The CyberWire Daily Podcast 8.23.22
Ep 1647 | 8.23.22

Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Greek natural gas supplier under cyberattack. Updates on a hybrid war.


Tre Hester: Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on control plane versus data plane vulnerabilities. Our guest is David Nosibor, platform solutions lead for UL, to discuss SafeCyber phase two. And targeting and trolling with an excursus on Speedos. Really? 

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Tuesday, August 23, 2022. 

Iranian APT data extraction tool described.

Tre Hester: Google's Threat Analysis Group this morning published the results of its investigation into Charming Kitten. The Iranian government-sponsored threat group has been observed using a new extraction tool the researchers call HYPERSCAPE. It's used to extract user data from Gmail, Yahoo and Microsoft Outlook accounts. Google explains, quote, "The attacker runs HYPERSCAPE on their own machine to download victims' inboxes using previously acquired credentials. We've seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings," end quote. 

Tre Hester: The tool depends on having the victim's credentials. "HYPERSCAPE requires the victim's account credentials to run using a valid, authenticated user session the attacker has hijacked or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account's language settings to English and iterates through the contents of the mailbox, individually downloading emails as .eml files and marking them as unread. After the program has finished downloading the inbox, it reverts the language back to its original setting and deletes any security emails from Google. Earlier versions contain the option to request the data from Google Takeout, a feature which allows users to export their data to a downloadable archive file," end quote. The report includes, as is customary, a set of indicators that HYPERSCAPE users can check as they defend their systems. 

LockBit gang comes under DDoS.

Tre Hester: Researchers at Cisco Talos tweeted over the weekend that the blog operated by the LockBit gang had come under a heavy distributed denial-of-service attack. Researcher Azim Shukuhi stated, quote, "Someone is DDoSing the LockBit blog hard right now. I asked LockBitSupp about it, and they claim they are getting 400 requests a second from over 1,000 servers. As of this writing, the attack appears to be active. LockBit promised more resources and to drain the DDoSers' money," end quote, and added in the thread that the ALPHV gang seem to be undergoing a similar attack. 

Tre Hester: According to the Register, LockBit, a Russian criminal operation, said that it came under an attack because it had, in its own turn, hit the large U.S. authentication firm Entrust with ransomware earlier this summer. BleepingComputer reports that LockBit is blaming Entrust for the DDoS attack. Quote, "DDoS attack began immediately after the publication of data and negotiations. Of course it was them. Who else needs it? In addition, in the logs, there is an inscription demanding the removal of their data," end quote, LockBitSupp, the public face of the gang, told BleepingComputer. But it's unclear who's behind the DDoS attack. Entrust hadn't yet responded to BleepingComputer at the time they published. And it's entirely possible a rival gang, for example, could be behind the attack. 

Twitter whistleblower security claims made public. 

Tre Hester: Peiter "Mudge" Zatko, a well-known white hat hacker who served for a time as Twitter's chief of security before being dismissed in January by Twitter's CEO, has filed a whistleblower report against his former employer, the Washington Post reports. The complaint, which Zatko filed with the U.S. Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission, alleges, according to the Post, quote, "that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko's complaint alleges he had warned colleagues that half of the company's servers were running out-of-date and vulnerable software, and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes," end quote. For its part, Twitter says it investigated Zatko's claims at the time he made them and found them without merit. 

Poland and Ukraine conclude cybersecurity agreement.

Tre Hester: The governments of Poland and Ukraine have concluded a memorandum of understanding concerning cybersecurity, formalizing cooperation in the fifth domain. Ukraine's SSSCIP describes the purpose of the agreement as organization of joint efforts for, quote, "repelling the enemy in cyberspace," end quote. The statement adds, quote, "the memorandum aims to strengthen the joint fight against crimes in the digital space, as well as to share experience and detailed information about cyber incidents faster and more effectively," end quote. 

Greek national natural gas supplier under criminal cyberattack.

Tre Hester: The Greek natural gas provider DESFA disclosed over the weekend that it had been the victim of a ransomware attack. Quote, "DESFA suffered a cyberattack on part of its IT infrastructure by cyber criminals that have tried to gain illegal access to electronic data with a confirmed impact of the availability of some systems and possible leakage of a number of directories and files," end quote. BleepingComputer connects the incident with Ragnar Locker, a pioneer of double-extortion attacks that both steal and encrypt data. Ragnar Locker, which claimed responsibility and leaked proof of compromised data Friday, is, again, long believed to be based in Russia. An attack on a European natural gas distributor during Russia's war against Ukraine is consistent with privateering aligned with Moscow's interests. The Record reports that DESFA has, quite properly, refused to negotiate with its attackers. 

Update to the Joint Alert on Zimbra exploitation. 

Tre Hester: The Cybersecurity and Infrastructure Security Agency, also known as CISA, and the Multi-State Information Sharing and Analysis Center yesterday updated Alert AA22-228A, "Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite" to include two new detection signatures. Exploitation of Zimbra remains a threat, so the alert is worth a look. CISA especially urges organizations that may not have checked their systems for vulnerability to look for evidence of five vulnerabilities. Patches are available for all of them. 

