The CyberWire Daily Podcast 1.25.23
Ep 1746 | 1.25.23

TA444 and crypto theft on behalf of the Dear Successor. CryptoAPI spoofing vulnerability described. New Python-based malware campaign. User headspace. Tanks vs. hacktivists.


Dave Bittner: How do the North Koreans get away with it? They do run their cyber ops like a creepy startup business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed via phishing. MacOS may have a reputation for threat resistance, but users shouldn't get cocky. Some DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from The Washington Post's Cyber 202 shares insights from his interview with Sen. Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And private sector support for Ukraine's cyber defense.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 25, 2023. 

Spoofing vulnerability discovered in Windows CryptoAPI.

Dave Bittner: Akamai this morning released research detailing their analysis of a critical spoofing vulnerability CVE-2022-34689, affecting Windows CryptoAPI. The vulnerability allows for malicious actors to feign a genuine entity's identity and perform certain actions. According to Microsoft, this vulnerability allows for attackers to spoof their identity and perform actions such as authentication or code signing as the targeted certificate. CryptoAPI is the primary Windows API handling cryptography, particularly certificates. Akamai says exploitation has two primary steps. In the first, malicious actors take a legitimate certificate, modify it and serve the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate and using the new certificate to spoof the identity of the original certificate's subject. The vulnerability, though rated critical, was only given a CVSS score of 7.5. Researchers attribute that rating to the limited scope of vulnerable applications and Windows components in which the vulnerability prerequisites are met. 

Python-based malware distributed via phishing.

Dave Bittner: Securonix describes an attack campaign that's using a Python-based remote access Trojan dubbed PY#RATION. Securonix observed the first version of PY#RATION in August 2022, and the malware has been updated several times since. The RAT is distributed via phishing emails written in English containing malicious ZIP files. The ZIP files contain LNK files disguised as JPEG images showing a U.K. driver's license. The researchers believe the campaign is targeting users in the U.K. or other English-speaking countries. After installation, the malware can carry out a wide variety of malicious activities associated with other RATs, such as key logging and data theft. 

MacOS may have a reputation for threat-resistance, but users shouldn't get cocky.

Dave Bittner: BlackBerry has released its Quarterly Threat Intelligence Report for the fourth quarter of 2022, looking at various threats facing desktop and mobile devices. The researchers note that while macOS is often viewed as being more secure than other operating systems, users frequently install malicious or unwanted software on their Apple devices - stating, during the 90-day reporting period, the malicious application Dock2Master was the most seen threat on macOS. BlackBerry researchers noted that a whopping 34% of client organizations using macOS had Dock2Master on their network, where it was found on 26% of their devices. BlackBerry hasn't forgotten Windows, in case you're wondering, and their study is by no means a hit piece on macOS. Windows systems have their characteristic threats too. BlackBerry found that RedLine was the most active info-stealer targeting Windows systems. The point is, perhaps, that no operating system or the applications built for it can be proof against incautious users. Caveat clicker, as the Romans would have said if Nero had the internet. 

DevSecOps survey results show tension between innovation and security.

Dave Bittner: Dynatrace has published a study looking at the challenges of maintaining security during DevOps processes. The survey of 1,300 CIOs and senior DevOps managers found that over a third of respondents are forced to sacrifice code security to keep up with the demand for faster innovation. A few of the other findings they list - 90% of organizations say digital transformation has accelerated in the past 12 months. Seventy-eight percent deploy software updates into production every 12 hours or less, and 54% say they do so at least once every two hours. DevOps teams spend nearly a third of their time on manual tasks involving detecting code quality issues and vulnerabilities, reducing the time spent on innovation. Fifty-five percent of organizations make trade-offs between quality, security and user experience to meet the need for rapid transformation. And 88% of CIOs say the convergence of observability and security practices will be critical to building a DevSecOps culture. And 90% say increasing the use of AIOps will be key to scaling up these practices. The tension between competing goals is familiar. All managers want it faster, cheaper and better. Maybe start the process by picking two.

