The CyberWire Daily Podcast 7.20.22
Ep 1623 | 7.20.22

Cyber phases of Russia’s hybrid war seem mostly espionage. Belgium accuses China of spying. LockBit ransomware spreads. And Micodus GPS tracker vulnerabilities are real and unpatched.

Transcript

Dave Bittner: What's Russia up to in cyberspace nowadays? Belgium accuses China of cyber-espionage. LockBit ransomware is spreading through compromised servers. Malek Ben Salem from Accenture explains the privacy-enhancing technologies of federated learning with differential privacy guarantees. Rick Howard speaks with Rob Gurzeev from CyCognito on data exploitation. And MiCODUS GPS tracker vulnerabilities could motivate users to turn the darn thing off.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 20, 2022. 

Current Russian cyber operations.

Dave Bittner: Late yesterday, Google's Threat Analysis Group published a full report on what it's seen recently of Turla and other actors aligned with the Russian cause. Turla is indeed impersonating the Azov Regiment and is offering malicious apps that misrepresent themselves as a kind of do-it-yourself kit patriotic Ukrainians can use to conduct DDoS attacks against Russian networks. The apps do nothing of the kind, but instead install malware on the devices to which they're downloaded. 

Dave Bittner: TAG writes, Turla, a group publicly attributed to Russia's Federal Security Service, recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third-party messaging services. We believe there was no major impact on Android users and that the number of installs was minuscule. 

Dave Bittner: Other Russian groups TAG mentions in dispatches include the GRU, also known as APT28, Sandworm or Fancy Bear, and a privateering spinoff of the possibly defunct Conti gang. These are exploiting the now-patched Follina remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool. TAG's observations confirm earlier reports by CERT-UA. 

Dave Bittner: The report says the Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine. TAG has also observed an increased number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit and password-protected archives impersonating the State Tax Service of Ukraine. We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking Trojan based on overlaps in infrastructure, tools used in previous campaigns and a unique cryptor. 

Dave Bittner: Cyber-espionage continues elsewhere with phishing as its principal mode of gaining access. Ghostwriter, operated by the intelligence services of Russia's ally Belarus, has continued to work against its customary targets, especially Poland. And the Russian threat group Coldriver - also called Callisto, but best known as Gamaredon or Primitive Bear - continues to send credential-phishing emails to targets, including government and defense officials, politicians, NGOs and think tanks and journalists. Coldriver has also used Dropbox and Google Drive to host malicious PDFs. 

Cyber escalation and spillover.

Dave Bittner: The European Union yesterday issued a statement deploring Russia's conduct in cyberspace and the way in which its offensive activities have spilled over to countries other than Ukraine. The statement draws particular attention to the nuisance-level DDoS attacks EU member states have recently experienced. The statement reads, the latest distributed denial-of-service attacks against several EU member states and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyberthreat landscape that EU and its member states have observed. We strongly condemn this unacceptable behavior in cyberspace and express solidarity with all countries that have fallen victim. We remain determined to address and investigate malicious cyberactivities affecting international peace, security and stability, including the security of the European Union and its member states, their democratic institutions, citizens, businesses and civil society. The statement made a point of reminding all that the EU had condemned Russian cyberattacks against Ukraine as early as January 14 of this year - a date that seems to mark the onset of the preparation phase of Russia's hybrid war. 

Belgium accuses China of cyberespionage.

Dave Bittner: There's other cyber spying out and about. Belgium's foreign ministry has accused China of an extensive cyberespionage campaign against numerous Belgian targets, including the country's ministries of interior and defense. The specific threat groups singled out include APT27, APT30, APT31 and GALLIUM. This last group is also tracked as SOFTCELL and UNSC 2814. The foreign ministry's statement said in part, Belgium strongly denounces these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behavior as endorsed by all UN member states. We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation. 

