Cyberespionage, privateering, hacktivism and influence operations, in Ukraine, Russia, the Middle East, and elsewhere. Criminals need quality control, too. A new entry in CISA’s KEV Catalog.
Dave Bittner: A Chinese cyber-espionage campaign is believed to be active in the Middle East. Poor quality control turns ransomware into a wiper, and a typo crashes a cryptojacker. A large DDoS attack is reported to have hit a Russian state-owned bank. Privateers compromise Western infrastructure to stage cyberattacks. Cyber operations against national morale. A look at the Vice Society. Ben Yelin on the growing concerns over TikTok. Ann Johnson from "Afternoon Cyber Tea" speaks with Charles Blauner about the evolution of the CISO role. And CISA has added an entry to its Known Exploited Vulnerabilities Catalog.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 6, 2022.
Chinese cyberespionage campaign believed to be active in the Middle East.
Dave Bittner: Bitdefender has published a report describing a Chinese cyber-espionage operation targeting telecom providers in the Middle East. The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server. After gaining access, the threat actor deployed multiple tools to establish persistence, move laterally and escalate privileges. These included the Irafau and Quarian backdoors and the Pinkman Agent. Bitdefender suspects BackdoorDiplomacy, a China-linked APT discovered last year by researchers at ESET. ESET noted that the group primarily targets ministries of foreign affairs in the Middle East and Africa and, less frequently, telecommunication companies. Bitdefender attributes the campaign to BackdoorDiplomacy based on the domains used for command-and-control.
Poor quality control turns ransomware into a wiper.
Dave Bittner: Yesterday we discussed recent developments in ransomware, highlighting the increased professionalization of ransomware gangs. However, not all threat actors are moving toward businesslike functions and may be disorganized. Poor quality control causes the hoods as many problems as it would a legitimate business. A sample of open-source ransomware toolkit Cryptonite has been found to act as a wiper, Fortinet reports. Researchers say that the sample never offers the decryption window, causing it to act as a wiper, and say that they believe this was unintentional. In their report, Fortinet writes, the ransomware was not intentionally turned into a wiper. Instead, the lack of quality assurance led to a sample that did not work correctly. The problem with this flaw is that due to the design simplicity of the ransomware, if the program crashes or is even closed, there is no way to recover the encrypted files.
Dave Bittner: This sample demonstrates how a ransomware's weak architecture and programming can quickly turn it into a wiper that does not allow data recovery. Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems. On the positive side, however, this simplicity, combined with a lack of self-protection features, allows every antivirus program to easily spot this malware.
KmsdBot’s downfall: a typo.
Dave Bittner: And it's not just ransomware that's got its QA problems, either. Cryptojackers need some attention, too. The cryptomining botnet KmsdBot, which could also be used for DDoS attacks, has been described by Ars Technica as a “complex malware with no easy fix.” Akamai researchers, however, witnessed the controller of the botnet accidentally send a malformed command. The bot masters neglected to put a space between an IP address and a port in a command, and it caused a panic crash and an error that read, "index out of range." As Ars Technica says, because there's no persistence, the bot stays down, and malicious agents would need to reinfect the machine and rebuild the bot's functions. Akamai principal security intelligence response engineer Larry Cashdollar says that almost all of the KmsdBot activity being tracked by the company has stopped. Akamai describes the situation as a strong example of the fickle nature of technology. So stay in school, kids. Even if you are an aspiring criminal, spelling and punctuation still count. Make your English teacher proud.
Large DDoS attack hits Russian state-owned bank.
Dave Bittner: Reuters reports that state-owned VTB, Russia's second largest bank, has sustained a major DDoS attack. VTB said in a statement quoted by Reuters, "The bank's technological infrastructure is under an unprecedented cyberattack from abroad, the largest not only this year but in the whole time the bank has operated." While VTB said the attack originated outside of Russia, it also said it was disturbed by the amount of attack traffic originating from Russian IP addresses and that it was cooperating fully with the official investigation. Computing reports that VTB said customer funds and data were safe. Reuters includes an interesting disclaimer above its story, stating, "This content was produced in Russia, where the law restricts coverage of Russian military operations in Ukraine." That doesn't suggest falsehood but perhaps some want of useful context. In any case, VTB says it's got the matter under control, which is in all likelihood true.
