The CyberWire Daily Podcast 6.14.22
Ep 1599 | 6.14.22

Dealing with Follina. SeaFlower steals cryptocurrencies. Cyber phases of a hybrid war, with some skeptical notes on Anonymous. And the war’s effect on the underworld.


Dave Bittner: Dealing with the GRU's exploitation of the Follina vulnerabilities. SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets. Ukraine moves sensitive data abroad. Anonymous claims to have hacked Russia's drone suppliers and to have hit sensitive targets in Belarus. Rick Howard reports on an NSA briefing at the RSA conference. Our guest is Ricardo Amper from Incode with a look at biometrics in sports stadiums. And the effects of war on the cyber underworld.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 14, 2022. 

Dealing with the GRU's exploitation of the Follina vulnerabilities.

Dave Bittner: CERT-UA maintains its conclusion that Sandworm, a GRU operation, was responsible for exploiting Follina to compromise Ukrainian media organizations, Computing reports. Compromised Word documents are carrying the AsyncRAT Trojan as a malicious payload. 

Dave Bittner: Follina is a remote code execution vulnerability. It's listed as CVE-2022-30190, assigned a severity rating of 7.8 out of 10 by Microsoft, and it uses the Microsoft support diagnostic tool to download and execute malicious script. It's being called "low-interaction remote code execution," not zero-click because there's some interaction required for execution, but not much. All it takes is for a victim to preview a malicious file. Ars Technica notes that Microsoft has issued instructions for mitigation, explaining how to disable MSDT, but hasn't yet said whether it will issue a full patch. 

SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets.

Dave Bittner: Security Week reports that digital advertising security company Confiant has discovered a campaign sending backdoored versions of iOS and Android Web3 wallets. The attackers have cloned the legitimate sites of the wallets and have included links to download them, which contain the app's legitimate functionality but which also exfiltrates the user's seed phrase in order to steal the victim's cryptocurrency. Confiant says that the cybercriminals running this campaign have not yet been identified but are likely Chinese, as much of the data found are in Chinese and contain information from Chinese and Hong Kong IP addresses. 

Ukraine moves sensitive data abroad.

Dave Bittner: The Wall Street Journal reports that Ukraine has begun to store sensitive data abroad, backing up its information to render it less vulnerable to Russian physical or cyberattack. George Dubinskiy, the country's deputy minister of digital transformation, said, to be on the safe side, we want to have our backups abroad. Among the earlier transfers was a program to back data up to a secure private cloud with servers located in Poland. Priority has been given to protecting VIP databases - that is, databases deemed essential to the operation of Ukraine's economy. 

Anonymous claims to have hacked Russia's drone suppliers...

Dave Bittner: Anonymous claims to have successfully hacked into Russia's drone suppliers, if not exactly the drones themselves. Tweets on behalf of the hacktivist collective include statements saying Russian UAV, drones, plans and tactics hacked. We hope this information will help the war to end as soon as possible. No war is justified. Accounts of exactly what Anonymous obtained are confused and unclear, but it does not appear to have been a direct attack on the Russian military, as some sources said. Images posted of files allegedly stolen appear to include promotional literature and a list of companies involved in the production or trade of the Kronstadt Group's Orion-E armed drone, an export model. Computing notes, sensibly, that the nature of Anonymous makes it impossible to ascertain if the hacked data is genuine, although cybersecurity experts do think that most of the collective claims of successful attacks are true. 

...and to have hit sensitive targets in Belarus.

Dave Bittner: Anonymous also claims to have engineered significant disruption of government activities in Belarus. They tweeted, access to 26 ministries, centers and banks of the Belarusian government has been restricted as a result of attacks by me, @YourAnonSpider. There are no independent reports of such activity, which have to be received with skepticism. Somebody would surely have noticed such widespread disturbances. 

The war's effects on the cyber underworld.

Dave Bittner: Kela Cybersecurity Intelligence has researched the effects Russia's war against Ukraine has been having on the cybercrime landscape, detailing new developments in the cybercriminal underground as a result of the conflict. The effects are being produced by new criminal opportunities, by the effect of Western sanctions and by new Russian restrictions on certain online services. 

Dave Bittner: Kela researchers have found, for example, that people are getting transportation out of Ukraine through hacking sites rather than through legitimate sites and services. And there has been an increase in demand for money transfer service as both Russia and Ukraine now have laws in place dictating limits on the amounts that can be transferred and the locations to which money may be transferred. These are the traditional services black markets have traditionally offered in wartime, and cybercriminals have not been slow to pivot from online fraud and carding to take advantage of the desperate. 

Dave Bittner: What's made legitimate remittances harder has also made criminal transactions more difficult. The blind eye the Russians have traditionally turned toward money laundering, for example, is now seeing a bit more clearly. And life has grown a bit more challenging for the underworld. And, of course, Western sanctions have made it difficult, in some cases difficult to the point of impossibility for, say, ransomware victims to pay their extortionists, especially when the ransomware operators are working from Russia, as so many of them do. 

