Disentangling cybercrime from cyberespionage. A threat to the IoT supply chain. What do you do with the hacktivists when they stop being hacktivists? A retired FBI Special Agent is indicted.
Dave Bittner: DragonSpark conducts opportunistic cyberattacks in East Asia. ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers. The IoT supply chain is threatened by exploitation of Realtek Jungle SDK vulnerabilities. CISA adds an entry to its Known Exploited Vulnerabilities Catalog. A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's post-war future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-Man is indicted on multiple charges.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 24, 2023.
DragonSpark conducts "opportunistic" cyberattacks in East Asia.
Dave Bittner: So are they spies or just crooks? Sometimes it's not obvious, and that's the case today with a group that's romping through East Asia with some seldom seen but not entirely novel tools. SentinelOne this morning described the activities of a threat actor they're calling DragonSpark. The researchers are fairly confident it's a Chinese group, but whether it's a criminal or an intelligence organization remains unclear. The motive behind the attacks could be either financial gain or espionage. DragonSpark is making heavy use of SparkRAT, a multi-platform and feature-rich tool that's open-source but little seen and that's also regularly updated with new features. The attacks use Golang source code interpretation - also an uncommon technique - to thwart static analysis and evade detection.
ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers.
Dave Bittner: Bitdefender has observed an increase in attacks using ProxyNotShell and OWASSRF exploit chains to target Microsoft Exchange servers. ProxyNotShell and OWASSRF are exploit chains that launch server-side request forgery against Exchange servers. These exploits can allow an authenticated user to escalate access and carry out remote code execution. BleepingComputer reported earlier this month that more than 60,000 Exchange servers are still vulnerable to these attacks. Bitdefender describes several recent attacks using these exploit chains, including one by the Cuba ransomware operation. Bitdefender says that most of these attacks targeted entities in the United States but that companies in Poland, Austria, Kuwait and Turkey have also suffered. Look to your patches, and look to your mitigations.
IoT supply chain threatened by exploitation of Realtek Jungle SDK vulnerability.
Dave Bittner: Looking at attack records between August and October of last year, Palo Alto Network's Unit 42 researchers discovered that one vulnerability in particular, a remote code execution issue affecting the Realtek Jungle SDK, was particularly attractive to attackers. It's unusual, Unit 42 says, to see a single vulnerability account for more than 10% of the attacks detected over a period of time, but this one accounted for more than 40% of the total number of attacks over those three months. The researchers wrote this morning, many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices. This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world.
CISA adds an entry to its Known Exploited Vulnerabilities Catalog.
Dave Bittner: CISA yesterday added a vulnerability to its Known Exploited Vulnerabilities Catalog. U.S. federal civilian executive agencies have until February 13th to apply vendor updates to address CVE-2022-47966, remote code execution vulnerabilities in multiple Zoho ManageEngine products. They contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency.
Cisco study finds organizations see positive returns from investment in privacy.
Dave Bittner: Cisco this morning released their 2023 Data Privacy Benchmark Study, which takes a foray into privacy and its impact on organizations from the perspectives of security professionals worldwide. The study details continued strong investments in privacy despite the global economic downturn, reporting an increase from $1.2 million three years ago to $2.7 million today. Organizations believe these are worthwhile investments, citing the benefits of building trust with customers, reducing sales delays or mitigating losses from data breaches, as some significant or very significant benefits from these expenditures. The benefits are estimated to be valued at around 1.8 times what organizations are spending, with a whopping 94% of those surveyed indicating the value of the investments outweighing the costs overall. Seventy-nine percent of surveyed professionals believe that regional privacy laws have been a positive influence, with privacy legislation present in 157 countries - 12 more than last year. A majority of respondents - 88% - reported more comfort in storing their data within their own country lines. However, the reality, when factors such as costs and security are considered, drives professionals toward globalized organizations. The bulk of respondents - 90% - did report belief that a global provider operating at scale would be better suited for data protection when compared to local options.
What's the hacktivist's postwar future?
Dave Bittner: Hacktivism has been practiced by both sides during Russia's war against Ukraine, with both Moscow and Kyiv using hacktivists as an auxiliary to their security and intelligence services' cyber organizations. In Russia's case, these auxiliaries have been marshaled to a significant extent from the Russian organs' long-standing relationship of tolerance and of collaboration with criminal organizations. The situation in Ukraine has been different, with more emphasis on recruiting IT sector workers, hobbyists and script kiddies into the IT army. An essay in WIRED wonders what the IT army's hacktivists, in particular, can expect once the war is over. Could they, for example, be prosecuted for cybercrimes? It seems unlikely that any jurisdiction other than a Russian one would undertake to do so, but WIRED considers it a serious possibility.
