The CyberWire Daily Podcast 12.8.22
Ep 1719 | 12.8.22

The IT Army of Ukraine claims VTB DDoS. DPRK exploits Internet Explorer vulnerability. New variant of Babuk ransomware reported. Blind spots in air-gapped networks. And, dog and cat hacking.


Dave Bittner: The IT Army of Ukraine claims responsibility for DDoS attacks against a Russian bank. North Korea exploits an Internet Explorer vulnerability. A new variant of Babuk ransomware has been reported. Blindspots in air-gapped networks. Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust. And the hacking of cats and dogs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 8, 2022. 

IT Army of Ukraine claims responsibility for DDoS against Russian bank.


Dave Bittner: HackRead reports that the IT Army of Ukraine, Kyiv's hacktivist auxiliary, has claimed credit for the distributed denial of service attack against the state-owned Russian bank VTB. The IT Army tweeted, in convincing, if not perfect, idiomatic English, VTB could not handle with our attack the whole week long, so they have to admit it. However, the problem is not we took them down so long, but something went wrong newly, and they cannot settle paychecks, remittances, fine and tax payments. That is, VTB is unable, says the IT Army, to handle routine online transactions. DDoS attacks in the current war, whether conducted by Russian or Ukrainian operators, have rarely risen above a nuisance level of severity. Still, any nuisance at all remains a nuisance, even though it's unlikely VTB will be crippled for very long. 

North Korea exploits Internet Explorer vulnerability.


Dave Bittner: Researchers at Google's Threat Analysis Group report that North Korean threat actor APT37 exploited a zero-day vulnerability in Microsoft Internet Explorer in a phishing campaign against South Korean targets. Google writes, on October 31, 2022, multiple submitters from South Korea reported new malware to us by uploading a Microsoft Office document to VirusTotal. The document references the tragic incident in the neighborhood of Itaewan in Seoul, South Korea, during Halloween celebrations on October 29, 2022. This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident. Microsoft was quick to patch the issue after Google reported it. It's noteworthy that Internet Explorer continues to be a target for exploitation by threat actors even after Explorer's replacement by Microsoft Edge. 

Dave Bittner: MITRE points ou that researchers commonly cover APT37, like other DPRK units, under the umbrella name Lazarus Group. Some of the operations associated with APT 37 have been Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy? FreeMilk, North Korean Human Rights and Evil New Year 2018. Whatever they're called, APT37 is bad news. And whatever they're up to, they're up to no good. 

New variant of Babuk ransomware reported.


Dave Bittner: Researchers at Morphisec announced today that they've observed a new version of Babuk ransomware in the wild. An infestation was detected at a large manufacturing company, which Morphisec describes as a multibillion dollar manufacturing company with more than 10,000 workstations and server devices. The researchers explain on Morphisec's blog, the attackers had network access for two full weeks of full reconnaissance prior to launching their attack. They have compromised the company's domain controller and used it to distribute ransomware to all devices within the organization. 

Dave Bittner: They think that earlier attribution of the attacks to WannaRen are mistaken, and they offer three reasons for concluding that, in fact, the malicious payload is an upgraded version of Babuk. First, the overall execution flow and code structure correlates to that presented by Babuk ransomware. Second, it uses the same encryption algorithm. As the researchers put it, one of the most characterizing functions of any ransomware is the encryption method. We verified that the payload in our case matches the one in the Babuk source code. And finally, the configuration and usage of the original and variant overlap. The improvements the attackers made to Babuk are designed to evade much present scanning and detection technology, Morphisec thinks. The new version of the ransomware implements side-loading executes within legitimate applications and implements reflective loading functionality to hide the rest of the execution steps. 

Blind spots in air-gapped networks.


Dave Bittner: Security firm Pentera has published a report showing how attackers can use DNS tunneling to communicate with air-gapped networks. Organizations often use air-gapped networks to isolate their sensitive assets. Theoretically, these networks should be entirely cut off from the outside internet. Pentera explains, however, while air-gapped networks may not have direct access to the internet, they still often require DNS services in order to resolve a company's internal DNS records. Many organizations often make the mistake of thinking that by routing communication over an internal DNS server, they are preventing a potential breach. However, they are still susceptible, as the internal DNS server can still connect with a public DNS server. 