Dave Bittner: China says, in effect, prove it - and by the way, you can't because China, as usual, is the real victim here. The response of the Chinese embassy in Brussels is familiar stuff, reading in part, we have taken note of the statement. It is extremely unserious and irresponsible of the Belgian side to issue a statement about the so-called malicious cyberattacks by Chinese hackers without any evidence. On the one hand, the Belgian side refuses to provide the factual basis. And on the other hand, it makes groundless accusations and deliberately denigrates and smears China. We express our strong dissatisfaction and our firm opposition. On the issue of cybersecurity, China is square, frank and open. China has always been a strong advocate of cybersecurity and one of the main victims of cyberattacks. Various other whoppers follow. If you're curious, do read the whole thing. Our European desk tells us the statement sounds better in French - but then, most things do. 

LockBit ransomware spreading through compromised servers.

Dave Bittner: Researchers at the Symantec Threat Hunter Team - part of Broadcom software - this morning reported that threat actors are targeting servers with LockBit ransomware. Their goal is to spread the ransomware through compromised networks. One attack utilizing LockBit has been seen identifying domain-related information, creating a group policy and executing a gpupdate /force command to update the group policy. The threat actors behind LockBit, which Symantec tracks as Syrphid, first appeared in September 2019 and quickly expanded their operations through a network of affiliates. This version of LockBit delivers a double extortion attack, both encrypting files and threatening public exposure of stolen data. LockBit is selective in its targeting, sparing Russia and a small selection of countries in the near abroad. 

Dave Bittner: LockBit is a ransomware-as-a-service operation, and it's replaced the now possibly defunct Conti atop the C2C market leaderboard. Its rise is thus particularly opportunistic, but Symantec sees other keys to its success. They say LockBit's success is also due to its developers' and affiliates' continued evolution of features and tactics, which include the malware's fast encryption speed, ability to target both Windows and Linux machines, its brash recruitment drives, and high-profile targets. In addition, as previously mentioned, the launch of a rewards program for vulnerabilities in LockBit's code and for suggestions on improving the ransomware-as-a-service operation will no doubt help the ransomware remain a serious threat to organizations. 

Micodus GPS tracker vulnerabilities.

Dave Bittner: Researchers at BitSight have issued a report on vulnerabilities in the popular MICODUS MV720 automotive GPS tracker. The MVS720 (ph) is designed for both fleet management and theft protection. In addition to simply tracking vehicles in which it's installed, the MV720 offers antitheft, fuel cutoff, remote control and geofencing features. All of these are susceptible to exploitation in a variety of ways. As BitSight puts it, the exploitation of these vulnerabilities could have disastrous and even life-threatening implications. For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions and threaten national security. The researchers say they've been trying to get through to MICODUS since September of last year, and the account of their attempts at responsible disclosure form a story of virtue under trial worthy of Samuel Richardson's "Clarissa." In brief, BitSight says, MICODUS never replied. And eventually, when BitSight turned to the U.S. Cybersecurity and Infrastructure Security Agency, CISA had no better luck getting through. Guangdong-based MICODUS says on its website that it values customer feedback, but there was no mention on their site of any of the issues BitSight uncovered, nor are there any fixes or updates available. So what's a concerned driver to do? Punch out, friend. Take the Martin Baker option. BitSight thinks all users should disable their MV720s at once and stop using them until a reliable fix for the vulnerabilities is available. 

Dave Bittner: CISA, while noting that no public exploitation of the vulnerabilities has so far been seen, basically agrees and thinks users should take care to isolate their networks from the vulnerable devices. 

Dave Bittner: My CyberWire colleague, Rick Howard, recently sat down with Rob Gurzeev from CyCognito to discuss a recent disclosure from CISA on data exploitation. 

Rick Howard: I'm joined by Rob Gurzeev, the CEO of CyCognito. Rob, it's good to have you back on the CyberWire. 

Rob Gurzeev: Thank you, Rick. It's a pleasure to be here again. 

