The CyberWire Daily Podcast 1.19.23
Ep 1742 | 1.19.23

Criminal-on-criminal action in the dark web. The cyber phases of the hybrid war heat up. ICS vulnerabilities. Codespaces and malware servers. Blank-image attacks. Social engineering.

Transcript

Dave Bittner: A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyberattacks continue. An overview of the second half of 2022 ICS vulnerabilities. Codespace accounts can act as malware servers. Blank-image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest is Gerry Gebel from Strata Identity to describe a new open-source standard that aims to unify cloud identity platforms. And travel-themed phishing increases.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 19, 2023. 

Hostile takeover of the Solaris contraband market.

Dave Bittner: Happy Thursday to you all. It is great to have you here with us today. Researchers at Elliptic report that, as they put it, Friday the 13 was unlucky for the bad guys over at Solaris. Solaris is one of the biggest dark web drug markets, a principal successor to the old Hydra market, which was taken down in April of 2022. Last week the rival dark web market Kraken, which has no connection with the legitimate cryptocurrency exchange of that name, compromised and took control of Solaris. Elliptic explains, Kraken attributed its successful takeover to poor operational security by Solaris admins, allowing the hack to take place over three days without notice. Logs apparently confirming Kraken's full control of Solaris were also shared. 

Dave Bittner: There's been bad criminal blood between Solaris and Kraken for some time, and there are signs that some of Solaris' criminal customers have also been dissatisfied with the service they've received from the market. Both Solaris and Kraken are based in Russia. There's therefore a wartime angle to the story, and it suggests that criminal rivalries among Russian gangs have endured through their recruitment as cyber auxiliaries of the Russian security and intelligence services. Solaris is associated with the Killnet patriot hacktivist group, which has become the most prominent Russian cyber auxiliary. Kraken is reckoned to be pro-Kremlin as well, but that hasn't inhibited it from taking a whack at its rival. 

Ukraine warns that Russian cyberattacks continue.

Dave Bittner: The ineffectuality of Russia's cyber operations against Ukraine have been surprising. As we've had occasion to note, they've fallen short of the expectations set during half a decade of pre-war cyberattacks against Ukrainian infrastructure. But Ukraine wants to warn the rest of the world that the danger, while for now successfully being contained, isn't over. The Guardian reports that Viktor Zhora, of Ukraine’s State Service of Special Communication and Information Protection (SSSCIP), is visiting Britain's GCHQ this week and has said that Russian cyberattacks have tripled over the past year and continue at a high rate. Interestingly, he said that, in some cases, cyberattacks supportive to kinetic effects have been seen. That is, Ukraine seeing signs that Russia is attempting to integrate cyber operations and information operations with missile strikes and action on the ground. 

Dave Bittner: Mr. Zhora's remarks are consistent with a report his agency issued earlier this week titled "Cyber Attacks, Artillery, Propaganda. General Overview of the Dimensions of Russian Aggression." The report stresses signs that Russian attempts at coordinated operations have increased. That Russian targeting has been not just indiscriminate but directed specifically and directly against civilians as part of an intentional campaign of terror. The document also makes the case that Russian cyber operations can amount to war crimes and that they probably have already done so. 

Dave Bittner: The cyberattacks have generally been parried by Ukrainian defenses, but they remain an enduring threat. The report ends with a call for more international cooperation against cyberattacks, whether by Russia or other authoritarian regimes, and notes the value of considering those states' military doctrine in forecasting their probable courses of action in cyberspace. It calls for international recognition of the ways in which cyber operations can constitute either crimes against peace or war crimes. And it urges an expansion and tightening of economic sanctions against Russia. 

An overview of 2H 2022 ICS vulnerabilities.

Dave Bittner: Whether nation-state attacks against industrial control systems rise or not, it's worth taking stock of the known vulnerabilities and mitigating them insofar as that's feasible within a reasonable risk management framework. SynSaber has published a report looking at ICS vulnerabilities catalogued by the U.S. Cybersecurity and Infrastructure Security Agency in the second half of 2022. The researchers found that 35% of vulnerabilities disclosed in the second half of 2022 don't currently have a patch available, and 33% will require a firmware update. Additionally, 43% of vulnerabilities were discovered by security researchers rather than the equipment manufacturers. The researchers also note that 22% of the vulnerabilities require local or physical access to the system in order to exploit.