Dave Bittner: If an attacker gains the owner rights to a route record within the organization, they can create a name server that can communicate with the air-gapped network over DNS. This isn't trivial, since DNS traffic is usually sent over UDP, and the attacker has no control over the flow or sequence of data transmission. These obstacles can be overcome, however. For example, if the payload is compressed before sending and decompressed after it's received, the attacker can verify whether the data has been corrupted. 

The Internet is going to the dogs. Or the cats. Maybe the ferrets, too. The tropical fish and turtles? Well, probably not.


Dave Bittner: And finally, all this stuff about air gaps has us thinking - what about species gaps? What about Fluffy, Fido or Flipper? Are they hackable? Or if not they themselves, are the chips they carry in their collars or under their fur perhaps, in some fashion, vulnerable? Could malware jump the species gap? Or to put it another way, does your dog's accessibility online increase your attack surface? Our Dog Desk informs us that dogs do indeed communicate with one another. The barking is obvious. It usually means, hey, hey, hey, hey. So is the howling, which reliably translates to, I hear you, and I'm here, too. Woo. Woo. More complicated messages are usually carried out by deposits of scent, missives like, Queenie loves Rex, or Jimbo ate the whole thing all by his own self, or take it from me straight; the raccoons are still down the storm drain. 

Dave Bittner: Anyhoo, because this is the kind of thing actuaries think about, Insurance Journal explains a threat that we confess hadn't really occurred to us but which they've convinced us is real. They call it "An Unlikely Vector for Cyber Threats: Household Pets." A study by Kaspersky and Opeepl concluded, According to the survey, half of the devices used for pets have access to the internet, which makes them vulnerable to cyberattacks. Cat and dog trackers can allow attackers to manipulate information about the pet's location or even steal its owners' personal data. The study also found that the penetration of technologies and digital devices related to pets isn't limited to trackers, either. Other popular tools cited by respondents were web cameras for watching pets, smartphones and tablets with games designed for pets, digital toys, automatic feeders or water dispensers and more. So when you tell Rover to fetch, the cyber hoods may be fetching your data. Bad hacker - bad, bad. 

Dave Bittner: Coming up after the break, Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust. Stick around. 

Dave Bittner: Looking back at 2022, I think it's safe to say that Zero Trust was certainly one of the hot topics in information security. Zscaler recently published their State of Zero Trust Transformation report, "Taking Stock of Where Things Stand." Joining us to unpack the report is Nathan Howe, vice president of emerging technologies at Zscaler. 

Nathan Howe: In its simplest way, the best thing that we can say is that Zero Trust is where we don't allow anything to happen, no communication, no sharing information, nothing at all between an initiator - so anything creating and initiating a connection - and destination, without going through the appropriate controls. So we see those controls being - verifying the initiator - so who's actually connecting? What are they doing? Where are they going? - applying controls about how risky they are - what are they carrying with them? Are they doing anything malicious? Are they trying to download anything malicious? Are they exfiltrating anything that's important? And finally, applying controls, and that control could be allow, block, steer, a number of things. But the goal of this is to ensure that no initiator gets to any destination without going through that approval first. So it doesn't matter what network they're on, where they are. Any initiator - whether it be human, workload, thing, - talking to anywhere else is able to connect only if it goes through that verification, that control and that policy enforcement. Otherwise, nothing happens. 

Dave Bittner: Do you have any sense for, as organizations start this journey, as they head down that path, is it what they thought it would be? Is it more or less than they thought they were getting themselves into? 

Nathan Howe: I think the biggest thing is everyone opens the Zero Trust door and gets hit with that kind of metaphoric fire hose of information. I tend to ask the question of many enterprises when I meet with them, is, do you know what applications, do you know what services you have internally? Do you know what they are? Do you have a list? And more often than not, the answer is a laugh, like, a sheepish laugh going, oh, we really shouldn't talk about that. And I think that's where Zero Trust starts. That conversation often says, well, Zero Trust is a granularity thing. It's about understanding the specifics and then creating the specifics around those initiators and destinations. If you don't know what you have, then how can you do that? And I think people overlook the things they've already done historically to be able to achieve these things. 

