Notes from six months of hybrid war. Oktapus criminal campaign. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. US DHS shutters its Disinformation Governance Board.
Tre Hester: Ukrainian and Russian cyber operations at six months; Oktapus criminal campaign compromises 9,931 accounts in more than 130 organizations. Exotic Lily and Bumblebee loader; Insights derived from DNS traffic; Chris Novak from Verizon on DHS' Cyber Safety Review Board's report on the Log4j investigation. Dave Bittner sits down with our guest, Dr. Scott Crowder, CTO and VP quantum computing, technical strategy and transformation for IBM Systems to discuss the increasingly urgent need for industries to prepare for security threats that Quantum could unleash. And the U.S. Department of Homeland Security shutters its Disinformation Governance Board.
Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Thursday, August 25, 2022.
Ukrainian and Russian cyber operations at six months.
Tre Hester: Politico reviews Ukraine's offensive cyber operations during the hybrid war Russia launched in February. And it concludes loosely that Kyiv has successfully executed portions of a playbook hitherto associated with Moscow. The article outlines four areas where it regards Ukraine as having been particularly successful. The first has come to be generally recognized - Ukraine has been far more successful than Russia at influence operations, controlling the narrative. It's done so without widespread use of coordinated inauthenticity, and it's operated in a highly distributed way that contrasts sharply with the Russian centralized, top-down approach to propaganda. It's also relied heavily on truth telling. Moscow's approach has found some limited traction in Africa and Latin America. But Ukraine has been far more successful in shaping international opinion.
Tre Hester: The second success is related, insofar as it also involves an influence campaign. Ukraine has succeeded in persuading Western tech companies to abandon Russia, effectively inducing an undesirable form of internet autarky Russia has long sought. Third - Ukraine has succeeded in attracting international hacktivist support. Their work has largely been at a nuisance level, but it's been embarrassing to its Russian targets. Russia also made extensive use of hacktivists. And these have, for the most part, been at best privateers and often fronts for units of intelligence and security services. Ukraine has succeeded in crowdsourcing some of their cyber operations. Volunteers, many of them domestic, have also provided defensive resiliency to Ukrainian networks, ABC News reports.
Tre Hester: And finally, Ukraine has been able to use data against Russian interests, including both analytic tools from firms including Palantir and facial recognition tools from Clearview AI. In a look at the Russian phases of the cyber conflict, Trustwave researchers describe the distinctive and characteristic tool of Russian operations - wipers. Those tools saw some success in the early days of the invasion but have grown less prominent as the war has progressed.
Oktapus criminal campaign compromises 9,931 accounts in more than 130 organizations.
Tre Hester: Group-IB reports that phishing attacks against employees of Twilio and Cloudflare that impersonated Okta's identity and access management services formed part of a campaign that compromised 9,931 accounts in more than 130 organizations. Most of the victims were in the United States and were Okta users. Group-IB explains, quote, "the initial objective of the attackers was clear - obtain Okta identity credentials and two-factor authentication codes from users of the targeted organizations. With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to" - end quote. The attackers showed a mixture of sophistication and inexperience, making use of simple commodity tools in a convincing way but with static pages and a phishing kit ill-configured for mobile devices. The researchers developed some information on the threat actor behind what appears to be a criminally motivated operation. Subject X, as Group-IB calls him, is thought to be a 22-year-old software developer working from the U.S. state of North Carolina. Group-IB has shared what it knows with law enforcement.
Exotic Lily and Bumblebee Loader.
Tre Hester: Deep Instinct has released a report describing the Bumblebee loader. The threat actor used a phishing email to gain trust and then sent malicious files to the victim under the guise that the files were for a file-sharing platform. The files execute a script that drops the Bumblebee payload. This has been found by researchers to be consistent with activity from threat actor Exotic Lily. And Google's TAG says, quote, "Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors" - end quote. Exotic Lily has been described by Google's Threat Analysis Group as a financially motivated initial access broker that works closely with elements of the Russian underworld, particularly the gang tracked as FIN12 or Wizard Spider. Thus, Exotic Lily is a player in the C2C market.
