The CyberWire Daily Podcast 11.4.22
Ep 1698 | 11.4.22

Flight-planning and rail services disrupted in separate incidents. BEC gang impersonates law firms. Effects of the hybrid war on action in cyberspace. And a farewell to Vitali Kremez, gone far too soon.

Transcript

Dave Bittner: Flight-planning services are affected by a cyberattack, as are Danish rail services. A BEC gang impersonates international law firms. The effects of the hybrid war on action in cyberspace. Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer. Maria Varmazis has an analysis of the Starlink situation in Ukraine. And a sad final farewell to Vitali Kremez, gone far too soon.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, November 4, 2022.

Flight-planning services affected by cyberattack.

Dave Bittner: We open with a couple of stories that have affected different transportation sectors over the past week. Boeing subsidiary Jeppesen has disclosed that its services were interrupted by a cyberattack this week. Reuters describes Jeppesen as a provider of analytical and flight-planning services. The company said, we are currently experiencing technical issues with some of our products, services and communication channels. We are working to restore functionality as soon as possible. Among the services affected is the processing and distribution of NOTAMS, Notice to Air Missions). NOTAMs remain available from other official sources. Live and Let's Fly reports that the incident may have been a ransomware attack. 

Danish rail service disrupted by cyberattack.

Dave Bittner: Train service interruptions in Denmark last Saturday have now been attributed to a cyberattack, Reuters reports. Danish rail operator DSB said yesterday that an IT contractor, Supeo, had been hit by a criminally motivated cyberattack that led Supeo to shut down its servers as a precaution. This had a cascading effect on rail service. 

BEC gang impersonates international law firms.

Dave Bittner: Security firm Abnormal Security is tracking a threat actor they call Crimson Kingsnake that's launching business email compromise attacks by impersonating attorneys, law firms and debt recovery services. Crimson Kingsnake specializes in blind third-party impersonation attacks, a term Abnormal uses to describe BEC attacks in which the threat actor doesn't have direct visibility into the targeted organization's communications or business transactions. The researchers say, based on our observations, a typical Crimson Kingsnake attack starts with an email impersonating an attorney and referencing an overdue payment the target's company owes to the firm or a company they represent. The impersonated attorney and the law firm they purportedly work for actually exist in the real world. So if the target ran a Google search for either, they would actually find results for the impersonated parties. To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm's real domain. The display name of the sender is set to the attorney that is being impersonated, and the email signature contains the firm's actual company address. Since March of 2022, we've identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the United States, the United Kingdom and Australia. Many of the firms referenced in Crimson Kingsnake attacks are major, multinational practices with a global footprint. 

Dave Bittner: If an employee replies to one of these emails, the attacker will send them a phony invoice requesting tens of thousands of dollars. If the employee questions the invoice, the attackers will impersonate an executive at the employee's company authorizing the transaction. So the social engineering mingled the authority of a law firm with the fear that legal letterhead often induces. It's proved enough to get some people to lower their guard. 

Effects of the hybrid war on action in cyberspace.

Dave Bittner: Russian cyber campaigns have so far not worked. The widespread devastation on Ukrainian and allied infrastructure that had been expected at the outset of the war. But ENISA, the EU's cybersecurity agency, finds that the war has nonetheless shaped activity in cyberspace. ENISA's Threat Landscape 2022 report says, the geopolitical situations, particularly the Russian invasion of Ukraine, have acted as a game changer over the reporting period for the global cyber domain. While we still observe an increase in the number of threats, we also see a wider range of vectors emerge, such as zero-day exploits and AI-enabled disinformation and deep fakes. As a result, more malicious and widespread attacks emerge, having more damaging impact. 

Dave Bittner: How and why the cyber phases of the hybrid war have developed as they have remains a matter for speculation and analysis. The Carnegie Endowment for International Peace has issued an assessment of the state of international assistance rendered to Ukraine for its cyberdefense. Such assistance is being considered as at least a partial explanation of Russia's failure to meet expectations in its cyber campaign. The report offers a clear summary of prewar expectations of Russian performance in cyberspace, stating, "Many - though not all- prewar assessments expected that cyberattacks would play a significant role in Russia's campaign. The strategic context suggested that although Ukraine had much experience in defending against Russian cyberattacks and could call on motivated, highly capable experts to protect critical targets, it would ultimately be unable to prevent major harm to and exploitation of digital networks and data. Ukraine's operational strengths would be outmatched by Russia's strategic advantages of possessing some of the world's most powerful offensive cybercapabilities, albeit with debatable strategic effectiveness, and operating in a digital terrain that has been thought to favor the offense over defense. Moscow appeared to be holding a decisive advantage in cyberspace. 

