Patches, and some incentive to apply them. Hacktivism, privateering, and patriotic banditry in Russia’s hybrid war.
Dave Bittner: Patch notes and the risks associated with failure to patch. Finland's parliament comes under cyberattack. Killnet says there will be blood. Cyberattacks against a U.K. firm that's criticized Russia's war. We're joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey, deputy assistant attorney general for the National Security Division with an introduction to WatchGuard. Our guest is Matthew Warner from Blumira with tips on avoiding burnout. And not all criminal organizations are working for Russia.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 10, 2022.
Dave Bittner: Yesterday was August's Patch Tuesday, with updates released by IBM, Adobe, Siemens, Schneider Electric and, of course, Microsoft. Redmond addressed 118 CVEs, 17 of them critical. Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - released three industrial control system advisories, one covering equipment from Mitsubishi, the other two, equipment from Emerson. And VMware has warned that exploit code for vulnerabilities it patched last week is now available online. The vulnerabilities affect Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation. The availability of exploit code should lend urgency to patching.
Risks associated with failure to patch.
Dave Bittner: Failure to patch is obviously not a good practice, but two security companies last week explained that it can have some specific effects. An unpatched organization can draw more than one attacker, and it will also find itself vulnerable to older forms of malware. A study by Sophos concludes that vulnerabilities that go unaddressed often draw multiple attackers. In some cases, the attackers are interdependent, in others competitive. But whatever their relationship with one another, their simultaneous presence in victims' systems complicates the defenders' challenge. The researchers recommend keeping systems patched and up-to-date, while giving priority to the most potentially damaging vulnerabilities. And old vulnerabilities continue to be vulnerable to old malware. Fortinet reported this week that CVE-2017-0199 and CVE-2017-11882 are nearly five years old, but they're still being exploited. Worse, both vulnerabilities have had official patches for some time. Some of the exploitation is by SmokeLoader, a malware variant that itself has been in circulation since 2011. It's recently been used to drop zgRAT in vulnerable Windows systems.
Finland's parliament comes under cyberattack.
Dave Bittner: The website of Finland's parliament was unavailable yesterday as it came under a distributed denial-of-service attack. The attack is under investigation but is believed to originate from Russia. Finnish news outlet Yle reports that the website was inaccessible between 2:30 p.m. and 10 p.m. local time. The threat actor behind the incident is believed to be a Russian group calling itself NoName057(16), and the motive is to harass Finland's government for its decision to seek NATO membership. The group said, "we decided to make a friendly visit to neighboring Finland, whose authorities are so eager to join NATO."
Killnet says its cyber operations will soon turn (literally) lethal.
Dave Bittner: Killmilk, the hacker name used by the person or persons who claim to be the founder or founders of the nominally hacktivist group Killnet, has upped the ante on earlier promises to punish the West for its support of Ukraine and especially for its provision of HIMARS rocket artillery. Newsweek quotes Killmilk as saying in an interview, "in Russia, I will become a hero, and abroad, a criminal. Soon, I and Killnet will launch powerful attacks on European and American enterprises, which will indirectly lead to casualties. I will do my best to make these regions and countries answer for each of our soldiers." Killnet had announced last week that it was undertaking a radical new form of cyberattack against targets it regarded as particularly objectionable, notably Lockheed Martin, which produces HIMARS, and against some unspecified system or subsystem of HIMARS itself. But so far nothing has materialized. It's notable, perhaps, to see the repeated Russian theme, we're not threatening nuclear war, but we're threatening nuclear war, which has surfaced in Killmilk's remarks. Killmilk said, "we are crazy guys, but we see the boundaries and are not going to cross them. I don't think that because of several dozen human casualties, nuclear missiles will fly in the face of Lockheed Martin employees." That is, nice company you got here; shame if something happened to it. Anyway, while we understand that absence of evidence isn't evidence of absence, Killmilk strikes many as more hot air than innovative, dangerous threat actor.
Cyberattacks against a UK firm that's criticized Russia's war.
