The CyberWire Daily Podcast 9.2.22
Ep 1655 | 9.2.22

Ransomware groups continue to shift identities and targets. Assessments of the cyber phases of a hybrid war. Is wartime tough for criminals? Anonymous counts coup…against Moscow’s taxis.

Transcript

Dave Bittner: REvil may be back. A Paris-area medical center continues to work to recover from cyber extortion. An assessment of Russian failure to mount effective cyber campaigns. Cybercriminals find wartime to be a tough time. Josh Ray from Accenture looks at cyberthreats to the rail industry. Our guest is Dan Murphy of Invicti, making the case that not all vulnerabilities are created equal. And Yandex Taxi's app was hacked in a nuisance attack.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 2, 2022. 

REvil (or an impostor, or successor) may be back.

Dave Bittner: The ransomware group behind REvil may have returned, Cybernews reports. The gang had been in hibernation for some months, and many concluded that it had disbanded. That may still be true, but someone claiming to represent REvil has said they successfully attacked the Midea group, a major Chinese manufacturer of electrical appliances, and they revived a version of the REvil dumpsite to post a proof-of-hack. The story is still developing, and what's been reported so far is as consistent with imposture and rebranding as it is with the gang's return. 

Paris-area medical center continues to work to recover from cyber extortion. 

Dave Bittner: The large French medical center CHSF, hit in August by an extortion attack that reduced the medical center's ability to deliver patient care, is still in the process of recovering from the cyberattack. The effects of the incident have been unusually protracted. RFI reports that the Gendarmerie's GIGN has come to the assistance of the hospital located south of Paris and is both investigating and negotiating with the criminal attackers. CHSF continues to refuse to pay ransom. BleepingComputer has reviewed the grounds for thinking the attack involved a LockBit variant, even though hitting a medical center amounts to a violation of the Robin Hood code, LockBit has postured with in the C2C marketplace. 

An assessment of Russian failure (or disinclination) to mount effective cyber campaigns. 

Dave Bittner: An essay in the New Atlas looks at the decidedly mixed record of cyber operations in the current Russian war. While Russian operators have some early success deploying wiper malware against Ukrainian communications infrastructure, that success was short lived. Since the first weeks of the war, Russian cyber operations have tended toward conventional espionage, augmented by some ransomware privateering and nuisance-level distributed denial-of-service. The reasons for this are obscure. But while due credit should be given to Ukrainian resilience, Russia's cyber shortfalls may be a species of the more general Russian problem of coordinating effective combined arms operations. The essay says, what has been apparent over the last six months is that few, if any, of Russia's cyberattacks have been launched in support of a clear military objective. There were no assaults on military command and control systems, no critical infrastructure attacks and nothing that could put real pressure on Ukraine to force concessions from the country or its friends. 

Hacktivism and privateering may have been overrated in Russia's war, university researchers conclude.

Dave Bittner: Drawing on a range of data sources, we argue that the widely-held narrative of a cyberwar fought by committed hacktivists linked to cybercrime groups is misleading. That's the conclusion a study conducted by researchers at the Universities of Cambridge, Strathclyde and Edinburg reached. The researchers looked at web defacements, reflected distributed denial-of-service attacks and communiques posted to a volunteer hacking discussion group. They enriched their analysis by interviewing people who'd actively engaged in defacing websites in Russia and Ukraine. It appears that hacktivism shades quickly into slacktivism, as much of the initial enthusiasm fades. The researchers summarize, our main finding is that there was a clear loss of interest in carrying out defacement and DDoS attacks after just a few weeks. Contrary to some expert predictions, the cybercrime underground's involvement in the conflict appears to have been minor and short-lived. It is unlikely to escalate further. 

Dave Bittner: Rachel Noble, chief of the Australian Signals Directorate, has, according to the Canberra Times, a higher assessment of how privateers, at least, have performed in the war. She told a conference this week, cybercriminals started to take sides in the war. These are serious and organized criminal gangs with deep resources, who took it upon themselves to take action both on behalf of Russia and on behalf of Ukraine and involved themselves in the conflict. So perhaps privateering isn't decisive, but it's messy and troublesome nonetheless. 

Cyberattack against Montenegro.