Addition to CISA's Known Exploited Vulnerabilities Catalog.

Tre Hester: CISA has also added CVE-2022-0028, a vulnerability in Palo Alto Networks' PAN-OS, to its catalog of known exploited vulnerabilities. It's a, quote, "reflected amplification denial-of-service vulnerability," end quote. Filtering policy misconfiguration could permit, quote, "a network-based attacker to conduct reflected and amplified TCP denial-of-service attacks," end quote. U.S. Federal civilian executive branch agencies overseen by CISA have until September 12 to apply Palo Alto's update. 

Targeting and trolling.

Tre Hester: And finally, in an update on the menace to operations security presented by selfies and social media, Ukraine's Defense Ministry has credited holiday photos taken by Russian tourists in occupied Crimea with providing valuable targeting information. The ministry tweeted, quote, "maybe we are being too hard on Russian tourists. Sometimes they can be really helpful - like this man, taking a picture of Russian air defense positions near Yevpatoria, in occupied Crimea. Thank you, and keep up the good work," end quote. The picture shows a middle-aged guy in Speedos posing, evidently deliberately, in front of a Russian missile launcher. The Telegraph explains that such open sources are delivering targets to Ukrainian forces. 

Tre Hester: Ukraine's defense minister is, we think, obviously trolling its Russian opposition. Overhead imagery provides much more timely and accurate target indicators than does any selfie by Ivan Speedodovich (ph). That said, tourist, soldier and bystander photos posted to social media have been an opsec headache for Russian forces since the invasion began, and have probably contributed more to an understanding of the Russian order of battle than to direct targeting. But still, if you must take a selfie while enjoying the sun and the fun, it's better if there's a SAM TEL in the background. Keep snapping, bros. If order of battle and pics of combat vehicles are your hobby, well, we hear that everyone needs one. 

Dave Bittner: In 1894, William Henry Merrill Jr. founded the Underwriters Electrical Bureau, later known as the Electrical Bureau of the National Board of Fire Underwriters. For most of the organization's life, they were known by the name UL - Underwriters Laboratories - and their certification was the standard for safety in electrical products. These days, UL has updated their name and their brand to UL Solutions, expanded their mission to applied safety science, including cybersecurity. David Nosibor is product lead for UL's SafeCyber platform. 

David Nosibor: We have, first of all, an increasing volume and sophistication of security attacks. And as part of these attacks, we see that connected devices are being one of the main attack vectors with, obviously, supply chain components being part of that and representing a huge problem for their lack of security. So we can go along and ultimately talk about the targeted attacks targeting critical infrastructures, industrial and automotive players, as well as their suppliers. We see that about a quarter of organizations - 25% - have experienced a supply chain attack in the past year. And ultimately, this is a testament to the fact that hackers are finding more and more ways to exploit those attack vectors and ultimately cause great harm to businesses and even individuals. 

David Nosibor: And now, the second thing we need to talk about is why this is happening. And one of the key reasons is the lack of expertise - security expertise - in most companies to prevent and fix these issues related to security. And, thing is, this is due to security having been relegated to the back of the queue over speed to market when we look at connected device manufacturers that were looking at gaining market share and favoring innovation. And security had been considered as a costly element and ultimately hampering that speed to market. Well, that momentum, like I said, is shifting because of the great harm that's been happening with the attacks that we've been witnessing. 

David Nosibor: And the third element to look at is governments and industry bodies waking up to this and seeing the damage that it's causing and finally starting to push regulations and policies to address device security. And the SolarWinds attack was pretty much a great wake-up call in that regard - right? - in 2020. And with those three elements that we've quickly recapped, it's all about how we can democratize product security for every connected device stakeholder so that they can essentially play ball and implement the right security measures to essentially mitigate those threats and risks. They have to strike the right balance with speed to market and security along with compliance since we have regulations being enforced, such as, if we can mention the executive order from the U.S. government and President Biden in May 2021, ultimately imposing on device manufacturers and suppliers to come up with software building materials and encouraging supply chain transparency. How can those connected device stakeholders make sure they are having the right information while also having the means to implement what's needed? This is where SafeCyber comes into play. 

David Nosibor: SafeCyber is a security and compliance posture management platform for product security and development teams that are working at those device manufacturers, OEMs, suppliers and system integrators. SafeCyber is essentially hosting a suite of digitally enabled solutions - applications, per se. This is representing the gateway to UL's product security expertise and aiming at democratizing connected device security. So we have for now two solutions on the platform that are Maturity Path and Binary Check. Maturity Path is more focused on the product security processes and governance side of things, helping organizations organize, assess that, helping organizations assess that, while Binary Check is more on the product security testing side of things and available in a self-service capacity for these organizations. 

Dave Bittner: Well, help me understand. You know, I think, like a lot of folks, I certainly have a long history with UL and, you know, growing up and seeing the UL logo on consumer products and so on. Is this part of the for-profit side of UL? 