Dave Bittner: VPN services have also seen a spike in demand. Kela writes, the spike can be caused by the arrival of new users hoping to acquire accounts for reliable VPN services, especially since Russia has started to block URLs linked to some of them while to legally pay for remaining VPNs is hard without having non-Russia-issued Visa and MasterCard credit cards. There's nothing inherently illegal about VPNs. But they're restricted in Russia, where the government has enacted censorship laws to stifle access to sites that offer what the Kremlin regards as disinformation - that is, comment and reporting that don't reflect the official Russian line on the special military operation. 

Dave Bittner: Facebook and Instagram are among the platforms being censored, and the cyber underworld has been quick to offer illicit VPN services. To those who want to see the news, the government would rather go unreported or at least unheard. Kela has also found that the war is affecting both cybercriminal online communities and C2C markets for ransomware and other crimeware. The actors behind the Raccoon Stealer malware reported on a forum that their core developers are unable to continue to produce the malware because of a special operation and that work on Raccoon Stealer has been suspended. The gang hints that the suspension is due to the war. 

Dave Bittner: Chatter about the effects of war has also appeared on the Russophone cybercrime forum. There's some debate there about the nature and justification of Russia's war, despite the forum's rules against such political discussion. And, of course, as we've seen, ransomware gangs have taken sides in the war, usually Russia's side. Conti is the most famous of these. Some of the gangs wishing for freedom to pursue criminal gain have sought to keep operations as normal as possible by declaring their neutrality. Whether that will work for them seems an open question. It's tough to continue operating when your protection has grown shaky. 

Dave Bittner: There is a natural tension between security and convenience. And one of the places where that manifests itself is at large events - stadiums, arenas or theaters where thousands of people need to get in and out of a facility in a way that ideally is both efficient and secure. Ricardo Amper is CEO of Incode Technologies, a company that's using biometrics to keep those lines moving securely. 

Ricardo Amper: The trick to making it right is that it has to be a combination of a number of things. First of all, it has to be secure. So we use the same technology that major banks - you know, the top three digital digital banks use healthcare, et cetera. So it has to be secure. And the second one that you mention - it has to be able to streamline entrances while making sure that it's secure and, at the same time, provide a platform to further use - expand the use cases and then become a complete engagement platform for fans. 

Dave Bittner: You know, in preparation for our conversation today, I was thinking about some of the biometric methods that we use in our daily lives. And I was thinking about, you know, something like Face ID on an iOS device where, you know, it is extraordinarily reliable. But in the off case that it doesn't work, you have a password to fall back on. Is it similar here where the biometric authentication, the face scan allows you to get in quickly but you still bring your ticket along just in case? 

Ricardo Amper: Look. There's different ways how this can be implemented. Our favorite one is one that's great for privacy. So after you prove your identity, we generate a QR code where your biometric is embedded there. It's not on the server. It's not anywhere where it can be stolen. And so when you come to this stadium, you scan the QR code, and then with a device that's offline, that's not connected to the internet, extracts that kind of biometric data from your QR code, reads your face at the time of entrance, and then matches up, and then deletes it. So it's incredible because no one knows that you're there. No one is using facial recognition in any creepy way. But it's actually a super private centric way to be able to streamline the entrance. And you can tie your ticket. You can tie your credit card. And so once the identity is there, then there's a number of experiences that open up. 

Dave Bittner: Let's talk about privacy. I mean, what are the things that are in place there to ensure that people feel comfortable with it? 

Ricardo Amper: First of all, privacy is our North Star. Everything that we develop, it's developed around privacy. So what does that mean is that we always ask for consent. So we don't sell or support any use cases that are surveillance or something that's not without consent. Secondly, the data is yours, and you can extract it, delete it, transfer it as you want. No. 3, the biometric is not stored as a picture. It's stored as two-kilobyte string, which, even if it was hacked, would have been impossible to deduce your face from it. And four, in the specific case it's not stored in the cloud, it's just stored your QR code that's on your phone. And so this is - these are a number of sort of privacy measures that can allow these type of experiences which provide a lot more security, but at the same time, enhance privacy - even more that if human beings would check it. 

Dave Bittner: Now, what about the actual security at the facility? Say, for example, there is some sort of incident, you know, where there's someone - there's a disagreement, there's a physical altercation, something like that. Would stadium security be able to have access to this to help them do the things they need to do? 

Ricardo Amper: Yes, absolutely. So our system allows for stadium personnel to be able to block people if they generate some type of problem or if other people have generated in the past and you have kind of frames or videos from - that you can feed into the system. And so when that person either tries to get their fan ID or is standing in front of the stadium, as the person tries to enter with his face, he will be stopped. So there's a number of ways you can create these blacklists, and it creates the right incentive for people to behave well. 