Dave Bittner: Concluding that privateering may be played out, however, may be premature if the Montenegro incident is any indication. Balkan Insight characterizes the effects of the Cuba ransomware on Montenegrin networks as having sent the country back to analog. Bloomberg reports that investigation and recovery are still in progress, as Montenegro calls in assistance from its NATO allies. And a second piece in Bloomberg cites a warning from the Italian foreign minister that cyberattacks against Western European targets have spiked since Russia's invasion of Ukraine. 

Cyber criminals find wartime to be a tough time. 

Dave Bittner: Apparently, war is tough on the underworld, too. Digital Shadows, in the course of its continuing observation of Russophone cybercriminal fora and its ongoing nosing around the dark web, finds that the war has been tough on the cyber underworld, too. Part of the tough times seems to be the normal fluctuation of the criminal business cycle. Gangland is just going through one of its periodic troughs. But sanctions and other war-driven downturns have had their effect as well. Digital Shadows writes, with recent sanctions and additional scrutiny on activity originating from Russian entities, it's likely that many of these cybercriminals have been forced to constantly refine, and adapt their techniques and, therefore, having to climb out of that trough again. A good example of this is the use of Google Pay and other financial technologies becoming banned for use across Russia. This led to many scams becoming redundant almost overnight. There's one surprise in this report. Some of the bite taken out of their earnings seems to have come from the Russian authorities themselves, who've cracked down on the carding they'd formerly winked at. 

Yandex Taxi’s app was hacked in a nuisance attack.

Dave Bittner: Taxi. Taxi over here. Taxi. Like everybody else, all us bots need a lift, too - or something like that. The latest incident in nuisance-level hacking to be seen in the hybrid war Russia opened with its February invasion of Ukraine took place in Moscow. Yandex's taxi ride-hailing app was breached by hackers this week who summoned dozens of cabs to the Hotel Ukraina, snarling traffic and generating much inconvenience, Cybernews reports. For what it's worth, Anonymous TV claimed responsibility on behalf of the hacktivist collective, tweeting, Moscow had a stressful day yesterday. The largest taxi service in Russia, Yandex Taxi, was hacked by the Anonymous collective. A traffic jam took place in the center of Moscow when dozens of taxi were sent by the hackers to the address on Kutuzovsky Prospekt. The tweet associated the action with Anonymous's OpRussia. So what can you do? Well, you can take the bus or take the metro. Seriously, what does Anonymous hope to accomplish with the cyber equivalent of prank phone calls? Much hacktivism is like slacktivism in that it seems mainly aimed at enhancing the hacktivists' self-esteem. 

Dave Bittner: Coming up, Josh Ray from Accenture looks at cyberthreats to the rail industry. And Dan Murphy from Invicti makes the case that not all vulnerabilities are created equal. Stay with us. 

Dave Bittner: Threat actors have been exploiting remote code execution vulnerabilities across all industries. And faced with that reality, organizations are working to prioritize their remediation and threat-hunting strategies. But knowing how to go about setting those priorities is often easier said than done. Dan Murphy is a distinguished architect at software security firm Invicta. 

Dan Murphy: One of the key challenges that organizations have is how to prioritize what to fix first. There's so much that you need to know where to spend those precious development hours and patching things. In an ideal world, every possible vulnerability would be fixed. But in reality, we have to find out the ones that can be exploited, you know, the ones that can be attacked, the ones that can actually be used by someone hostile on the network. And figuring out that balance is something where tools can help you. Good tooling is essential to be able to find out what the fix first. 

Dave Bittner: Well, and traditionally, how have folks gone about this? What have been the methods by which people have prioritized these things? 

Dan Murphy: Yeah. So there's a number of different ways that we can find vulnerabilities in software. When we take a look at how software is built using something like software composition analysis, you can do a kind of an inventory of all of the libraries that go into your software and just make sure that everything that goes in is from a trusted version. You can also take different approaches using something like static analysis, which will take a look at the code and actually parse it in and look for harmful patterns where an untrusted source of input - say, a parameter that comes over an HTTP request goes to an untrusted sync, something like a sequel call where someone didn't care to escape all of the hostile parameters that were injected. 