Dave Bittner: Officials in Kyiv have credited assistance from the EU, the U.K. and the U.S. with providing major assistance to Ukraine's cybersecurity. Western technology companies have also provided extensive support. This assistance includes Starlink's provision of satellite communication services, which the company this week has said will continue. It also includes Microsoft's commitment of $400 million to enable Ukraine to continue its use of Redmond's cloud and data services. 

Dave Bittner: The Carnegie Endowment's paper concludes with some lessons learned so far from the experience of Russia's war. Overall, the lessons make the case for the effectiveness of collective defense, stating, cyberdefense at scale relies on the involvement of the largest commercial technology and cybersecurity companies. Politics and geopolitics count in cyberspace just as everywhere else. Shared values are as important as shared interests. Government can be a catalyst and sponsor of large-scale cyberdefense involving commercial entities. And capacity building is valuable, but it is no substitute for capability reinforcement. People will be drawing lessons from Russia's war against Ukraine for years. But it's not too early to make a preliminary assessment, and that's what the Carnegie Endowment has done. 

Rest in peace, Vitali Kremez.

Dave Bittner: We close with a sad note of farewell. Vitali Kremez, chairman and CEO of AdvIntel, died in a scuba accident this week. He was a true white hat, much respected in the community, and he'll be missed. Our condolences and wishes for consolation to all of his family, friends and colleagues. 

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer. Maria Varmazis has an analysis of the Starlink situation in Ukraine. Stay with us. 

Dave Bittner: Starlink satellite internet has been a valuable resource for the Ukrainian army fighting against the invading Russians. The rhetoric around this tool has been complicated and, at times, confusing. Our CyberWire space correspondent Maria Varmazis has the latest. 

Maria Varmazis: It's been a busy news cycle for anyone trying to follow the story about Elon Musk's Starlink and the war in Ukraine. At first, Musk said he's happy to provide Starlinks to Ukraine. And then he says he can't do it anymore. And then he says, wait. Never mind. And I quote, "To hell with it." And we'll continue to provide Starlink support to Ukraine despite the costs. It can't be said enough that communication via Starlink has been crucial for soldiers fighting in Ukraine. Mobile phone infrastructure is damaged. Distances are often too impractical for radio. So Starlink has been the option for battlefield command and control, from sharing intelligence to controlling drone flights, to simply communicating with families and with the outside world. 

Maria Varmazis: So while the debate roiled over who's been paying for Starlink access and how to sustain the financial support for Starlink service in Ukraine, wrapped up in all of this was controversy about Starlink connectivity on the Ukrainian front lines, specifically in the south and the east, just as Ukrainian fighters made some serious headway into regaining territory. Starting in late September, Ukrainian fighters on the front lines started reporting some major Starlink outages, which soldiers on the ground said had a, quote, "catastrophic impact." As the zones of control in a war are often shifting quickly, satellite geofencing might not always reflect the on-the-ground reality, and it's possible that the geofencing meant to keep Russia from using Starlink simply hadn't been updated quickly enough to match the needs of Ukrainian fighters on the front. 

Maria Varmazis: But the timing of this Starlink outage did raise some eyebrows. Ukrainian fighters started seeing outages around September 30. And just a few days later, on October 3, Elon Musk tweeted that perhaps Ukraine could put an end to this war by giving Crimea and Donbas to Russia, which coincidentally also happens to be what Russian President Vladimir Putin wants. A belief repeated by some Ukrainian officials was that perhaps the geofencing had purposely not been updated to reflect Ukraine's newly regained territory. If the timing of Musk's tweets about ceding territory to Russia seemed suspect, one could infer Musk's sympathies and see restricting Ukrainian front-line access to Starlink as a decisive move to try and shift battlefield conditions to Russia's favor. But the inverse of that theory also follows. If SpaceX purposely disabled Starlink connectivity in those areas, it was perhaps to prevent Starlink from being used in a counteroffensive by Russian forces. Both theories depend on your point of view of which side of this war Musk does or doesn't support. But for his part, Musk hints in his tweets that the explanation could be a lot simpler - namely, it's Russian interference. 

Maria Varmazis: Here's a few words from Elon Musk himself, from his Twitter account. Quote, "In addition to terminals, we have to create, launch, maintain and replenish satellites and ground stations and pay telcos for access to internet via gateways. We also had to defend against cyberattacks and jamming, which are getting harder. Starlink is only comms system still working at war front. All others dead. Russia is actively trying to kill Starlink. To safeguard, SpaceX has diverted massive resources towards defense. Even so, Starlink may still die. Internet fiber, phone lines, cell towers and other space-based comms in war areas have been destroyed. Starlink is all that's left for now," end quote. And then here at the end of this tweet, Elon Musk also includes a link to an article in WIRED about the February Viasat attack. 

