The CyberWire Daily Podcast 8.19.22
Ep 1645 | 8.19.22

Notes on the hybrid war. Criminal gang hits travel and hospitality sectors. Additions to CISA's Known Exploited Vulnerabilities Catalog. CISA issues five ICS security advisories.


Dave Bittner: Killnet claims a DDoS campaign against Estonia. The head of GCHQ calls Russian cyber operations a failure. U.S. Cyber Command concludes its hunt-forward mission in cooperation with Croatia. A criminal gang targets the travel and hospitality sectors. Thomas Pace of NetRise shares insights on firmware vulnerabilities. Daniel Floyd from BlackCloak on quantifying the business need for digital executive protection. And CISA issues five ICS security advisories.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 19, 2022. 

Killnet claims DDoS campaign against Estonia.

Dave Bittner: In retaliation for Estonia's removal of a Soviet-era war memorial, a T-34 tank, from a park in Narva this week, a large distributed denial-of-service incident was conducted Wednesday by the Russian hacktivist front group Killnet, Reuters reports. The effects were negligible. With some brief and minor exceptions, websites remained fully available throughout the day. The attack has gone largely unnoticed in Estonia, according to reports. The incident is reminiscent of a 2007 cyber riot conducted by Russian operators against Estonia in response to the relocation of another war memorial from a public square in Tallinn to a cemetery. That 2007 incident has come to be regarded as the first clear case of a cyberwar waged by one country against another's infrastructure. 

GCHQ head calls Russian cyber operations a failure.

Dave Bittner: An op-ed in The Economist by GCHQ director, Sir Jeremy Fleming, characterizes Russian offensive cyber operations in the present war as a failure, stating, we have seen the Russian state try to align and coordinate cybercapabilities alongside more traditional facets of military power. To date, this hybrid intent has not succeeded. The impact has been less than we and they expected. Fleming attributes the lack of Russian success in its cyber campaigns to effective Ukrainian defensive efforts, assisted by international allies, stating, as we have witnessed heroic defense by Ukraine's military, online, we have seen arguably the most effective defense cyberactivity in history. Operating under sustained pressure against a very capable adversary, this team of industry, intelligence, security agencies and, in some cases, citizens has worked side by side to warn, respond and remediate. 

Dave Bittner: And he teases an allusion to extensive British operational support of Ukraine in cyberspace, saying, an important component of our response to this situation may involve the U.K.'s National Cyber Force, a partnership between GCHQ and the Ministry of Defence. This builds out from our world-class cyberdefense and resilience to deliver offensive cybercapabilities. I won't go into detail about NCF activity. Stealth and ambiguity are key attributes of cyber operations. This secret and important work is conducted in accordance with international law and domestic legislation. It is authorized by ministers and scrutinized by judicial commissioners. It is this ethical, proportionate and legal approach that sets us apart from our adversaries and from Russia's use of cybercapabilities in this war. 

US Cyber Command concludes "hunt forward" mission in cooperation with Croatia.

Dave Bittner: The U.S. Cyber National Mission Force, an element of Cyber Command, has concluded what it characterizes as a successful hunt-forward mission in conjunction with Croatia, CyberScoop reports. U.S. Cyber Command did not explicitly connect the operation with Russia's war against Ukraine, but, as The Record points out, the Command has said that it was giving priority in its hunt-forward operations to threats linked to Russia, and other recent deployments to Eastern Europe have been avowedly conducted for defense against Russian cyber operations. 


Cozy Bear update.

Dave Bittner: Security firm Mandiant reported yesterday on activity it's recently observed by APT29, the Russian SVR operation commonly referred to as Cozy Bear. Mandiant says, we have observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations. Among its recent tactics has been the disabling of licenses in Microsoft 365 in ways that disable the important security functions performed for the suite by Purview Audit. Once disabled, they begin targeting inboxes for email collection. The threat actor has also been observed conducting successful password-guessing attacks that have enabled it to take over dormant accounts and exploit the access thereby obtained. In all of this, Mandiant credits APT29 with an unusually high degree of operational security. 

Criminal gang targets the travel and hospitality sectors.

