The CyberWire Daily Podcast 7.28.22
Ep 1629 | 7.28.22

SSSCIP and CISA sign memorandum of cooperation. Tailored security services, or just hired guns? Bringing PSOAs to heel. More credential-harvesting.


Tre Hester: SSSCIP and CISA sign a memorandum of cooperation. Are private-sector offensive actors tailored security services, or are they just hired guns? Malek Ben Salem from Accenture on why crisis management is at the heart of ransomware resilience. Our own Dave Bittner sits down with Derek Manky from Fortinet to discuss the World Economic Forum Partnership Against Cybercrime. And more credential-harvesting scams are out in the wild.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Thursday, July 28, 2022. 

SSSCIP and CISA sign memorandum of cooperation.

Tre Hester: In another move toward closer U.S.-Ukraine cooperation in cybersecurity, Ukraine's State Service of Special Communications and Information Protection this week signed a memorandum of cooperation with its U.S. counterpart, the Cybersecurity and Infrastructure Security Agency. The memorandum doesn't initiate cooperation. Rather, it extends and expands the collaboration the two agencies have already enjoyed. CISA's announcement notes three areas in particular where the two agencies will work together on shared cybersecurity priorities - one, information exchanges and sharing of best practices on cyber incidents, two, critical infrastructure security technical exchanges and, three, cybersecurity training and joint exercises. 

Tre Hester: The SSSCIP's deputy chairman described the memorandum's significance. Quote, "this memorandum of cooperation represents an enduring partnership and alignment in defending our shared values through increased real-time information sharing across agencies and critical sectors and committed to collaboration and cultivating a resilient partnership," end quote. 

Tre Hester: As The Hill observes, the focus of earlier stories on U.S.-Ukrainian cooperation in cyberspace had been on U.S. Cyber Command's unspecified activities related to Russia's war against Ukraine, acknowledged last month in some concise remarks by Cyber Command's General Nakasone during an interview with Sky News. Quote, "we've conducted a series of operations across the full spectrum - offensive, defensive and information operations. My job is to provide a series of options to the secretary of defense and the president," end quote. 

Tailored security services, or just hired guns? 

Tre Hester: Microsoft late yesterday released a report, compiled by the Microsoft Threat Intelligence Center, the Microsoft Security Response Center and RiskIQ, that describes the activity of a threat group it tracks as Knotweed. Knotweed is regarded as responsible for Subzero malware, which it provides to or deploys on behalf of its customers. The group has also exploited Windows and Adobe zero-days. The report explains why Microsoft views this threat actor as particularly egregious. In brief, it's a private company hiring out cyberattack services. Quote, "PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that Knotweed may blend these two models. They sell the Subzero malware to third parties but have also been observed using Knotweed-associated infrastructure in some attacks, suggesting more direct involvement," end quote.

Tre Hester: The company behind Knotweed and its Subzero tool is Vienna-based outfit DSIRF. DSIRF's landing page displays a simple quotation. Quote, "a lie can run around the world before the truth has got its boots on," end quote - but without further elaboration. It's unclear whether that's a sideswipe at researchers who have characterized the company as a mercenary operation. The company describes itself as an Austria-based company with offices in Vienna and Liechtenstein, providing mission-tailored services in the fields of information research, forensics, as well as a data-driven intelligence to multinational corporations in technology, retail, energy and the financial sectors. They stress that they offer fundamental research. Quote, "our tightly integrated team provides sophisticated intelligence products which are individually tailored to each client," end quote. Exploiting zero days would seem, at the very least, to be taking an expansive view of business intelligence. 

Tre Hester: Microsoft explains their attribution, quote, "Multiple news reports have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including zero-day exploits in Windows and Adobe Reader in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft's communication with Subzero victims revealed they have not commissioned any red teaming or penetration testing and confirmed it was an unauthorized, malicious activity. Observed victims to date include law firms, banks and strategic consultancies in countries such as Austria, the United Kingdom and Panama. It's important to note that the identification of targets in a country doesn't necessarily mean that a DSIRF customer resides in the same country as international targeting is common," end quote.