Nathan Howe: So a good example I always like to point out is that every single company has some sort of role definition. So you know that Mary is in accounting. You know that Bob's in finance. And you know that Jerry is in security. That is a simple, simple step to begin that granular path 'cause you have some sort of path to be able to define a role or a control around. It's not going to be perfect, but it's a starting point. 

Nathan Howe: And the hardest part with this is - to your question, was, they don't necessarily know where to act when they get this thing started because it's too much coming at them. But they should feel empowered. They already have information to take those steps forward, to make those initial Zero Trust paths, and then start taking advantage of that, whether it be going to the cloud or whatever else. But it gives them that step forward. So they need not to be scared of that huge amount of torrent of information and focus on where they can affect changes quickly. 

Dave Bittner: You know, it's a really interesting thing that you bring up, and it makes me think about that notion about, you know, not letting the perfect be the enemy of the good and how this plays into - we call it Zero Trust, not almost-Zero Trust, right? And so the absolute implied in the name itself - I wonder, is that helpful as a mindset, or is it more aspirational than a reality? 

Nathan Howe: Fantastic statement. You're right. There is - it's very much a definitive a name, that it is zero. You start from zero. I think that because it is challenging what has been the status quo for so many years of that interaction, the network being this magical path of everything being connected, it can also be quite, yeah, I think, shocking to people to be able to move. I think that you're right, the naming could be perhaps not perfect. I think if we looked at it at its, you know, crux of what we're talking about here, it's almost going back to the early days of mainframes, where you were allocated a very specific slot with a very specific set of permissions to run your very specific process and nothing else. And when you're finished, you let the next person come in with their punch cards or whatever it was. And it was very, very, very controlled. And I think that's where - we're getting to that point, but in the internet world where, you know, everybody's device is connected to 1,000 things at once, how can you possibly provide all of those controls in parallel, and for that matter, visibility? It becomes, I think, a bit inundating for the company. So, yeah, perhaps it's worthwhile saying, let's talk about granular control or granular trust, maybe not Zero Trust. But yeah, that's the buzzword. 

Dave Bittner: Yeah. So based on the information you gathered here, what are your recommendations? 

Nathan Howe: I think the biggest one is to not be afraid. This is a big challenge for enterprises. And we've seen that when we look at the geo-breakdowns. They certainly want to enable this. They want to get moving on Zero Trust. But there is 90+% that have a plan to actually execute, again, Zero Trust. But around 20% are actually doing it. As I mentioned before, not to be scared of what you have and leverage - for example, probably one of the best implementations of Zero-Trust controls, the very first one, is to say get the user or the initiator - in this case we'll focus on the humans - get them off the shared network where the destination application is. 

Nathan Howe: And unfortunately, we had a global event a few years ago that allowed us to have every single person off the network where the actual obligations were. And I think that in itself is an opportunity to look at where we can actually effect change. And whilst many of us certainly follow the path for Zero Trust or remote-access Zero Trust, others went down the VPN path, and that's fine, but the goal really should be to look at that and think, well, hold on, if everyone's actually off the network, what can I take advantage of? 

Nathan Howe: And I always quote one of my CIOs that I spoke to about this, where they said, during the pandemic, they used the measurement of dust. They actually went through buildings and to see how much dust was on the tables and on the routing equipment. And that dust indicated just how little that office was used. Therefore, they could, A, recuperate the cost by shutting down the site, removing of the legacy network infrastructure that was not being used. 

Nathan Howe: Now, of course, it's not a perfect measure, but it was a great example of making a decisive action and taking a decisive action off that, the incident, and saying where can they find business value. So my advice to enterprises is not to be intimidated by this, but to look where you can take advantage of those decisive cuts in moments, like people being off the network, and take advantage of that to get business optimization and save some money because as we head into the economic situation that we are facing, we need to be able to focus and put our time, energy and, of course, money in the areas that matter the most. And by being granular, at least to some level of granularity, you can cut some things out. And it's a good place to start. 

Dave Bittner: That's Nathan Howe from Zscaler. 