Russian hacktivist auxiliaries hit German targets.

Dave Bittner: Reuters reports this morning that Killnet responded to the German government's decision to supply Leopard tanks to Ukraine by hitting a range of German sites with distributed-denial-of-service attacks. They were generally brief in duration and amounted to little more than a minor nuisance. Germany's BSI cybersecurity agency said, currently some websites are not accessible. There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not expected if the usual protective measures are taken. So Killnet's got some script kiddies. The Leopard has a 120 mm smoothbore. Our hybrid warfare desk thinks that the latter is likely to prove more disruptive than the former. 

Private sector support for Ukraine's cyber defense.

Dave Bittner: Kyiv has often acknowledged the contribution private sector corporations have made to its cyberdefense and IT resiliency over the course of Russia's war. Computer World has an account of how one company in particular, Microsoft, has helped. The assistance rendered has been, the piece argues, both principled and the working of enlightened self-interest. Computer World says Microsoft isn't just trying to help defend a country under siege from an aggressive, more powerful neighbor. Russian cyberattacks against Ukraine can also get loose in the wild and do damage to enterprises and organizations that rely on Microsoft technology. Russia could also deliberately target private companies with those attacks. By helping Ukraine, Microsoft also helps its customers, and it happens to be good PR as well. Russian cyberattacks against Ukraine had gotten loose in the wild even before last year's invasion, with NotPetya being the most prominent example. Microsoft has provided both threat intelligence and the sort of hardening and resiliency that have helped Ukraine keep its networks up and running. Computer World summarizes the effects, stating, Ukraine has so far defeated Russia in the cyberwar. Russia's once-feared hackers threw everything they had against Ukraine, including trying to shut down the power grid, disable government networks and kill satellite communications. They failed every time. In full disclosure, we note Microsoft is a CyberWire partner. 

CISA issues two ICS advisories.

Dave Bittner: CISA yesterday issued two industrial control system advisories. As always, users are counseled to apply updates per vendor instructions. 

“Devotion to the dollar and the grind.”

Dave Bittner: And finally, whether you're in San Jose or Sinanju, it's the same jading story. As Proofpoint puts it in the study they released this morning about a North Korean APT TA444, a startup is a startup, whether you're a cool disruptor or an uncool grifter. North Korean state-run threat actors are distinctive in that they're at least as focused on stealing money as they are on stealing information. Proofpoint explains, TA444, which overlaps with public activity called APT38, Bluenoroff, BlackAlicanto, Stardust Chollima and COPERNICIUM, is likely tasked with generating revenue for the North Korean regime. Pyongyang's chronic financial hardship is the function of a failed economy, one kept down by global odium and international sanctions. So the regime turns to cybercrime to help keep itself together, able to buy the expensive stuff that, for example, a nuclear weapons program needs. Recently, TA444 has turned its attention to cryptocurrencies, selecting its victims and shaping its phishbait to suit the victims' probable susceptibilities. In doing so, the threat actor has been quick and opportunistic - and opportunistic in a way that, while morally objectionable, is operationally a good thing from TA444's point of view. They're acting like a startup in their focus on success and their devotion to trying whatever seems likely to work. 

Dave Bittner: Proofpoint sourly observes, while we do not know if the group has pingpong tables or kegs of some overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar and to the grind. Who knows? All of that stolen alt-coin can't be going to ballistic missile R&D. Your hackers need some R&R, don't they? Proofpoint's got a point here that they don't need to prove - pingpong and IPAs don't necessarily make for a healthy organizational culture. We've always preferred shuffleboard and a nice Gose, like those at Full Tilt down the block in Baltimore, where our editorial staff hangs out. Pingpong and IPAs? Come on, Pyongyang. You're not competing in Barmageddon (ph). Show some self-respect, Mr. Kim. I mean, you're supposed to be the banner of all victory and glory and not some tacky crypto bro, or so we hear. We note that in this report, Proofpoint is clearly having a lot of fun, and it's worth a look. 

