card transactions. The phishbait is topical. Not only is the summer travel season upon us, but the pandemic has abated enough to render vacation travel more feasible than it has been for the last two summers.
Emotet returns, in the company of some old familiar criminal collaborators.
Dave Bittner: Deep Instinct reported today that Emotet has seen a resurgence in 2022. Emotet reemerged in late 2021 and has seen a 27-fold increase in detections in early 2022. Companies in Japan were targeted in phishing campaigns utilizing Emotet in February and March of this year, and more regions have been found to be targets in April and May, including Italy and the United States. The Trickbot gang has been observed helping Emotet deploy to infected devices to download the new variants of the malware. Deep Instinct writes, the threat actors behind Emotet have been credited as one of the first criminal groups to provide Malware-as-a-Service. They successfully utilized their MaaS to create a massive botnet of infected systems and sold access to third parties, an enterprise that proved so effective it was soon being used by criminal entities such as the Ryuk and Conti ransomware gangs. Emotet also has a history of collaborating with Trickbot, famous for their info-stealing Trojan, and Qakbot, another well-known banking Trojan. So it seems that old gangs never or rarely die. They just fade into rebranding or disperse into other criminal crews.
Dave Bittner: One of the highlights of the RSA conference is running into friends new and old. Ann Johnson is a corporate vice president at Microsoft and host of "Afternoon Cyber Tea," right here on the CyberWire network. She dropped by our meeting space at the conference to share her thoughts on the show.
Ann Johnson: You know, RSA Conference - and this is my 20th, 21st year at RSA Conference - so let me give you one side note.
Dave Bittner: Yeah.
Ann Johnson: Because it's June and not February, the weather is outstanding. It's not raining. It's been a lovely week.
Dave Bittner: Right.
Ann Johnson: But that aside, the vibe feels much the same. It's - I think it's a smaller conference this year because the date changed and people are still coming out of COVID and thinking about travel, but the vibe is still the same. We still have a bunch of passionate industry professionals who are dedicated to their mission and trying to solve really hard problems and having really deep conversations as late as, like, 10, 11 o'clock at night, you know? It is a wonderful community, as you know. And everyone - I'm seeing lots of friends on the street, people I haven't seen in a few years. And it just feels wonderful to be here.
Dave Bittner: Yeah. Yeah. As you walk around, what sort of trends are you noticing? You know, we've had years where everything was artificial intelligence and then years where it was the human element. And any idea what this year's theme is?
Ann Johnson: Oh, yeah. It's the year of XDR. If - I have seen, like...
Dave Bittner: Yeah. Yeah.
Ann Johnson: ...Windows, storefronts, sidewalks, every bit of branding. I was joking with a friend in the industry. And I don't drink alcohol, but I said I'll take a drink of, you know, a ginger ale or Diet Coke every time I see an XDR sign, you know, and you can have a shot of beer or whatever it is.
Dave Bittner: Right. You have to take frequent bathroom breaks if you do.
Ann Johnson: That's exactly right. But I think that, you know, it's the year of XDR, but again, trying to solve really hard problems - if you don't have that visibility end to end across your estate that XDR could give you - like, Microsoft XDR would give it to you across our platform - and with third-party solutions, you can't solve hard problems because you're not seeing. You have to - the biggest problem customers try to solve is visibility. And theoretically, that's what XDR is going to bring to them, is that promise of visibility and correlation of threats across the entirety of your environment.
Dave Bittner: Is now the right time for XDR? I guess - let me say that another way. Why XDR at this moment being - having the popularity it does?
Ann Johnson: I think it's because a lot of organizations are going - are now both hybrid and cloud. And so visibility becomes a really different conversation for them, right? They're trying to figure out what's still in their estate on premises, and then they're trying to figure out what they have in the cloud. And that dream of us - you know, I'll just - I'll use the Microsoft example, right? Microsoft Defender for Endpoint, looking at what is on premises or on your endpoints, as opposed to Microsoft Defender for Cloud or Microsoft Defender for Identity - we can look across the entirety of your estate and say these threats are coming in from the cloud, these threats are coming in from on premises, and we can correlate those. And that's, I believe, why there is such just impetus for it now, is because customers' estates have gotten much more complex. In addition to that, threat actors have ramped up and have figured out where the soft, chewy center is - whether the soft, chewy center is externally in a cloud or whether the soft chewy center is still on premises. So being able to detect really quickly - time to detection is the most important thing. And XDR should be able to reduce your time to detection, which gives you a better opportunity to defend your environment.
Dave Bittner: As I'm wandering around the show floor here, I'm seeing a lot of young, fresh faces, people who are looking to find their place in the community here. Are you seeing the same thing, and what kind of energy do you see them bringing to things?
Ann Johnson: I had so much fun last night. I was one of the experts at the RSA Scholars dinner.
Dave Bittner: Oh, wow, OK. Yeah.
Ann Johnson: Yes. Yes. Yes.
Dave Bittner: Terrific. Yeah.
