The CyberWire Daily Podcast 6.22.22
Ep 1604 | 6.22.22

A Fancy Bear sighting. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT discovered. ICEFALL ICS issues described. Europol collars 9. Say it ain’t so, Dmitry.


Dave Bittner: Fancy Bear is sighted in Ukrainian inboxes. Why Russian cyberattacks attacks against Ukraine have fallen short of expectations. The ToddyCat APT is active in European and Asian networks. ICEFALL ICS vulnerabilities are described. Europol makes nine collars. Andrea Little Limbago from Interos on the global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the future of vulnerability management. And we are shocked - shocked - to hear of corruption in the FSB.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 22, 2022. 

Fancy Bear sighted in Ukrainian in-boxes.

Dave Bittner: Let's start today with a question. What are you scared of? Dentists? The dark? Starting conversations with people you find attractive? Or how about nuclear terrorism and the taxman? 

Dave Bittner: Social engineers play on fear, hope, sympathy, vanity, greed and so forth, especially fear, a human emotion the GRU knows like the back of its paw. CERT-UA has warned that APT28, the GRU operators familiarly known as Fancy Bear, have opened a renewed campaign of exploitation against systems still vulnerable to Follina, the Microsoft diagnostic tool vulnerability tracked as CVE-2022-30190. Fancy Bear is running two distinct campaigns, Ukraine's SSSCIP warns, both of which use phishing as their modes of access. 

Dave Bittner: The phishbait appeals to two very different sets of fears. The first campaign, which Malwarebytes has also described, counts on an email recipient's fear of nuclear war (topical, given the ongoing Russian nuclear saber-rattling described by the Telegram. The malicious document, Nuclear Terrorism, A Very Real Threat, carries CredoMap malware as its payload, CERT-UA says. The other campaign uses a more proximate if less existential dread to induce the recipient to click - fear of the taxman. 

Dave Bittner: Anyone in wartime might be forgiven an understandable lapse of memory where paying taxes is concerned. The phishbait sample CERT-UA shares is sternly entitled Imposition of Penalties, and the malicious document carries a CobaltStrike beacon as its payload. The email's subject is notice of non-payment of tax. The goal of both campaigns appears to be espionage, although it's worth noting that CERT-UA sees the tax-themed campaign as directed against critical infrastructure. 

Why Russian cyberattacks against Ukraine have fallen short of expectations.

Dave Bittner: An Op-Ed in The Washington Post summarizes what's becoming consensus opinion about Russia's failure to deliver the devastating cyberattacks that were generally expected during the run-up to war. Ukrainian resilience, with appropriate and well-applied assistance from the private sector, was able to fend the Russian operators off. According to The Post, the close partnerships that have emerged between U.S. technology companies and Western cybersecurity agencies is one of the unheralded stories of the war. The public-private rift in the tech world that followed Edward Snowden's revelations in 2013 appears largely to be over because of the backlash against Russia's attacks on the 2016 and 2020 U.S. presidential elections and now its unprovoked invasion of Ukraine. 

ToddyCat APT is active in European and Asian networks.

Dave Bittner: Kaspersky describes ToddyCat, a hitherto unremarked APT active against high-profile European and Asian targets. The threat actor works against vulnerable Microsoft Exchange instances, has been active since late 2020 and deploys at least two distinctive tools - the Samurai backdoor and the Ninja Trojan. It's not clear whom ToddyCat is working for, and its disparate target list offers few obvious suggestions. The group is said to have been active against Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, The United Kingdom, Kyrgyzstan, Uzbekistan and Indonesia. 

ICEFALL ICS vulnerabilities described.

Dave Bittner: Researchers at Forescout describe OT:ICEFALL, which they characterize as a set of 56 vulnerabilities affecting devices from 10 OT vendors. Forescout calls the affected systems insecure by design and divides the vulnerabilities into five categories. 

Dave Bittner: First, remote code execution - this allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors in different contexts within a processor. So an RCE does not always mean full control of a device. This is usually achieved by insecure firmware or logic update functions that allow the attacker to supply arbitrary code. Next is denial of service. This allows an attacker to either take a device completely offline or to prevent access to some function. Then there's file, firmware or configuration manipulation. This allows an attacker to change important aspects of a device, such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication or authorization or integrity checking that would prevent attackers from tampering with the device. They next list compromise of credentials. This allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely. And finally, authentication bypass - this allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device. Completely mitigating the Icefall vulnerability will require vendor-delivered patches. In the meantime, network isolation, restricting network connections to specifically selected engineering workstations and, of course, focusing on consequence reduction are all encouraged. 