David Nosibor: So that's correct. So let me provide a bit more background as to why UL Solutions is tackling security in addition to safety. And there's actually a simple reason for that because today, there's no safety without security. And this is pretty much put on full display when we look at, for example, a connected car today with a lot of software components, essentially having a computer on wheels, so to speak. If we are finding security risks at the car level, this could actually impact the safety of its passengers, right? So at the end of the day for you, well, it's quite a natural element to tackle to ensure the overall safety of citizens and people at large - right? - and make the world a safer place. And ultimately, UL Solutions has been having an extensive expertise in cybersecurity and device security with a global network of IoT and OT security labs across the world, along with a roster of security experts and advisors that are specialized in securing several ecosystems, right? Not only talking about ICS and industrial manufacturers, but also automotive, health care, the connected home and consumer electronics at large, as well as smart buildings and payments. 

Dave Bittner: That's David Nosibor from UL Solutions. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, always great to welcome you back. 

Johannes Ullrich: Yeah, thanks for having me again. 

Dave Bittner: So interesting topic that you have been looking into here, looking at some vulnerabilities and sort of contrasting between control planes and data planes. What's going on here? 

Johannes Ullrich: Yeah, that's actually a distinction that a reader of our diaries reminded me of. And if you are looking at your network security devices, routers and such, you should distinguish between control plane and data plane. Data plane is sort of what you basically consider what goes through the device, so your packets that are being passed along. Control plane is usually where you find the security vulnerabilities. That's, like, your web-based admin interface. And if you ever listen to me - I get sick of saying it - well, block access to that admin interface. That's sort of one of the common issues here. But lately, we have seen some interesting issues with the data plane, which is much more difficult to control because that's, after all, sort of considered a little bit transparent. And historically, I think people haven't really paid much attention there because the data plane is conceptually pretty simple. You get the packet. You look at some headers. And you pass it on, or you block it. But it turns out that, well, as with many things, once you look deeper into it, it's not quite as simple. And for example, there are these application layer gateways. What they are doing is they're doing very complex operations on packets on the application layer. 

Dave Bittner: Let's dig into that. Help me understand what's going on here. 

Johannes Ullrich: Yeah. So let's look at a recent example here, and this was this Realtek vulnerability that affected their SIP, so their voice over IP application layer gateway. These gateways, they do have to do NAT. They do have to rewrite IP addresses. For 99% of the packets, that's only affecting the headers, you know, your IP header and then checksums and such and UDP and TCP. But for protocols like SIP, you find that the IP address is also embedded in the payload. Now the device, your router, has to rewrite that payload and not just the headers. And that's where it gets complicated because those payloads are not really meant to be rewritten. There are fairly intriguing kinds of protocols that are being used here, and that's essentially where they messed up. Plus, the other problem you have with the data plane is that speed matters. 

Johannes Ullrich: For the control plane, when you're connecting to a web server, you have noticed a lot of these small routers, the web server is a little bit sluggish kind of, and you connect to it. And that's usually OK because you have, like, one user connecting to it, and you only need to connect to it once a month. Hopefully, you connect to it once a month to check if the firmware needs updating, but that's about it. On the data plane, with gigabit connections that people have now in their homes, speed matters. So developers are a little bit enticed to take some shortcuts here to keep things simple, not necessarily check all the little details. And that's exactly sort of what happened here with Realtek, where, well, if Realtek routers, these particular routers, use or look at SIP traffic, you have a very straightforward and easy-to-exploit buffer overflow just by them looking at it. So you don't even have to use this protocol. It's just the router receives a packet that is SIP. It sends it to this application layer gateway. Hey, does this need rewriting? Oh, there's a buffer overflow here. Let me execute the attacker's code. 

Dave Bittner: So what's to be done here? I mean, what are your recommendations? 

Johannes Ullrich: Well, that's the hard part. So definitely, you know, keep those firmwares updated. But like in the Realtek case, you may not have an update. It's - you know, with a router that's sort of running end of life and such, you may not find an update for this particular vulnerability. The standard advice - always, well, you know, add a device before your router, kind of add a firewall in front of the firewall to protect the firewall. Well, you can see how we can sort of play that game and of course that's... 

Dave Bittner: It's firewalls all the way down, right? 

Johannes Ullrich: Yeah. And that's not really realistic kind of for a home user necessarily. Disable features as much as possible is certainly something that you can consider. Like, keep it simple. And, you know, lastly in particular, if this is, like, a - let's say a cable/DSL modem that your ISP provided, you may not even have sort of a lot of insight into the configuration, just treat it as hostile. And then, again, you know, the firewall after firewall, now you have your firewall behind the ISP's firewall to basically ignore what happens there. Yes, they can still cut you off. They can still do a denial of service, but at least you don't have that implant in your network that's controlled by an attacker. 

Dave Bittner: All right. Well, good information. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Yeah. Thank you. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.