Dave Bittner: The Telegraph reports that Britain's National Cyber Security Centre and Scotland Yard are investigating a series of denial-of-service attacks the alt-currency firm Currency.com has sustained since its founder criticized Russia's war at the end of February. Viktor Prokopenya, the company's founder, said the cyberattack has been going on almost on a daily basis every day for the last three months. It's like someone repeatedly trying to break down your front door. He said his security team is convinced that the attack is Russian in origin. The NCSC believes that the operators behind the DDoS are privateers as opposed to Russian government organizations.
Not all criminal organizations are working for Russia.
Dave Bittner: And finally, Digital Shadows reports on a cybercriminal gang that's exhibiting some sympathy for the cause of Ukraine. DUMPS Forum was established in May of this year, and Digital Shadows says it looks a lot like other criminal forums. They say there's a section for trading illicit material, carding, malware and establishing access to targeted networks. At present, this forum is open to members without any vetting or registration process. However, there is an ongoing request for an invite system that may become the main method of gaining access if the forum builds its notoriety.
Dave Bittner: But DUMPS is different in the allegiances it declares. Posted to the forum is this opening statement: "information services and leaks or other services on our forum are allowed in relation to only two states. These are the Russian Federation and Belarus. Topics that mention other countries are not allowed. This is the main rule of our forum." So it's an anti-Russian and anti-Belarusian operation. Digital Shadows characterizes DUMPS as unusually brazen, even going so far as to post what they claim is an overhead image showing their headquarters in a Kyiv apartment building. Who knows if that's true or just a goof, but the roof does have some demonic graffiti that reads roughly, Putin effed up.
Dave Bittner: DUMPS may represent, if not exactly privateering, patriotic banditry, mainly because it's unclear whether DUMPS has anything like the virtual letter of marque Russian gangs enjoy. Digital Shadows concludes DUMPS Forum likely has an important role to play in the ongoing Russia-Ukraine war as a hub for hacktivists and patriotic cyberthreat actors, as a symbol of resistance and making a demonstrable difference on the cyber battlefield. Any success achieved by DUMPS Forum will, however, attract unwanted attention. The ban on Russian citizens visiting the forum highlights that the forum is already on the radar of the Russian state. It is also realistically possible that the success of DUMPS Forum may inspire other services looking to play a part in the ongoing conflict.
Dave Bittner: A linguistic note - DUMPS is written in Russian, and so Digital Shadows speculates that it may be designed to appeal to disaffected hoods within Russia itself. But the forum may have a broader reach than that. Russian is commonly spoken in the near abroad and former Warsaw Pact, although in the latter countries, that proficiency is aging out. It's also easy to underestimate the degree of mutual intelligibility found among the Slavic languages and especially between Russian and Ukrainian. Anglophones may find this comparison useful. Sure, you may have a hard time understanding the Australian accent we put on sometimes in "Hacking Humans," but trust us - in Brisbane, they howl at those gags. That's what we hear, anyways.
Dave Bittner: Let's face it - the past couple of years have been a lot, what with a global pandemic, political discord, the war in Ukraine and - oh, yeah - the ongoing shortage of qualified cybersecurity professionals. It's easy to see why many folks are feeling at their wit's end when it comes to doing more with less. Matthew Warner is CTO and co-founder at SIEM provider Blumira, and I checked in with him for insights on avoiding burnout.
Matthew Warner: You run into the situation where you have this feedback loop of exhaustion and trying to push forward, and at the same time, you have this need for maturity across organizations from an IT and security perspective where, if you don't have that continuous growth in the organization, you only have continuous burnout at the same time of the staff within that organization as well.
Dave Bittner: How much of this do you suppose is just plain old understaffing, that we don't have enough people to take care of what needs to be done?
