The CyberWire Daily Podcast 12.5.22
Ep 1716 | 12.5.22

Swapping cyberattacks in a hybrid war. Privateers or just a side-hustle? US CSRB will investigate Lapsu$ Group. Notes on the cyber underworld.


Dave Bittner: Wiper malware hits Russian targets. Microsoft sees an intensification of Russian cyber operations against Ukraine. State policy, privateering or an APT side hustle? The U.S. Cyber Safety Review Board will investigate the Lapsu$ Group. Rackspace works to remediate a security incident. The Schoolyard Bully Trojan harvests credentials. Grayson Milbourne of OpenText Security Solutions on attacks on common open source dev libraries. Rick Howard looks at CISO career paths. And trends in ransomware - cybercrime succeeds when the gang runs like a business.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 5, 2022.

Wiper malware hits Russian targets.

Dave Bittner: Kaspersky has described a newly observed wiper, CryWiper, a pseudo-ransomware Trojan that researchers think is designed to destroy data. It seems unlikely in their judgment that CryWiper is being deployed for financial gain. Although it displays a ransom demand with the customary Bitcoin wallet address, files overwritten by CryWiper are permanently unrecoverable. It focuses on databases, archives and user documents, not on the victim's operating system. Kaspersky said in its Friday notice that so far it had observed CryWiper in use only against targets in Russia. Ars Technica says that CryWiper seems to have affected mostly judicial courts and mayoral offices. No one is offering attribution, but the selection of targets would seem circumstantially to point to Ukrainian cyber operations. 

Microsoft sees a coming intensification of Russian cyber operations against Ukraine.

Dave Bittner: Microsoft published an appreciation of Russian cyber operations on Saturday. It begins with a familiar assessment of Russian forces' conventional combat failure, stating, in the wake of Russian battlefield losses to Ukraine this fall, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv's military and political support, domestic and foreign. The report notes the combination of missile strikes, intensified information operations and the extension of cyberattacks to targets outside Ukraine proper, notably Poland. So Microsoft predicts two lines of coordinated attack, neither of which involves conventional ground combat - missile strikes, while the munitions stocks last, and cyberattacks. In both cases, the targets are infrastructure. 

Dave Bittner: The GRU's cyber operations unit Microsoft tracks as Iridium is likely to play a significant role in the next phases of the hybrid war. The group has a strong track record of attacks against civilian infrastructure and has also shown an indifference to the effects of its operations on others than the primary targets. Indeed, the effect of NotPetya on companies, especially logistics companies in 2017, suggests that those effects were not so much unintended collateral damage as they were welcome side benefits. 

Dave Bittner: Deployment of wiper malware during the present war has had mixed results and has in general fallen short of what Russian commanders might have wished, but it represents an ongoing threat. The group's recent deployment of Prestige ransomware against targets outside Ukraine suggests a continued willingness to hit countries that support Ukraine's cause. Microsoft says it intends to follow an approach built around what it calls the four D's - detect, disrupt, defense and deter. These are inherently cooperative activities, and Microsoft says it will be working with their customers in support of democracies.

State policy, privateering, or an APT side-hustle?

Dave Bittner: It's unclear what authorities were in play, but NBC News reports that a U.S. Secret Service investigation has attributed a wave of COVID relief fund fraud to APT41, a threat actor that customarily works on behalf of the Chinese government. The fraud was very widespread, and a great deal was stolen. But whether the APT was stealing under orders, was privateering or was simply permitted to enjoy a profit from a side hustle is unclear. 

US Cyber Safety Review Board will investigate the Lapsu$ Group.

Dave Bittner: The U.S. Cyber Safety Review Board, established in February of this year, has announced that it's undertaking an investigation of the Lapsu$ Group, the international extortion gang, many of whose members are teenagers. The Lapsu$ Group has had an impact on organizations far out of proportion to its perceived skills and resources. This represents the Cyber Safety Review Board's second investigation since its founding. The first, completed in July, was an examination of the Log4j family of vulnerabilities. 

Rackspace works to remediate a security incident.

Dave Bittner: Late Friday afternoon, cloud service provider Rackspace disclosed that its customers were experiencing difficulties with the company's Hosted Exchange environments. On Saturday, the company explained, on Friday, December 2, 2022, we became aware of an issue impacting our Hosted Exchange environment. We proactively powered down and disconnected the Hosted Exchange environment while we triaged to understand the extent and the severity of the impact. After further analysis, we have determined that this is a security incident. 

Dave Bittner: Through yesterday, Rackspace was contacting customers and advising them on workarounds available to restore alternative services, but they remained unsure when the Hosted Exchange environments might return to normal. Early this morning, the company advised customers to restore email service by moving to Microsoft 365. The exact nature of the security incident is unclear, but BleepingComputer shares some informed outsider speculation that suspects it might have involved exploitation of the ProxyNotShell vulnerability discovered in September and addressed by Microsoft last month. A Shodan search by researcher Kevin Beaumont is said to have indicated that Rackspace was running a vulnerable Microsoft Exchange server build.

