The CyberWire Daily Podcast 6.16.22
Ep 1601 | 6.16.22

Interpol scores against BEC, online fraud, and money laundering. Developments in C2C markets. Versioning vulnerability. Cyber war and cyber escalation.


Dave Bittner: Interpol coordinates international enforcement action against scammers. A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible. Reflections on the first large-scale hybrid war. Kelly Shortridge from Fastly on why behavioral science and economics matter for InfoSec. Patrick Orzechowski from DeepWatch on Russian IoCs and critical infrastructure. And the possibility of cyber escalation in Russia's hybrid war against Ukraine.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 16, 2022. 

Interpol coordinates international enforcement action against scammers.

Dave Bittner: Interpol has announced that its Operation First Light 2022, directed against telecommunication fraud, business email compromise and the money laundering associated with them, has yielded a significant haul. Results are still coming in, but so far, Interpol says the operation's tally is 1,770 locations raided worldwide, some 3,000 suspects identified, some 2,000 operators, fraudsters and money launderers arrested, some 4,000 bank accounts frozen and some USD 50 million worth of illicit funds intercepted. Law enforcement organizations in 76 countries were involved, a remarkably large cooperative effort. Four countries conducted the raids - China, Singapore, Papua New Guinea and Portugal. The crimes involved were varied, ranging from human trafficking to Ponzi schemes built around bogus job ads. So bravo, Interpol, and bravo to its cooperating partners. 

A new version of IceXLoader is observed.

Dave Bittner: Researchers at Fortinet describe a new version of IceXLoader being hawked in criminal-to-criminal markets. The researchers say IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors over the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group. The new version is more evasive and difficult to detect than its predecessors, and of course, successful infection exposes the victims to deployment of other, more damaging malware. 

Exploiting versioning limits to render files inaccessible.

Dave Bittner: Proofpoint researchers have discovered a Microsoft 365 functionality that allows ransomware to encrypt SharePoint and OneDrive files and make them unrecoverable without backups or a decryption key. Researchers explain that threat actors can gain access to a user account through compromising or hijacking credentials, then can lower versioning limits on files on OneDrive and SharePoint down to something as low as one, encrypt the files twice and, if they feel so inclined, can exfiltrate the unencrypted files and ask for a ransom. Another option for encrypting the files doesn't involve changing the versioning settings. The default version limit is 500, so a file can be edited 501 times, rendering the original unrestorable (ph) because, as the 501st version, it exceeds that limitation by one. The malicious actor could then encrypt the files after each of the 501 edits, and increasing the version limit post-attack cannot restore the file. Proofpoint disclosed this information to Microsoft, which explained first that the versioning settings configuration workflow is working as intended, and second, that older versions of files can be recovered and restored for 14 days by using Microsoft Support. While the versioning settings configuration functionality is working as designed, Proofpoint says that it can still be abused by malicious actors. The researchers also reported difficulty recovering older versions of some files through Microsoft Support. In full disclosure, Microsoft is a CyberWire partner. 

Reflections on the first large-scale hybrid war.

Dave Bittner: The Atlantic Council has an essay by Yurii Shchyhol, head of Ukraine's State Service of Special Communications and Information Protection. Mr. Shchyhol discusses Russia's war against Ukraine as the first cyber war - that is, the first major war in which cyber operations have been integrated fully into planning and operations. One of its conclusions is that the war has rendered obvious what's long been known by close observers of cyber gangs - the place the Russian cyber underworld occupies in Moscow's order of battle. Mr. Shchyhol says, the current war has confirmed that while Russian hackers often exist outside of official state structures, they are highly integrated into the country's security apparatus, and their work is closely coordinated with other military operations. Much as mercenary military forces such as the Wagner Group are used by the Kremlin to blur the lines between state and non-state actors, hackers form an unofficial but important branch of modern Russia's offensive capabilities. Shchyhol also notes that the war has revealed Russian limitations as well as Russian capabilities. Ukraine's infrastructure has shown significant resilience under Russian cyberattack. 

Dave Bittner: Computing has an essay arguing that in wartime, nations now have as much to fear from cyberattacks as they do from kinetic attacks. At first look, this seems to be overstated. After all, cyberattacks become lethal only when they have kinetic attacks. A ransomware attack, for example, as such is very far from being an artillery barrage. And a corrupted database isn't the same thing in real life as an artillery preparation. Unless we become gnostics who believe the physical world is less real than the information space, few would go that far. But reading past the headline, that's not the essay's point. Its argument, rather, is that modern infrastructure is now so inextricably intertwined with and dependent on information technology that cyberattacks can and do have physical kinetic effects. 

