The CyberWire Daily Podcast 6.29.22
Ep 1609 | 6.29.22

Article 5? It’s complicated. Influence ops for economic advantage. SOHO routers under attack. YTStealer described. RansomHouse hits AMD. A NetWalker affiliate cops a plea.


Dave Bittner: NATO's response to Killnet's cyberattacks on Lithuania. Influence operations in the interest of national market share. SOHO routers are under attack. YTStealer is out and active in the wild. RansomHouse AMD. CISA releases six ICS security advisories. The most dangerous software weaknesses. Betsy Carmelite from Booz Allen Hamilton takes a look back at Biden's executive order on cyber. Our guest is Philippe Humeau of CrowdSec on taking a collaborative approach to security. And a guilty plea in the case of the NetWalker affiliate.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 29, 2022. 

NATO's response to Killnet's cyberattacks on Lithuania.

Dave Bittner: Sky News asks the inflammatory question - could the Russian cyberattack on Lithuania draw a military response from NATO? - and then gives the more ironic answer, not so fast. An opinion piece frames the issue like this - a NATO member is under attack. Normally, the meaning of this would be frighteningly clear, but this is an attack with a difference - not a physical attack, but a cyberattack. And working out what a cyberattack means is never simple. 

Dave Bittner: The issues involve responsibility - Killnet presents itself as a patriotic hacktivist, operating independently of Russian government control; and proportionality - the cyberattacks haven't been particularly damaging, and in any case, have fallen short of producing kinetic effects - consequences in real life. 

Influence operations in the interest of national market share.

Dave Bittner: Reuters reports that China has been engaging in an influence operation directed at arousing popular protests against Australian, Canadian and U.S. rare-earth mining companies. The sector is one in which China has a significant national interest, and the firms singled out for intention include Lynas Rare Earths Ltd, Appia Rare Earths and Uranium Corporation and USA Rare Earth. The campaign, Dragonbridge, discovered and named by Mandiant, seems aimed at market dominance. It makes heavy use of inauthentic social media. Mandiant said in its report, the campaign used inauthentic social media and forum accounts, including those posing as residents in Texas, to feign concern over environmental and health issues surrounding the plant, including via posts to a public social media group predisposed to be receptive to that content. Dragonbridge doesn't seem, so far, to have been particularly effective, but Mandiant thinks the approach on display, particularly the micro-targeting of the audience it seeks to reach, bears watching. 

SOHO routers under attack.

Dave Bittner: Lumen's Black Lotus Labs report that small office/home office - that's SOHO routers - are under active attack by operators using the ZuoRAT remote access Trojan. The operators are after bigger fish than home offices. Remote work has made SOHO routers an attractive point of entry into larger networks, and that appears to be the case here. Lumen's report says, the sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations. The capabilities demonstrated in this campaign - gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to inland devices and intentionally stealth C2 infrastructure leveraging multistage siloed router-to-router communications - well, that points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years. 

YTStealer discovered, out and active in the wild. 

Dave Bittner: Intezer this morning announced its discovery of malware it's calling YTStealer. The malware has been aptly named as the sole function is to steal authentication cookies from YouTube content creators. YTStealer is different from other malware in that it only harvests credentials for YouTube and not any other service. If authentication codes are found in a browser's database files in the user's profile folder, the malware launches the browser in headless mode on the infected operating system and adds the cookie to the cookie store. The malware then uses a library called Rod to control the browser, and it navigates to the creator's YouTube Studio page and steals information about the channel and encrypts it, sending it to a command and control center whose domain name is YouBot Solutions appears to be a company registered in New Mexico that describes itself by saying that it provides unique solutions for getting and monetizing targeted traffic. YouBot may well be connected outside the American Southwest. Its red eye logo that appears on its a Google business listing could be found, Intezer points out, on, an Iranian video sharing website. 

