The CyberWire Daily Podcast 11.28.22
Ep 1711 | 11.28.22

Keeping pentesting tools out of criminal hands. Updates from an intensified cyber phase in Russia’s hybrid war. Fars reports sustaining a cyber attack. The most common password remains “password.”

Transcript

Dave Bittner: Nighthawk is at the diner, but maybe not on the crook's menu. Internet service in Ukraine and Moldova is interrupted by strikes against Ukraine's power grid. Sandworm renews ransomware activity against Ukrainian targets. Russian cyber reconnaissance is seen at a Netherlands liquefied natural gas terminal. The European Parliament votes to declare Russia a terrorist state. Carole Theriault reports on where these kids today are getting their news. Malek Ben Salem from Accenture on digital identity in Web 3.0. And hey, that new list of most commonly used passwords looks depressingly familiar.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 28, 2022. 

Nighthawk’s at the diner (but maybe not on the crooks’ menu). 

Dave Bittner: It's good to be back together after the long Thanksgiving weekend. Today is Cyber Monday. We trust you're staying safe as you shop online and that you'll also give safely online tomorrow, on Giving Tuesday. On to the news, we heard last Tuesday about steps Google was taking to render Cobalt Strike less susceptible to abuse by cyber criminals. As you know, Cobalt Strike is a legitimate penetration testing toolkit that's been frequently abused by criminals who've used it to move through victims' networks and help stage attack payloads. Google released open-source YARA rules that should make it easier for defenders to detect such abuse. The step should also have the welcome result of returning the tool to its proper users - white hat penetration testers.

Dave Bittner: Proofpoint also suggested that another newer pen testing framework, Nighthawk, might be susceptible to similar abuse. Proofpoint said it hadn't observed any signs of Nighthawk's being abused, and they acknowledge that the tool is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well, but, they caution, it might be abused. 

Dave Bittner: MDSec, Nighthawk's proprietors, didn’t care for that discussion of a priori possibility at all, stating Proofpoint also makes unsubstantiated and speculative projections that Nighthawk could be abused by threat actors in the future. This subsequently led to various questions over both Twitter and email about what precautions we take when distributing Nighthawk. MDSec goes on to describe the steps it takes in its licensing process to prevent Nighthawk from falling into the wrong hands. Their discussion is too lengthy to recount in detail here, but it's offered to support their conclusion. They do state, we firmly believe that the layered mixture of soft and technical controls that have been implemented stand us in good stead to responsibly distribute the product to responsible customers. 

Iran's Fars news agency reports cyberattack.

Dave Bittner: Iran's state Fars news service says, according to AFP, that its operations have been disrupted since Friday in cyberattacks. Fars calls the incident a complex hacking and cyberattack operation and cautioned that disruptions might continue for some time. There's no attribution, but Fars did say that it was often under Israeli cyberattack. There's also the possibility of hacktivism, given Fars' role as an official source of information during ongoing protests in Iran over the death of Mahsa Amini. The story is still developing. 

Internet service in Ukraine and Moldova interrupted by strikes against Ukraine's power grid. 

Dave Bittner: And while Russia's war against Ukraine has settled, for now, into artillery exchanges and Russian drone strikes against civilian targets, the cyber phase of the hybrid war has seen an uptick of Russian activity. Some of it is incidental, some disruptive and some informational. 

Dave Bittner: First, the incidental - Moldova's vice prime minister, Andrei Spinu, tweeted last Wednesday morning, massive blackout in Moldova after today's Russian attack on Ukraine's energy infrastructure. Moldelectrica, Moldova's TSO, is working to reconnect more than 50% of the country to electricity. The Record reported over the weekend that the attacks against the power grid have also taken down internet service in both Moldova and Ukraine. Ukrainian internet service providers are using emergency generators as they work to restore online connectivity. 

Sandworm renews ransomware activity against Ukrainian targets.