Matthew Warner: I think part of it is understaffing to an extent. But when understaffing gets brought up, I tend to think about things like, well, how large are the IT needs, and how large are the security needs, of an organization? Is security being gatekept away from certain IT professionals, for example, 'cause classically, there's some gatekeeping that lives in kind of every segment of IT and IT security? And I do think that there is some - some understaffing exists. Some forced by the organization - they don't want to spend that budget. Some forced by the market - there's not enough people to take those positions. And in some situations, it's forced through the legacy nature of the organization. If you are continuing to update your organization, if you're continuing to build maturity and good process into that organization, the need for more and more people can be reduced. You can get some scale out of your organization.
Matthew Warner: And what tends to happen is that kind of continuous pressure of more things to do, more things to solve, and doing that at the exact same time as trying to scale your organization or scale your IT teams, often the easy answer is, we'll throw some people at it, and then you run into that staffing problem of, where do we find those people? How do we really make it work? And having to kind of mesh those two needs, which is growing the company from a process maturity perspective at the same time as growing it from an IT staffing perspective makes it really hard for company leaders to then understand where the sysadmins are and creates a kind of, like, breaking point where both sides are not necessarily working on the same problem. They're just kind of working in the same organization.
Dave Bittner: So what are some potential ways that organizations can come at this to take some of that pressure off of folks?
Matthew Warner: I think some of the best ways for organizations to approach the problem of just stress and anxiety that lives within IT and the exhaustion that comes from it really comes from the top of process definition, which I know is the most boring thing ever from a business perspective. But it's really important, and for me and my organization, when I talk to companies, it's really easy - in not necessarily the best way - to just throw a solution out there and run with it. And that's - I think that's where almost everyone in the IT world, like, we're accustomed to say, I have a problem. I'm going to solve that problem. Execute on the problem. This is how I'm going to solve it. But doing that day in and day out doesn't necessarily help the organization as it grows.
Matthew Warner: So you really kind of have to take a step back, look at who's in your organization, talk to the leaders in the IT part of your organization, determine if they are the people that are going to help you mature that organization, and really look at the people - your independent contributors - and think about, how are they doing? Are we asking them to do too much? What are their hours looking like? Are they able to execute on what we're asking of them? And really, most importantly, are they able to support business needs at the same time as just getting through the problems in the day? And the only way to do all of those things together is to sit down, look at your processes, look at what you're asking your staff to do - or as a sysadmin, looking at what you're being asked to do - and then going up and talking to your leaders and saying, this isn't working. Here are the ways that we can start to solve this. It may be adding people, but it may also be, we need better automation with our endpoints. We need an RMM in place. We need some better scanning tools in place because we just don't have time to sit down and do this work.
Matthew Warner: And really, the best way to save time these days is to find that tool that really works best for your organization, that you can bed into that process and then scale that team around your toolset and your automation rather than just trying to scale it around people because people make those decisions for you. They solve those problems for you. They have to use those tools for you. And if they aren't there and you're burning them out, then you will have, at one point, nothing, and it will just become you trying to churn through those people. That's a - it's a punishing way to run a business, and it's a punishing way to be a sysadmin as well.
Dave Bittner: To what degree do you think there are cultural elements at play here? I mean, I think - I know we've all seen people who almost - you know, they look at their lack of sleep or the hours they spend at work almost as a badge of honor.
Matthew Warner: You're never going to be able to build out a team that's mature and that you trust without having a culture that focuses around it. So I definitely think that there is a cultural issue of overwork in IT and IT in security, and part of that goes to the 24/7 nature of IT and IT security. They're always having to deliver. There's always an ongoing thing. But that also goes back to, how do we build tools? How do we make processes that work for our people? And if there are things that are maybe awful among culture - like, if they have to be on call, if they have to be working late, if they have to have a difference in work-life balance - how do you pay that back to them? Not necessarily in money, but it could be in their own time. It could be in giving them something that they want to be working on. It could be paying them outright for that time as well, just as much that there's a trade-off, so instead of that culture being about, well, you're in IT. Your job is just to burn your time and get problems solved. Rather, it's about, you're in IT. How can you help us solve these problems? How can we do it in a way that is reliable and best for all of us? Because having a tired system and having tired security teams only results in negative outcomes for an organization. It might solve that one problem that came up, but over time, that burnout just kind of layers on and layers on, and there's definitely a cultural impact with it.