Dave Bittner: Security researchers at Proofpoint report that TA558, a criminal gang the researchers assess as a financially motivated small crime threat actor targeting hospitality, hotel and travel organizations, has increased the tempo of its operations in 2022, stating, since 2018, this group has used consistent tactics, techniques and procedures to attempt to install a variety of malware, including LODA RAT, Vjw0rm and Revenge RAT. Its targets have, for the most part, been in Latin America, its emails generally written in Portuguese or Spanish. The report concludes, TA558 is an active threat actor targeting hospitality, travel and related industries since 2018. Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses. Organizations, especially those operating in targeted sectors in Latin America, North America and Western Europe should be aware of this actor's tactics, techniques and procedures. Proofpoint has indeed provided a guide to those tactics, techniques and procedures.

Additions to CISA's Known Exploited Vulnerabilities Catalog.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has made seven additions to its Known Exploited Vulnerabilities Catalog. As CISA reminds in its announcement, "Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats." The newly added vulnerabilities affect SAP, Apple iOS, macOS, Chrome, Microsoft Active Directory and Windows and Palo Alto Networks PAN-OS. All of these are undergoing active exploitation in the wild, and U.S. Federal Civilian Executive Branch agencies falling under CISA's oversight are required to check their enterprise software and apply vendor patches no later than September 9, 2022.

CISA issues five ICS security advisories.

Dave Bittner: And finally, CISA has also released five industrial control system advisories affecting systems from Siemens and Mitsubishi Electric. The list of advisories can be found on CISA's website. Operators should read and heed. 

Dave Bittner: BlackCloak is a security firm focused on the unique needs of executives, board members and high access employees. They recently released their latest report titled Quantifying the Business Need for Digital Executive Protection. Daniel Floyd is chief information security officer at BlackCloak. 

Daniel Floyd: What we've encountered is, on the corporate executive side, these home networks actually resemble more of a small office network or even, in some cases, an enterprise network. What we've discovered is, you know, home wireless systems that have multiple access points - you know, 15, 20 access points - wireless LAN controllers, multiple switches, PoE switches - you know, anything from Cisco to Fortinet routers and VPNs and firewalls, home theater automation systems from Savant, Crestron, Control4. So when you actually look at these types of home setups, they start to resemble more of a corporate small office or even enterprise office setup. 

Dave Bittner: And is this, just from a practical point of view, that these folks tend to have larger homes with more gadgets in them? 

Daniel Floyd: Yes. It's both at the larger homes. As you know, if you get into the 10,000-plus-square-foot home, you're going to have a need to have a multiple access point system. And due to that need, you're going to have multiple wireless LAN controllers, multiple access points, and this is where you get into the more enterprise grade systems. And then you'll also have potentially IP camera systems. And this is where you'll see power over Ethernet switches, HP, Cisco types of switches like that that you wouldn't see in a standard home setup for most people. 

Dave Bittner: Now, in this executive's day-to-day life, in their interactions with their company, is it that their home is kind of out of sight, out of mind in terms of the security folks they have at the office? 

Daniel Floyd: Yes, absolutely. So, you know, one of the things that, you know, corporates, SOCs and security teams struggle with is, you know, they're specialized in their corporate security. So they have within the four walls of their security, your SOC is specialized in the type of equipment that you've purchased, right? You may be a Cisco shop. You may be a Juniper shop. Whereas the home networks are really outside the purview of the security team at the organization. And, you know, these executive home networks are like snowflakes. No home is the same. So you have 20 executives? You're going to have 20 different setups. One home may have a Cisco wireless system set up with HP switches. The next home could be Fortinet. The next home could be SonicWall. Next home could be Ubiquiti. 

Daniel Floyd: You're really - you're never going to see the same home setup unless the security team at the organization set that up. It's literally going to be a snowflake per home, which makes it difficult for the security team to have the skill set to secure these homes or even have the permission to secure these homes. And then in addition to the different types of setups you see, you have the privacy concerns. You know, where do you draw the line in the sand from what the security team at the organization should be doing at the office versus what access they should have at the individuals' homes? 

Dave Bittner: Yeah, that was actually going to be my next question, which is, you know, is there a cultural issue here as well that, you know, the security folks don't want to mess with the boss's house, right? 