 

Codespaces accounts can act as malware servers.

Dave Bittner: Researchers at Trend Micro have found that GitHub code spaces, a cloud-based IDE that was released in November 2022, can be abused to create a trusted malware file server. The issue lies in code spaces' ability to share forwarded ports publicly, which allows developers to preview their projects as an end user. The researchers write, we investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration - sharing forwarded ports publicly - can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even, as it searches malicious content such as scripts, malware and ransomware, among others. And organizations may consider these events as benign or false positives. 

Dave Bittner: The researchers explain that attackers can easily abuse GitHub code spaces in serving malicious content at a rapid rate by exposing ports publicly on their code space environments. Trend Micro also notes that they haven't seen this technique used in the wild yet, but as a proof of concept, it's worth preparing for. 

Campaigns leveraging HR policy themes.

Dave Bittner: Abnormal Security released research this morning on phishing attacks purporting to be from internal HR departments with policy updates in the new year. One of the attacks, a payload-based credential phishing attack, claims to be from the victim's company human resources department, informing them of updates to benefits packages. The email asks for the review of an updated handbook, which would lead to a credential harvesting login page imitating Microsoft. 

Travel-themed phishing increases.

Dave Bittner: And finally, as people return to travel, as the pandemic ebbs, criminals are returning as well. Bitdefender has published a report looking at the prevalence of travel-themed phishing scams. The researchers found that 60% of all travel-themed emails sent between December 20 and January 10 were phishing attacks. Most of the attacks observed by Bitdefender targeted English-speaking users. They say, particularly, spammers push their travel-themed lures on English-speaking recipients, with 53% of correspondents targeting U.S. inboxes. The U.S. is followed by Ireland, India, the U.K. and South Africa. Germany trails at only 4%. 

Dave Bittner: Many of the scams impersonate airlines, including Southwest Airlines, Ryanair, Lufthansa, Air France and American Airlines. These scams are designed to gain access to travel rewards and loyalty accounts. Bitdefender says, airline loyalty programs are highly desired digital assets for cybercriminals as they contain a wide variety of personally identifiable information on travelers and airline points that can be monetized on the dark web. So, travelers, you know what they say. Keep your friends close, your enemies closer and your loyalty programs closest of all - pretty sure that's how they say it. 

Dave Bittner: Coming up after the break, Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest is Gerry Gebel from Strata Identity on a new open-source standard that aims to unify cloud identity platforms. Stick around. 

Dave Bittner: Multicloud adoption continues to grow, with some reports indicating that the majority of organizations are making use of more than one public cloud service. This opens the potential for security and risk management challenges since each of the cloud providers uses their own proprietary identity system and policy language. Gerry Gebel is head of standards at Strata Identity, where they're leading an open-source industry standards initiative called IDQL, Identity Query Language, and Hexa orchestration. 

Gerry Gebel: So some of our founders and early management team - they're a part of SAML, the Security Assertion Markup Language, from back in the early 2000s. That was one of the first standards for federated identities. So you could have single sign-on across different application domains. And so there's a lot of history and DNA within the company here to really not only embrace standards but really support them in a significant way. And as the founders began Strata as an identity orchestration company that deals with identity across domains - primarily authentication but other aspects as well - in a multi-cloud environment, they realized that if you take it one step further and look at access policies across a multi-cloud kind of environment, they realize there's no standard there. Every platform - it seems like every implementation of an application has its own way of doing access policy. 

Gerry Gebel: So that was the - you know, the genesis or the motivation for coming up with IDQL, or Identity Query Language - is an attempt to standardize or normalize that access policy across a multi-cloud environment where IDQL can be the single point of definition of access policy. And then we use the Hexa open-source software to translate that IDQL format into the format of the target or bespoke system. 