Bringing PSOAs to heel.

Tre Hester: In conjunction with the technical report of Knotweed, Microsoft also issued a statement, quote, "Continuing the fight against private sector cyberweapons," end quote. That places Knotweed and DSIRF into the context of what Redmond sees as a larger problem, the emergence of PSOAs - that is, private sector offensive actors. They've used companies like DSIRF, NSO Group and Candiru as threats that deserve legislative attention. The Permanent Select Committee on Intelligence of the U.S. House of Representatives held hearings on the matter yesterday. Microsoft's statement to the committee urged that the U.S. work to advance global norms that would protect human rights and privacy from the wanton use of commercially produced surveillance tools that have enabled governments around the world to exceed their technical capabilities or legal authorities. Representatives of Google and the University of Toronto's Citizen Lab testified in-person, and according to Decipher, their testimony was at least as critical of the PSOAs as was Microsoft's written statement.

More credential-harvesting.

Tre Hester: And finally, this morning security firm Avanan released a report detailing a specific attack used by cybercriminals mimicking a landing page in order to get your credentials. Researchers report that threat actors are sending phishing emails that appear to be from the victim's organization that say that their password is due to expire and include a link to keep or update the password. The link sends the victim to a reCAPTCHA form and then sends them to a perfectly mirrored login screen with their company email pre-populated in order to make it look more convincing. The attack is much like that of the phishing-as-a-service subscription group, SPAM-EGY, but differs in that it targets Google domains. This may signify that the activity Avanan describes is from a different group. Many of the facets of this attack - including a mirrored login screen, the pre-populated email address and the email that appears to be from the victim's organization - make this scam pretty convincing. But when they look more closely, wary users will see that the URL doesn't match. This sort of attack has been seen before. Vigilant users should be on the lookout.

Dave Bittner: Derek Manky is chief security strategist and VP of global threat intelligence at Fortinet. They're one of the founding members of the World Economic Forum's Center for Cybersecurity, an effort that includes experts from private cybersecurity companies like Fortinet as well as law enforcement agencies, service and platform providers, global corporations and nonprofit alliances. An initial result of those efforts is the Atlas Project, created to better understand the cybercriminal ecosystem, how to disrupt it, and how to mitigate the negative impact of cyberattacks. Here's Derek Manky. 

Derek Manky: What makes this valuable with the World Economic Forum and the Center for Cybersecurity is it really brings all of this together, stitches this together, if you will, under one hood to concentrate a lot of - all of those good efforts that are happening out there specifically on cybercrime, specifically on disruption, which, as I'm sure you're well aware from a lot of the conversations that you and I and other peers in the industry have had, is the lion's share of activity that we see out there. 

Dave Bittner: Can you give us an idea of how it works from a practical point of view - the interactions you have with the World Economic Forum and the types of things that they rely on you to contribute? 

Derek Manky: Yeah, absolutely. So we were a founding partner of the Center for Cybersecurity in 2019, which is a platform with various projects underneath it, all aimed towards, you know, further enhancing cybersecurity. Specifically where we're contributing, me and my team from FortiGuard Labs, is on the Partnership Against Cybercrime. And so this journey really started in 2020, at the beginning of 2020. And we all - when I say we, by the way, there's over 40 members initially in the Partnership Against Cybercrime. So it's a really good - already a good core group that we have between public and private sector. And just to give you an idea, that's - if you look at the makeup of that, it's a diverse group. We are talking about law enforcement globally. We're talking about policymakers. We're talking about intelligence organizations. But we're also talking about, of course, security experts on the private sector as well, too. 

Derek Manky: And the way that we started this to contribute was in 2020, we started - of course, this was at the start of the pandemic, so we actually held a series of virtual workshops, many of them throughout 2020, basically brainstorming, getting all these, you know, organizations together, thinking how - what can we do? What's our focus point? What are the recommendations if we're going to all team up together to disrupt cybercrime? And that actually led to the release of a report at the end of 2020. It's the Partnership Against Cybercrime report. There were six principles and recommendations that were released from that report at the end of 2020. And that led us into, of course, 2021, looking at how do we actually implement some of these recommendations? Where can we start and do a proof of concept, which is really what led us to the creation of Atlas. 

