The CyberWire Daily Podcast 12.14.22
Ep 1723 | 12.14.22

InfraGard data for sale. Cyberespionage warnings. Data sharing practices. Malicious drivers with legitimate signatures. Patch Tuesday. Task Force KleptoCapture indicts five Russian nationals.


Dave Bittner: The FBI's InfraGard user data shows up for sale. An update on Iranian cyber operations. NSA warns of Chinese cyberthreats. Challenges in sharing data for threat detection and prevention. Legitimately signed drivers are used in targeted attacks. Patch Tuesday addressed a whole lot of actively exploited issues. Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the Enterprise Browser space. And the U.S. indicts five Russian nationals on sanctions evasion charges.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 14, 2022. 

InfraGard user data for sale.

Dave Bittner: KrebsOnSecurity has some unpleasant news that goes to the challenges of vetting people for access. The blog reports that someone using the hacker name USDoD, and whose avatar is the U.S. Department of Defense seal but who's obviously unconnected with the Pentagon, is offering an InfraGard user database for sale in the criminal market Breached. Now, InfraGard describes itself as a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of U.S. critical infrastructure. So any data it might hold is obviously of interest to crooks and the other miscellaneous goons who are all over cyberspace. 

Dave Bittner: According to KrebsOnSecurity, the attacker gained access to InfraGard by applying for membership under a bogus identity. The blog states, USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership. The CEO in question, currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans, told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application. 

Dave Bittner: Mr. USDoD says he’s asking $50,000 for the data he’s been able to pull. He hasn’t got that yet, and he’s not surprised, given that the info is pretty basic stuff. Still, it’s a going-in position to start negotiations, and you never know. In any case, he’s snagged some invitations to security conferences. One imagines he won’t be stupid enough to show up and present his credentials to the FBI. But again, you never know. To the certain personal knowledge of our crime desk, malefactors often, in fact, do stupid things. A classic example is a guy wanted by the FBI for a variety of offenses, including facilitating gun trafficking, who was stupid enough to go on the Johnny Carson show back in the '70s with a snake-handling act. He’d evaded capture until then, but some of the Feds were apparently fans of "The Tonight Show," because this particular act of carelessness earned the Cobra King a sabbatical in the Federal Correctional Complex in Allentown. They couldn’t find him until shortly after they heard, here's Johnny. 

Dave Bittner: Anyway, KrebsOnSecurity elaborates on the details of the offering. USDoD said in their sales pitch that Pompompurin - remember those guys? - would guarantee the transaction via the escrow service they offer in the Breached forum, so satisfaction guaranteed. Pompompurin administers the Breached forum, a market that’s widely regarded as the functional successor to RaidForums, closed back in April by the U.S. Feds. The incident suggests, obviously, inadequate vetting of applicants. The FBI says it's aware of the matter and that an investigation is ongoing. It's worth pointing out that if InfraGard can fumble vetting, maybe the rest of us can, too. 

Update on Iranian cyber operations.

Dave Bittner: Proofpoint this morning released research on what it calls aberrations in operations of the Iranian threat actor TA453, a group whose activity overlaps that of Charming Kitten, PHOSPHORUS, and APT42. Proofpoint says, a hallmark of TA453’s email campaigns is that they almost always target academics, researchers, diplomats, dissidents, journalists, human-rights workers, and use web beacons in the message bodies before eventually attempting to harvest a target’s credentials. Such campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation. 

Dave Bittner: Since 2020, however, TA453 has selected victims from a wide range of sectors, and it's used compromised accounts, malware, and confrontational lures in pursuing them. Its new targets include medical researchers, realtors and travel agencies. Proofpoint thinks, with moderate confidence, that this activity reflects a flexible mandate to the Islamic Revolutionary Guard Corps' intelligence requirements. There's also a sub-cluster of the activity that seems to support covert IRGC operations, including, disturbingly, apparent attempts to lure targets into kidnapping traps. Sharper elbows all around. 

NSA warns of Chinese cyber threats.