Dave Bittner: Computing quotes Ian Hill, director of cybersecurity at BGL Insurance, who said at the magazine's conference last week, "The real world and the virtual world have become so interdependent. Our physical world, certainly in the context of Western society, has pretty much got to the point of no return, where our dependence on technology and technology's dependence on the internet, that the economy cannot exist without them. If anything happens to the internet or some connected technology, we've got a real problem." 

The possibility of cyber escalation.

Dave Bittner: Observers continue to debate why Russian cyberattacks haven't been more widespread and more destructive than they proved so far to be. If Shchyhol is correct, as he seems to be, that Russian cyber operators are about as concerned with abiding by the norms of proportionality and discrimination embodied in international laws of armed conflict as Russian infantry and artillery have shown themselves to be, then the apparent restraint Moscow has exhibited seems to require explanation. An essay in Cyber Security Hub concludes that a partial explanation can be found in deterrence. President Putin doesn't want a full war with NATO and has been concerned to avoid attacks on critical infrastructure that would provoke a kinetic response from the Atlantic Alliance. 

Dave Bittner: If Russia has maintained the complete conquest of Ukraine as its objective, as many observers think it has, can deterrence be expected to hold in cyberspace as the war inevitably escalates on the ground? An assessment in GIS concludes that it may not. They say Russia's red lines and escalation strategy could further change in the weeks and months ahead. How the military, political and economic aspects evolve and war aims change will influence how the Kremlin decides to use its cyber capabilities in the conflict. Speaking this week at Defense One's Tech Summit, Neal Higgins, the deputy national cyber director for national cybersecurity at the White House's Office of the National Cyber Director, said, "I do think there is a risk that the deeper you get into this conflict that the Russians will be pressed to resort to more aggressive operations. If you're acting quickly and desiring a large impact, there is a risk that you lose control, and that did occur. It certainly is a risk that we continue to monitor across the government." 

Dave Bittner: Kelly Shortridge is a senior principal at Fastly and co-author of the book "Security Chaos Engineering." I met up with her at the RSA Conference for insights on why behavioral science and behavioral economics matter. 

Kelly Shortridge: The presentation was really diving into how the lizard brain and also philosoraptor (ph) manage in information security. So there are a few great examples. One is questioning folk wisdom, which is maybe a provocative thing to say at RSA. But for instance, you hear all the time, you know, stock prices are hurt when a breach happens. Well, if you look at the data, that's not necessarily the case. So be aware that this is called availability bias, that just because something is familiar and it's repeated often, that doesn't mean it's true. It just means there's very good marketing. 

Kelly Shortridge: But you can also leverage that to your advantage when you're thinking about things like security awareness in your organization or you want to encourage secure behavior. You need to create those pithy messages. You need to make sure they're repeated. You almost need to have this - the same sort of principles as, like, a political slogan or marketing slogan. But we don't always think that way. Again, we present these kind of like very logical, drawn-out arguments for why security matters. But, really, what people need, they just need, like, quick advice they can remember. So that's a simple example of kind of how you can see on each side of the equation that this stuff matters. 

Dave Bittner: Is there a fundamental issue here that the lizard brain takes priority over the more rational side of the brain, so it screams the loudest and the quickest? 

Kelly Shortridge: It does, yes. And this is why it's actually useful, again, to kind of harness the lizard brain almost against itself. So there's a paper I'm actually working on with Josiah Dykstra, which is around opportunity cost, which can be very elaborate. You have to think about here are all of the alternative options. You know, let's say it's spending six hours of your time. What are all the things you can do with it? Turns out, it's a lot. That's way too much thinky-thinky (ph), right? The lizard brain's like, I don't want to deal with all that. However, you can create this heuristic of like, OK, but what if I did nothing? This becomes very powerful in information security. So consider application security testing, one of those tools. Use that heuristic, what we call the null baseline. Like, what happens if we did nothing? Maybe you would be releasing software to production faster. Maybe your developers would be less cranky. Maybe that's good for the organization. 