Dave Bittner: I see. So it seems to me like this really could function as a conduit for different organizations who, in your day-to-day lives, may be competitors with each other. This is an opportunity for you all to sort of set that aside and do something for the common good. 

Derek Manky: Absolutely. And that's why I have a lot of passion. And that's what - in this - and I'm quite excited about it. And it's exactly like you say. This is putting this all under one hood, making it a neutral space and an environment for all of these organizations to work together. We've proved that this can be done in the private sector with the Cyber Threat Alliance as an example, where we have competitors working in this space to better - you know, to share threat intelligence. But those, of course, are technical indicators, right? In this case, we're talking about a broader scope, looking at, again, attribution, looking at things like crypto wallets, looking at all these different disruption points, not just infrastructure, but also the who's who and mapping that ecosystem. And so, yeah, it's absolutely a great environment. It's been a great journey so far. And as I said, we're just really beginning at this point. 

Dave Bittner: That's Derek Manky from Fortinet. 

Dave Bittner: And joining me once again is Malek Ben Salem. She is the technology research director for security at Accenture. Malek, it is always great to welcome you back to the show. You know, ransomware stays in the news and seems to show no signs of abating. I want to touch base with you today about crisis management in the face of ransomware and your recommendations there.

Malek Ben Salem: Yeah. So as you know and as you mentioned, Dave, ransomware continues to be a problem. We know that year over year, it has doubled in size, so over 107% increase year over year in ransomware and extortion attacks. Particularly in the U.S., 47% of ransomware attacks are actually - are for organizations based in the United States. So this is a problem. And our research has indicated that the way we're dealing with this is - probably can be improved, just to say the least. So we're still dealing with ransomware as a technology or a security problem. However, I think the right approach is to really involve the businesspeople, potentially the boards, as we respond to these attacks, to understand what's the impact of the attack, you know, what can we do, what ransomware can be paid or not - right? - those decisions. But also, how do we communicate to the stakeholders? And that's key. Today, that's not part of the crisis management preparation or response at this point. 

Dave Bittner: Is this a situation where you'd go about it the same way that an organization would plan for, say, something like a hurricane, a natural disaster? 

Malek Ben Salem: I think that's what's happening today, is that the existing recovery strategies that are attuned to traditional business continuity plans are no longer enough, right? We need business leaders to understand and prepare for ransomware's implications across the whole organization. The response should be treated as a business risk, but it has to prioritize the effective crisis management across the enterprise. I think that will be key. 

Malek Ben Salem: So in terms of, you know, what to do or how can businesses improve their ransomware response, I think business preparedness is key - knowing the moving parts that make the business profitable, the critical processes, their underpinnings, the downstream dependencies across every area of the organization and what the organization's priorities are in the event of an attack, right? That's key. Defining an agile communications strategy that considers the complexity of the attack, includes not just the technical perspective, but the business perspective as well is important. And then also getting the CEO and board on board with the testing and validation of attack prevention mechanisms, right? Perhaps even, you know, with the tabletop exercises, getting those executives included in the simulations as organizations test their defenses and introduce, you know, the risk and the adrenaline of a real-life attack scenario to them will be key as organizations prepare for these ransomware attacks.

Dave Bittner: Yeah. I think that's a really interesting point. I mean, the whole notion of, you know, trying to get people in something close to an authentic emotional state, because I think it's so easy to overlook that when we're sort of coldly calculating, planning out how we would respond. I think it's important to remember that people are going to be wound up. 

Malek Ben Salem: Oh, yeah, absolutely. And understand who are the key decision-makers, right? And perhaps are there certain thresholds for cases where maybe technology folks can make the decision, versus other thresholds where you need the business to make the decision. And who are those key decision-makers is important in the preparation process. 

Dave Bittner: Yeah, absolutely. All right. Well, Malek Ben Salem, thanks so much for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.