CISA issues ICS vulnerability advisories.

Dave Bittner: CISA continues its program of alerting operators to industrial control system issues. The agency yesterday released six ICS security advisories.


Europol makes nine collars.

Dave Bittner: Bravo, Europol. The International Police Agency, working with its Dutch and Belgian colleagues, yesterday bagged nine miscreants involved in a phishing operation that had winkled its victims out of millions of euros. The arrests, all in the Netherlands but under a Belgian warrant, were made in the course of 24 house searches that also netted a lot of ill-gotten swag, including firearms, ammunition, jewelry, electronic devices, cash and cryptocurrency, which seemed to be the usual desires of cybercriminals nowadays. All that's missing is the snazzy and ostentatious sports car. But perhaps cybercriminals in the low countries are more given to riding bicycles than their Russian, Nigerian or, for that matter, American counterparts are. What's with all the jewelry? Is the typical cybercriminal a fashionista? The world wonders. If you are a cybercriminal, why not call Europol and let them know what it is about jewellery that draws you so? We're sure they'd love to talk to you. 


We are shocked, shocked, to hear of corruption in the FSB.

Dave Bittner: And finally, TASS is authorized to disclose that they just aren't making siloviki the way they used to and it's a shame. An FSB officer has been arrested for stealing cryptocurrency from some hoods he was supposed to be arresting. We note, parenthetically, that this would never happen in the Netherlands. TASS quotes its official sources as saying the 235th Garrison Military Court a month ago arrested Dmitry Demin, lieutenant colonel of the Federal Security Service for the Samarra region, on charges of especially large-scale fraud. And on June 21, his detention was extended until early August. Lieutenant Colonel Demin apparently shook the goon, one A.O. Mochalov, down for his crypto during the course of an investigation. And when Mr. Mochalov was later arrested by others, he apparently asked the cops what happened to that crypto the lieutenant colonel took from him. Time to lawyer up, comrade lieutenant colonel. 

Dave Bittner: Anyhoo, Russia is particularly troubled by corruption. And while it's less common over here than over there, it happens to you, too, yankee. Back in 2015, the FBI bagged a Secret Service and a DEA special agent in Baltimore on charges of ripping off the Silk Road crooks they were supposed to be investigating. It was a poor career move for the duo who should have known better. By the time the Justice Department issued its press release on the indictments, the two were already described as former federal agents. We imagine Lieutenant Colonel Demin will soon be described as a former FSB officer. 

Dave Bittner: The CyberWire's own Rick Howard recently sat down with Michelangelo Sidagni. He's chief technology officer at NopSec. Their discussion centered on the future of vulnerability management. 

Rick Howard: I'm joined by Michelangelo Sidagni, the CTO and co-founder of NopSec. Michelangelo, thanks for coming on the show. 

Michelangelo Sidagni: Thanks, Rick. Glad to be here. And, you know, hope to come back many times. 

Rick Howard: Absolutely. We will put you on the rotating roster. We're talking about vulnerability management today. And I've been doing vulnerability management in the various places I've worked since the internet was young, you know, for the last 30 years or so. And on the surface, to me, it doesn't appear that the community is getting any better at this never-ending task. But that can't be true, right? I mean, I'm sure there's been advances over the years. Can you give us a sketch of how the industry does vulnerability management today? 

Michelangelo Sidagni: It's really like - you know, what the industry does these days is not like big organization - it's not what it's supposed to be. First of all, the industry identify vulnerability management doing only a part of it, which is vulnerability assessment, which is the art or the science of finding vulnerability using an infrastructure network scanner or a web application scanner. So basically you point these tools, this software to the - your web application, and soon enough a bunch of vulnerabilities are going to come back. 

Michelangelo Sidagni: But that's only part of the story. The most important parts are having a comprehensive asset inventory. Part of vulnerability management is called vulnerability assessment. The third part is, like, very, very important - prioritization. I mean, after, like, I find hundreds of thousands of vulnerabilities which are high-end critical, what am I supposed to do? Am I, like, to fix all the critical and leave alone the medium or low? Well, it's not as clear cut because not all vulnerability are created equal. For example, there are critical vulnerabilities, and that's where the prioritization comes in, that basically - like, they're critical in the CVSS score scale, but they've never been exploited. There's no indication of exploit that are available in the wild. They're never been used because and never tried to be exploited because they're so hard to basically - for, like, a motivated attacker to build a stable exploit. And there are others that are, like, medium or low that - they are used all the time as jumping around to actually find - mounting, like, a more sophisticated attack, so basically exploiting one vulnerability and then chain it to another. If you prioritize correctly vulnerability, you don't have to patch 100%. You only patch vulnerabilities that are critical for your system, for your network. 