Kelly Shortridge: So you start to kind of uncover these hidden potential benefits or hidden costs of actually pursuing something security-wise that can make sure that you're not introducing unintended consequences in your organization. The lizard brain's like, security is the most important. Like, clearly this is my priority. So, like, everyone else, you know, that doesn't care about security, clearly they're wrong and irrational and can you believe them? But instead, it's almost like, you're harnessing this new lizard brain tactic of like, OK, but let me just really quickly consider what if I did none of this instead in order to almost trick yourself into being more of a philosoraptor? 

Dave Bittner: What about the threat actors, the bad folks out there who are intentionally trying to trip that lizard brain side, who are trying to get you into an emotional state and not think rationally? How do we train people to be aware of that and be able to counter it? 

Kelly Shortridge: We don't. As a security industry, we have to start designing, again, tools and workflows and procedures that try to help. We can't expect users to be experts. We can't expect them to have their thinky-thinky hat on all the time because we don't have it on all the time either. And, frankly, if you're looking - most people are dealing with external emails constantly. And now we're saying, OK, 95% of the time when you click on this link from an external sender, it's going to be totally fine, but now you have to slow yourself down and maybe read, you know, 20% fewer emails every day just for security. They're going to get fired probably because they're not going to be as productive. You can't ask them to do that. And training only goes so far. 

Kelly Shortridge: And I think if we were exposed to more training outside of security ourselves, we would realize like, oh, yeah, I totally forgot that training message at some point. So I think the answer is we don't. And frankly, these hackers are just using the same tricks you see in advertising and marketing. You know, like, click now, the sale will end soon, like, all of those behavioral tricks to get you to, like, buy more and buy faster. 

Dave Bittner: Right. 

Kelly Shortridge: That's just what attackers are using. So until we get rid of all of that, it's almost like whatever training we do is just going to be undone by the general commerce and, you know, even business emails. How many times have you had your boss say, like, you need to finish this by end of day, you need to, like, click and view this thing and review it for me? An attacker can just leverage that. So you're now saying like, OK, you got to train something that has to completely override, again, commerce, business culture, all that. I don't think it's going to work. 

Dave Bittner: In general, would you say that the folks who are developing these tools, the developers in general, are they more lizard brain or philosoraptor dominant? 

Kelly Shortridge: Every human's more lizard brain dominant. That's just how we're designed as a species. And that's part of the reason why we love, you know, like, sweet and salty snacks and, like, immediate rewards and, you know, all the stuff, the shiny stuff we see at the conference, right? I think the key thing - there's this kind of unfortunate feedback loop in the industry where people designing security tools have to satisfy the requirements of their customers. So that's the security teams. Security teams still have their lizard brain mindset of like, oh, my gosh, everything's a threat, we're vulnerable, we have to protect it at all costs. And, you know, as I say, like, they don't really care if, like, the money printer stops going, like, brrrr (ph). Like, they're fine if it shuts down if it means it's secure. It's obviously - the business disagrees, but that means that if you're developing a tool and you want to succeed, for the most part, you have to cater to those requirements. And then, of course, the customers see more of the chatter about, like, eliminate all threats. Like, prevent everything, which is not - again, that's lizard brain sort of framing. 

Dave Bittner: Right. 

Kelly Shortridge: So there's kind of, like, symbiosis around, like, OK, stop everything at all costs and don't think about how to make things easy, fast and simple for users. Like, just have those, like, really annoying bolt-ons for everyone else. Save yourself some work upfront even though maybe down the line during the incident, it's going to be extra messy. It's really unfortunate. Of course, I know we're talking more about the talk today, but my co-author, Aaron Rinehart, and I are trying to change that with security chaos engineering and start to hopefully make more of that philosoraptor and, you know, longer term thinky-thinky more automatic through a set of kind of principles and practices. 

Dave Bittner: That's Kelly Shortridge from Fastly. 

Dave Bittner: Patrick Orzechowski is co-founder of cybersecurity firm Deepwatch, where he works directly with oil and gas and pipeline operators around the country to detect and respond to threats and attacks. At last week's RSA Conference, Patrick's presentation centered on Russian IOCs hitting critical infrastructure in the U.S. during the Ukraine crisis and how this compares to other big attacks like Colonial Pipeline. We got together to discuss his findings. 

Patrick Orzechowski: The APTs are really living off of the land, and they are using known vulnerabilities mostly. So, you know, we hear things about zero days and catching behavioral things, which is great. I mean, those products need to be there to protect EDR and behavior analytics, things like that. But, you know, these actors are actually using traditional techniques and low-hanging fruit to attack systems, you know, CVEs that might have been around for six months that just haven't been patched yet. So, you know, I think those traditional kind of firewall techniques and air gap techniques are kind of a false sense of security for some of the traditional businesses, manufacturing businesses, oil and gas. And they're now realizing that they have to accelerate their patching and accelerate, you know, their protection of their systems. 