Matthew Warner: But that kind of goes all the way back to, people that are used to that culture will only get out of that culture if they're brought out of it. It's really easy to get embedded into a culture of, like, overwork or IT rotation that burns you out. Like, when you're just rotating, like, weekly primary, and then the next week, you're secondary, and that's just what you do for your entire life, that's a really hard way to exist, and you end up with this cricket in the back of your head that says, well, I could be working. I could be getting these problems solved. I need to be getting these things solved. And when you don't have that downtime, that's when you get - you create this burnout situation. You start to break culture a little bit more. And it really needs to be more focused on - and IT is classically not great at this - but focused on the human, helping them help you and building that kind of environment for them that will allow them to because it will be way, way more successful in the grand scheme of it all. But it doesn't feel more successful when you're going through it.
Dave Bittner: That's Matthew Warner from Blumira.
Dave Bittner: And I'm pleased to welcome back to the show, Bryan Vorndran. He is the FBI cyber division assistant director. Also joining us today is Adam Hickey. He's a deputy assistant attorney general at the Department of Justice. Gentlemen, welcome back to the CyberWire.
Bryan Vorndran: Dave, it's good to be here.
Adam Hickey: Hello.
Dave Bittner: So, Bryan, let me start with you here. I know you and your colleagues - as the war in Ukraine has been underway for quite some time now, you and your colleagues at the FBI have been working against some Russian botnets. Can you bring us up to date on what's going on there?
Bryan Vorndran: Of course, Dave. Thanks for the opportunity to be here today. You know, the botnet that everyone is referring to is referred to as Cyclops Blink or Sandworm. And essentially what it is, is a vulnerability that Russian actors from the GRU found in WatchGuard firewall devices, which sit at the edge of a network. And so that vulnerability was first discovered in late November of 2021, and the FBI had a very, very fruitful initial meeting with WatchGuard. And WatchGuard was an exceptional partner throughout the entire process, but it did take WatchGuard some time to build a mitigation criteria and a remediation plan for their vulnerability because of the complexity of the vulnerability. On Feb. 23, WatchGuard published their mitigation advice in a blog. And contemporaneous with that, the UK's NCSC, FBI, NSA and CISA published a quad seal cybersecurity advisory that was also released on the Cyclops Blink threat, the malware, and the mitigation advice from the blog. And that was a really important step. And that cybersecurity advisory coupled with the blog from WatchGuard essentially reduced the command-and-control nodes in terms of mitigation. The global command-and-control nodes, it reduced by about 50%. And the command-and-control nodes for the botnet in the United States were reduced about one-third. So when we look at moving from least intrusive to most intrusive, certainly a least intrusive step is the publication of cybersecurity guidance to owners of the WatchGuard device. And again, in this scenario, when you look at the global command-and-control nodes of the botnet, that step effectively mitigated 50% of the global nodes and a third of the U.S. based nodes.
Bryan Vorndran: But if you're tracking dates - on Feb. 24, Russia invaded Ukraine. And so just one day after that mitigation guidance, Russia invaded Ukraine. And so we then moved into a scenario where we started conducting hundreds of victim notifications to try and get the attack surface of that botnet reduced even further from the numbers I mentioned earlier. What was most concerning to us, though, was that the GRU from Russia continued to operate and maintain the botnet. And the only reason you would operate and maintain a botnet is for future use. And so through the victim notification process, we were able to reduce the global attack surface by about another 25% and the U.S. based attack surface by about 50% more. But it still left between 15 and 20% of the C2 nodes available for use in the botnet. And that's of significant concern to us because, as I said, the only reason you operate and maintain a botnet is for future use for a catalyzed attack. And so we essentially used our Rule 41 authority at that point and a very technical piece of code that we developed in-house with the FBI and essentially took steps to neutralize the remaining 15 to 20% of those command-and-control nodes globally - and very, very successful operation at the end of the day. And we feel very, very positive about where it left the American public in terms of safety related to the GRU's capabilities.