Dave Bittner: Hacktivists who've developed their skills during the war do represent an augmentation to a cyber workforce, and governments might devote some thought on what to do with them in the post-war world. The essay concludes, in 2023, voluntary cyber organizations in support of Ukraine may therefore prove to be both an opportunity and a challenge. Governments would do well to see the IT army of Ukraine as a recruiting ground, a pool of talent for official cyber volunteer programs. Of course, it's possible that they'll go back to their old jobs or find other hobbies to replace their wartime engagement. If the hacktivists feel, however, that they have discovered their vocation, then careers in threat research or pentesting could be good possibilities.
Retired G-Man indicted.
Dave Bittner: And finally, in a black eye for the bureau, retired FBI agent Charles F. McGonigal, formerly the special agent in charge of the New York Field Office, has been indicted for improper contact with foreign agents. The U.S. attorney for the District of Columbia yesterday said, according to the nine-count indictment, unsealed today, from August 2017 and continuing through and beyond his retirement from the FBI in September 2018, McGonigal concealed from the FBI the nature of his relationship with a former foreign security officer and businessperson who had ongoing business interests in foreign countries and before foreign governments. Specifically, McGonigal requested and received at least $225,000 in cash from the individual and traveled abroad with the individual and met with foreign nationals. The individual later served as an FBI source in a criminal investigation involving foreign political lobbying, over which McGonigal had official supervisory responsibility. McGonigal is accused of engaging in other conduct in his official capacity as an FBI special agent in charge that he believed would benefit the businessperson financially.
Dave Bittner: Some of these actions took place before Mr. McGonigal retired from the FBI in September of 2018. But he's also in trouble for activity alleged to have occurred after he completed his career at the bureau. The U.S. attorney for the Southern District of New York, in a separate announcement yesterday, said that Mr. McGonigal has also been charged with five counts connected with alleged violation of sanctions against Russian entities. Specifically, he's charged with violating and conspiring to violate the International Emergency Economic Powers Act and with conspiring to commit money laundering and money laundering. The sanctioned Russian oligarch Mr. McGonigal is alleged to have been close to is Oleg Deripaska, who, the FBI said in their comment on the arrest, performs global malign influence on behalf of the Kremlin and are associated with acts of bribery, extortion and violence. Of course, those accused are rightly considered innocent until proven guilty. The story, however, can't be described as anything other than depressing.
Dave Bittner: Coming up after the break, Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT, who discusses the security of removable media devices. Stick around.
Dave Bittner: Every few years, we see reports of someone doing a test where they drop a bunch of USB flash drives in a parking lot to see how many people will find it, take it inside and plug it into their work computer without giving it a second thought. Indeed, infected removable media was part of the plan recently observed from the UNC4191 cyberespionage group targeting organizations in Southeast Asia. Pete Lund is VP of OT security products at OPSWAT, and I reached out to him for a reality check on securing removable media.
Pete Lund: Although we have seen some of our customers implement technologies that actually let you transition the removable media, the data on the removable media from removable media to something like an internal network share - so giving you the ability to kind of stop that threat while you do a bit of a check in and move to a more acceptable form of media installation.
Dave Bittner: It's interesting - kind of remotely detonate the removable media device.
Pete Lund: Yeah, yeah, give you the ability to check it, see what's on it. OK. Let me only take the things that are good, known good, and move them into the environment safely.
Dave Bittner: So then what are your recommendations? I mean, people have systems that they need to have air gapped, and when they need to get stuff on and off of them, what kind of options do they have?
Pete Lund: So really, I like to start with the easiest one, which is around policy and procedure. There's lots of great recommendations, whether they come in the form of, you know, like, NERC CIP in the U.S. utility industry or, you know, the NIST cybersecurity framework or, really, any good, you know, industrial security program and policy you can put in place. You know, that's that check, that step and check to say, validate who's bringing the media. Validate, you know, in a very basic way what's on it. So people and process are very much at the heart of cybersecurity. And then as you mature, you can get into doing things like dedicated removable scanning stations and even some that provide this ability, you know, on the fly in a mobile environment or even doing things like transitioning of that media to something that's known good. So let's say you're standardized on using a specific type of trusted removable media in your environment. You can do that transition with some great tools out.
Dave Bittner: And what is the state of things when it comes to, you know, things like a scanning station? I mean, are those reliable? Is that the kind of thing that people can count on?
Pete Lund: Yeah, they're highly reliable. And they do it kind of in an interesting way where, you know, a typical computer that you and I might be using right now might have traditional, you know, antivirus, anti-malware programs on it. What scanning stations do is they leverage multiples of those. And then also, we use up to 30 different scanning engines to really get close to 100% effective capture of those threats and, really, your earliest way to get access to stopping or discovering kind of a zero-day. We've got lots of different engines from great vendors that you've heard of around the world, and that really helps that detection capability.