Dave Bittner: Yeah. Beyond patching, what are some of the other things that you're highlighting here in terms of mitigation? 

Patrick Orzechowski: Yeah. You know, from a detection standpoint versus mitigation, I would say looking at the infrastructure, traditional data sources that have been too noisy to look at. DNS, for example. If you go back to the SolarWinds attack, you know, those actors used DNS as the main culprit for command and control. Right? They kept track of their victims using DGA domain subdomains, and they - their infrastructure was built around DNS. So a lot of folks, you know, kind of ignore DNS even from a forensic standpoint. 

Dave Bittner: Right. 

Patrick Orzechowski: I think we need to start looking at that from, you know, an operations standpoint, day to day, week to week, month to month, to look at that data because the actors need to use DNS as well to ride that infrastructure. 

Dave Bittner: Interesting. OK. What else? 

Patrick Orzechowski: East-West traffic, so understanding what's going on in a network. You know, like I said, traditional firewall techniques, those types of things, actors will figure out what holes are in those internal firewalls as well. 

Dave Bittner: OK. 

Patrick Orzechowski: You know, you have ICS OT networks that are separated by data diodes traditionally. 

Dave Bittner: Right. 

Patrick Orzechowski: But, you know, a lot of those things, like if you look at the water attack in Tampa... 

Dave Bittner: Yeah. 

Patrick Orzechowski: ...Right? Using TeamViewer, those workstations had special access to the water control systems. And that's how they got so far in. So, you know, the actors will find ways in, and those holes that have been opened over the years, you know, you have security turnover, you have folks who poked holes in firewalls, it's working, don't touch it. Those actors will exploit those holes that are in the systems now to actually get into those manufacturing and OT systems. 

Dave Bittner: Help me understand, I mean, to what degree the fact that the nature of this sector is - there's a lot of one-offs. How much of an issue is that? 

Patrick Orzechowski: Huge. It's a huge issue because, you know, even same manufacturer. Like, Siemens has 15 different models to do the same thing, right? 

Dave Bittner: OK. 

Patrick Orzechowski: So 15 different pieces of firmware that need to be analyzed. It's a very niche area of security. 

Dave Bittner: Right. 

Patrick Orzechowski: You know, OT has their own conference that they just had down in Miami. And, you know, it's kind of been ignored until the recent, you know, Colonial and the recent hacks that have happened. You have folks like Dragos doing great things. Rob Lee was on "60 Minutes," right? So, you know, at least it's getting out there that this critical infrastructure needs to be protected. So, you know, it's - I think it is a huge issue that it is specialized, but we do need more services and products specifically around OT ICS to protect those things. You know, you don't have the CrowdStrikes and SentinelOnes that you can throw on a controller that's, you know, $50,000 that does switching and things like that. 

Dave Bittner: Right. Right. Based on the data that you've gathered here, what are your recommendations? What should people be doing to gain some ground? 

Patrick Orzechowski: Yeah. Like I said, I would say looking at the infrastructure data is critically important, whether that's with a real-time product like a Splunk or a SIEM product, whether that's a long tail product, some of the ML stuff that we're building in AWS looks at that data. I think, you know, just like we had a layered approach to defense, we need a layered approach to detection as well now, right? You have, you know, one hour, one day, one week. And each one of those detection windows has a different use case. So if you're looking at six months' worth of data - and this kind of generated out of the SolarWinds stuff. It's like, how did we miss this for six months, right? You need that data. You have to look at that data as a whole to say and start picking out those things that are weird, right? Because the - you know, the attackers will, like I said, live off the land. They tend not to drop malware now. They tend to use the tools that are built in - PowerShell, for example, in a Windows environment. 

Patrick Orzechowski: So we need to gather all that data and analyze it. So, you know, those are the things that folks can do outside of the traditional enterprise things of locking it down. I think having visibility into those systems, whatever data you can get, right? Like I said, you can't throw an endpoint product on a controller, but you might be able to get all the DNS that's coming out of that network and put it in a single place. It's going to be a lot of data, but at least you'll have some visibility into what those systems are doing. 

Dave Bittner: That's Patrick Orzechowski from Deepwatch. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.