Compromising Western infrastructure to stage cyberattacks.
Dave Bittner: Scottish deception-as-a-service security firm Lupovis ran an exercise to see whether its honey traps would attract Russian cyber operators. They did. The researchers found that "the most concerning finding from our study is that Russian cybercriminals have compromised the networks of multiple global organizations, including a Fortune 500 business, over 15 health care organizations and a dam monitoring system. These organizations were based in the U.K., France, the U.S., Brazil and South Africa, and Russian criminals are rerouting through their networks to launch cyberattacks on Ukrainian targets, which effectively means that they're using these organizations to carry out their dirty work." A surprising fraction of the attacks targeted health care organizations. The findings reemphasize the important role cybercriminals continue to play in Russia's war effort. Whether they're functioning as patriotic hacktivists or privateers, the underworld is clearly the Kremlin's principal cyber auxiliary.
Cyber operations against national morale.
Dave Bittner: Oleksandr Potii, deputy chairman of Ukraine's State Service of Special Communications and Information Protection of Ukraine, characterized Russian hybrid operations and their cyber components especially as representing an assault on Ukrainian morale. Politico quotes him as saying, "Classic cyberattacks, phishing, DDoS threats, ransomware on critical infrastructure, these cyberattacks continue. But we have a new method of cyberattack - to influence political processes, social processes, civil society and political society, to destabilize the social-political situation in different countries, cities and regions." So the cyberattacks are serving the same end as the missiles. They are not there to affect the enemy's military capabilities directly but rather to establish mindshare in civil society.
A look at the Vice Society.
Dave Bittner: The Vice Society, Palo Alto Networks' Unit 42 finds, is interested in education but not in a good way. Unlike some of their competitors in the ransomware game, the Vice Society doesn't write much code from scratch, nor does it play in the typical ransomware-as-a-service market. Instead, they seem to prefer to use forks of preexisting ransomware strains. Unit 42 explains, "Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service model, Vice Society's operations are different in that they've been known for using forks of preexisting ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty and Zeppelin strains of ransomware, as opposed to Vice Society developing their own custom payload."
Dave Bittner: The gang goes after K-12 schools in particular because, first, they're often vulnerable, less well protected than bigger operations and, second, because they hold a great deal of valuable personal data. The Unit 42 report concludes, "Vice Society and its consistent targeting of the education industry vertical, particularly around the September time frame, serves as a warning that this group has shaped their campaigns to take advantage of the school year in the U.S. It's likely they'll maintain use of these tactics to impact the cyberthreat landscape moving forward, as long as their activities continue to be lucrative for them."
CISA adds to its Known Exploited Vulnerabilities Catalog.
Dave Bittner: And finally, CISA yesterday added CVE-2022-4262 to its Known Exploited Vulnerabilities Catalog. The issue is a type confusion vulnerability in Google Chromium V8. Agencies are expected to apply updates per vendor instructions no later than December 26. And so federal executive civilian agencies, look to your patching.
Dave Bittner: Coming up after the break, Ben Yelin on the growing concerns over TikTok. Ann Johnson from "Afternoon Cyber Tea" speaks with Charles Blauner about the evolution of the CISO role. Stay with us.
Dave Bittner: Ann Johnson from Microsoft is host of the "Afternoon Cyber Tea" podcast. And on a recent episode, she speaks with Charles Blauner about the evolution of the CISO role.
Ann Johnson: So I know you were in the industry when the CISO role first came to be. Can you share with us some of the history and the evolution of the role from your perspective?
Charles Blauner: Sure. So in a lot of ways, Steve Katz, who's a good friend of both of ours, became the first CISO in 1995. Citibank back then had an event in 1994. A young Russian broke in, stole a bunch of money. And there was this realization that this is a business issue. And so I had actually been working for Steve. He was my boss at JPMorgan. He left to go to Citi and become the first CISO in 1995. And I joined him together with others like Rhonda MacLean, Bank of America, and I was at JPMorgan shortly thereafter.