Dave Bittner: Second, some disruptive activity has also been seen in the ongoing conflict. ESET reported over the weekend that it's observed a surge in a ransomware strain the company calls RansomBoggs. The malware is written in .NET and represents a new strain of ransomware, but the deployment, according to ESET, is similar to what they've observed in Sandworm activity in the past. Sandworm has been associated with Russia's GRU. The researchers tweeted, there are similarities with previous attacks conducted by Sandworm. A PowerShell script is used to distribute the .NET ransomware from the domain controller, which is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector. ESET also sees similarities between RansomBoggs and Iridium, Microsoft's name for the GRU operation the company detected in Prestige ransomware attacks against Polish and Ukrainian targets in October. 


Russian cyber-reconnaissance at a Netherlands LNG terminal.

Dave Bittner: Other Russian threat activity linked to past attacks against energy infrastructure has been observed in at least one Western European port. So far it seems to amount to battlespace preparation for a broader cyber war against Europe as a whole. According to the NL Times, industrial cybersecurity firm Dragos has warned that Xenotime and Kamacite may be engaged in reconnaissance of liquid natural gas terminals in the Netherlands. The two threat groups have been linked with GRU attempts against industrial targets in the past. The publication quotes Dragos' Casey Brooks as saying, "we know that LNG terminals are a target. It's just a question of when and how. These are tests to see where they could potentially have an impact with a digital attack." The researchers have seen signs of such preparation in the systems of Gasunie’s LNG terminal in Rotterdam's port of Eemshaven. OilPrice.com reports that threat intelligence and security firm EclecticIQ has seen increased activity around critical infrastructure in the Netherlands and in Europe generally. 

European Parliament votes to declare Russia a terrorist state (and Russia responds with cyberattacks and terroristic threats). 

Dave Bittner: And an informational response to criticism of Russia's war - the European Parliament last Wednesday voted to declare Russia a state sponsor of terrorism on the grounds that its strikes against Ukrainian civilian targets, including energy infrastructure, hospitals, schools and shelters, violate international law and warrant the terrorist designation. It's effectively a symbolic vote since the European Parliament, Reuters explains, lacks a legal framework that might provide some mechanisms for enforcement. But the designation is thought likely to spur deeper sanctions. Maria Zakharova of the Russian Foreign Ministry responded in her Telegram channel, stating, I propose designating the European Parliament as a sponsor of idiocy. 

Dave Bittner: A few hours after the vote, the Parliament's websites were taken down for a short period of time by a DDoS attack, which the Wall Street Journal and others report members of the EU's parliament described as sophisticated. It took about two hours to restore service, and since the incident appears to have been a relatively routine DDoS attack, it's difficult to see where the sophistication lay. The Russian auxiliary threat actor Killnet has claimed responsibility in a message posted to its Telegram channel, which reads in part, Killnet officially recognizes the European Parliament as sponsors of homosexualism, which one supposes is one way of looking at the conflict. Most observers are inclined to credit Killnet's claims of responsibility. The attack looks like something up their alley. 

Plus ça change, plus c'est le même mot de passe.

Dave Bittner: And finally, NordPass has released its list of 2022's most commonly used passwords. It's so familiar as to be, well, depressingly familiar. The top five will come as no surprise to anyone. No. 1 - password - check, always there. No. 2 - 123456 - double check for the numerically lazy. No. 3 - 123456789 - the added three digits offering a thread of hope of additional security. No. 4 - guest - be our guest. Five - qwerty - checkarooni (ph) for the alphabetically lazy. 

Dave Bittner: The toughest of these to crack? It's guest, believe it or not, which is crackable in a snail's paced 10 seconds. Don't misinterpret that comment as an endorsement, but cracking the others takes less than a second. None of the top 200 is even funny, although batman at No. 185 on the leaderboard shows a little bit of playfulness, more than superman at 125. But maybe Gotham City just seems a little more interesting than Metropolis. 

Dave Bittner: And to those who use f***you as their credential, right back at you, bro or sis or whatever, girlfriend, whoever you are. F***You places at No. 88, which offers a little bit of irony since 88 in ham radio shorthand means love and kisses. No 88 for you, bro, or for your girlfriend either. 