Insights from DNS traffic.
Tre Hester: Akamai this morning released a report detailing insights into DNS traffic in Q2 of this year. Researchers found that just over 12% of devices monitored by Akamai interacted at least once with domains associated with malware and ransomware. Malware and ransomware had the highest level of interaction, with 63% of potentially compromised devices interacting with those types of domains, whereas 32% of interactions were with phishing domains and 5% were with C2. High tech and financial services were the most impersonated industries, with consumer attacks making up over 80% of phishing attacks. Crypto was also found to be the most-used phishing toolkit, found in over 500 domains.
US Department of Homeland Security shutters its Disinformation Governance Board.
Tre Hester: And finally, the U.S. secretary of Homeland Security, Alejandro Mayorkas, yesterday announced that his department was canceling plans to establish a Disinformation Governance Board. Quote, "In accordance with the Homeland Security Advisory Council's prior recommendation, Secretary of Homeland Security Alejandro Mayorkas has terminated the Disinformation Governance Board and rescinded its charter, effective today, August 24, 2022. With the HSAC recommendations as a guide, the department will continue to address threat streams that undermine the security of our country consistent with the law, while upholding the privacy, civil rights and civil liberties of the American people and promoting transparency in our work," end quote. The Disinformation Governance Board had drawn criticisms as a step toward erosion of freedom of speech, which, of course, the department was at pains to dispute, but nonetheless induced pause in the board's formation and a request for advice, which the department has now received and accepted.
Dave Bittner: NIST, the U.S. National Institute of Standards and Technology, recently selected four new industry-wide cryptographic standards to help protect against the coming threat of quantum computers. It's complicated stuff, and so to help explain it all, I reached out to Dr. Scott Crowder. He's CTO and VP for quantum computing, technical strategy and transformation for IBM Systems.
Scott Crowder: So quantum computers in general, you know, are really good at three kinds of math - so far, that's been proven. And one kind of math is solving - you know, simulating nature - so the math around, you know, chemistry, materials, development, all those kinds of problems. The second type of math that's really relevant for this conversation is around finding patterns in complex data, and factoring and discrete log kind of fall into that category. So the good news for society is all the really good stuff that, you know, it can do as well, you know, in machine learning and other places. But for this conversation, the reason why we really are interested is because quantum computers, when they get big enough, will be good at that kind of math.
Scott Crowder: And the third kind of math is kind of search, which has implications for portfolio optimization, risk and all that kind of stuff - you know, also can be applied for, you know, some of the symmetric as well. But the good news from a crypto point of view or a decryption point of view, is that that speed-up is only polynomial, so you can just make - increase the number of bits in your symmetric system and you probably will be quantum-resistant for quite some time. But for asymmetric, it's a little bit more serious because, you know, the fundamentals of factoring and discrete log and elliptical curve, etc., etc., really do need to get changed. Quantum computing, when they get large enough and low enough errors, will be able to do that math, you know, very efficiently.
Dave Bittner: You know, I think my perception certainly has been for a number of years that - I guess in my mind I kind of lumped quantum computing in with nuclear fusion, where it's - you know, there's that old joke about how it's always 20 years away, no matter when you ask. But it seems as though we're getting closer with this technology. Where do we stand today? What do folks in the business estimate a realistic timeline might be?
Scott Crowder: Yeah. I mean, you know, so I'm not going to give you a date for the decryption part because I never want to underestimate human ingenuity. But, you know, from a just basic making quantum computers practical - I mean, when I started getting involved in this six years ago now, you know, we had a five-qubit system that we had just put on the cloud and let people play with. And the error rates and the fidelities and those things were, like, 99%. And, you know, to make them practical, we need to get the scale of them up to, you know, in the hundreds to thousands, and we need to get the - you know, the error rates for, you know, the basic operations into, you know, 99.99% or 99.999% fidelity, because then you can start using error mitigation to trade off. And over the last six years, we've gone from five qubits to 127. We'll be at 433 this year, over 1,000 next year. So from a scale point of view, we're rapidly improving. And then from a gate error improvement, you know, we've gone over an order of magnitude improvement, you know, in the last five years, and we demonstrated in the last year 99.9% two-qubit gate fidelities.