Rick Howard: So back in November, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, released a report called Reducing the Significant Risk of Known Exploited Vulnerabilities. And in it, they announced a new intelligence report called the Catalog of Known Exploited Vulnerabilities. What's going on here? 

Rob Gurzeev: Yeah, it's a super interesting release where they cover one of the most important elements in cybersecurity that is also one of the least discussed or well understood areas in cybersecurity, I believe, which is - and that's their data, that only 4% of the total number of CVEs that have been public actually got exploited. So only 4% got exploited. But 50% of these vulnerabilities of these 4% actually get exploited within less than 48 hours. And 70% of these vulnerabilities get exploited within less than 28 days. 

Rob Gurzeev: So when you think about mean time to remediation, which on average, it's in the months, obviously that's not nearly enough. And so that's a super important statement that should make security teams, security leaders inspect, you know, what they're doing today. Is their MTTR - mean time to remediation - relevant enough? And it's related to the general risk management question. 

Rick Howard: So the report says that in 2020, industry partners identified a total of over 18,000 new cybersecurity vulnerabilities. And like you said, only 4% of those were used for exploitation. I did the math. That's just 720 vulnerabilities compared to 10,000. So how do we adjust our thinking here? What do we do with that information? 

Rob Gurzeev: The tricky thing or the interesting thing about cybersecurity and actually having done offense and dealt with offense for years in intelligence agencies and other contexts, make the following quite obvious. There is the IT perspective, which is, we have all of these systems. We're building our architecture, want the architecture to be really great, really safe, easy to manage, great. But then there is the attackers' perspective, which is related to these 4%, which is related to path of least resistance. Interestingly enough, that path of least resistance actually leads attackers to look at subsidiaries, assets you don't even know about and don't monitor. Third-party assets like this marketing campaign that we've seen in Europe or Asia or what have you, have built for your company, but you're not managing it might expose some of your customers' information, including PII. But it's not in your asset inventory, and your application security testing tools are never monitoring it. So that's the path of least resistance. 

Rob Gurzeev: So on the one hand, yes, it's just 4% of the vulnerabilities, and that sounds great. On the other hand, attackers are becoming more and more efficient. These 48 hours for exploiting 50% of the vulnerabilities, I think, makes that pretty obvious. And then you have these blind spots in the broad sense, whether it's subsidiaries, assets you simply don't know about, third-party assets that put you and your data and customers at risk. And then the most important question, I think, becomes, how do I increase my coverage and prioritization? 

Rick Howard: So it seems counterintuitive, you know, that we rate vulnerability as being highly critical or highly, you know - and if I was doing it, I would say, oh, that's where the bad guys would go. But you talk about this idea of chaining - that bad guys are looking for initial entry into the victim's network, right? Can you explain what you mean by chaining? 

Rob Gurzeev: Sure. So if you think about a third-party application that these - the marketing team has built with this other vendor, and that has some of your customers' credentials on it, and it has this SQL injection vulnerability. So hackers can gain these credentials from that third-party asset. And then, for example, everyone is talking about zero trust. What almost no one is talking about is zero-trust coverage, the deployment coverage. So say that only half of your authentication mechanisms actually have zero trust deployed on them. And now attackers can leverage the credentials they stole from that third-party website that is not really monitored or protected, which is something we are seeing even at the biggest banks, by the way. And then they're going to use these credentials against this, even in some cases on-prem authentication mechanisms that happen to be exposed to the internet that are not protected with your zero-trust solutions that you are discussing with your board that, you know, you have deployed. And we've actually talked to Fortune 500 companies that got breached exactly this way. 

Rick Howard: So then this idea of chaining is really the adversary working their way across the intrusion kill chain, and they don't require a massively vulnerable exploit in some piece of software. They just need a way to get their toes on the network and then they can move laterally, you know, and move their way up the escalation chain to accomplish their mission. This is a long-term play. This isn't a, you know, quick smash-and-grab operation. Is that correct? 