Dave Bittner: YTStealer is a C2C play. The researchers say that YTStealer is probably sold to other threat actors. They note that YTStealer often isn't the only dropped malware on a device. RedLine and Vidar have been seen alongside the YTStealer malware. Much of the dropped malware is disguised as pirated versions of video and image software and game mods and cheats. Using only legitimate versions of software is a good way to have better control over what ends up on your computer, researchers conclude. The Hacker News has a summary of Intezer's report

RansomHouse hits AMD.

Dave Bittner: RansomHouse, a data extortion gang relatively new on the cyber crime scene, has claimed a successful breach of Advanced Micro Devices, AMD, the well-known chip manufacturer. RestorePrivacy reports that RansomHouse posted what it claims represents a small sample of the data stolen to its dark web site. RansomHouse, which announced itself to the world this past December with some immodest bragging about its website, and the gang teased its AMD breach last week with a riddle. So name a company that pretty much everyone knows. Its name consists of three characters. The first character is A. 

Dave Bittner: Players were invited to send their guesses in the channel to get a link and a private message. The gang this week revealed that the victim was AMD, and the company yesterday sent RestorePrivacy a note acknowledging an incident. The chip maker said, AMD is aware of a bad actor claiming to be in possession of stolen data from AMD. An investigation is currently underway. 

Dave Bittner: The Register reports some industry consensus that RansomHouse seems unlikely to become a major player on the ransomware scene. The skepticism seems largely to consist of disapproval of the gang's swaggering self-promotion, which does indeed come across as a bit skid-like, and RansomHouse's poor attention to detail. Those 450 gigabytes of company data they claim to have, for example, are those gigabytes or gigabits? A proper member of the underworld would know the difference. 

CISA releases six ICS security advisories.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released six industrial control systems security advisories, details of which may be found at the usual place - 

Most dangerous software weaknesses. 

Dave Bittner: The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. It's a new publication, and, the institute explains, this list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working. The report includes recommended mitigations for the vulnerabilities listed. 

A guilty plea in the case of the NetWwalker affiliate.

Dave Bittner: And finally, there is a guilty plea in the case of the Canadian NetWalker affiliate, Sebastien Vachon-Desjardins. Monsieur Vachon-Desjardins specifically copped to four charges - conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in retaliation to damaging a protected computer. His sentence could total up to 40 years, but some allusion to offers of cooperation suggests that his sabbatical at Club Fed could be substantially lower than this, should he give law enforcement enough leads on his underworld friends. 

Dave Bittner: The accused had an interesting, if not unheard of work life, before the Royal Canadian Mounted Police got their man at his home in Quebec last year, he'd worked as an IT consultant for Canadian government agencies while he was moonlighting as a ransomware operator, the Record reports. A Canadian court already sentenced him to seven years before sending him south of the border to give the Yankees their shot at him. He'll be doing time somewhere in North America. How much of it will be stateside is now up to the U.S. District Court for the Middle District of Florida, Tampa Division. 

Dave Bittner: Security company CrowdSec is taking an innovative approach to collaborative security, releasing a lightweight open-source user agent that detects intrusions and shares what it finds with the community. Philippe Humeau is CEO of CrowdSec, and he explains that a good way to wrap your head around this project is to think of the popular GPS navigation app, Waze. 

Philippe Humeau: Your smartphone would share your position, your heading, your speed, and you would eventually, as a human, add all this stuff like I saw something happening on the road or a speed trap or whatever. We are very similar in this in the way that we are sharing with each other what aggression we are facing and blocking so that all the others can benefit from the sightings. And this is a collaborative network in this sense. So if you are protecting yourself from attacks, then you're also protecting the next-door hospital or this retirement house or this media outlet and so on and so forth. 

Dave Bittner: What's going on behind the scenes here to collaborate this sort of sharing? 