Rick Howard: Let's unpack some of that, right? So first of all, you're talking about just discovery of unknown software that's running out there. Like, you were talking about somebody throws up a web server in AWS that you didn't know about, so you have to discover those things. The other one, though, and it's become more prominent here this last year, is just keeping track of the software components that we're all running. You know, and that is the software that we develop ourselves, plus the commercial software that we use, like Microsoft or whatever it is. But the thing that's come into the front this year is supply chain software, all the components that everybody's using from open-source software. We talked about Log4j that came out last December. Everybody was scrambling to see if we were running that component in our software. So that's a huge job. Have we gotten better at being able to keep track of all that stuff? 

Michelangelo Sidagni: It depends, obviously, on the security material of an organization. Basically, like, attackers, they're getting smarter, and they take the path of least resistance. It's really hard, for example, like, to hack a government up front. But if you take the supply chain route, it might be actually easier for the compromise and obtain the same result. 

Rick Howard: You mentioned prioritizing the work here, and you referred to it in some of the things you've written as risk-based vulnerability management. So can you elaborate on what that means exactly? 

Michelangelo Sidagni: Risk is basically - can be split in, like, really two areas. One is threat-based risk prioritization. So that means that, again, like, not all the vulnerabilities are created equal. Some, they'll never be exploited. Some are hard to be exploited. Some are currently used as part of, like, threat intelligence information. 

Rick Howard: I agree that the criticality of the vulnerability feeds into the risk equation, but I'm not sure that's the most important part. If I was going to base decisions on what work to do over other kinds of work, I would base it on data or systems that are material to my business. So if I know what those are, and then there's a critical vulnerability that pops up, then clearly we need to work on that one first. But if it's worrying about the - you know, the menu from the cafeteria down in the basement, maybe we don't worry about that one so much. 

Michelangelo Sidagni: The second part is what I call contextual risk. So basically it's based on the - your organization existing controls. That means it's very important to perform threat modeling on the vulnerability. So calculate and visualize the attack type on vulnerable system. But also, of two system, they are actually reachable from the attacker. 

Rick Howard: This is all good stuff, Michelangelo, but we're going to have to leave it there. That's Michelangelo Sidagni, the CTO and co-founder of NopSec. Thanks for coming on the show. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is the senior vice president of research and analysis at Interos. Andrea, it's always great to welcome you back to the show. I want to start off today just by sort of checking in with you, if we could do a broad check-in on the state of the world. And I know that's a lot. But maybe let's start big and then go a little smaller. When it comes to, you know, democracies, authoritarianism and how that's affecting our ability to connect with each other online, where are we right now? 

Andrea Little Limbago: Yeah. I think we're continuing to see a lot of the trends that have been accelerating over the last few years, so it's a great question. And I look at - really, the broad geopolitical fault lines are starting to become more embedded. And then along those, you see the technological fault lines basically are starting to follow suit with the geopolitical. And that's why they are so intertwined. And when you think about either the role of emerging technologies, both in society and in modern warfare, they're just so crucial in the foundation onto both components that when you do start seeing some of the geopolitical fault lines start to emerge - natural, almost, to see that those are also going to lead to divides along technology, along approaches to data - and that's where we're seeing a big aspect of it - and approaches to what's viewed as a trusted network. And, you know, at a very high level, we are still seeing China really leading the way on more of the digital authoritarian model. And that does still continue to gain traction. We still see, you know, additional laws starting to pop up from Cambodia and Thailand and really across the globe that are putting more restrictions and censorship on data. 

Andrea Little Limbago: But at the same time, we still see the reverse trend of over 100 different data privacy laws popping up across the globe. And those are interesting in that some are under the auspices of national security and so, actually, are almost - they sound very similar to something like the GDPR, which is intended for having protected individual data rights. But you actually do see aspects of the GDPR in China's data privacy law. And so there are some similarities along that line as far as, you know, data minimization and what kind of data different companies can have access to in its flow across borders. But where you see differences are - you know, it's almost like the devil's in the details. Like, for China's law, for instance, there is governmental access allowed pretty much without any kind of judicial review or oversight or accountability. And so that's where you start seeing some very big differences. But there is, you know, really, across the globe, still a push towards greater data protection, data privacy, which is a nice movement. 

