The CyberWire Daily Podcast 8.4.22
Ep 1634 | 8.4.22

Ukraine claims to have taken down a massive Russian bot farm. Were Russian cyber operations premature? Report: Emergency Alert System vulnerable to hijacking. And more crypto looting.


Dave Bittner: Ukraine claims to have taken down a massive Russian bot farm. Russian cyber operations may have been premature. A report says emergency alert systems might be vulnerable to hijacking. The Mirai botnet may have a descendant. Adam Flatley from Redacted with a look back at NotPetya. Ryan Windham from Imperva takes on bad bots. Attacks on a cryptocurrency exchange attempt to bypass 2FA, and Solana cryptocurrency wallets have been looted.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 4, 2022. 

Ukraine claims to have taken down a massive Russian bot farm.

Dave Bittner: The security service of Ukraine says it dismantled a large Russian botnet operation that was being used to spread Russian propaganda and disinformation. The bots, about a million strong, were herded from locations within Ukraine itself, BleepingComputer reports. Their output took the form of social media posts from inauthentic accounts associated with fictitious persona. The SSU describes the operation, stating, to spin destabilizing content, perpetrators administered over one million of their own bots and numerous groups and social networks with an audience of almost 400,000 users. In the course of a multi-stage special operation, the SSU exposed the leader of this criminal group. He is a Russian citizen who has lived in Kyiv and positioned himself as a political expert. On the other side of the information war, BleepingComputer also reported earlier this week that Ukrainian hacktivists, Torrents of Truth, were bundling instructions on how to bypass Russian censorship into movie torrents whose intended audience would be Russian viewers. 

Report: Emergency Alert System vulnerable to hijacking.

Dave Bittner: CNN reports that the U.S. Federal Emergency Management Agency - that's FEMA, part of the U.S. Department of Homeland Security - has warned that its emergency alert system could be vulnerable to cyberattacks that would enable the attacker to broadcast bogus messages. CNN quoted Mark Lucero, chief engineer for Integrated Public Alert and Warning System, of which the EAS is a part, saying, a cybersecurity researcher provided FEMA with compelling evidence to suggest certain unpatched and unsecured EAS devices are indeed vulnerable. The agency this week urged operators of the devices to update their software to address the issue saying that the false alerts could, in theory, be issued over TV, radio and cable networks. The advisory did not say that alerts sent over text messages were affected. There is no evidence that malicious hackers have exploited the vulnerabilities. EAS is the national system, familiar to the television and radio audience in the U.S., that will interrupt programming with warnings about severe weather and other hazards. It's also used to communicate Amber Alert notices of child abductions. 

"RapperBot," descendant of Mirai.

Dave Bittner: FortiGuard Labs has been tracking RapperBot, which it describes as a rapidly evolving IoT malware family, since mid-June. Yesterday, the researchers published an update on the current state of the malware which makes heavy use of old Mirai botnet source code. RapperBot departs from its ancestors in its built-in capability to brute force credentials and gain access to SSH servers. Mirai had exploited Telnet. Indeed, the brute force capability seems to be RapperBot's core functionality as it has only limited potential as a distributed denial-of-service tool. RapperBot's operators, whoever they are, seem more interested in establishing persistence in compromised systems than they are in propagating to other systems. And the malware's DDoS potential, which the researchers say was removed then restored, may be there as a form of misdirection. What the operators are after is unclear. FortiGuard lab says that the motives of RapperBot's masters remain unclear. In the meantime, FortiGuard Labs offers some advice for mitigation, saying, regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or disabling password authentication for SSH where possible. 

Online gaming is an increasingly attractive target.

Dave Bittner: Akamai reports that attacks on online gaming companies have more than doubled over the past year. The company this morning released its study "Gaming Respawned" detailing the current state of online gaming and the pervasive threats that target the industry. Researchers discovered that COVID lockdowns resulted in a large increase in gaming and that this increase seems unlikely to fall off. Akamai recorded 250 terabits per second of game download traffic in April of this year. Cyberattacks on gaming companies and player accounts have also increased dramatically with web application and API attacks representing the largest category of attacks overall. Cloud-based gaming is coming into its own and has widened gaming companies' attack surface. DDoS attacks are pervasive in a sector that prizes immediate availability, and these have increased by 5% in the last year. Gaming has retained its place atop the industry leaderboard providing the target for some 36% of all DDoS traffic. 

Solana cryptocurrency wallets looted.

Dave Bittner: And finally, approximately 9,000 cryptocurrency wallets attached to the Solana blockchain ecosystem have been robbed of at least $4 million in total, the Verge reports. Solana says the attack has been linked to accounts using the Slope Mobile Wallet app. Slope is still investigating and said in a statement, we recommend all Slope users do the following - create a new and unique seed phrase wallet and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope. If you are using a hardware wallet, your keys have not been compromised. 