Dave Bittner: What's the reaction been so far? I mean, biometrics is certainly not without controversy. How's the adoption rate going for you? 

Ricardo Amper: Yeah, there's a lot of controversy because there's a lot of - there's a massive lack of knowledge and confusion. So when you talk about biometrics for facial recognition, there's two parts. The surveillance side, which is against every privacy law, it's trying to recognize you, you don't know that's happening, you never gave consent, you don't get access to the data. And so it's creepy, and it should be actually regulated and eliminated in most of the cases. When it comes to our technology, it's always with consent. And so once you go into the stadium, you go with your consent that you participate in the program, that you're using your biometric to get in. And so it's a way, once people get authenticated and, you know, they have the incentive to perform well, but every economic activity gets just easier and more productive. 

Dave Bittner: That's Ricardo Amper from Incode Technologies. And joining me here is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. Rick, you and I and several other members of our CyberWire team were in full force last week at the RSA '22 conference. And as part of that, you were invited to attend a press conference that was put on by the NSA. Who was there? 

Rick Howard: Yeah, it was late in the afternoon on my last day of the conference. And we were tucked away on the third floor of the Moscone Center. I mean, there was nobody up there at that point. There is a long table down the middle of the room with me and three other journalists on one side and the NSA contingent on the other. Rob Joyce was there. He's the director of cybersecurity strategy and oversees the NSA cybersecurity directorate. And their mission is to prevent and eradicate cyber threats to the Department of Defense, national security systems and the defense industrial base, or the DIB, as the cool kids call it. They had - Natalie Pittore was there. He's the chief of the NSA's Enduring Security Framework, essentially, the intelligence sharing function between the NSA and the feds, plus the DIB. And Kristina Walter, she's the chief of defense for the DIB. 

Dave Bittner: And so you're saying DIB here. What exactly is DIB? 

Rick Howard: Well, as you can imagine, the federal government uses a lot of commercial contractors and, according to the CISA website, more than 100,000 defense, industrial-based companies and their subcontractors. And many of these companies run material systems for the government, both on the unclassified and classified networks. And so these companies make up the DIB. 

Dave Bittner: And the DIB has its own ISAC, their Information Sharing and Analysis Center, right? 

Rick Howard: Yeah. It's called the National Defense ISAC, and it's part of the NSA's job to share intelligence and provide security and intelligence products with the DIB community. For example, according to Natalie Pittore, besides intelligence on the latest threats, the NSA's Enduring Security Framework provides white papers to the DIB - and to the public, by the way - on thorny security topics like security guidance for 5G cloud infrastructure in terms of integrity, data protection, network isolation, lateral movement detection and just general-purpose threats to 5G in general. And then Morgan Adamski, she's the chief of the Cybersecurity Collaboration Center, she talked about the NSA offering of protective domain name system services that is injected with NSA's unique threat intel. And this is a free service to all the DIB companies. So those are the kinds of things those folks provide to those groups. 

Dave Bittner: Well, looking at the intelligence sharing side of things, how are they doing there? 

Rick Howard: Well, the DIB intelligence sharing program has been around for a long time. And I asked Rob to give us an update on the current status and future direction. My takeaway from that exchange was that the National Defense ISAC is in the same boat as many of the other ISACs and ISAOs in existence out there. They're all pretty good at sharing IOCs with each other - indicators of compromise - probably not as good as sharing intrusion kill chain tactics, techniques and procedures for known adversary campaigns, you know, along the lines of the MITRE ATT&CK framework. And they're all struggling with automating the process. Remember, the DIB companies range in size from giant Silicon Valley security vendors like Cisco to mom-and-pop startups who provide key services as a subcontractor to the larger primes. So establishing a level playing field of resources, it's a really tough problem, but they've made huge strides since their founding in May - have made progress every day. And the protective DNS service is a great example of that. They have other security services like that on the table discussing about those kinds of things for future deployment. 

Dave Bittner: How interesting is it to you that you were invited to this at all? I mean, this sort of outreach - I'm not speaking you personally. I'm just saying, this type of outreach... 

Rick Howard: Yeah, why the hell were you there, Rick? 


Dave Bittner: Yeah. Don't they know who you are - I mean, or aren't? But this sort of outreach is a bit of a pivot for some of these agencies, right? 

Rick Howard: Well, I mean, for this, you know, the government - the federal government has been talking about the private-public collaboration - OK - for years. And this effort at the RSA Conference is one way they can get the information out to show people that they are contributing to this effort. And, you know, when we started doing this way back in the early 2000s, there wasn't a lot of sharing going on between the commercial sector and the government. And like I said before, we've made huge strides in that area. 

Dave Bittner: Yeah. All right. Well, thanks for keeping us up to date here. Rick Howard, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.