Rob Gurzeev: In many cases. It really depends on the threat actor. So if you're thinking about Russia, you know, they're fine with spending a few months gathering these credentials from this one asset, leveraging it over here, getting into the network, then slowly establishing the infrastructure there and taking the next steps. When such organizations do that, it's very hard to completely eliminate every attack path. But that's quite rare. And even the most advanced intelligence agencies and organizations, by the way, will still always prefer to rely on weak spots. It's obvious. And it can massively slow them down if these are hard to find. 

Rick Howard: Well, it's good stuff, Rob. Who knew - 4% of the vulnerabilities? That was a shocker to me. I think I spit my coffee all the way across the room on that one. So thank you, Rob, for coming on. That's Rob Gurzeev, the CEO of CyCognito. Thanks for coming on the show, Rob. 

Rob Gurzeev: Thank you, Rick. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director for security at Accenture. Malek, it's always great to welcome you back to the show. I wanted to touch base with you today on some privacy-enhancing technologies that I know you and your team have been tracking here. What can you share with us today? 

Malek Ben Salem: I think privacy-enhancing technologies have gained more interest recently, especially with the regulations that have been either, you know - that went into effect like GDPR or the ones that are being developed, whether in the U.S. or in other countries. So they've gained more interest. And one of the later, more recent developments is this combination of a couple of privacy-enhancing technologies. 

Malek Ben Salem: So one of them is federated learning, right? Federated learning is basically this idea where - or this machine learning approach where you can train a neural network model or machine learning model in general on a mixture of local devices, for example, phones - right? - and central devices. But it decouples the ability to do machine learning from the need to store data in a local - sorry - in a central server or on the cloud. So you can do this distributed learning through this federated learning approach. And it has been introduced - so Google uses it for Gboard, for instance, and for the prediction of, you know, next word prediction or the next emoji suggestion. Differential privacy is another privacy enhancing technology. And what it does, it provides some guarantee on the privacy level that is introduced. The way it works is it fuzzes the data, so it adds some noise to the data. So if you're typing, for instance, and, you know, the sensor is looking at your keystrokes and your patterns of typing, then it introduces, you know, some noise for each keystroke. 

Malek Ben Salem: Now, the new development is this ability to combine the federated learning approach with differential privacy so that now not only is the data kept local at the endpoint devices, but also, you know, you can provide the end users some guarantee about their privacy level. It's mathematical, you know? It can give them a number - right? - on how much privacy they're getting. And that's the key development that we've been, you know, watching. I think this is a great new development and is very promising for the advocates of privacy as we can develop these algorithms that can automatically, you know, identify where to continue training with the federated learning approach, how can we deal with cases where, you know, we don't have enough number of devices to train on, which may mean that, you know, privacy is lost, but how can we compensate for that with the differential privacy approach. So, you know, developing these algorithms that can combine the two, I think, is a very exciting new development. 

Dave Bittner: Can you give us an example of what a possible use case would be for this combination? 

Malek Ben Salem: So definitely, as I mentioned, you know, the next word prediction on mobile devices or, you know, your keystroke typing patterns - things that you want to keep the information or the data local. And, you know, if you train a central model, there is some information that has to be shared - right? - back and forth between your local machine and the central model, so how do we ensure that that happens with some privacy guarantees and that those privacy guarantees are not just added to the individual prediction of the next words, so the individual instance of training data, but also are added at the user level, so for all of your data. 

Dave Bittner: And are we still at the experimental stage with this, or are people actually deploying this? 

Malek Ben Salem: People are actually deploying it, but not at a very - at scale. I know that Google has experimented with this, and they've deployed it for some of their devices. But, you know, they're currently basically assessing how scalable the approach is. But at a minimum, we know it's working. The protocol is there. The algorithm is there to make it work. You know, what are the impacts on the accuracy of the neural network model that is trained this way, I think that's what has to be assessed. 

Dave Bittner: All right. Well, interesting stuff for sure. Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.