Maria Varmazis: So the implication there, if one really wants to read into tweets by the notoriously mercurial Musk, is that with Starlink being so crucial to Ukrainian fighters, that, of course, it's going to be a prime target for jamming and cyberattack takedowns by Russia. And it should be noted that while the Starlink outages started in late September, by around October 7, it seems that connectivity on the war front lines had mostly been restored. And Starlink itself faced and foiled signal jamming attacks from Russia earlier this year, in fact. In March, Starlink updated its software in mere hours to mitigate jamming techniques that were being seen on the front lines used against them. And on March 25, Musk himself proudly tweeted that, quote, "Starlink, at least so far, has resisted all hacking and jamming attempts." But it's possible that Russia has started to find new ways to effect Starlink service that SpaceX can't quite act against yet. 

Maria Varmazis: Not everyone believes Musk's claim that Starlink's downtime was due to jamming or at least that it was solely due to jamming. Many military experts believe it may have been a combination of a number of factors, including jamming, as well as the geofence not being updated. Since Starlink is so crucial to Ukrainian fighters and since Starlink really is the only option for resilient front line connectivity and communication at this point, despite the unexplained outage, for now, we may just have to take Musk at his tweeted word. For the CyberWire, I'm Maria Varmazis. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to welcome back to the show Deepen Desai. He is the chief information security officer and VP of security research and operations at Zscaler. Deepen, always great to welcome you back to the show. I want to talk to you today about some research that you and your colleagues have published recently. You were tracking the X-FILES Stealer, some of the things you've been seeing in terms of evolution of that. What can you share with us today? 

Deepen Desai: Yeah, thank you, Dave. So yeah, ThreatLabZ team recently spotted a new variant of an info stealer named X-FILES. And then, you know, we've been tracking this for almost a couple years now. There were a few enhanced features and the way it was exfiltrating data, which prompted the team to dissect further and publish our research on it. 

Dave Bittner: Well, let's go through some of the details together here. What sort of things have been updated? 

Deepen Desai: Yeah. So, I mean, if I were to start with the history X-FILES, this family has been around since March of 2021. There were a couple variants that we saw in 2021 itself. In June, which is a couple of months back, we saw a new version of this stealer where, you know, there were a few things being added. And I'll go through that. One of the stuff that we saw with this malware was the infrastructure that was being used was in Russian region, that the IPs where the phishing domains were hosted were located in Russia. The C2 panel, where the malware will communicate with post-infection were also in Russia. And then what we have seen is in the recent variant that I'm talking about, they started exploiting Follina vulnerability, right? And for those of you that don't know, that's the remote code execution vulnerability, you know, that Microsoft recently released a workaround guidance, as well. So this was affecting Microsoft Support Diagnostic Tool in Windows, where a remote, unauthenticated attacker could essentially exploit this vulnerability to take over the impacted system. So X-FILES' payload was taking advantage of that. Or the threat actors behind it were taking advantage of that to plant this. And then it aims to steal and exfiltrate sensitive information, such as browser credentials, crypto wallets, your FTP application credentials, and then, you know, financial stuff like credit cards. 

Dave Bittner: What's going on under the hood here? I mean, did you have any sense for what sort of tools they're using to develop this? 

Deepen Desai: Yeah, so this is - actually, all the variants that we have stumbled across are all written in C# - that's a programming language - and with new features being added over time by the threat actor. With the latest variant, the threat actors have switched to hiding some of the interesting strings. And this, again, falls in the ANT analysis anti-invasion technique, where the goal for the threat actor is to increase the shelf life of this payload. So Base64 format rather than plain text for some of those interesting strings, changing the CNC protocol, where, you know, what will be observed over the network layer when the payload communicates with the command-and-control server. So we observed some obfuscation getting added over there, too. 

Dave Bittner: That's interesting. Now, you say you all have been tracking this organization for a couple of years now. I guess it's fair to say that we can expect them to be around for a while. 

Deepen Desai: Yeah. I mean, with the new updates getting pushed out, we do expect this to continue. And it's important for the end users. Again, this is one of those stealer that will show up as part of the cracked software, right? That's one. The other one was phishing campaigns being leveraged to deliver this payload, as well. So make sure, when you click on those links, you know, you trust the destination. Do not download software from, you know, unsolicited links that you receive. Never click on them to begin with. 

Dave Bittner: Yeah. All right. Well, Deepen Desai, thanks for joining us. 

Dave Bittner: And that's The CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Roya Gordon from Nozomi Networks on "UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.