Dave Bittner: There's some national variation in the results. Among the Five Eyes, Australia and the United Kingdom favor password. Canada goes with 123456, and the United States likes guest. There's no listing for New Zealand, which seems like a sad oversight. Still, the Four Eyes who got an entry all picked one that placed in the top five. The master list appears to be a good-guys-only affair as neither Russia, China, North Korea nor Iran get so much as a look in. But we're pretty sure those lists would differ only in detail. So what do you say, Fort Meade? What's the average Ivan using these days in those St. Petersburg troll farms? Inquiring minds want to know. 

Dave Bittner: Coming up after the break, Carole Theriault reports on where kids today are getting their news. Malek Ben Salem from Accenture looks at digital identity on Web 3.0. Stay with us. 

Dave Bittner: What do you consider your most trusted source for news? Those of us old enough to remember Walter Cronkite certainly have some opinions on the matter. But, of course, these days, most people get most of their news from online sources, and that includes teens. Our U.K. correspondent, Carole Theriault, files this report about how teens are finding their news. 

Carole Theriault: So Ofcom is the U.K. regulator on all things communication services. They say on their site, we make sure people get the best from their broadband, home phone and mobile services as well as keeping an eye on TV and radio, and we also help to make sure people don't get scammed and are protected from bad practices. 

Carole Theriault: Now, Ofcom has recently put out a report on news consumption in the U.K., and this report provides the findings of Ofcom's 2021-22 research into news consumption across television, radio, print, social media, podcasts, website apps, magazines, etc. And they had an interesting finding that social media is overtaking traditional channels for news among teens. So Instagram, TikTok and YouTube are now teens' top three most used sources for news. Now think about that. These largely unregulated sites definitely have targeted, personalized ads that must be almost impossible for a national regulator to monitor with any confidence. This is the place where our kids are getting their news from. I mean, if someone asks you a quick-fire question - who do you trust, public broadcasting or the socials? What do you say? TikTok, arguably the home to the full-face wax challenge or the magnet ball challenge? Instagram, the place that internal researchers called a teen mental health deep dive, including a study that found Instagram made body issues worse for 1 in 3 teenage girls? Or YouTube, the place with a reputation for taking users down dangerous rabbit holes? But the thing is, I kinda get it. Were I a teen or a tween, I am a hundred percent sure I would much prefer to be glued to one of these social channels as opposed to the BBC, CBC, or PBS.

Carole Theriault: But here's the kicker. Ofcom's findings show that fewer than a third of teenagers trust TikTok's news content. So a mere 1 in 3 trust TikTok for news, yet it has surpassed things like the BBC as a source for news. It just seems like a weird dichotomy. And maybe the answer here lies in training kids in the art of investigative consumerism. Stay with me here. In the same way that we, as readers, might put our trust into an investigative journalist to double check their facts and sources, we teach kids how to consume their daily news media so they can have confidence in what they are remembering, sharing and commenting upon. Is that crazy? This was Carole Theriault for the CyberWire. 

Dave Bittner: And it is my pleasure to welcome back to the show Malek Ben Salem. She is the security innovation principal director at Accenture. Malek, always great to have you back. I want to touch base with you today about some stuff I've been seeing about Web 3.0 - and we can talk about that and - but, particularly, digital identity within Web 3.0. What do you have to share with us today? 

Malek Ben Salem: Yeah. Thanks, Dave. So let's start with defining - what is Web 3.0? I think... 

Dave Bittner: Please. 

Malek Ben Salem: ...You know, it... 

(LAUGHTER) 

Malek Ben Salem: And I'm not sure I have the answer, but basically... 

Dave Bittner: (Laughter). 

Malek Ben Salem: ...It's a term that was first coined by Gavin Wood. Gavin Wood is the co-founder of Ethereum, which is the second-biggest cryptocurrency. Now, recently, this term has gained prominence, and some people believe that the main premise of Web 3.0 is that it's supposed to break the world free of, you know, the monopolistic control by using a mixture of blockchain, cryptocurrencies and NFTs to give power back to the internet users - giving back power in the form of control and ownership. And that's it, you know? That's great. 

Dave Bittner: That's an aspirational goal. 

Malek Ben Salem: Aspirational goal. 