Ann Johnson: Yeah. So the RSA Scholars dinner - we bring in college students who are mostly postgraduate. They're, you know, master's or Ph.D. students. I had so much fun with them. I actually said to one of the students - you know, he was talking about how he's writing CTFs, how he's helping write grants for students to go to cybersecurity education. And I'm like, when I was in college, I was thinking about where the next party was. I wasn't thinking about, like...
Dave Bittner: I'm with you (laughter).
Ann Johnson: Seriously.
Dave Bittner: Yeah. I'm with you.
Ann Johnson: This - they are so committed. When we were in college, cybersecurity wasn't an industry, right?
Dave Bittner: No. It wasn't. No.
Ann Johnson: But they were so passionate. I was talking to somebody who was doing embedded work on embedded systems and risks for nuclear power plants. These kids - they're going to save us all because they are so passionate (inaudible) and they're digital natives. So they're so much further ahead than we were in understanding the landscape.
Dave Bittner: I think another element, for me anyways - I'd like to get the word out that for those folks who are coming up, don't be shy. Come up and introduce yourself. If - you know - and I know you - this is something you feel as well. You're willing to take the time to have those conversations, help people along the way.
Ann Johnson: You know, I was talking to a member of my team this morning. And I said, if someone is, and I'll say it, brave enough to walk up to me...
Dave Bittner: Right.
Ann Johnson: ...I'm going to give them time.
Dave Bittner: Right.
Ann Johnson: If you want to send me a LinkedIn message, I'm going to give you a few minutes. Maybe I'll ultimately - because I - and I like to do quality things, like you, right?
Dave Bittner: Yeah.
Ann Johnson: So maybe if I feel like I don't have enough time, I'm going to ask you to meet with someone after that. But I'm going to give you time. I want to get the next generation passionate. You know, I've been doing this for over 20 years. You've been doing it for a long time. I want the next generation to be as passionate as we are because they're going to have harder problems to solve, and they're going to come with fresh ideas. And we need fresh ideas.
Dave Bittner: You are the host of the podcast "Afternoon Cyber Tea." Can you give us a preview of what's coming up there?
Ann Johnson: Yeah. So "Afternoon Cyber Tea" is - I talk about it in the terms of I like to humanize cybersecurity. I like to bring on really interesting guests. So we have a really interesting guest coming up who is not in the cybersecurity industry. He is actually in the media and entertainment industry, but he is going to talk about an initiative he has started - it's based in Tulsa - called Black Tech Street, to get folks into technology careers. So he's going to talk about how he has, you know, stepped out of a little bit to the media entertainment industry to really invest in making this a reality. So we have guests like that. We have industry luminaries on, you know?
Dave Bittner: Yeah.
Ann Johnson: We have up-and-comers. We'd love to have up-and-comers on the show, talking about young talent. We like to give visibility to somebody who's just starting out. So it is probably one of my favorite things to do. And, of course, it's hosted on CyberWire.
Dave Bittner: And it is our honor to do so. Ann Johnson, thanks for joining us.
Ann Johnson: Thank you. Have a wonderful day.
Dave Bittner: That's Ann Johnson from Microsoft.
Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, always great to welcome you back.
Johannes Ullrich: Yeah. Good to see each other in person this time.
Dave Bittner: I know. We are here at the RSA Conference face to face, which is certainly a treat. You just finished a presentation here at RSA. Can you give us a little overview? What was the presentation about?
Johannes Ullrich: Yes. I was really part of a panel with Ed Skoudis, Katie Nickels, Heather Mahalik and Rob Lee. And we sort of always try to summarize once here at RSA what the biggest hacks are that we see coming. So it's not just looking back versus what they are right now. Part of it is that as well, but also a little bit looking forward.
Dave Bittner: So what are the things on the horizon for you all?
Johannes Ullrich: Well, first of all, Katie talked about that living-off-the-cloud idea. It's something I've certainly observed. Like, when we look at the reports we're getting in with Storm Center and such where people are using cloud services against you, where they're using servers like ngrok or even, like, simple things like Dropbox and such still to exfiltrate data to use it as a command-and-control channel because, particularly, from the network point of view, that blends in really nicely with the normal traffic that you're seeing.
Dave Bittner: Because so much is coming and going from the cloud and everyday operations, it's sort of masked by default.
Johannes Ullrich: Correct. And these are services that have legitimate uses, too. So you can't just outright block them.
Dave Bittner: I see.
Johannes Ullrich: Or if you block them, then you have angry users that...
Dave Bittner: Right (laughter).
Johannes Ullrich: ...Also not so nice.
Dave Bittner: Right. Right. Angry users are the bane of security practitioners everywhere. What other things did you all discuss?
Johannes Ullrich: Yeah. I talked a little bit about how, actually, the infrastructure you're building for backups could potentially be used against you. Because if you think about it, you're installing agents on all of your endpoints to collect the data that you are backing up. You're typically exfiltrating it to some kind of cloud service.
Dave Bittner: Right.