Dan Murphy: So se two things are great, but they find kind of potential. If you've ever been a developer that's been on the other end of a static analysis tool, you know that they tend to be somewhat noisy. You get flooded with all sorts of potentialities, things that could go wrong. But oftentimes as a developer, you know, the conditions in which software is deployed, you know where it sits, you know, generally speaking, what's possible to be an input. Now, you can't get overconfident in knowing what those inputs are, but there's a lot of noise and there's a third class of tool as well, which is dynamic analysis tools. And those tools, those work by actually sending the attacks over the network. They perform the real exploits that the Black Hats will use. And these three lenses, they're all important. They all give kind of a different sense of what is out there, what the risk is. However, when it comes to prioritizing, really taking a look at what is provably exploitable, that's kind of key. So I tend to favor that last lens, have a bit of a bias working at Invicti. But actually doing those attacks, the way that the attackers are doing them is a great way to know what to fix first. 

Dave Bittner: When people fall short on this, I mean, what typically leads to that? I mean, it's - everyone's intentions are good, of course, but as you say, there's just so much noise. 

Dan Murphy: Yeah, and there's a lot. I mean, if we look at the number of CVEs that have come out within the last year, even just in the realm of RCE - remote code execution - there's been a ton. If you look at since the start of the pandemic, it's basically a big hockey stick that is getting exponentially larger. And because of that, it's almost impossible to keep up with the number of packages, that software is getting increasingly complex. It's composed of more and more packages that are out there. And you just kind of have this explosion of complexity. It almost leads to a situation where simple software is now composed of hundreds of packages. And for a development team to keep up with that, it's tough. It's that combination of the lens of knowing what goes in, trying to limit that complexity, but also make sure - making sure that you're doing that real testing that can kind of tell you what is actually explainable. That's kind of the way to cope with that complexity. 

Dave Bittner: Well, in your experience, the organizations that are having success here, who are doing the right things and being able to measure it, what sort of things do they have in place? Is there a common thread there? 

Dan Murphy: Yeah. In fact, I think that a successful organization really applies all of those techniques at different stages of the software development lifecycle. So great organizations, they will scan their source code as soon as it's checked in to look for vulnerabilities. They will automate the practice of auditing things and checking out the composition to make sure that stuff doesn't get old. With software systems that are increasingly composed of many open-source solutions, what was good today is not going to be safe tomorrow. And automating that practice, not just kind of deferring it to a manual once-over every quarter, but making it part of the continuous integration, continuous delivery pipelines, making it part of that system, practice is key. So automation and frequency of scanning. In fact, we've actually noticed when Log4j came out, which was a bit of an earthquake back in December, we noticed a very strong correlation between those who scanned frequently and those who fixed. So those who scanned were those who fixed. And we noticed that those companies that were kind of - had that regular practice of a scheduled scan that was either automated, happening daily or weekly - those are the ones that were able to respond. We actually found that the mean time to remediate was, like, eight days or so, which is not that bad. But it comes from that constant practice, not just making security an afterthought but baking it into the software delivery process to make sure that it's something that you design for from the start. 

Dave Bittner: Can you give us some insights on, you know, dialing in the human element versus the automation and finding that right - the proper balance? 

Dan Murphy: Yeah. So I'm a huge believer in the human element is often what causes vulnerabilities, and it's often what is great at being able to detect them. So automatic scanning is very important because you can throw robots at it. You can have it be repetitive. But the true - a lot of very interesting attacks - those come from very creative applications of problem solving. I tend to try to go to hacker conferences like DEFCON, and one of the main reasons that I go is to see the incredible display of human ingenuity that is just up on stage, the tiniest crack that someone can get and then turn that into a way to execute code on a remote system. It never ceases to amaze me what human creativity can do. So I think that combination of automated testing but then also with manual penetration testing and threat hunting is key. There's going to be things that - particularly very clever ways that exploits can be chained together. Gadgets can be constructed to start with that tiny crack and then widen it and ultimately achieve kind of a shocking objective. That is, you can't forget that human element. 

Dave Bittner: That's Dan Murphy from Invicti. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Josh Ray. He is managing director and global cyberdefense lead at Accenture. Josh, great to welcome you back. 

Josh Ray: Thanks for having me back, Dave. 

Dave Bittner: You know, I want to touch base with you today on what I consider to be perhaps one of the - I don't know - overlooked elements of critical infrastructure. And that's the rail industry. I know this is an area that you and your colleagues have been focused on lately. What can you share with us today? 