Dave Bittner: And joining me once again is Robert Boyce. He is global lead for cyber resilience and an advisory board member at Accenture. Rob, it's always great to welcome you back to the show. I know you and your colleagues there have been tracking some trends when it comes to ransomware. I wanted to check in with you. What's the latest? 

Robert Boyce: Yeah. Thanks, Dave. And thanks for having me back. We - I feel like we're in perpetually tracking ransomware trend at this stage in the cybercriminal life cycle. But yeah, we are actually seeing a few interesting shifts. So I have a couple of, you know, interesting bullets here that we can go through and share. You know, I think this year in ransomware, not only have we seen more than ever, but it's been a really interesting year of, you know, shake-ups, to be honest. You know, we saw a number of arrests near the beginning of the year, which I think slowed down a lot of the ransomware for a short period of time. Of course, it is now built all back up. You know, we've seen governments fighting back with different sanctions around the world. And funny enough, we've even seen the Russia-Ukraine conflict cause a lot of shifts in the ransomware game for a lot of the ransomware gangs. 

Robert Boyce: So, you know, a couple of the things that stand out to me that we're tracking is we've seen, you know, a couple of trends geographically, I would say. So in Europe, we're starting to see a lot more focus on energy production. And I think this is not uncommon considering Europe is so heavily reliant on some of the energy that's coming out of Russia. And so I think - as I said earlier, I think that Russia-Ukraine conflict may be impacting a component of that. In Latin America, we've seen a lot of government ministries being targeted, which we find interesting. And in North America, we're seeing an uptick in the medical field, medical industry, as well as critical infrastructure, which is also fascinating. 

Dave Bittner: When you look at the back-and-forth, you know, this ongoing cat and mouse, does it seem like anybody is gaining ground or losing ground, or is it pretty much tit for tat still? 

Robert Boyce: I find that there's a lot of money to be made in the ransomware game still. So we're still seeing, you know, just - I think the sheer amount of, you know, currency or money that's going through this attack vector is still really promoting that this is a viable business, right? So we're seeing a lot of new emerging threat actors get into the game as well. And in line with that, one interesting - we've actually started to see is a couple of the really popular ransomware - so your well-known ransomware gangs like Conti and Lapsus$ - have disbanded, right? And I think we have a couple of hypotheses for that. 

Robert Boyce: I think, you know, part of that could be just due to the government sanctions that were put in place. So, you know, once a ransomware gang gets put on the - you know, the sanction list, they're not going to be able to get paid, or the likelihood of them being paid is much, much, much reduced. And so, you know, rebranding themselves is something that we're seeing a lot - seeing happen quite often now. And I do think, as I said earlier, that Russia-Ukraine conflict has been divisive for some ransomware gangs where some may fall on the Russia side, some may support the Ukraine side. And we're starting to see that separation happen a little bit, too. And we're seeing those gangs start to affiliate themselves with one side or the other - not in all cases. But in some cases, we're seeing that as well. 

Dave Bittner: What is your sense in terms of the breadth of the ransomware ecosystem? And specifically I'm thinking about the low-level - what I almost describe as nuisance level ransomware operators. You know, when ransomware first began, that's where things were. Now, the big-ticket ransomware operators are the ones who get all the headlines. But are there still people down at that lower level who are making a living, you know, $500 at a time? 

Robert Boyce: Yeah, 100%. And again, I think the whole ransomware as a service has - really helps enable that ecosystem. So we're seeing, you know, a lot of the initial attack vectors or the initial access, I would say, being bought now. So it's so easy to buy access that you don't even need to be sophisticated enough to do a targeted spear phishing attack in some cases to try and get credentials. You can just buy them. And so that's helping enable a lot of the, I would say, lesser skilled or lower level, as you were saying, you know, ransomware threat actors be successful. And then, of course, the tools that are available. We've seen tools from groups like Locket be leaked. Those are, of course, now being able to be used by more than just the affiliates of that ransomware group. So it's just - there's a lot of different ways to enable those - you know, those lower-level threat actors to be successful. 

Dave Bittner: All right. Well, interesting to track the trends over time for sure. Rob Boyce, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.