Daniel Floyd: Absolutely. Yes. Yeah. There's absolutely the privacy implications of it, both for the executive but also for the security team. It could be a very uncomfortable situation for the security team to have to physically access the device, physically access the home, come across something, you know, that's more privacy related that they shouldn't have. And it can really become a very, you know, awkward, sticky situation. 

Dave Bittner: Teenage kids, right? 

Daniel Floyd: Yes. Right. Exactly. You know, and the home network is a totally different paradigm, right? You have, you know, the things that you can block and prohibit on a corporate network because it's owned by the company is totally different than what's going to be at a home network. You know, the home network is going to be wide open. You're not going to be able to deploy URL filtering. There's no Zscaler. There's no, you know, really shouldn't be, you know, installing Palo Alto firewalls at everyone's home...

Dave Bittner: Right. 

Daniel Floyd: ...Unless you do some type of network segmentation. And that can get real complicated, real messy over time. 

Dave Bittner: How much of a real-world threat is this? I mean, in terms of the things that you all are tracking, are the executives' homes a target? 

Daniel Floyd: Absolutely. So what we've discovered is, you know, almost 20 - a little over 20% of the executives' homes have open ports. That can lead to, as I mentioned, security cameras, VPNs, routers, firewalls. And if you actually go back a few years, there was a breach that occurred at a major social media company which I won't name that actually occurred via this exact same attack vector. They were - it actually wasn't an executive. It was - a security site reliability engineer was working from home and there was an attacker that discovered his home IP address. 

Daniel Floyd: And a lot of these home IP addresses are available on data broker sites. You can actually Google someone - an individual or executive's name and through a number of different ways, through OSINT, actually determine what their public IP address is. This threat actor was able to compromise a device that was running at this linked social media employee's home that he was then able to pivot from the privately-owned device into a work computer that contained the SSH keys to access the remote access environment at the company.

Dave Bittner: Well, so based on the information that you all have gathered here, what are your recommendations? How should folks come at this? 

Daniel Floyd: So some of the strategies to reduce the risk at the executives' homes are, you know, kind of the same strategies that you would deploy at your corporate office, starting with asset management. What are the devices that are at the home? What types of devices are at the home? You don't know - you can't secure what you don't know. So, you know, taking an inventory of these types of devices. Then, you know, the same strategies that you would deploy at the corporate office, you deploy at the home - ensuring the devices are patched, make sure they're not end of life, making sure they still have support, making sure there's no misconfigurations or default credentials on these devices, things of that nature.

Daniel Floyd: One of the other things that we found very effective, very low cost, high fidelity, low false positive rate is to deploy a honeypot or deception-like device at the home. We've discovered that, you know, as honeypots can act as an early warning radar or early warning trigger system if someone does gain a foothold into the network, you know, one of the first things they're going to do is enumeration and attempt to pivot. And if you set up a nice juicy target, such as a honeypot, it's a very effective way to detect an intruder in the network.

Dave Bittner: That's Daniel Floyd from BlackCloak. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for interview selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: Thomas Pace is co-founder and CEO at NetRise, where they focus on the security of firmware and things like ICS, IoT and medical devices. We kicked off our conversation with a look toward the skies, considering the security of satellites. 

Thomas Pace: Satellites have - or any kind of space devices, including the associated infrastructure to support them such as, like, ground stations and the radar, any of the other kind of supporting infrastructure required, have kind of been ignored for a reason I guess I don't totally understand. They're just devices like anything else. And so having appropriate visibility into the software components that are present on these devices, that are obviously serving incredibly critical functions in the world, in our society, for the military, etc., is paramount. And that has basically - that's really been lacking. 

Dave Bittner: You know, earlier in my career, back in the - oh, I suppose around the early 2000s or so, I was working in television. And I remember having a conversation with a satellite engineer. And this was really during the transition from analog to digital. And I remember asking him, you know, what keeps someone from stepping on another person's satellite transmission? And he said courtesy. And that was it (laughter). And I remember my jaw kind of hitting the floor. I mean, have we progressed much past that? 

Thomas Pace: I don't think so. I mean, you do have specific - like, there's, like, government bands and communication channels that I think are challenging for some people to leverage in some cases. But, you know, it's really the FCC that's regulating and monitoring this. It seems to happen at DEFCON just about every year where people bring radio jammers and are talking on channels and frequencies they're not supposed to - so things like the 911 channels, the, like, emergency response channels, like, the police scanning channels that are reserved for specific things, obviously. And they don't want people on there, you know, screwing around or messing with things or blocking those radio frequencies, things like that. But yeah, that's just - that stuff's floating around in space. So being able to listen in or jam it or add your own whatever it is isn't that huge of a challenge necessarily. 