Dave Bittner: How is this affecting the big global companies - you know, the Apples of the world - who are doing business across the world but, of course, China, a hugely important market for them? 

Andrea Little Limbago: Yeah. You know, it's really making companies across the globe really rethink their global footprint. And on the one hand, it's much easier said than done. You know, for companies like Apple, who have invested decades in their manufacturing plants, for instance, in China, you can't just pick up and move a manufacturing plant and find that labor, you know, anywhere else - that that actually - you know, that takes a decent amount of time to rebuild out elsewhere. But at the same time, Apple is starting to rethink some of that. And it's not just Apple. We've seen other companies either, you know, starting to minimize their footprint - and I would say, you know, it's not a, you know, full-out, complete withdrawal, but there's a decoupling going on where companies are rethinking, you know, what data they have, what some of their core components of their - you know, across their supply chain and trying to lessen their dependency on China for those very reasons. And so we'll see what happens. The - you know, there has been a big increase in, you know, reshoring and decoupling over the last few years from China. And that really started to - you know, it kicked off really during the start of the trade wars during - you know, around 2016. So it's - the pandemic accelerated it when everyone started to realize just how big their concentration risks were when there was a lockdown. 

Dave Bittner: Right. 

Andrea Little Limbago: And I would say, for a lot of those companies, there is a geopolitical component to it, but it's also the aspect of not having all your eggs in one basket from a supply chain perspective. So even if they're not necessarily bought into the shifting geopolitical dynamics, companies are bought into the notion that they realized that they had a single source of failure and are trying to diversify from that. 

Dave Bittner: Yeah. Where do you see the trend lines headed? What do you - where do you think we're going here? 

Andrea Little Limbago: Yeah, you know, I do think that we're entering this new normal, and that's, you know, whatever we call it. You know, I think it's that - post-pandemic new normal, whatever this era ends up getting named. But it is. You know, it's a different global order than what we've seen in the past. It's - you know, I think there's a sort of easy trend to thinking that, oh, maybe it's going to be like the Cold War. We'll call it (unintelligible) in the U.S. Cold War and make it easy because that's fairly familiar for, you know, people who have been around or have studied the history of that. But it's not the Cold War. And that's one of the things that I try and reinforce over and over again because you're really under a very different system. One technology that changes everything, the internet and various forms of emerging technology, artificial intelligence, all that really makes it a game changer just on the aspect of what warfare and technology will - how that will contribute to any kind of geopolitical tensions. 

Andrea Little Limbago: And then also, you know, it's much more of a multipolar system. And there's much more entanglement of the economies. And so if you think about during the Cold War, the economies were fairly distinct. Now there's just so much - you know, it used to be called mutually assured economic destruction, because the Chinese and the U.S. economies were so tightly controlled, no one ever thought that there could be a war. And so it will be interesting to see what happens with some of this decoupling. But - the decoupling, you know, if done well, should be prioritized in areas of national security interest and social aspects of Social Security as far as, you know, health security and so forth, like we saw during the pandemic, and focus on those areas. But there are still areas where there can be mutual gains. And so hopefully, there are some - those still remain a component that keeps some links between the different countries. But there is the decoupling. It's going to take a long time. I really don't think it'll be an entire decoupling, but it is, you know, where the U.S. and China go, it really does spill over into the rest of the world. 

Andrea Little Limbago: And then what you see with Russia's invasion of Ukraine, you see Europe really coming together much faster. And that actually, you know, it really decreased a lot of the tensions across U.S. and Europe as well and brought the EU and U.S. really a lot more tightly coordinated than they ever had been for recent history. So we do - we are seeing some push factors that also are pushing a lot of the democracies closer together in ways they hadn't been before. There was just an Indo-Pacific economic agreement introduced probably a few weeks ago in May timeframe, and that also is getting additional economic ties. And that kind of overlays with the Quad Alliance that also has supply chain and technological ties. And we're seeing just really a restructuring, and I think a lot of that will be along, you know, technology and rules and regulations of the internet will really become the driving forces that are binding different groups together. 

Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Rachel Gelfand, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.