Dave Bittner: We recently passed the fifth anniversary of the NotPetya pseudo-ransomware attack, which targeted Ukrainian companies but spilled over and crippled global organizations like Maersk and FedEx. When the war in Ukraine began earlier this year, security folks couldn't help wondering if another round of NotPetya-like malware might be unleashed on the world. For perspective on where we stand today, I checked in with Adam Flatley, director of Threat Intelligence at [redacted]. 

Adam Flatley: So, you know, the biggest reason why NotPetya spread so far and so fast was that the settings for lateral movement were completely unconstrained by the threat actor. And what that allowed them to do was to ride VPNs out of Ukraine for companies that had connections into Ukraine, and then they hit, essentially, completely flat networks that was able to not only spread in the direct connection that was connected to Ukraine but also all over the world in these company networks. So the biggest mitigations that people have started putting in place are actually segmenting your network properly from a general networking standpoint but then also looking at connections into various countries as having different levels of risk. And I think that's really important because connections into some places are more dangerous than others, and so you can put additional mitigations in place covering the high-risk areas. 

Dave Bittner: Can we dig into that a little bit? I mean, specifically, what are you talking about here? 

Adam Flatley: Let's say, you know, we have a multinational corporation and they have a network connection that lands into a portion of their company that is in Canada and a portion of their company that is in a country that is suddenly becoming a war zone like Ukraine. Connections coming out of Canada are going to be lower risk than ones coming out of a country that is actively being hit with cyberattacks. Multiple wipers were released in Ukraine and some still continue to be released in Ukraine now, and so that's - that changes the risk profile of anything that you still have connected to that area. You monitor them differently. You look at the telemetry more thoroughly. You lock down permissions even further so that you're basically balancing your ease of operability with, you know, the proper strategic security measures for each area. 

Dave Bittner: Do you suppose that it's possible for something like NotPetya to happen today, given what we learned from the first round? 

Adam Flatley: Absolutely. I think that while many companies have learned the lesson - and like I said, like, they were aggressively coming to us asking for help when the Ukraine war started to help make sure that they were thinking the right way about protecting themselves - I think there's an equal number that still have never thought of it. So I'm sure that if the Russians decided to take the current constraints off of the wipers that they're using now and just unleash them in Ukraine unbridled like they did before, I'm quite sure many multinational corporations would go down just as hard. 

Dave Bittner: Yeah. I mean, it's a fascinating thing to think about, isn't it? I mean, I suppose to some degree, diplomacy still holds sway here, right? 

Adam Flatley: It does, and there's - it's very complicated as well because in the original NotPetya attack, I am convinced that the Russians knew that it was going to go outside of Ukraine and they weren't just targeting Ukraine to try and disrupt their economy, but they also wanted to basically punish any Western corporation that was doing business with Ukraine to try and drive them away from Ukraine because it would be too risky to operate there. And when you look at the way that the propagation settings were set up in NotPetya, it could literally go as far and wide as the network existed. There was nothing set in there holding back how many hops it could take, for example. But if you look at the wipers that the Russians are releasing in Ukraine now, they are set at a very constrained setting. Like, one or two hops is the most I've ever seen in any of the wipers that were released in Ukraine. So they're definitely intentionally trying to keep it localized. And, you know, the politics are different now. There's a war going on. There are sanctions in place. NATO is expanding. And as much as the Russians like to bluster, I think they're very reluctant to actually draw NATO into this conflict. And so they're most likely holding back on something that would cause, like, a worldwide cyberattack like they did before out of caution to just not give NATO an excuse to fully engage in this conflict. 

Dave Bittner: So do you suppose that NotPetya was a case of - I don't know - recklessness, disregard for where this might go? Or was it calculated? 

Adam Flatley: Honestly, I think it was calculated. Russian doctrine essentially leads them down the path of escalation until someone stops you. That's sort of how they test their boundaries. And over the past, you know, 10 years, the Russians have been doing more and more bold things in cyberspace, and nobody has done anything about it. There have been no real repercussions against them. And so they kept pushing the limit and pushing the limit. Pause - see if anyone would react. Nobody did anything. They pushed a little further and harder. And I think NotPetya was done out of, you know, a calculated risk assessment on their side that the West wasn't going to do anything to them. And you know what? They were right. NotPetya happened. Multibillion-dollar corporations were affected - millions and millions of dollars lost and nothing, no repercussions for Russia. 

Dave Bittner: That's Adam Flatley from [redacted]. 