Dave Bittner: (Laughter) Right? 

Malek Ben Salem: Definitely. Definitely. If, you know, our listeners remember, Web 1.0 was basically the first version of the web, where it was all about static pages. Web 2.0 was - you know, started in the early 2000s. There was an evolution of, you know, the initial scheme where, now, internet users can not just read content, but are able to read and write content. And so companies like, you know, Facebook allow you to share content, right? You are the producer of that content. It's no longer the - you know, the bigger companies who are generating that content. 

Malek Ben Salem: Now, in Web 3.0, there might be - along that way of giving control back to users and enabling them more, there is a natural development through the availability of technologies like blockchain to give back control to the users in terms of owning and controlling their identities. Now we're dealing - we know what's the existing form of digital identity, which is typically - you know, you have a user ID and passwords, and that's how you prove your identity to a company or a - to a digital service provider. In Web 3.0, the - you know, the natural evolution is this rise of decentralized identities, where, again, control is supposed to be given back to the users so that they own their identity. It's a unique identity across multiple platforms, and they can decide, you know, which pieces of their identity - which pieces of data they can share with, you know, this service provider or that service provider and when to revoke access to that piece of data. 

Dave Bittner: Yeah, I mean, that revocation is really a key element, here. I suppose this is really intricately tied with privacy. 

Malek Ben Salem: Oh, yeah, absolutely. And that's the whole premise of this is that this should give the users that capability of protecting their privacy. You know, the whole motivation behind building these decentralized digital identities is to - basically, there is an imbalance, if you will, between the power - between the big platforms today and the internet users, and we need to rebalance that. I mean, I, as an internet user, would say that. 

Dave Bittner: (Laughter). 

Malek Ben Salem: And one way of doing it is through these technologies. But again, you know, that's the, you know, aspirational goal. Whether it's feasible, I think that remains to be seen. 

Dave Bittner: Yeah. Well, but that's my next question for you, then. I mean, have you seen anything from a technology point of view? Is there anything on the horizon that makes you think that this is a practical thing that might - we may come see to pass? 

Malek Ben Salem: I think, in terms of the early proofs of concept and proofs of value that we've seen, I think it's technically feasible. There's no doubt about that. The technology allows it. But, as some lawsuits have revealed recently, we've discovered that some of the infrastructure or a large portion of the infrastructure behind blockchain or behind Ethereum is owned by big tech companies. And therefore, if they are the owners of that infrastructure, then they may end up being the owners of, you know, these platforms that are supporting these distributed digital identities. 

Dave Bittner: So there are a lot of potential benefits here. But how about some of the risks? 

Malek Ben Salem: Yeah. So we talked about the benefits of giving back control to the users - you know, providing seamless digital consumer experiences to the end user. There are also benefits to the technology providers today. Maybe they can reduce their costs of managing these identities if that management work is given back to the end users. But there are also risks associated with decentralized identities, the first being the risk of exclusion, right? There is a growing digital divide. And, you know, for certain demographics, you know, a Web 3.0 wallet may not always be intuitive - would be a steep learning curve. So I think there is definitely that risk. There is the risk of, you know, being able to self-manage identity data that may not be straightforward for a lot of people. Even though managing, you know, a large list of passwords is daunting - but, you know, managing these identity pieces also in a decentralized manner may also be daunting. 

Malek Ben Salem: There is the risk of a far-reaching implication of a certain hack. So if your identity gets hacked, then, you know, the threat actor who got access to that identity may have access to many services - right? - at once. It's not just access to one platform. It's - you know, this is your identity for all services on the web, and so the implications are much higher. There is a risk of immutability and privacy. As we know, in these distributed ledgers, particularly, you know, decentralized blockchains are immutable. So any data that is entered on that blockchain is irreversible. And if you have past identities, there is no way to hide that. Past transactions, even, you know, for legitimate reasons, may not be hidden.

Dave Bittner: Well, interesting insights, as always. Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. CUL, 73 to all you radio hams out there. That's see you later, best regards, in ham radio speak. You were white-hat hackers before hacking was even a thing. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.