The CyberWire Daily Podcast 8.5.22
Ep 1635 | 8.5.22

CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. CISA and ACSC issue a joint advisory on top malware strains.


Dave Bittner: CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. Andy Robbins of SpecterOps is here to discuss Attack Paths in Azure. Denis O'Shea from Mobile Mentor talks about the intersection of endpoint security and employee experience. And CISA and ACSC issue a joint advisory on top malware strains.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 5, 2022.

CyberFront Z's failed influence operation.

Dave Bittner: Facebook's corporate parent, Meta, released its Adversarial Threat Report for the second quarter of 2022 yesterday. Prominently featured in the report is Meta's account of its monitoring of and action against a large Russian troll farm that had been marshalled to support Moscow's narrative concerning Russia's war against Ukraine. It's connected to the notorious Internet Research Agency, itself connected with Russian attempts at influence operations during recent U.S. elections. In this case, the flagship of the influence operation is called CyberFront Z. The report reads, we're also sharing our threat research into a troll farm in St. Petersburg, Russia, which unsuccessfully attempted to create a perception of grassroots online support for Russia's invasion of Ukraine by using fake accounts to post pro-Russia comments on content posted by influencers and media on Instagram, Facebook, TikTok, Twitter, YouTube, LinkedIn and Russian social media networks. Our investigation linked this activity to the self-proclaimed entity CyberFront Z and individuals associated with past activity by the Internet Research Agency. 

Dave Bittner: Coordinated, inauthentic behavior is Meta's, and previously its subsidiary Facebook's, term of art for organized trolling in the service of disinformation. The term is self-explanatory. Instead of attacking disinformation on the basis of content and thereby seeking directly to moderate and control content, the company has typically gone after campaigns that use false persona, inauthentic identities, with evidence of coordination of central direction. Meta's report explains what it found and what it did about its discovery. The report says, we took down a network of Instagram accounts operated by a troll farm in St Petersburg, Russia, which targeted global public discourse about the war in Ukraine. This appeared to be a poorly executed attempt, publicly coordinated via a Telegram channel, to create a perception of grassroots online support for Russia's invasion by using fake accounts to post pro-Russia comments on content by influencers and media. 

Dave Bittner: CyberFront Z was, in Meta's estimation, the Z team - that is, definitely not the A-Team, not even the junior varsity. The report says, this deceptive operation was clumsy and largely ineffective - definitely not A-team work. On Instagram, for example, more than half of these fake accounts were detected and disabled by our automated systems soon after creation. Their efforts didn't see much authentic engagement, with some comments called out as coming from trolls. We also found instances of the trolls who sprinkled pro-Ukraine comments on top of the paid pro-Russia commentary in a possible attempt to undermine the operation from within. 

Dave Bittner: While the operations of CyberFront Z were labor intensive - they concentrated on commenting in social media with posts written by human operators - they seem to have included only perfunctory gestures in the direction of building convincing persona. The overall goal, however, was to create an impression of grassroots opinion. The one-note concentration on the many evils of what CyberFront Z characterized as Ukraine's Nazi regime, however, seemed to have proven largely unpersuasive. In several channels, the comments attracted pro-Ukrainian and anti-Russian posts that outnumbered CyberFront Z's comments. 

Dave Bittner: In all, Meta evaluates CyberForce Z (ph) as a fizzle. They offer one caution. Influence operations seek to become self-reinforcing, and they do so in part by creating an impression of success. The growing public awareness of and fear of disinformation can contribute to such reinforcement. The report says, these examples underscore the importance of analyzing attempted influence operations according to the evidence and not taking any claims of viral success at face value. Some threat actors try to capitalize on the public sphere of influence operations by trying to create the false perception of widespread manipulation even if there is no evidence, a phenomenon we called out in 2020 as perception hacking. Besides, it helps the trolls to look good to the boss. So there are local, self-interested incentives for the trolls to shine it on. Rolling Stone indelicately sums up the caree of CyberForce Z's IRA parent. Their headline reads "Russia's infamous Troll Farm is Back - and ****ing the Bed." 

Campaign against Albanian government networks attributed to Iran.

Dave Bittner: In the middle of last month, the Albanian government disclosed that a range of government sites and services had come under cyberattack. And the campaign had succeeded in disrupting operations. The Albanian national news reported at the time that the National Agency of the Information Society had shut down government systems as it worked to neutralize what AKSHI characterized as sophisticated and coordinated foreign attack on the country's IT infrastructure. Yesterday, Mandiant released a report on the incident that attributed the campaign to Iran. The company's researchers identified the strain of ransomware used in the attack as a member of the ROADSWEEP family. The operation was conducted with the pretense of being the work of a front group, HomeLand Justice, which was concerned to disrupt a conference of the Iranian opposition organization MEK. It also aimed to punish Albania's government for its willingness to connive with the Iranian opposition by permitting the conference, the World Summit of Free Iran, to meet on its territory. Mandiant sees the operation as unusually brazen. They say, this activity is a geographic expansion of Iranian disruptive cyber operations conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests. 