Dave Bittner: The team at security firm Imperva recently released the latest version of their bad bots report, looking at bot traffic on the internet in 2021. Ryan Windham is vice president of application security at Imperva. 

Ryan Windham: Yeah, so, you know, unfortunately, the problem isn't getting any better. In 2021, we saw that bad bots accounted for a record-setting 27.7% of all global website traffic. So, you know, roughly, you know, almost a third of all global website traffic is being generated by bots - so a huge toll on, you know, the internet at large on society, on these application vendors and on customers. And, you know, of those bad bots, we saw a rise in what we call evasive bad bots. So those made up about 65.6% of all bad bot traffic. So these are what we call both, you know, moderate and advanced bad bots that use really sophisticated methods to try to avoid detection. So they'll do things like, you know, cycling through random IP addresses. They'll come in through anonymous proxies or services that are known as residential proxies. They'll change their identities. They'll mimic human behavior to evade detection - so definitely seeing a lot more of these more sophisticated bots. 

Ryan Windham: You know, one of the other big things that we saw in 2021 was a rise in what's called ATO attacks, or account takeover attacks. And so these are attacks where bots will attempt to, you know, as it sounds, take over a user's accounts. And so they'll be trying to get access to financial information or other personal information because maybe they want to commit identity fraud or maybe steal, you know, loyalty points or that sort of thing. So these were on the rise. They were about 148% up over the prior year. 

Dave Bittner: Now, when you talk about some of these advanced bots that you all are tracking here, do you have any sense for how successful they are? I mean, you're detecting them, right? 

Ryan Windham: Yeah. So we're detecting them, and in many cases, we're stopping them. In most cases, we're stopping them. You know, I can't speak for kind of the internet at large, but certainly the attacks that we see - we're offering protection against them. And I think, you know, what makes these bot attacks so difficult to protect against is if you think about kind of traditional vulnerabilities, you know, hackers are essentially exploiting, say, a code vulnerability. But in the case of bots, you know, there's really no code being exploited. They're actually just coming in and taking advantage of what we call a business layer attack or an application layer attack. So essentially they're using the application the way that a regular user would use it except they're doing it at scale with the intent to commit fraud or abuse. So, you know, encourage listeners to look at, you know, getting some specific, you know, bot protection solutions in front of their application architecture if they don't have it already. 

Dave Bittner: What are you seeing in terms of who they're focused on attacking? Are there any particular verticals that they're going after here? 

Ryan Windham: Yeah, so great question. You know, the account takeover attacks we actually saw, you know, be a pretty across-the-board horizontal attack type. But then we did see - you know, financial services certainly stood out as being one that's often attacked as well as travel vertical and retail. And, you know, the reasons, I guess, are pretty obvious. Just there's higher stakes involved, typically financial gains to be had in these industries. 

Dave Bittner: You know, one thing that caught my eye here was in the report, you all pointed out that a lot of these bots will disguise themselves as mobile web browsers. And you pointed out that mobile Safari was popular. Because of Apple's increased privacy settings, it makes them harder to detect. That's an interesting response. 

Ryan Windham: That's right. So as you were mentioning, Apple rolled out some enhanced privacy settings last year. And, you know, those are intended to prevent, you know, advertisers or others from tracking you across sites. But it also creates additional protections for operators to masquerade behind. So it makes it more difficult for technology that is attempting to block bots from actually being able to track them and identify them. So you have to get more creative with your detection techniques. So mobile user agents were a popular disguise for bad bot traffic in 2021. They accounted for more than a third of all internet traffic, which was up from 28.1% in 2020. 

Dave Bittner: So what are the take-homes here? I mean, in terms of recommendations for organizations to best protect themselves here, what do you all recommend? 

Ryan Windham: Yeah. So the impact from bots is pretty cross-functional and pretty strategic. It can create revenue loss. It increases potential for customer churn. There's skewed metrics, especially when you think about, you know, content and price scraping that takes place that - you know, where bots come in and effectively look at content, scrape it but don't close a transaction. That's going to skew your metrics. So it's really a cross-functional problem, one that everyone needs to be aware of. In terms of, you know, how to protect against them, I think it's important to look for any increases in traffic that are out of the ordinary. You know, oftentimes these will come in, as, you know, high rates of traffic. The other is to, you know, think about putting in place a specific solution that's intended to block bots, going beyond just your traditional web application firewall that may look more at, you know, rules or signature-based detection, something that takes into account behavior and can use dynamic machine learning and other advanced techniques to, you know, monitor this traffic and identify malicious behavior. 

Dave Bittner: That's Ryan Windham from Imperva. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.