Dave Bittner: So what are organizations like yours bringing to bear here? What are the - some of the mitigations that you all are proposing? 

Thomas Pace: Yeah. So what we are bringing to bear here is gaining visibility into what is going on inside of these devices. People view a lot of these devices - IoT, ICS, medical devices, embedded systems in vehicles, telecommunications equipment and satellites - as these, like, mystical black boxes where we don't have any idea what's going on inside. The reason we don't know what's going on inside is pretty simple. No one's looking. And why is no one looking? Because it's challenging. You - it's not like looking inside of a Windows operating system or a Linux operating system or something like that. It typically has to be done by evaluating the firmware that is running on these devices. And firmware is a just much harder thing to extract, analyze and find risks in for a myriad of reasons. Now, we're very good at doing that. So simplifying visibility for very difficult things to gain visibility to is basically what we are doing. So now we can say things like, OK, we've identified these software components that exist in these devices. Once we do that, we can say these vulnerabilities exist for these software components. And then these vulnerabilities can be exploited. They can be - they're being leveraged for ransomware, or we find things like weak credentials, default credentials. We find things like expired certificates or certificates that have been like - where the certificate authority has been compromised. We find public keys and the private keys are both in the same firmware image, which, obviously, is I think what you would call a worst practice - so things like that. Once we get access into the firmware, we've extracted that out and can identify the software components, you're basically solving that problem in the same way you solve a lot of these problems for, like, normal devices. But getting into them is, like, a really big part of the challenge. And that's what we've done, you know, really, really well across a very wide, heterogeneous, disparate set of device types.

Dave Bittner: Yeah. I mean, I suppose - I mean, you know, there's that old saying, you know - if it ain't broke, don't fix it. But that really doesn't apply here because, as you say, you know, vulnerabilities can be discovered along the way. So even though something may be sitting there doing its function, it doesn't mean that it's not essentially a sitting duck. 

Thomas Pace: I mean, that's 100% right. So we have identified something like - it's well over a million what are known as N-day vulnerabilities. So they're not zero days. What this means is these are vulnerabilities whereby - like, OpenSSL vulnerabilities, as an example. Let's say there's vulnerabilities from 10 years ago. And I go look in that National Vulnerability Database, and I want to say, what devices have this vulnerability? There's a 0% chance that every device that has that version of OpenSSL is in the National Vulnerability Database. That's not the way it goes. So what we have figured out is there's countless devices - I mean, countless - that are not even in the NVD at all. And so every vulnerability that we find in a software component in a device like that is basically known as an N-day, meaning this is a vulnerability that is known to exist but is not known to exist on this device because no one's looked.

Thomas Pace: And that could be because the device manufacturers don't even have a product security team, which is more common than I would care to admit. But it's also just because, you know, time to market matters with these devices, and the security of them kind of takes a backseat. But at the same time, we're seeing attacks now - I mean, we've been seeing attacks for a very long time. A lot of these attacks weren't maybe in the public eye, especially for people who are working in the darker corners of the government that knew these kind of things were happening. But now it's in the mainstream. Like, there was a big firewall manufacturer last year that literally recommended to their clients to turn off their firewalls because a vulnerability was being exploited that was allowing attackers to launch ransomware attacks within their environment through their firewall. 

Thomas Pace: So, who's watching the watchmen? - as they say. Like, there's a bunch of really famous VPN hacks last year that were also being used for the same thing. Speaking of satellites, there was a large satellite manufacturer that had an issue recently, but that actually came through VPN vulnerabilities that gained them access to the satellites. So you can see here that this is not like - just saying like, hey, guys, these are risks. Like, there's risks in every single thing we do every single day. There are actual, tangible attacks that have been happening for years against these devices via exploiting the firmware vulnerabilities. 

Dave Bittner: That's Thomas Pace from NetRise. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Dick O'Brien from Symantec. We're discussing the Clipminer Botnet making operators at least $1.7 million. That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.