Dave Bittner: Well, Adam, can you walk us through the process here of using that authority? From the DOJ's perspective, how do you collaborate with your colleagues at the FBI?
Adam Hickey: So the FBI is going to tell us what they've designed or the protocol they've developed that would allow them to take the operation. And we're going to analyze that and look to see whether it amounts to a search or a seizure under the Fourth Amendment such that a warrant will be required. And we're going to look at Rule 41, the rule of criminal procedure that governs warrants and in particular allows us to go to a court in one district to address an infection or malicious computer activity that occurs in more than one district - right? - where going to every single judicial district where the software is running would not be practical - would not be feasible.
Adam Hickey: And, you know, the first question I mentioned - whether it's a search or a seizure - we don't spend too much time on that because - and the reason is we're always going to want to have a warrant if we can get one. We're always better off for a variety of reasons going to court, laying out our thinking in writing and having a judge weigh in and authorize what we're doing. Even if technically there might be an argument, say, that this was such a de minimis action, you wouldn't need a search warrant, or maybe you'd make an argument that there's no reasonable expectation of privacy in malware - you know, those just aren't the arguments we're making. We're fortunate that we are allowed to go get a search warrant, even if there's some argument we might not need one.
Adam Hickey: And then obviously we have to comply with Rule 41, which has certain procedural requirements, including after the fact - right? - notice requirements. So any time we do an operation like this, we may not be in a position to be public immediately. It may take a couple days for the operation to play itself out and make sure we've disrupted all the nodes that we're aware of. But ultimately, we're going to make as much of the affidavit and warrant public as possible. We're going to announce it on our website, and we're going to give notice to affected computer owners, either directly if we can or through their ISP or through broad public notification.
Dave Bittner: So, Bryan, can you clarify for us the timeline of this? I mean, when you're dealing with those last remaining systems, is this an issue where you're trying to hit them all as quickly as possible?
Bryan Vorndran: Dave, it's a great question. And the answer is yes, it is. We want to eliminate the remaining vector of attack - whether the adversary is China, Russia, North Korea, Iran or a criminal target set - as quickly and simultaneously as possible. So imagine a scenario where we have 20 computers remaining at a command-and-control structure that are serving as C2 nodes in a botnet. Rather than going to each one of those 20 potential victims - unwitting victims - and have them take their own mitigation steps over their own defined timeline, we would much prefer to run a technical operation under the right authorities that we have and essentially eliminate the remaining vector of that attack very, very quickly and simultaneously, to just wipe it out completely. So that decision is one we take seriously. It's not one that we simply gloss over. But the velocity at which we destroy those remaining vectors is very important to us.
Adam Hickey: The way I think about it, Dave - we have to assume that the actor is watching what we do to their infrastructure. And if a process of going door-to-door is going to take 72 or 96 hours, and they're gradually seeing themselves go dark, as it were, over that period, that gives them runway to adapt, to retool, to figure out what we know and how we know it, and to change how their malware runs in a way that defeats our technical ability and denies us the ability to - the objective of the operation. So there are situations where, if we don't act simultaneously, we will miss the opportunity to disrupt the actor. We will give the opportunity - the actor an opportunity to retool and maintain presence. And, you know, I'm conscious of the fact that, while I think there's pretty wide-ranging support for this, there are folks who would probably say, well, I just don't want you to touch my computer. I just don't want you doing this. And we have, as law enforcement, to think about whether to give the heckler a veto, if you will, or whether we're going to say, look, one person can't deny us the ability to protect thousands if we have the capability and the authority to act in the interest of public safety.
Dave Bittner: All right. Well, gentlemen, thank you so much for joining us. That's Deputy Assistant Attorney General Adam Hickey and also, from the FBI Cyber Division, Assistant Director Bryan Vorndran. Gentlemen, thank you so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.