Dave Bittner: Yesterday, NSA released "Citrix ADC Threat Hunting Guidance" that warns of activity by APT5. The advisory doesn't explicitly attribute APT5 to China, although it does link it to UNC2630 and MANGANESE. But as Reuters observes, APT5 has long been strongly suspected of being a Chinese intelligence threat group. Mandiant is among those who've registered that suspicion. NSA's advisory offers guidance on file integrity and behavioral checks, as well as YARA rules useful for detection. 

Challenges in sharing data for threat detection and prevention.

Dave Bittner: A survey commissioned by Splunk has found that 63% of public sector organizations struggle with leveraging data to detect and prevent threats, compared to 49% of private sector entities. The survey concludes that these difficulties of analyzing data directly impact partnerships between the public and private sectors and their ability to share intelligence. Despite the disparity in leveraging data for security, the survey found that public and private sector organizations have very similar priorities for cybersecurity. The top three cybersecurity priorities for both sectors are improving threat response and remediation capabilities, improving detection of emerging threats, and improving user security awareness. 

Legitimately signed drivers used in targeted attacks.

Dave Bittner: Microsoft has taken steps to address the problem of legitimately signed Microsoft drivers being used in targeted attacks, stating, Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections to help protect customers from this threat. The issue was discovered and disclosed by SentinelOne and Mandiant, working in partnership with one another. The threat actors detected using the malicious drivers were doing so in an evident attempt to evade detection by security tools. And, of course, in full disclosure we note that Microsoft is a CyberWire partner. 

Patch Tuesday notes.

Dave Bittner: Yesterday was Patch Tuesday, and there was more going on than we can conveniently describe here. We will say, however, that apart from that malicious driver issue, a number of vendors fixed issues that are undergoing active exploitation in the wild. You’ll find a full set of references in today’s CyberWire Daily News Briefing, available on our website, 

US indicts five Russian nationals on sanctions-evasion charges.

Dave Bittner: The U.S. Department of Justice announced yesterday that five Russian nationals had been indicted in connection with violations of sanctions and export controls. They're charged with conspiracy to defraud the United States as to the enforcement of export controls and economic sanctions, conspiracy to violate the Export Control Reform Act, smuggling, and failure to comply with the Automated Export System relating to the transportation of electronics. The indictments are the result of work by Task Force KleptoCapture, an interagency group formed specifically to enforce sanctions and go after the corrupt oligarchs who are so often responsible for their violation. Four of those indicted remain at large. But one, whom Justice calls a suspected officer with Russia’s Federal Security Service, the FSB, was arrested in Estonia last week and is awaiting extradition to the U.S. And, hey, he didn't even have to go on "The Tonight Show." 

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post Cybersecurity 202 shares reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the Enterprise Browser space. Stick around. 

Dave Bittner: The humble web browser has come a long way since its original development in 1990 by British computer scientist Tim Berners-Lee. Today, web browsers are essential tools for accessing the internet and are found on almost all computers and mobile devices. And in our day-to-day work lives, a whole lot of information passes through them. That reality has led to the development and deployment of Enterprise Browsers, customized versions with enhanced security and control mechanisms. Michael Fey is co-founder and CEO at Enterprise Browser provider Island, and I checked in with him for some insights. 

Michael Fey: Well, I think we can all appreciate that the browser has become the most widely deployed application on the planet. There's 5 billion consumers that use it. But it's also the most widely deployed application in our enterprises, in our companies, our organizations, our governments. And the reality is it is finely tuned and governed by the needs of the consumer, as it should be. But when we bring that into the enterprise, we have a different set of requirements and desires for it. And to date, we've treated it almost like a caged animal - backhauling its traffic, breaking its encryption, putting, you know, DLP or data prevention controls all around it, serving it up on virtual infrastructure - all in the name of trying to make this application safe, secure, easy to manage and productive. The Enterprise Browser stands to deliver a unique version of that specifically targeted to provide a productive and safe and great user experience for our organizations and employees. 

Dave Bittner: What are some of the concerns that folks have when you talk to them about adopting something like this? 