Josh Ray: Yeah, Dave, I think you're right. I mean, this is this is definitely an overlooked industry from a critical infrastructure standpoint. And I had a great conversation with Anthony Wilson on this the other day. And the rail industry really kind of presents a very unique convergence of things like not only critical infrastructure but their role in defense. But they also have a lot of really interconnected IT, OT, IoT types of technology. And this is just continuing to grow - right? - as, you know, you look at network signaling, switching routing and all the different control systems that, you know, provide a very unique attack surface for threats to exploit but also collect intelligence against. 

Dave Bittner: What sort of things are we seeing out there? I mean, are the bad guys actively, you know, banging against the rail industry's infrastructure? 

Josh Ray: Yeah. I mean, we've seen, you know, a very - a few specific types of examples, you know, around ticketing and IT scheduling systems. I mean, these obviously represent very significant targets which not only can cause, you know, significant disruption, but, you know, a financially motivated actor can take take advantage of this, as well. But, you know, I really want to kind of hone in on the defense kind of aspect on this and maybe even the nation-state. And this is something that I think has obviously gotten the attention of many governments, especially, you know, the U.S. government as Anne Neuberger, I think, is going to be hosting a bunch of CEOs from from the rail industry to really kind of talk through a comprehensive approach about, you know, securing this privately owned and operated infrastructure. But, you know, there are some - I think some really specific things that, you know, we wanted to make sure that, you know, the CyberWire folks, you know, understood. But some key takeaways, I think, for CEOs or chief risk officers kind of going - potentially even going into that meeting. 

Dave Bittner: Well, let's go through it together. What sort of things do you think deserve our attention here? 

Josh Ray: Well, I mean, this might be probably just, you know, a captain obvious statement. But thinking about it through an adversary mindset and understanding, you know, that your stock, the things that you have, are of very much interest to, say, nation-state types of actors, right? So the things that you are moving across your rail inherently makes you of interest to those types of actors. And you look at even the Indian Railway, where they are classified as a national defense asset because of the critical nature that they have as far as moving troops and defense-related types of equipment. 

Josh Ray: Another thing I think - just kind of that convergence that I spoke about before as far as the interconnectivity between IT and OT systems, you know, really does make them vulnerable, right? And this is something that continues to need more segmentation, as well as, you know, monitoring across, you know, those types of systems. And, you know, don't forget those ticketing and scheduling systems because they don't have to necessarily target the OT system to really disrupt your organization. And then I - you know, I'd also say - and this is kind of - comes from a maybe a nontraditional way of looking at kind of the volumes of traffic for spikes in the system that might, you know, indicate some type of malicious types of activity in your network. And really, it's kind of using a Cigent (ph) type of technique to really kind of determine patterns across your network to help determine if you have a malicious actor that is potentially latent in your network. But the last thing, I think, and really the one to kind of foot stomp is, you know, there is a direct connection between the type of rail that you ship and move and nation-state motivations. And this is very specific as it relates to understanding kind of where those assets are moving and the type of intel that can be gained from a nation-state actor, especially when you're thinking about things from a defense standpoint. 

Dave Bittner: Do you have a sense for where we stand in terms of, you know, is the rail industry keeping up with this? Or are they behind? Are they ahead of the game? Any thoughts there? 

Josh Ray: Well, you know, I think that they, like all industries, you know, are trying to keep pace, you know, and operate at the speed of the threat. But, you know, when you're talking about critical infrastructure, all forms of critical infrastructure, you know, kind of need to continue to understand their role as it relates to kind of, you know, the broader economic impact, the broader impact to defense and society as a whole. And I think, you know, this public-private partnership approach is incredibly important in understanding not only the threat landscape, but, you know, what specifically can you do to defend your organization? And I really can't stress enough that, you know, the importance of, you know, the rail in our industry, in our, you know, economic well-being is kind of being one of those things that while it's often, you know, maybe forgotten, it is incredibly important to make sure that we secure those, that critical infrastructure. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. Appreciate the opportunity. 

Dave Bittner: And that's the CyberWire. For links to all of today’s stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Ryan Kovar from Splunk. We'll be discussing their findings, "Truth In Malvertising," which contradict the LockBit group's encryption speed claims. That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.