CISA issues two ICS security advisories.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency released two Industrial Control System advisories yesterday. 

CISA and ACSC issue a joint advisory on 2021's top malware.

Dave Bittner: And finally, oldies get as much love from cybercriminals as, say, Roy Orbison songs get play on our local classic rock station. The U.S. Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre have issued a joint advisory describing the most significant strains of malware observed in 2021. The list of top malware includes some familiar names, like Agent Tesla, Formbook, Ursnif, LokiBot, NanoCore Qakbot, Remcos, TrickBot and GootLoader. None of these came out of nowhere. The agencies say, malicious cyberactors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos and TrickBot for at least five years. Malicious cyberactors have used Qakbot and Ursnif for more than a decade. The malware strains are under continuing criminal development, which accounts for their longevity. 

Dave Bittner: Andy Robbins is product architect of BloodHound Enterprise at SpecterOps. He and his colleagues have been documenting attacks in Microsoft Azure that abuse identities, tokens and access. 

Andy Robbins: We are looking at the practical attacks that can be executed against Azure that don't rely on exploiting some kind of vulnerability that Microsoft can patch. As an example, if I have a user in Azure Active Directory and you have a user in Azure Active Directory, my user may have some kind of role granted to it that lets me reset your password and then take over your user. Well, the mechanism of that is the foundation of how Azure Active Directory works and how it doles out permissions through role assignments. The misconfigurations that can pile up, that introduce the attack paths that abuse legitimate functionality - they are extraordinarily attractive to real adversaries because they are difficult to audit. The misconfigurations that you find can be even more difficult to remediate because people hate giving up any kind of privilege that they already have. And for those two reasons, these things get worse over time. 

Andy Robbins: And so the end result is that if you're choosing attacks that abuse legitimate functionality in any platform, you're going to have a very long shelf life for that attack. It's going to be very hard for a defender to tell the difference between legitimate and illegitimate usage of those protocols. And these misconfigurations - they emerge in basically every company's instance of Azure Active Directory or Active Directory. So you don't have to relearn these tactics over and over and over and over. You can learn them once and then use those skills to attack almost any organization in the world. 

Dave Bittner: So how is this playing out in the real world? I mean, are we seeing these sorts of - seeing this sort of targeting? 

Andy Robbins: So we are. There are various breach reports that come out - so, for example, with SolarWinds, with Cloud Hopper, with real organizations that have been abused by trust relationships they have. So, for example, the Target breach from a few years ago comes to mind. And these tactics that adversaries are employing - they are very, very similar to what adversaries have been executing with on-prem Active Directory for the past 20 years, for example. But right now is a very, very critical time for organizations to be aware of these tactics and to audit their environments for opportunities for adversaries to attack them and to do something about that. We don't want to get into the position that we are now with on-prem Active Directory, where 20 years of misconfiguration debt have piled up so high that we can't do anything about it. We need to understand these abuse primitives before the adversaries can understand and abuse them. And so for that reason, we actually do a lot of research into attack primitives that are not talked about publicly. And we discuss those new attack primitives with some of our friends at Microsoft before we publish them. And then we do go ahead and publish them on our SpecterOps medium publication for consumption by anybody. 

Dave Bittner: Yeah, I can imagine, you know, if you take Microsoft's point of view, how they would be hesitant to go in and change anyone's settings because, you know, how do you know if something was configured in error or did somebody mean to do it that way? 

Andy Robbins: Absolutely, yeah, and I don't blame Microsoft whatsoever for, you know, what can only be seen as a very, very difficult decision they have to make when faced with something like this. So I think that Microsoft is always going to be in this position where they're having to weigh between, you know, potentially breaking functionality in Azure for the sake of security. And unfortunately, they are going to have to choose not to break functionality or to break existing workflows in the name of security. So there's always going to be responsibility on Microsoft customers to cooperatively secure their environments with Microsoft. 

Dave Bittner: Where do you suppose we're headed with this? How do you envision how this will work in the future? 

Andy Robbins: There's a couple of angles there. So, you know, we're talking about Azure Active Directory, and certainly a lot of organizations are adopting Azure Active Directory. But what we are seeing is that most organizations that we work with are not 100% migrating all of their IT services into Azure. They're keeping things in a hybrid situation. So where I think this is going - where I think we are going is we are headed for a hybrid future where we are probably, for the most part, for most organizations, always going to have some on-prem Active Directory component that is cooperating with an Azure Active Directory component in order to facilitate the business operations that any enterprise needs to accomplish. There are many examples of organizations that cannot fully go into a cloud-computing environment because of legal restrictions or compliance restrictions. Certainly, there are, let's say, military organizations that never will fully go into the cloud. So we are definitely heading, in my opinion, for a hybrid future, at least in the next - I would say the next 10 years is going to be a strongly hybrid decade. 