Scott Crowder: So at IBM, we've kind of published a year-by-year, very detailed road map, you know, going out to the middle of this decade to 2026 with, you know, what we're going to deliver every year to kind of cut through the hype, you know, and say, OK, today these systems are not big enough or low enough error rates in order for them to be practical, you know, better than classical computers. But if we keep marching along, by the middle of this decade, they will. And that's probably when you're going to see the first practical use for other applications, not decryption but for other applications, like machine learning, you know, like simulating nature, et cetera, et cetera. It's going to take a little while beyond that to get the systems large enough, you know, to really do the kinds of things that we're all worried about from a decryption point of view.
Dave Bittner: Well, let's go through the things that NIST has put out here. What strikes you as really deserving our attention here in the stuff that they've put out?
Scott Crowder: Yeah. So basically, they put out, you know, one standard for - you know, methodology for PKE, which is CRYSTALS-Kyber. And they put out, you know, three standards for digital signature - CRYSTALS-Dilithium, Falcon and SPHINCS. The first three I mentioned are all based on some methodology of lattice cryptography. And then the last one uses a stateless hash methodology. You know, I - you know, our team - not me personally, but our team in IBM Research has been working on this for many, many years. And, you know, in fact, you know, the first three came out of, you know, IBM Zurich, working with, you know, their collaborators. So, you know, we feel fairly confident - well, we felt fairly confident that NIST was going to select them because we had, you know, done a lot of work beating on them and making sure that we felt that those were going to be quantum resistant.
Scott Crowder: And then the fourth one, you know, we actually hired the guy who contributed to that one as well. So we feel - well, personally, we feel like - I feel like, you know, NIST has done a good job of due diligence on these, you know, kicking the tires and have selected good standards here for the first round of these. And I think it's now at the point where we need to start working with, you know, government agencies and industrial clients in key areas where we need to protect the infrastructure to understand how we're going to leverage this - these algorithms, these schemes to implement, you know, starting with the areas that are of the, you know, largest risk and then working from there.
Dave Bittner: Is it at all possible that we could have, you know, something along the lines of a Sputnik moment where, you know, one of our adversaries suddenly comes out and says, we're farther ahead of this than we had expected them to be?
Scott Crowder: I would be surprised, but I'm not sure I would give too many people - you know, I wouldn't overstate that and say, like, everybody should feel really comfortable.
Dave Bittner: Yeah.
Scott Crowder: I think, you know, more likely than the underlying computing capability being, like, you know, jumping up way beyond our published road map would be if there's some spark of human ingenuity on how to leverage error mitigation or some other technique to be able to use more noisy quantum computers to do, you know, effectively, you know, a variation of Shor's algorithm or something like that. That would surprise me a little bit less than, you know, an adversary all of a sudden having, you know, a quantum system that's, like, four years ahead of, you know, the state of the art in, you know, IBM or, you know, one of other large players that are putting a lot of investment in.
Dave Bittner: Yeah.
Scott Crowder: That being said, like, you know, I wouldn't bet the national security on it. You know, I think...
Dave Bittner: (Laughter) Right, right.
Scott Crowder: So, you know, I think that's why it was important for NIST to do what NIST has done and the Biden administration and the U.S. government over multiple administrations really taking this seriously and, you know, asking the agencies across the board to get their act together and put plans in place to, you know, become quantum safe.
Dave Bittner: That's Dr. Scott Crowder from IBM Systems.
Dave Bittner: And joining me once again is Chris Novak. He is managing director for security professional services at Verizon. Chris, always great to have you back. I wanted to touch today on some work I know you and your colleagues have been doing when it comes to investigating Log4j. What can you share with us today?