Michael Fey: You know, right away it's, is this going to feel different or do I have to learn something new? My user population, in many cases, is very, you know, large, and I don't want to have to undergo that training. And so that's one of the things people get really comfortable with quickly is this feels and acts like the browser you know and love. It installs on your desktop, just like every browser you've ever used. It's a little bit faster, but it provides all these wonderful connection points back into the enterprise to make our lives easier. And so that's one of the things we have to get through, is will my end users be negatively impacted? And the answer is no. They'll actually get a wildly more productive and viable experience than they have to deal with today in most companies. 

Dave Bittner: What about the security side of things? I imagine, of course, you probably have the ability to dial things in very specifically. But does it work with, you know, third-party offerings as well? 

Michael Fey: Yeah. So at the end of the day, think of it as just a browser that's contributing to the outcome. If you want to use some other control that you have in place today, you still can't. Now, granted, it does provide a lot of security controls better than things that are sitting on the outside because it's natively a part of the application. We don't have to do things like break its encryption just to govern what website it goes to. We don't have to force a whole networking path just to make sure that a particular device is configured correctly before it goes to one of our SaaS applications. But in a large enterprise that has, you know, countless number of tools, capabilities and dependencies, we can fit very nicely into those. But we can also start to simplify those stacks and remove a lot of repetitive and expensive controls. 

Dave Bittner: What about for folks who are under regulatory regimes, you know, who have to dot their I's and cross their T's when it comes to that? Is there - are there enhanced capabilities for them? 

Michael Fey: There most definitely is. We can literally govern anything that occurs in the browser. So take screenshots, for example. We have a lot of health care organizations struggling with protecting patient data but engaging in contract doctors. We can provide the bridge that allows them to be open to those doctors that need to be involved but protect that crucial data. We can mask the data the doctor doesn't need to see, like your Social Security number, maybe, you know, additional fields that aren't relevant to the problem at hand, but then share with them the data in a way that it can't be accidentally stolen or misused. So most definitely in those highly regulated, highly secured areas, they're finding a lot of value from the Enterprise Browser space. 

Dave Bittner: That's Michael Fey from Island. 

Dave Bittner: And it is always my pleasure to welcome back to the CyberWire Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post. Tim, welcome back. 

Tim Starks: Always good to be here. 

Dave Bittner: So this morning, you and your colleagues published an interesting report titled "Severe Vulnerabilities Found in Most Industrial Controllers." You got my attention here, Tim. What's going on? 

Tim Starks: I'm glad. You know, we talked a little bit - the headline was not what I wrote, and the editor changed it to that. I was like, are people going to know what industrial controllers are? But, you know, I was comfortable with what she did. So, yeah, industrial controllers are hard to describe, and that's why I wasn't sure what should have been the headline. The idea is that - it's a little bit like it sounds, right? It's a thing that controls industrial processes. It's - there's the kind of device that keeps, you know, electricity plants or water treatment plants safe and operational. And Microsoft took a look at the systems of its customers and discovered that 75% of them had high-severity unpatched vulnerabilities. So that's not great. 

Dave Bittner: How do we interpret that? I mean, you see a number like this and, for me, I think - and yet the lights are on, the water is flowing. Is this a ticking time bomb situation? Is this a - you know, a breathless headline that we need to put some perspective on? What's your take? 

Tim Starks: I think it's a little bit of both and somewhere in between there, maybe. The way it - you know, the way I react to it is that attacking these kinds of controllers would be very, very bad for us, for the people in the countries where they live. I mean, we saw - this goes back to the Stuxnet worm, of course, like, that demonstrates the power of these kind of attacks on these kinds of specific targets where, you know, Stuxnet was able to take down a bunch of nuclear facilities in Iran. And we've seen attacks on this kind of thing knock down power in Ukraine. We saw the threat of it happening in the United States when the Oldsmar, Fla., plant, where the water treatment facility - someone was able to get in and briefly elevate the levels of lye to very high levels before someone at the plant caught it and kept it from really happening. But, you know, these are also the kind of attacks that if somebody did it, there would be a lot of hell to pay in the United States, you know? 

Tim Starks: So I think that it's a - it's an option for our adversaries, but it's the kind of thing that if you're going to do it, if you're in Russia or you're somewhere - you know, somewhere in any country, you have to know that the United States is going to be very upset that you did it. And they're going to - there's going to be reaction. You've seen it with some of the ransomware gangs when they, you know, attack Colonial Pipeline and JBS. Suddenly we put a lot of attention on them, and it didn't go terribly well for them. You know, some - in some ways, they've reformed. But it's something that's scary, but if it happened - and it's not likely to happen - there would be a big, big repercussion. 