Philippe Humeau: Yeah. Well, what we saw is that people are mostly willingly willing to help each other. What happens is that they don't have any product or tools to help them in doing so. So the first thing we thought about is it has to be free 'cause if Waze would have cost, like, just one euro, it would never have become the network we know about. So yeah, it had to be open source and free so that the majority of the people could access it. And what we see is that the bad guys, they are collaborating with each other - all of them. All the meaningful cybercriminal groups are collaborating with each other, and we are not. We are behaving as single entities facing an army, and that just doesn't work. We need to team together if we want to tackle these large-scale problems. As for every complex problem, you need a collaboration. Like, a complex problem in sending people to the moon - you cannot possibly do it by yourself, whereas a complicated problem is a problem that is maybe very difficult, but you can solve it on your own. So here we are facing a complex problem, and we need tools for that. 

Dave Bittner: How does it get managed? How does - how do you not become overwhelmed with signaling from the folks who are taking part in this? 

Philippe Humeau: Yeah. Well, first of all, it has to be mentioned - it's all automated. So no one is, like, validating whatever or sending manually or clicking on anything. It's just servers that are fending attacks, you know, based on behavior. So if someone is, for example, scanning you or trying to guess your password or injecting credit card numbers to verify if they are still valid or trying to buy automatically a product from your website, all of these are nefarious behavior you want to block. And any time you block one of them, the signal that you block this IP address trying to have this behavior is shared with a central server - with central servers. And those servers that are doing what you call stream processing - so they are literally processing the stream that is flowing through them - they are sorting the real signals from the fake signals because we have a problem here, which is called the Byzantine general problem, like for the blockchains in bitcoin, for example. So we cannot take for granted that everyone is well-intended here. And maybe they are trying to lure us into thinking that, I don't know, Googlebot is a bad actor, has a bad behavior and want us to block the IP of Googlebot. Obviously, we don't want that to happen. So we have algorithm clearing out the noise, clearing out the attempts to do shenanigans with this consensus. And when the consensus is reached - meaning when 150, currently, machines decide that this IP aggressed them all together, and it needs to be banned - then they shoot a ban order to the whole network saying this IP has been seen too many times. Having too many times is bad behavior, and it should be blocked on site until it's having a normal behavior again. 

Dave Bittner: Why is it important that this be an open-source project? 

Philippe Humeau: Well, there are two things in open source that often are misleading. One is open source so that everyone can look into the product and code it and extend it. And the second thing is it's free. It doesn't have to be one with the other. I mean, you can be open source and not free at all. But here this is both. So the point of being free is that money is the first friction to adoption. And obviously, we are after network effects. So the larger we are, the more efficient we are. We already have tens of thousands of machine, but we aim for millions. And this gives us a real-time overview of what's happening over the internet and the capacity of blocking IP addresses used by the cybercriminals in real time. So the more the merrier. And this is where it is important that it's free. And also, the open source part makes it so that you can adapt it to your own IT landscape or your own technological zoo. You know, we cannot possibly cover all the options that are now offered by the market. What we can do, though, is make it very easy for you to be able to adapt the software in your own context. 

Dave Bittner: And how is it funded? 

Philippe Humeau: Well, that's a great question because, yeah, if it's free and if it's open source, well, how do we make money? So I'm not part of those guys thinking that we should, you know, dress like monks and not earn money or whatever. I'm hiring a bunch of great professionals that have opportunities all year long, and I want them to be 100% focused on what they are doing and not have any side jobs or whatever. So I pay them well, and to pay them well, we have to make money. 

Philippe Humeau: So for now, we are founded by VCs, namely Breega in France - B-R-E-E-G-A. But we are about to be - not profitable, but to start monetization. And how we do this is, like - take it like this. We are gathering a lot of signals, extremely valuable signals that are also virtually (ph) accurate. So we know if this IP is addressing medias, if it's addressing hospitals, if it's addressing automotive or energy industry or banks, you know? So this is extremely precious data, and a lot of people are willing to buy them just to protect themselves. You know, they may not want to use the product for whatever reason - maybe they don't have the time to deploy it, maybe they don't want to share anything, whatever. They can still get the data out of the network, out of the community, but they have to pay a premium for it. 

Dave Bittner: That's Philippe Humeau from CrowdSec. 