Schoolyard Bully Trojan harvests credentials.

Dave Bittner: Mobile security firm Zimperium has discovered an Android threat, the Schoolyard Bully Trojan. The Trojan has been active since 2018 and primarily targets Vietnamese readers. The Trojan has the ability to steal credentials from the Facebook accounts of victims, including email, phone number, password, ID and name. Schoolyard Bully disguises itself as a reading or educational app, IT World Canada reports. The malware also uses JavaScript injections to show phishing pages designed to look like a Facebook login screen so that the victim's credentials can be stolen. IT World Canada writes, the Trojan steals these details by using WebView to open a legitimate Facebook login page inside the app and injecting malicious JavaScript to extract the user inputs. 

Dave Bittner: Vietnamese readers are the primary target of the Trojan, but the malware has been seen victimizing over 300,000 people in 71 different countries. Zimperium, however, acknowledges that infected applications still exist in some third-party app stores. The bullies look a lot like those involved with FlyTrap, Zimperium reports. FlyTrap involved Vietnamese threat actors creating and spreading applications, while this Trojan targets Vietnamese readers. But despite the geographical coincidence, the researchers discovered enough differences between the code samples for them to conclude that in all probability there's no direct connection between FlyTrap and Schoolyard Bully. 

Trends in ransomware: running a gang like a business.

Dave Bittner: And finally, LookingGlass this morning published a report on attacks by organized ransomware gangs during the first half of 2022, finding that these groups continue to grow increasingly professionalized. The researchers also point out the similarities between ransomware gangs and legitimate technology businesses, stating, groups have started to incorporate business practices such as finance departments, human resources and even naming employees of the month. These are not the loosely affiliated groups of the past. Rather, they are highly professionalized organizations with quarterly revenue targets and even customer service teams. 

Dave Bittner: The top players are the most organized. LookingGlass notes that the majority of targeted ransomware attacks in the first half of 2022 were launched by the top 15 most active gangs. To mention just the top three, the leaders during the period covered by the report were LockBit, Conti and ALPHV.

Dave Bittner: After the break, Grayson Milbourne from OpenText Security Solutions on attacks on common open source dev libraries. Rick Howard looks at CISO career paths. Stay with us. 

Dave Bittner: And it's always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer and also our chief analyst. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on our CyberWire Slack channels this week, you have been making some noises. And by making noises, I mean running around with your hair on fire about... 

Rick Howard: (Laughter). 

Dave Bittner: ...Some sort of all-hands-on-deck at the CyberWire hash table. So what's going on here, my friend? 

Rick Howard: For the "CSO Perspectives" podcast, we put a call out to our collection of subject matter experts, you know, a little over 30 in all at this point - you know, these are CISOs, CIOs, CEOs and board members - to see if they had any thoughts or advice about how cybersecurity newbies could become CISOs sometime in their career. And oh, my God, Dave... 

Dave Bittner: (Laughter). 

Rick Howard: ...Almost half of them responded with really good advice. So, you know, we had our hands full, yeah. 

Dave Bittner: Well, I mean, it's my experience that if you get more than one CISO in a room and ask them a question, you're going to get a lot of answers. 

Rick Howard: (Laughter). 

Dave Bittner: Was there any kind of consensus that formed after talking to all these experts at your hash table? 

Rick Howard: Well, you're right about that. If there's a trait that we can assign to most CISOs, it's that we all have opinions about how things should get done, right? And we all think we're right. So - including me, all right? So - and advice for newbies on how to become CISO was no different and - but I will tell you that a consensus did emerge. And I think your listeners who aren't CISOs will be surprised to learn what that top advice was.

Dave Bittner: And I think that is what they call in the business, a teaser. 

Rick Howard: (Laughter). 

Dave Bittner: So you will have to subscribe to CyberWire Pro to find out. You can find out all about that over on the CyberWire webpage. 

Rick Howard: You've outed me, Dave. You've totally outed me... 

Dave Bittner: (Laughter). 

Rick Howard: ...All right, so... 

Dave Bittner: Every week, you unvault (ph) an older episode of the "CSO Perspectives" archives, and you make that available to the public. What do you have in store for us this week? 

Rick Howard: Yeah, so "CSO Perspectives" is all about cybersecurity first principles, strategies and tactics. And this episode is from the Rick the Tool Man series and talks about zero trust as a first principle strategy but more specifically, the zero-trust tactic of vulnerability management. 

Dave Bittner: I think a lot of folks would say that vulnerability management is kind of the meat and potatoes of cybersecurity. Is that on track? 

Rick Howard: Well, it's definitely table stakes for any cybersecurity professional, but it is so much more than just patch management, which is complicated enough. But when you think about it, it's really a cyberthreat intelligence task. It's a DevSecOps task and should somehow automatically feed into your risk management program. So it's way more complicated than most people think it is. 