Charles Blauner: But back then, it was not a business function. Back then, the idea of the CISO's job was basically keep off the front page of The Wall Street Journal, The New York Times. Stay out of trouble with the regulator. And you had a very sort of narrow focus that was really about protecting the data, especially in banking, because of things like the Gramm-Leach-Bliley Act, which was one of the first times the word customer privacy came up in U.S. law. So you had this very narrow function. It was basically keep out of trouble. And if you were lucky - in banks, once a year, you met with the board for about 5 minutes. It was the law. And that was good. And if you were lucky, you might get a really tough question about one of the board member's personal credit cards. But the world changed. And over time, we started to really think about this as a risk management discipline.
Ann Johnson: What were some of the key paradigm shifts you saw? And in addition to what you've talked about, what were some of the surprises along the way, those a-ha moments that you said, wow, we could have or should have been thinking about this, or wow, I'm surprised this is in my remit?
Charles Blauner: I mean, one is I think there's been a radical shift in the nature of the threat - right? - where you went from when the early days it was a bunch of young kids who were getting whistles out of Cracker Jack bottles to hack the telephone system for free dial tone to sophisticated criminal organizations to nation-state actors and now to a point where you've got actual criminal organizations that are as good, if not better, than a lot of nation-state actors. And so you have one piece of pretty radical change. And then you sort of layer on the various technology changes. Then you think about the next radical change, distributed computing. And now cloud or public cloud is the next thing. And each of those things have driven radical changes in the underlying security technology.
Ann Johnson: What advice do you have for CISOs who need to make that transition from being viewed as a blocker to really being viewed as an enabling business partner?
Charles Blauner: So the most important thing, I think, for CISOs is to really understand the core of how your company makes money. That will drive everything - how a bank makes money - one thing, actually, how a bank makes money is lots of different things - how a pharmaceutical company makes money, how consumer packaged goods company makes money. You really need to understand how your company makes money, right? And you need to understand the key sort of business processes that support that.
Charles Blauner: The other thing is with the sort of digital transformation that's underway - to a greater or lesser degree, depending on what industries you're in, that digital transformation creates an opportunity and risks sort of pare about how you do the business in this new digital world. And how do you take the maybe nontechnical business controls that may have existed, and how do you make those things happen in as frictionless a way as possible?
Dave Bittner: That's Ann Johnson from "Afternoon Cyber Tea" speaking with Charles Blauner. You can hear the entire interview on the "Afternoon Cyber Tea" podcast. That's right here on the CyberWire Podcast Network.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting article came over. This is written by Brooke Singman over on the Fox Business website. It's titled "TikTok Poses Legitimate National Security Concerns According to Treasury Secretary Yellen." First of all, Ben, Treasury Secretary Janet Yellen - a relative of yours?
Ben Yelin: Yeah, she's my great-aunt. No, I'm just kidding.
Dave Bittner: (Laughter).
Ben Yelin: It's spelled differently. She spells it the incorrect way of Y-E-L-L-E-N. I'm Y-E-L-I-N.
Dave Bittner: I see.
Ben Yelin: But certainly hasn't stopped me from making many jokes about it.
Dave Bittner: So let's dig into this story here. This is about TikTok, the potential national security concerns. This is something that's been talked about for a while here. What do we make of Secretary Yellen addressing this specifically?
Ben Yelin: So we've heard about this going back several years to the Trump administration where there were legitimate threats to shut down TikTok in the United States. TikTok is owned by ByteDance. That is a Chinese company based in Beijing. And because it's based in China, a lot of U.S. officials have warned that the Chinese Communist Party could compel that company with the full force of the law to turn over American users' data. The consequences of using our data is it could expose us to propaganda. It could learn things about our own citizens that we don't know about ourselves. It could control software on millions of devices, which could technically compromise those devices. That certainly presents a lot of risk. TikTok is what the young people use these days.
Dave Bittner: (Laughter).
Ben Yelin: It's very ubiquitous.