Dave Bittner: Yeah. In your article, you spoke with Bryson Bort from security company SCYTHE. And his comments were interesting. You want to share his insights? 

Tim Starks: Yeah. He - whenever talks about - he said whenever he talks about industrial control systems, he starts off by defining them. What's an industrial control system? And the answer is, it's any computer that's 20 years old or older. And that's a defining trait of these industrial control systems and controllers. For what it's worth, the controllers are the devices and then there are systems of them that - so I'm using the term a little bit interchangeably. But what I'm getting at is, you know, these devices are extremely old for the most part, or systems are extremely old. That makes them hard to update. It makes them hard - it makes it hard for them to run, you know, modern operating systems. And it makes it - they're hard to rip and replace. They're very - they're systems that are very, very focused on just keeping things running and keeping things going pretty well. And they were not built with security in mind. So they're not secure by design, as they say. 

Tim Starks: The other thing he told me is that, you know, there's a little bit of good work going on over at the Department of Energy office that the people call CESER on securing these systems. Otherwise, a lot of the work that's going on in securing them is - it's very part of other things. So, you know, you see CISA, you know, at the DHS office invite people to the joint collaborative environment. And I guess the JCDC is not the joint collaborative environment. But you know what I'm talking about. 

Dave Bittner: Yeah. 

Tim Starks: The - inviting people to attend that from the industrial control systems world, but there aren't a whole lot of dedicated initiatives right now to solving the industrial control system security problem. 

Dave Bittner: Interesting. One other thing I wanted to highlight - an article that you link to in the Cyber 202. This is a bipartisan push by a couple of lawmakers who are trying to improve the cyber literacy of their colleagues. 

Tim Starks: Yeah, that is something that I think, you know, they point out as needing to happen. This is Congresswoman Cathy McMorris Rodgers. She's probably going to end up being the Energy and Commerce Committee chairwoman. And Jim - Congressman Jim Himes is a prominent member of the House Intelligence Committee that I talk to from time to time on cyber issues. Essentially saying that there need to be more - more education, more hearings. And I think, you know, if you go back to many, many years ago with Senator Ted Stevens famously referring to the internet as a series of tubes, you can see that the history of people needing to get up to speed on this is real. 

Tim Starks: One thing I've noticed though - I think we talked about this last time we were chatting. You have congressmembers like Jim Langevin leaving, who's been a big, big voice on cybersecurity on the Hill. You have members like John Katko leaving, who has been a prominent voice on cybersecurity on the Hill. It's concerning to lose that expertise. But one of the things that's positive is that the older - you know, the further along Congress gets, the younger the members get. And that means they're more in tune with the internet and what it means, and they grew up with it more. That's a potentially very positive development that I think - the problem solves itself a little bit that way. But at the same time, it also requires people focusing on this. 

Tim Starks: And one of the things that's always been interesting about covering the national security community is, what do members of Congress get out of specializing in these things? When you're on the House Intelligence Committee, maybe you have a satellite contractor in your district that, you know, you can produce jobs and show jobs - like, I was on the House Intelligence Committee, helped to get this contract. But for the most part, it's - you know, it's hard to explain to your voters, yeah, I'm spending a lot of time on cybersecurity because - it's the kind of thing that doesn't sell for a lot of the lawmakers. Interestingly enough, there was a congressman who is no longer around who said that this was the No. 1 or No. 2 issue for his constituents. So I think it might be a matter of a disconnect between the lawmakers and what their - what they think their constituents want to talk about, and that might be why we haven't seen much focus on it. But I do think the more they pay attention, you know, and this kind of initiative that Himes and McMorris Rodgers are talking about takes off, that's also a positive element. 

Dave Bittner: Yeah. Well, it's reassuring to see that there's some self-awareness here, that it's an area... 

Tim Starks: Yeah. 

Dave Bittner: ...In which they need to focus. Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Millie Lardee (ph), Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoshite (ph), Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.