Dave Bittner: And you have quite a number of folks on board here who have joined this effort. 

Gerry Gebel: That's right. We have a mix of vendors and end users that are part of the working group at the moment and a number of individual contributors as well. 

Dave Bittner: Can you give us some insights as to some of the technical challenges that go on behind the scenes here? I'm just thinking with the variety of cloud providers out there, they all have their own proprietary standards here. It must be a bit of a puzzle to get them all to work. 

Gerry Gebel: That is spot on. It's - you know, it's definitely a big challenge. If it was easy, anyone could do it, right? 

Dave Bittner: (Laughter). 

Gerry Gebel: And it's also why, you know, it's a big commitment to really bootstrap this effort. We started, you know, in the middle of last year and started looking at, you know, what's the right architecture for such a system. And then we took the three main cloud platforms and started with them. And in each case, it's a lot of research, you know, looking into the APIs that are available for managing policy. You know, it's not about managing users but managing roles in groups and policy formats and a lot of research into those - to that documentation and those APIs and then, on the software development side, again, trying to experiment through a lot of trial and error to get things working the way we want them to. 

Gerry Gebel: So, you know, that is a - gives you a sense of some of the challenges we've come across and also that they are so different, right? Each platform - if you look, again, just at the main three cloud platform providers, each of their APIs is so different, and they have a similar but different mix of technical capabilities up and down the stack whether you're talking about the IDP - you know, the identity provider functionality or how you authenticate to various kinds of proxies that can stand in front of applications. And, yes, it's a complex mix, but we're trying to, you know, take chunks that we can solve and work on them and just make continuous progress. That's been our approach so far. 

Dave Bittner: Yeah, I would imagine, you know, along the way, making sure that you're not introducing any security issues on your own. 

Gerry Gebel: That's quite true. And this is where I think the CNCF model is very helpful. You know, we're a sandbox project at CNCF, the Cloud Native Computing Foundation, and they really emphasize the security aspect. So we're doing code scans. We're doing, you know, vulnerability scans, and - as well as staying up to date on any vulnerabilities that might affect the different components that we are working with, because you're absolutely right. You know, we're dealing with the access policies to sensitive or valuable resources. So we don't want to introduce a new vector of attack in our work. 

Dave Bittner: You mentioned that despite, you know, Strata having a leadership role in this effort, this isn't a product. This is an open industry standard. Why is Strata choosing to invest in this, just to spend time in this project for the greater community? 

Gerry Gebel: Yeah, well, we made the decision pretty early on when we decided to tackle this challenge that it's something that was bigger than, you know, just a commercial product that Strata could introduce. So we felt it was more valuable to contribute this to the industry rather than just to make, you know, another commercial product to address it. So that, you know, was the basic motivation - not a whole lot more to say to that. We just thought it was bigger than Strata itself. 

Dave Bittner: That's Gerry Gebel from Strata Identity. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it's always great to welcome you back to the show. I want to touch base with you. I saw you and your colleagues there at Arctic Wolf had a blog post recently about improving your security posture at your home. I think this is something worth visiting here. What do you got to share with us today? 

Dinah Davis: Yeah, I mean, we often think about hackers trying to come at a company, like, through company resources, right? But they're really going to try from every angle possible. And one popular way that they've been making progress is through people's personal accounts, right? So even if we look at the May Cisco breach, the hacker there gained access to the employee's personal Google email account. This was really interesting. It wasn't just that they, like, reset passwords and stuff, but once they did that, they were able to get into their Chrome browser password store and extract all passwords from there, one of which was really bad, which was the VPN access to their work, which, like, people, your VPN access, any work passwords should never be in a personal password store anyway, full stop. But again, this is why maybe using a Chrome browser or the Safari key password store is not a great idea. Having things separated makes it harder. 

Dave Bittner: Well, let's go through some of the things that really caught your eye here. What are some of the ones that rise to the top of your attention? 