Dave Bittner: Coming up after the break, Tim Starks from The Washington Post's Cyber 202 shares insights from his interview with Sen. Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. Stay with us. 

Dave Bittner: Many small companies simply don't have the resources to hire dedicated cybersecurity staff. And while there are many options available for them and plenty of offerings for them to consider, there's still a significant gap when it comes to cybersecurity accessibility. Keith McCammon is CSO and co-founder of security firm Red Canary, and I checked in with him for insights on the cybersecurity haves and have-nots. 

Keith McCammon: We're doing better than we were. I'm very much an optimist when it comes to, like, accessibility and security solutions, and I'd say even, you know, security of software and platforms is far better than it was when I started doing this 20-something years ago. Platforms are more secure by default. I think we're starting to understand what works and, you know, the types of controls and changes that have, like, the broadest impact. That said, at the lower end of the market, the small and mid-enterprise, you know, the cost of some of those solutions still exceeds what they're willing to or can support paying. So we definitely have some work to do when it comes to particularly, like, starting at the smallest enterprises or businesses and moving up right into what we think of as the traditional enterprise with thousands of employees. 

Dave Bittner: And is this primarily an issue of expense here? Or is it - I mean, we all know cybersecurity people are expensive to hire. 

Keith McCammon: Expense is one component of it. I think there's - yeah, there's two things, like the very - kind of zooming out, the first thing folks have to do is have an understanding of, like, the problems that they're most likely to face and the fact that they're likely to face them. And so helping folks to - you know, we say things like threat modeling, and we talk about threat intelligence. And when you're dealing with a mature enterprise and you're - you know, you're talking to peers and other information security professionals, those words resonate, and they make sense. That's not something you should expect someone at a small or even some - you know, most midsize businesses to understand. And so one component is the expense of hiring people. But I'd say, if you back up from that, it's just, you know, helping to do a better job educating folks - helping them understand, like, the threats that they're most likely to face, where and how those things are most likely to materialize and the likelihood that those things are going to happen to them, right? 

Keith McCammon: Now, when we - you know, when we think about things like threat modeling and threat intelligence, we tend to think of those by default as being very organization-specific. The one thing that we need to help folks understand before they start to do that calculus with respect to hiring people or bringing on board services is just helping them understand that baseline threat model that we all share, right? Like, ransomware has been a great equalizer there. And you can - you know, it's pretty fair to say that virtually every business of any meaningful size is now equally likely to be the target of a ransomware attack. And so just helping folks understand that, helping to simplify some of those concepts, helping to educate, I think, is the first step. And then, at that point, you know, folks are in a position to make a - you know, a well-informed decision in terms of investing whether that's in people, technology services. 

Dave Bittner: And how do you envision that sort of outreach taking place? How do we reach these folks who need these services and this information? 

Keith McCammon: I think when it comes to helping smaller and midsized enterprises in particular, reaching them is always going to be a little bit more difficult. They're - you know, they typically aren't seeking out this information unless they've already got someone on staff from a technology or security standpoint who's starting to look ahead and really kind of, you know, pushing that agenda and helping to kind of drive that understanding. So it's equal parts good and bad news. But, you know, the prevalence of attacks like ransomware, business email compromise, things like that, just the media coverage of them in general means that, I think, there is a - like, there's a baseline, like, level of awareness now in smaller and midsized enterprises that didn't exist before. 

Keith McCammon: And that's despite the fact that it's a - you know, obviously a negative consequence when those things happen. The fact that we're starting to talk more openly about them is positive. And I think in particular where that's materializing and how we're reaching them, sometimes in a roundabout way, the obvious efforts - things like community outreach, local user groups, information security organizations, particularly those at the local level where they're, you know, bringing folks together, setting up events, conferences, things like that - those are all good mechanisms to get folks who are interested access to the information and the people that can help. 