Dave Bittner: And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton. She's also the federal attack surface reduction lead. Betsy, great to have you back. I want to touch base with you today on the executive order that President Biden put out. It's been about a year now, and I wanted to touch base and sort of take stock of where we stand now, what worked and where there's still some work to be done. 

Betsy Carmelite: Yeah, Dave. It has been a little more than a year since the president signed the executive order, and it's important that we take a look at the current state of federal cybersecurity and do a bit of retrospective to see how far we've come and what we have left to accomplish. We looked at this tactically and strategically. So to mention a few items here tactically first, generally, the administration has demonstrated strong progress addressing the priorities outlined in the EO, and CISA has played a key role on this front. CISA resources have increased and is working to be the key convener to protect the .gov landscape. 

Betsy Carmelite: Secondly, tactically, the agency has taken several measures, such as publishing the Vulnerability and Incident Response Playbook, ensuring that they have access to all necessary information about incidents affecting federal agencies, and also working with OMB to direct a review of the 650 plus unique cybersecurity-related contract clauses for the contractor workforce. And more strategically, the takeaway is that the cyber executive order has successfully presented opportunities for improved risk management by really elevating the importance of secure product development and supply chain risk management. So while the checklists for supply chain security were necessary, it's critical to step back and identify and address the potential cyber threats that could affect the software supply chain, for instance. Those threats will drive your protections and risk management strategies, and you can uncover those through threat modeling, testing and software emulation. 

Dave Bittner: You know, in the year or so since this went into effect, what has been the response from the organizations that this affects? Are they saying that it's been pretty reasonable and achievable? 

Betsy Carmelite: Well, I think there's a belief that this has really spurred excellent progress. And there are a few areas where organizations and we as Booz Allen think we need to be proceeding further down the road as well. So while the executive order has taken ambitious steps to modernize national cyber defenses and establish action from across multiple entities with a lot of focus, rightfully so, on government and private sector coordination, continued work is needed to improve the nation's cybersecurity and improve the protection of federal government networks. So namely, the EO must really be supported and viewed as a linchpin to drive the momentum of sustained federal cybersecurity. It's critical that resources continue to be aligned to CISA so it can be a leader in the orchestration, risk management, defense operations, connectivity and protection of the landscape. And the EO also advanced proactive, preventative cyberoperations by holding agencies accountable for implementing enhanced detection and response capabilities. So how agencies approach and execute enhanced threat detection is so critical, and this is going to be really important moving forward. The EO specifically outlines more effective and agile federal government responses around detection. And we've really been looking into new approaches, specifically around detection. 

Dave Bittner: So what do you suppose is to come? I mean, having this framework in place, where are we headed next? 

Betsy Carmelite: I'd actually like to look at that detection component because that's really just going to be critical. If you look at, you know, these events such as Log4j and, you know, SolarWinds, managing detection is really tough - in organizations with hundreds of thousands of end users is really tough. And in our work with clients with complex security ecosystems with thousands to millions of endpoints, we're looking to imagine detection at scale. And there are a few things that we think could really advance protection of the federal government. But there are important concepts and tenets to remember as well. Technology is never going to replace an analyst. There's no security analyst that isn't busy constantly shifting their focus to something else. Second - automation is key, but the focus of automation should really be focused on getting detection to the right people at the right time in the right format. And third - to that note on the format, standardization is key. So as you're asking busy security analysts to further manipulate data on the fly, that only increases their workload and puts off other work that they also need to do. So we see a lot of work in the traditional SIM architecture space that needs to be improved. So a lot of those architectures are fairly antiquated. And we set out to introduce a new approach to detection that involves an engine that uses sigma rules to read logs outside of the SIM, send alerts directly to the analyst for further review - so reducing some of their level of effort. It's written with Go to provide incredible speed while decreasing performance overhead. It's built with Kubernetes' Horizontal Pod Autoscaling to address that scaling as needed. And it uses GitOps to automatically pull new signatures from Git or other sources of high-confidence analytics. And so we see this - with this approach, we can increase visibility - so important - decrease cost and automate detections through are a few small changes to already-existing architectures. 

Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.