Dave Bittner: And how do you keep from injecting too much friction in the process here, you know, slowing down people's work?
Pete Lund: Yeah. So two different ways we like to tackle that - one is you can actually do this scanning in that media transition mode that I talked about. So if a contractor is looking to, you know, introduce something in, you can have it scanned as soon as the contractor arrives while they're checking in, signing their name at the front desk. And then we take technology and go off and do all that scanning into the background. And by the time the contractor walks their way, you know, down into the industrial environment, that media has been scanned and approved or even transitioned to the industrial environment on their behalf, so really making it part of that early in the workflow 'cause we know scanning takes time. And it's all about that time and number of engines and processing. And we offer some great solutions that can be deployed and used in a very, very rapid environment and lots of great ways to mitigate the time there.
Dave Bittner: What are your recommendations for folks who are looking to get started with this, to go down this pathway? Where's a good place to begin?
Pete Lund: Yeah, so a great pathway is to start to understand your process. So do you have contractors bringing in removable media? Is it employees from IT that need to bridge the IT/OT gap? Look at what types of media are coming in. Is it, you know, binaries to update things like PLCs and RTUs? Is it, you know, very large-sized Windows updates? Is it programmable logic data? Take a look at the data that's coming in, and then you can kind of right-size your solution for not only the data but the threats you're worried about. Are contractor's bringing in things like Word documents or PDFs? All of those can be part of the process in understanding and choosing what the right solution can be for you. And then, ultimately, if you can take a strong stance and ban removable media, you can actually have the ability to do some of this scanning prior to someone showing up. So, oftentimes, we'll introduce workflows where a contractor is going to be on site, you know, next week. Mr. Contractor, please upload all of your files to this safe and secure portal, and they'll be scanned and ready for you, and on removable media when you arrive. So you can even get that kind of mature with your removable media security program.
Dave Bittner: That's Pete Lund from OPSWAT.
Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting story - this came by the way of the Associated Press, and it's titled, "Fake 'General'" - and general is in quotes...
Joe Carrigan: Right.
Joe Carrigan: ..."Scammed Seniors in Online Romance Scheme." This is the kind of thing we cover over on "Hacking Humans" quite often. What's going on here, Joe?
Joe Carrigan: So this is a story - I don't know why the dateline's coming out of Providence, R.I., but...
Dave Bittner: Yeah.
Joe Carrigan: ...It's a story about a Texas man who's pled guilty in a romance scam where he scammed a total of about $1.6 million from women, pretending to be a U.S. Army general.
Dave Bittner: Oh.
Joe Carrigan: Now, his name is Fola Alabi.
Dave Bittner: Yeah.
Joe Carrigan: I think I'm saying that right.
Dave Bittner: Yeah.
Joe Carrigan: Even though this guy's a criminal, I don't want to disrespect his family name. But he pleaded guilty in the U.S. District Court of Rhode Island. I guess that's why it's coming out of Rhode Island, because...
Dave Bittner: Yeah.
Joe Carrigan: ...The Feds have taken this guy into custody. I don't know if you're familiar about the difference between - I mean, there's a difference between federal and state prosecution. You probably are familiar with that...
Dave Bittner: Sure.
Joe Carrigan: ...Of Ben Yelin. But the Feds - when the Feds prosecute you, it's a whole different ballgame than when you're being prosecuted by a state or local attorney. It is bad news.
Joe Carrigan: Because one of the things about the federal government and the lawyers is they do not like losing cases.
Dave Bittner: Oh.
Joe Carrigan: So generally, they don't take a case unless they're pretty sure they can get a conviction.
Dave Bittner: I see. So what exactly was the scam here?
Joe Carrigan: So the scam was he would be on social media sites, and he would fake that he was - or tell these women that he was a general in the Army and stationed overseas. He went after women in their 70s or 80s, and they were usually widowed or divorced. And he would then persuade them to send him checks or cash. And he lived in Richmond, which is near Houston - Richmond, Texas.
Dave Bittner: OK.
Joe Carrigan: The money was then deposited into his bank accounts, which he then started moving around very quickly. So the Feds have charged him with conspiracy, which is the romance scam part, and then money laundering, which is moving the money around and trying to disguise where it came from. One of the victims was a woman from Arizona who lost $334,000. The prosecutors are saying that she, quote, "felt shame, embarrassment and guilt" over being scammed and now doesn't have enough money to buy food or pay bills as a result.
Dave Bittner: Wow.
Joe Carrigan: I'm hopeful that they can get some of the money back for this poor woman...
Dave Bittner: Yeah.