Chris Novak: Sure, yeah. Thanks, Dave. Always a pleasure to be here. So, yeah, the thing you're referring to there is the Cyber Safety Review Board. So for folks who may not be familiar, this was actually created by President Biden's Executive Order 14028, for all the gov geeks out there.
Dave Bittner: (Laughter).
Chris Novak: And we really kicked off in earnest February of this year, and the first investigation was into Log4j, as you noted. And it's interesting. It's a combination of, you know, government employees as well as private sector citizens essentially kind of looking at it through the lens of, you know, like an NTSB but for cyber. And the first report was just released a couple of weeks ago now and really gave some interesting insights into, you know, what it is that we as a Cyber Safety Review Board saw kind of manifesting in that Log4j situation. It was, you know, arguably one of the most serious software vulnerabilities that we've seen. And I think, you know, one of the things that really jumped out at everybody throughout the course of that investigation - and you'll see it noted in the report - is just the sheer challenge that every organization, large and small, had with just simply understanding where Log4j existed in their environment. For folks who were not keeping track on this one, it's a library that exists in lots of software, other open-source software, other commercial software. Log4j itself is part of an open-source software foundation managed by Apache. So that in and of itself created a lot of challenges for organizations, like I said, and just understanding where it exists to then be able to follow that up and say, how do we remediate it, right?
Dave Bittner: Yeah. I mean, is that revelation? Would you consider that to be an aha moment of the investigation?
Chris Novak: I would say it was an aha moment for a lot of folks who were looking at the problem because I think historically, everybody looked at vulnerability management in a lot of ways through the lens of, well, my vendor, my provider, my someone will give me a patch when something pops up. And what I think became very clear to a lot of individuals and a lot of organizations, especially if you're using things that are open source, is there may not be a specific cadence that the open-source software community will work towards in terms of applying patches or releasing patches.
Chris Novak: Obviously, a lot of the work that we see that comes out of the open-source software community is fantastic work. Some of the smartest minds in the world are contributing their talents to that work effort. But a lot of that is volunteer-based. And so things happen on a kind of as-available type of basis. There's not necessarily the same manner of operations as you might see, for example, for a commercial, off-the-shelf piece of software where you're paying for that licensed software, you're paying for support. You may even have contractual terms that dictate, hey, if there is an issue or a bug, there is a timeline for a fix or a patch or some way to address it. When you're looking at open source, you don't necessarily have that. And I think to your point, I think everybody deep down recognizes that. But I think they started to see with Log4j the prevalence of it within a lot of other applications.
Dave Bittner: And so what are the recommendations going forward?
Chris Novak: Yeah. So obviously, one of the big things that comes out of it is - this is, you know - we've kind of referred to it as kind of almost an endemic kind of problem in the sense that Log4j itself is going to be here for a while. There's still a lot of organizations still trying to wrap their arms around it. So a big piece of it is going to be monitoring and maturing vulnerability management practices within and across organizations so that they can at least try to get caught up on what this one looks like.
Chris Novak: And then also, one of the big recommendations coming out of it is improving things like software bill of materials tooling and adaptability because a key component of being able to identify that it even exists in your environment is knowing what the ingredients are. You know, I say it's kind of almost like if you have an allergy to a specific type of food, knowing that it is part of your meal would be important. If you don't know kind of what that makeup is, you're going to struggle in understanding that there may be something underlying there that is a concern. So that software bill of materials, or SBOM, is very important.
Chris Novak: Another thing that was also a big recommendation coming out of it was evaluating the efficacy of something like a cyber safety reporting system. So kind of akin to - and one of the things that we really looked closely at is what the aviation sector did in terms of how employees and anybody involved in that sector could report things that might be of concern as it relates to security or safety. And there was a manner in which that could be filtered out, reviewed, investigated and then determined what might ultimately happen from a mitigation or an improvement standpoint. Might there be an opportunity to do something like that for cyber as well?
Dave Bittner: Yeah, that's fascinating. All right. Well, Chris Novak, thanks for joining us.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.