Dave Bittner: That's Andy Robbins from SpecterOps. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: The team at endpoint management firm Mobile Mentor recently released a study looking at the security implications of the hybrid workforce and remote workers as we come out of the pandemic. Denis O'Shea is founder of Mobile Mentor. 

Denis O'shea: Before the pandemic, work, in a way, was beautifully simple. If you think back, people came to their place of work. They drove there usually, and then they logged into a machine owned by their employer. They worked there for a few hours - or eight or nine hours - and they went home, and it was very simple. And then when the pandemic happened, there were five big shifts that happened really, really quickly. The first one was we were told go home and figure out how to work from home. And then we saw a 500% increase in cybercrime where, you know, the bad actors really went after schools and hospitals and government organizations. And then we saw this crazy global chip shortage so that when organizations started hiring again - kind of coming out the other side of the pandemic - they weren't able to supply a laptop or desktop to their employees, which meant that the employee was using a bring-your-own laptop or desktop for the first time in history. So now if you think about it from a security perspective, the new security perimeter was the home office. And people are using sometimes a personal computer on a consumer-grade internet connection that's being shared with the kids, maybe on Zoom and TikTok and Netflix and all that. And they're using, you know, their company data and Office 365, and all their applications is out there in that less secure home environment. And then the other big thing that happened was employees realized how easy it was to change jobs. The barrier was now so low that all you had to do was take your current laptop, put it in a FedEx package and send it away, and open a new package and power up your new laptop. And you could stay sitting in the same seat, connecting to the same monitor, connect to the same Wi-Fi and you had a new job. 

Denis O'shea: And so all these changes really meant that the world shifted quite significantly and very quickly for remote workers, and we think it's not going back. So we think that that lays the foundation for massive shift in how employers think about their employees and being able to attract them, secure them, retain them over time. 

Dave Bittner: Let's touch on the whole notion of passwordless authentication. I mean, there's been a lot of momentum in that area. Is that a space that you think is the future? 

Denis O'shea: I do. I do, and for two reasons. One, passwords were actually a great invention in 1961. And then we found out in 2021 during the pandemic, they were the primary reason organizations were getting hacked - so compromised credentials leading to breaches and ransomware and, you know, databases and the dark web and all that. So we know now that passwords are the problem. They're the weakest link. 

Denis O'shea: And we also know that most people have too many passwords, and they're quite careless with them. And we know from our research that 34% of people write their work passwords in a personal journal. Twenty-nine percent save their work passwords on an app on their personal phone. And 21% save their work passwords on an Excel spreadsheet. So people are fundamentally a bit careless, what they're doing with their passwords. And as a society, we're also lazy in the way we create our passwords. And we know from other research done by BBC that 15% of people base their password on their pet's name. And so, you know, the problem now is that cyber - the bad actors, the cybercriminals don't need to break into our networks, our environments anymore. They can just log in with our weakest password. 

Denis O'shea: And so we fundamentally need to move away from passwords. We need to kick that habit and go passwordless. And fortunately, most of us have the technology. It's in our pockets. It's on our desks. We have most of the components we need to join the dots and, you know, put all the pieces together, but we believe we have to go passwordless as a society. And we think the best predictor of the future workplace is to study Gen Z now. The better we understand them, the better we can anticipate what the future looks like. 

Denis O'shea: And when I think about that, I think reducing friction is the key way we're going to get Gen Z to be really productive, really secure and do great things in the world. And that friction, it comes in three different forms. If we apply old school security to Gen Z, we're going to create digital friction, and they will not respond well to more passwords and VPNs and domains and all that. They'll probably walk. If we create physical friction, and if we say, you have to drive into the CBD, you have to pay for overpriced parking, pay for overpriced lunch, sit in a cubicle and work with people you probably don't like, that's going to create a different kind of friction. And then culturally, if we create friction by saying, you're a problem generation, and make them feel like they're a problem and that they don't pay attention to our security, we're going to create a massive problem for ourselves. 

Denis O'shea: And we did this with the millennial generation. So only 15, 20 years ago, you might recall going to conferences or reading articles where people were speaking and saying unkind things about the millennial generation. And now we can stop and look back and think, wow, look at what they've built. They've built the digital world we live in. They built, you know, everything from Spotify to Facebook and TikTok and all of that. They've done amazing things despite all the unkind things we said about them. 

Denis O'shea: So when I think about Gen Z, I think it's up to us to learn how to love Gen Z, how to empower them, how to secure them without creating additional friction. And if we get it right, we're going to unlock the power of an amazing generation. And we've got to be very deliberate in how we approach that. 

Dave Bittner: That's Denis O'Shea from Mobile Mentor. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out "Research Saturday" and my conversation with Deepen Desai from Zscaler's ThreatLabZ. We're discussing how APTs like the Lyceum Group create tactics and malware to carry out attacks against their targets. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.