Joe Carrigan: ...Who was scammed out by this - scammed out of a third of a million dollars by this guy. That was probably her life savings. In fact, that was her life savings.
Joe Carrigan: There was a Rhode Island woman who sent a check for 60 grand and was going to send an additional 24 - I'm sorry, $240,000, but her bank determined that she was being the victim of fraud and put a hold on her account, notified police.
Dave Bittner: Wow.
Joe Carrigan: So whoever that bank is, thank you very much. Good job.
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: I wish more banks did this.
Dave Bittner: But, you know, that's an interesting trend, though. I mean, I think for - again, something we talk about over on "Hacking Humans" is that we're seeing more and more of this, even to the point where cashiers at drugstores...
Joe Carrigan: Right.
Dave Bittner: ...If they see you buying a bunch of gift cards, they have been trained now to ask you what's going on.
Joe Carrigan: Right. I went into the LEGO store. Did I tell you this already?
Dave Bittner: No.
Joe Carrigan: I went into the LEGO store to buy some gift cards for my nephews.
Dave Bittner: Yeah.
Joe Carrigan: And I walk up to the guy and I say, I need two hundred-dollar gift cards for my nephew who's in deep legal trouble. And he looks at me and I go, I'm kidding. I need them for my nephews. I promise.
Joe Carrigan: But he's like, that's good, 'cause I wouldn't sell them to you, so...
Dave Bittner: (Laughter).
Joe Carrigan: He - we had a conversation about it. I told him about this - about our podcast, "Hacking Humans," and...
Dave Bittner: Yeah.
Joe Carrigan: ...He said, well, I'll check it out. He probably never checked it out.
Dave Bittner: But he'd been trained. He'd been trained.
Joe Carrigan: Right. He'd been trained, exactly.
Dave Bittner: Yeah.
Joe Carrigan: He knew what to look for. Here's something interesting about this. When federal agents searched Alabi's phone, they found photographs and videos of packages containing cash and checks he received from the victims. Dave...
Dave Bittner: It's always good to document your crimes, Joe.
Joe Carrigan: Right, yeah. Dave, whenever I'm up to something that is, you know, a little silly and my daughter pulls out the cellphone, I go, that's evidence. Put that away.
Dave Bittner: Right. Right.
Joe Carrigan: (Laughter) Right? And I don't understand why these criminals do this. Hey, look at all this money I just scammed this woman out of. Let me take a picture of it. I'm glad that he does it. I'm glad that he did it because that's just more evidence for the prosecutors to use to convict him. And actually, he got a plea - or he pled out. Sentencing is scheduled for April 25. So it'd be interesting to see how much time this guy gets.
Dave Bittner: So I suspect, you know, a lot of folks in our audience who certainly are better informed than the average person out there, they're probably, you know, nodding their head along with this and thinking, well, I certainly would never fall for something like this. But I think, first of all, you might.
Joe Carrigan: Right, yeah.
Dave Bittner: Second of all...
Joe Carrigan: That's a dangerous mindset to have, actually.
Dave Bittner: Yeah. I think, you know, one of the main reasons we share this is that it's good to check in with your loved ones.
Joe Carrigan: Right. That's a good point.
Dave Bittner: Let them know about this sort of thing. You know, the older folks, the people who might be vulnerable here, just - this is a great - this is an interesting story. It's great to have a conversation about and use that as a way to discuss some of these potential frauds. You know, those of us who are in the know kind of have a responsibility to look out for folks who may have a target on their backs.
Joe Carrigan: Right. And anybody that is going to have a target - two things I want to say. Everybody has a target on their back. And it's just a matter of finding out what that target is, which kind of dovetails into the I-would-never-fall-for-this kind of mindset. That's a - I said that's a dangerous mindset, and I mean that. You may not fall for this specific scam, but there is something that will work on you. Pretty much guaranteed there's something that will work on you. And when we're talking on "Hacking Humans," every now and then we hit something and I go, this is one that would work on me.
Dave Bittner: Yeah.
Joe Carrigan: The one thing that comes to my mind every single time - the first example of that - is a pickpocketing scheme where a pickpocket will take a bottle of mustard or ketchup or something and spray it on a kid. And then the kid goes up to his parent and goes, look what happened. Somebody's just got mustard all over me. That would work on me pretty much every time - right? - because I'm like, oh, look at your clothes. I can't stand the kids being messy. I would be bending down, and that's when they reach behind you and pick your pocket.
Dave Bittner: Right.
Joe Carrigan: So there are things that will work on you. You have a trigger. You may not know what it is. The more, I think, that you listen to stories like this, the more inoculated and better off you are.
Dave Bittner: Yeah.
Joe Carrigan: But that does not make you impervious.
Dave Bittner: Yeah, absolutely. All right, well, Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.