Dinah Davis: So you want to use VPNs as much as possible, right? So if you're at home in a coffee shop or anywhere that is not the office, you could be subject to a man-in-the-middle attack, which is when somebody is able to pretend they're actually your home Wi-Fi or your - the coffee shop Wi-Fi and give you access to the internet through that, but see everything you're typing. So if that happens, if you're using a VPN, what a VPN is going to do is encrypt all the data going through, and so even if you are in the middle of a man-in-the-middle attack - wow, that's some inception right there - you're going to be fine, right? So that's - those are really important. Also using MFA, multifactor authentication - right? - so even if they got his whole password store, if he'd have had MFA or a second-factor authentication, it still would have been hard for them to get in, right? 

Dave Bittner: Right. Right. I remember seeing a study from Google - it was probably a year ago now - where they said that people who put MFA, like, on their Gmail accounts don't get hacked. Like, it wasn't, like, 90%. It was, like, 100%. If you have a hardware key, you're probably good to go. 

Dinah Davis: Yeah, because, like - OK, I liken it back to when I grew up, I grew up in Winnipeg, Manitoba, Canada, and it happens to be the car theft capital of Canada - or it was in the '90s, let's put it that way. I have no idea if it still is. 

Dave Bittner: (Laughter) OK. 

Dinah Davis: OK? 

Dave Bittner: Right. 

Dinah Davis: And so what we used to do is, like, we had this thing called the club, and it was, like, this metal bar that you put across your steering wheel, and you locked it, and it made it so you couldn't turn the wheel. So even if they hotwired your car, they couldn't turn that wheel. Now, could they... 

Dave Bittner: Right. 

Dinah Davis: ...Still get that off with like a massive saw or something like that? Sure they could. But if they're going down the street, looking into the driver's seats of all the cars, the ones with the clubs aren't going to get hit because it's just too much work, right? 

Dave Bittner: Right. Right. 

Dinah Davis: And I think that's the same principle that's happening when you put MFA on your accounts, right? You've made it harder. Unless they really, really want you for a very specific reason, they're not going to bother, right? Here's a good one that I failed at recently. Secure your physical devices. So that means do not leave things on airplanes. 

Dave Bittner: I feel like there's a story here. 

Dinah Davis: Yeah, I might have just done that recently. It was very annoying. 

Dave Bittner: (Laughter) Oh, no. Oh, no. 

Dinah Davis: If you leave it on an airplane while it's an airplane mode, it's very (laughter) hard to get to. But here's a good thing to do. Make sure you set up that emergency contacts on the front of the phone because it will turn the airplane mode off when they call you for 24 hours. And you can get the device wipe and find your phone, Google or iPhone, in there. So it does happen. I wasn't worried when I lost my phone because I have all the passwords set. I have MFA on my Google accounts. I was able to reach my phone and security wipe it. So it's not an issue, but it's still not something I would have liked to do. In the future... 

Dave Bittner: Yeah. 

Dinah Davis: ...I don't think I'll ever do that again. But when you're running for a connection, sometimes it's easy to misplace some things. 

Dave Bittner: Yeah, leave that in that pocket in the front of the seat next to you. I mean, it brings up a good point that I've heard people say when you're traveling, which is not to put all of your electronic eggs in one basket. In other words, you have your mobile device, and it gets lost, you need to have another device to be able to go in and try to change whatever settings you need to on that original device. 

Dinah Davis: A hundred percent. So, you know, I was able to log into my computer that I also had with me and, you know, get the device wipe. And then, you know, until I got my phone back, I was able to use my iPad for the key store. Like, I was so happy that I had a authenticator that backed up into the cloud. So, you know, like, Google Authenticator, I use a different one. I use... 

Dave Bittner: Right. 

Dinah Davis: ...The one that LastPass uses. 

Dave Bittner: Yeah. 

Dinah Davis: And so you can back it up into your LastPass account. I'm very careful not to use the same, like, password keeper app. So I use one password for my passwords and LastPass for my authenticator. So they're in two separate systems entirely. But I was able to, you know, pull that all up on my iPad and relive. So I had very little disruption to my life other than not being able to receive text messages while the phone was lost and, you know, kept going. And I wasn't really worried. 

Dave Bittner: All right. Well, good tips for sure. Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.