Dave Bittner: Well, before I let you go, what is the word of the day over on your "Word Notes" podcast? 

Rick Howard: This is a good one. We're explaining AES - that's advanced encryption standard. And you can make the case that AES is the glue that holds most every internet transaction together. So come look for it. That'll be a fun little "Word Notes" episode for everybody. 

Dave Bittner: All right. Well, you can find out all about all of these things over on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Grayson Milbourne. He is the security intelligence director at OpenText Security Solutions. Grayson, welcome back to the show. 

Grayson Milbourne: Hey, Dave, glad to be here again. 

Dave Bittner: I want to touch base with you about some security concerns that folks are having when it comes to open source development libraries. What sort of things can you share with us today? 

Grayson Milbourne: Yeah. Well, I mean, open source is a fantastic thing. And I love the community, and the amount of peer-reviewed development has, I think, launched software faster forward probably than any other single community. But the problem with that is that, you know, threat actors always look at, you know, how are people using convenience to make their lives better and how can we disrupt that? And unfortunately, what we've started to see are examples of attacks on code repositories. And so, just for example, like in Python, there's a tool called PyPI. Java - or TypeScript has NPM. But these are basically package management systems that allow you to install additional libraries to support the type of development that you're looking to do. So, like, when you just default install Python, for example, it comes with the Python library, but it doesn't include so many of the millions of other projects that are out there.

Grayson Milbourne: And so what we've seen is that attackers are starting to go after some of these repositories, and they're kind of doing it in a couple of crazy ways. And so, you know, we've seen, like - the idea behind security in open source is that there is a review process and that updates to the code are community approved. And so what we've seen is we've seen some examples of poisoning of those communities. And either, you know, the person who reviews it is in on it, and, you know, you have a peer review from a poison partner. And so malicious code gets committed and can then be distributed. 

Grayson Milbourne: And what's dangerous about that is, as a developer, I'm writing some application that's benign. But I need this library, and I don't want to do all that development work. So I grab it, and all the sudden, I've now included something in my code that just by adding that to my code, has Trojanized my application. And so that's a really scary concept in that I can now unknowingly be distributing malware. 

Grayson Milbourne: And we've actually seen this at scale. Now, this is a little different from attacking open source libraries, but at the end of - or the beginning of 2020, we had the SolarWinds attack. And that was - you know, SolarWinds' Orion platform, which is their remote management platform, was Trojanized. And they didn't realize it, and they distributed this out to all of their customers, delivering a security solution that contained a Trojan. And so I think, you know, the cybercrime community saw the benefit and the cost savings on attacking, like, a trusted vendor and having them distribute your code out to all of your potential targets as a much easier way to break in than, you know, going after all of those targets. So I think an extension of that has been these attacks on open source. 

Grayson Milbourne: And so, as I mentioned, you know, one of them is definitely, you know, trying to poison legitimate packages. But another one we've seen is kind of borrowing from a really common technique that we see in the business email compromise space, as well as the phishing space. And that's typo squatting and basically hoping that - you know, as a developer we all probably type pretty quick, but not with 100% accuracy, I'll have to say. 

Dave Bittner: Right. 

Grayson Milbourne: So yeah, right? Sometimes, I put that E before the L or the S before the T. And, you know, what we've seen is that there's a lot of these out there that are basically waiting for somebody to type the wrong thing, inadvertently infect themselves. 

Dave Bittner: So what's to be done here? I mean, how - obviously, the benefits of open source software are clear, but how does an open source community protect itself? 

Grayson Milbourne: So I think this is, like, a challenge for that open source community. And I think it comes down to having a proper hierarchy of review. And for, you know, depending on the component that's being modified, I mean, you might need more eyes on it. You know, I think this is not a problem that's simply solved. I think some of this is easy to solve, right? So we look at, like, typo squatting. You know, we - like, some of these communities have discovered that, hey, you know, somebody put this package here that's two letters off or jumbled up a little bit. And they realize that it's malicious, and so then they remove it. So, you know, I think the communities themselves need to do a better job of vetting the content within. And really, since we've seen these attacks on GitHub, as well, PyPI, NPM, these communities have already done a lot to now retroactively review and identify and have actually even found several examples of malicious updates. So, you know, I think it's not a - there's no silver bullet to these solutions. It's - you know, I think it's one of the costs, perhaps, to having open-source development is that, sometimes, you have a bad egg out there. And so it just requires a bit more review.

Grayson Milbourne: But that said, I mean, like, the bugs that you can find in open source are, you know, sometimes much worse than bugs you can create in your own development environment and vice versa. I think it's really more about ensuring that what you get is what you expect. And so I think this is another way that attackers are trying to get in between that level of trust of, you know, oh, you know, this is open source. I can trust it. You know, somebody has reviewed this. I don't need to. And whenever there's that kind of leap of trust, I think that also creates an opportunity for exploitation. And I think that's what we've seen here. 

Dave Bittner: All right. Well, Grayson Milbourne, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Millie Lardee (ph), Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.