Johannes Ullrich: So what about an attacker that will just take it over and configure it for you, not necessarily how we intend to configure it, but use that same software to steal your data and just send it to a different cloud endpoint - in particular, since a lot of these cloud systems have had vulnerabilities in the past, so it's not necessarily that they're foolproof either.
Dave Bittner: Yeah.
Johannes Ullrich: And sometimes they're just not configured right because it's boring. Backups are boring.
Dave Bittner: Right.
Johannes Ullrich: So that's why they're often ignored until you actually need them. And they're also, like, your last line of defense for ransomware in many cases. So particularly if you're looking at the modern ransomware that often has the extortion component to it, they'll just take the data and maybe even use then the endpoints, the software that you installed on your clients as part of a backup system to do some of the encryption for you because they often have encryption capability because encrypted backups are good.
Dave Bittner: Right.
Johannes Ullrich: Just you usually like to have the clear text version around as well.
(LAUGHTER)
Dave Bittner: Well, and is this also a matter of, from the user's point of view, that it appears as though your backup software is doing everything that you configured it to do? It's sending stuff off somewhere to a cloud, and it's easy to overlook which cloud where.
Johannes Ullrich: Exactly. And, you know, the attacker may even use the same cloud as you're using. So that makes it even more difficult. And because you're typically dealing with a lot of data, you often, again, exempt it from network monitoring, for example, because I don't want to bog down your network monitoring solution with lots of traffic that you really don't care about because, you know, it's just a backup software. It's going from your backup server to that S3 bucket or whatever. But really, all you're often caring about is that it's going to Amazon or whatever service you configured.
Dave Bittner: What are your recommendations, then? I mean, given that backups are boring, how do you prioritize, give them the attention they deserve?
Johannes Ullrich: Well, I always say, as a security practitioner, I like boring because when it gets exciting, it's usually not that good.
Dave Bittner: Right (laughter).
Johannes Ullrich: But, yeah, give them the attention they deserve. That's really what it comes down to. And review configurations. Moderate configurations. Like, how do you change management on backup configurations? Who has access to those processes and is allowed to make or authorized to make changes? So really, by tying them more into your overall security practices, that's a good start. And, of course, like, keep that stuff updated like everything else.
Dave Bittner: Yeah.
Johannes Ullrich: It's a little bit of those one-off solutions. So, like, it's not like your Windows updates, where you have, like, you know, thousands of them. And it's not as mechanical as that. But, yeah, don't ignore it.
Dave Bittner: Any other particular items from the presentation that deserve attention?
Johannes Ullrich: We had two more. So Heather Mahalik - she was talking about stalkerware, which is, like, a huge issue, also, like, some of the more advanced exploits that you have here against mobile devices. NSO Group, even though they are sort of fading away - but their exploits, their tools are sticking around. And then Rob Lee was talking about some of the attacks against satellite systems we have seen in Ukraine. Now, a lot of it has been written about now how it has affected or didn't affect the effects of the wind power systems in Germany and such.
Johannes Ullrich: But the one sort of not well-publicized effect of this was that actually, these communication systems the Ukrainian army used in part of its sort of artillery targeting systems where someone at the frontline could send a message back that they found some Russian tank or something like this. And the way Rob describes, like, an Uber for artillery there...
Dave Bittner: (Laughter).
Johannes Ullrich: Then the system automatically found the closest artillery battery to then...
Dave Bittner: Right.
Johannes Ullrich: ...Launch shells at them, which, you know, is not going to have sub-minute kind of response times. And that was shut down by shutting down those Viacom (ph) modems. Then, of course, Elon Musk stepped in...
Dave Bittner: Right, right.
Johannes Ullrich: ...And gave them his satellite system, which sort of was basically private sector, now fulfilling an important military role...
Dave Bittner: Right.
Johannes Ullrich: ...Which...
Dave Bittner: Things get a little fuzzy now; don't they?
Johannes Ullrich: Things get fuzzy. And now it's a part of Chinese military doctrine to - hey; if you ever fight the Ukraine - not the Ukraine - the U.S., the first thing we probably want to do is take out SpaceX or Starlink. So you have this - we always had this when it comes to cyber, where there is no clear delineation between sort of, you know, private industry and government. Most government networks use privately owned or commercial connectivity.
Dave Bittner: Right.
Johannes Ullrich: They're not usually running their own wires.
Dave Bittner: Right.
Johannes Ullrich: So - and this becomes really obvious here. I'm going to get to space, and - which is literally now the new high ground in warfare. You can't get any higher than some satellite.
Dave Bittner: Yeah, yeah - geosynchronous orbit or whatever. Yeah.
Johannes Ullrich: And if you sort of look at some of the news from Ukraine, how effectively this is sometimes used, sort of the connectivity between drones and artillery - so there's immediate feedback and targeting.
Dave Bittner: Right. Right. Well, I have to say it's great to be back here in person to see people face to face, and delighted that you made time for us today. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Eliott Peltzman, Tre Hester, Brendan Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.