Dave Bittner: It's what I hear. Yeah (laughter).
Ben Yelin: Yeah. And what's so - I wouldn't say funny because this is very serious. We're talking about national security implications. But, like, most of TikTok is people making silly videos. I'm on it just more for observational purposes. And it's mostly - at least the content that gets filtered to me based on my personal characteristics are married couples with kids sharing their foibles about raising toddlers.
Dave Bittner: Right (laughter).
Ben Yelin: It's just interesting that that's turning into a major national security threat. But I think what we've heard from Secretary Yellen and from FBI Director Christopher Wray is without knowing how much this parent company is going to share with the Chinese government, I don't think we're properly able to assess our risk. This is a powerful tool. It is embedded with very advanced artificial intelligence. In the words of former Secretary of State Mike Pompeo, it is an element of the Chinese security apparatus. And so it certainly is something that could jeopardize national security, especially for our - maybe our second biggest geopolitical foe at the moment but certainly probably our biggest geopolitical foe in the long term. So, kids out there, if you are TikTok users and this is how you communicate with your friends, at least be aware that there's a possibility that this is going to be curtailed in the United States if a case can be made in front of the proper government bodies that this is - presents an undue risk to national security.
Dave Bittner: And this is unprecedented, right? I mean, we haven't seen a major social media platform taken down - or I guess banned is a better way to say it because it would be access in the U.S. that would be restricted, right?
Ben Yelin: Right. We have not seen this on a large scale. So smaller apps have been banned by this committee in the Treasury Department. So the Treasury Department has this Committee on Foreign Investment in the United States. They evaluate national security risks associated with foreign-owned companies. And their decisions carry the force of law. So they really do have the authority to shut this down. It would be a radical action. It would get a lot of blowback. So yeah, I think you have to treat it very delicately. Even if you acknowledge that it's a national security risk, is it worth shutting this down if it could lead to retaliation or if people would try to use less secure TikTok alternatives or, through piracy, get TikToks on their device? And you wouldn't be able to regulate it. It would be even less secure than it is now. So it's certainly not - making a decision to ban it certainly would not be without risk. But I think it's remarkable that we've seen the government consider something like this when this is one of the top - not selling, but one of the top free applications on Google and iOS, so.
Dave Bittner: And TikTok is saying that they've got this under control. They're claiming, you know, we're spun off. We're independent from our Chinese mothership, if you were, you know, the parent company. So nothing to see here. No - your concerns are overstated.
Ben Yelin: Yeah. I mean, so I don't think we should take that at face value because the Chinese government is extremely powerful. I mean, they've been able to enforce basically a lockdown of billions of people at a time in some major cities because of their surveillance capabilities and their large law enforcement presence. Whether you agree with the morality of that or not, and I suspect most people do not, especially those who listen to our show, that shows their level of power and capability. So if you get on the wrong side of the Chinese Communist Party, that's not going to be good for your company. So I think that gives companies the incentive to comply with potential requests. And that's one of the natures of Secretary Yellen's concern here.
Dave Bittner: Can we imagine an outcome - some sort of middle ground here? Is this an all or nothing, do you suppose?
Ben Yelin: I don't think it's an all or nothing. I think an outright ban is within the realm of possibility, but unlikely. I think there could be some type of workaround that they could figure out where - there's enforcement power through the Department of Justice that prevents this company from handing data over to the Chinese Communist Party with the threat that if you do, we're going to ban this app in the United States. That could be a potential starting ground for negotiations, or there's probably creative people out there who could think of better solutions that don't lead to banning the application. But it's certainly a risk that's out there.
Dave Bittner: Yeah. Yeah. All right. Well, it's yet another one to follow. And you and I will follow it, but more importantly, my teenage son will be following it with great interest.
Ben Yelin: Yeah. I mean, think about all the time all the teenagers are going to have in this country when TikTok is eliminated. What are they going to do?
Dave Bittner: Right. Right.
Ben Yelin: They're going to go back to Facebook, where all their grandparents are posting political memes?
Dave Bittner: Yeah, that ain't going to happen. All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy (ph), Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.