Keith McCammon: On the business side, I think what we're seeing now, which is also a positive outcome or a silver lining, is that boards, CEOs, legal counsel and folks like that - they're starting to ask more questions about cybersecurity readiness and whether the business is prepared to detect and respond to the cyberattacks that are most likely. And so that's - you know, for better or worse, I think that's how those two angles of attack - through community outreach and I'd call it, you know, grassroots or bottoms-up efforts to educate and share information coupled with media coverage, things like the impact of ransomware on cyber insurance and some other - like, those other activities or those other - like, that other educational motion or information sharing motion - that's how we're reaching more of the business folks, particularly in the small and mid enterprises, than we were before. 

Dave Bittner: That's Keith McCammon from Red Canary. 

Dave Bittner: And joining me once again is Tim Starks. He is the author of The Cybersecurity 202 at The Washington Post. Tim, always great to welcome you back. 

Tim Starks: Always great to be back. 

Dave Bittner: (Laughter) Well, you have, I have to say, a really interesting interview in The 202 this morning. You caught up with Sen. Mark Warner. 

Tim Starks: Yeah. Kind of an important fellow in the cybersecurity world especially as it pertains to the Hill. You have him co-founding the Senate Cybersecurity Caucus, which he still leads, and the Senate Intelligence Committee, which he is the chair of. So he has both a focus and an interest and a jurisdiction that matters. 

Dave Bittner: Yeah. Well, take us through some of the highlights of the interview here. What are some of the things that caught your attention? 

Tim Starks: So I think some of the things that caught my attention the most were certainly his focus on health care and his concern about ransomware attackers going after the health care sector and finding the health care information. We're talking about the very private information that, you know, were it to be posted online, it would be pretty bad for the organizations they took it from. And it being valuable - it's something that you can reuse in attacks. So he's very concerned about that. And one of the interesting elements of that was that he - you know, he talked about this a little bit in a report where there's just so many agencies that touch health care cyber, 16 in all. And he said, nobody's in charge, which was an interesting thing, I thought, for him to say, considering we have the national cyber director; we have someone - you know, Anne Neuberger at the NSC, who does this; we have Jen Easterly; we have the FBI; we have - I mean, there's just... 

Dave Bittner: Right. 

Tim Starks: ...So many people who are involved. And what he was saying was that even with all of that, it still is not clear who is really in charge. And that's something that we have heard from people on and off. And it sounds kind of wonky and, like, oh, it's just moving the boxes; it's personnel stuff. But I think it's important in the cyber world in particular because if you talk to the private sector, one of the things they say most often is, when I get attacked, I don't know who to go to. And there is an answer from the administration, and it's a coherent answer. But it's a complicated answer. It's not an easy, this is the person. It's, for this, you need to go to this person; for this, you need to go to this person. So that was interesting to me. 

Tim Starks: Another highlight was that he seems very interested in exploring some of the things you and I have talked about a little bit before - the whole national security cyber threat overlap where rules of war come into play. You know, one of the things that we've discussed is that NATO Article 5 rule, which says if - you know, an attack on one member is an attack on all, therefore, you invite a collective response. That has not been invoked very often. It's not - it's only been invoked once that we know of, and it's not been invoked for cyber. So he's talked about wanting to address that and explore that. It's a very complicated and difficult topic to address, so that's interesting. He kind of made news in every piece of the question I asked him, so we could talk about what he said about TikTok, we could talk about what he said about the cyber incident response law. 

Dave Bittner: Yeah. Let's start with TikTok here. I think he had some interesting things to say. 

Tim Starks: Yeah. He's been one of the Democrats who's been pushing the notion of a potential full ban on TikTok - or at least a ban on using it in the government - exploring ways to limit it. He has been one of the leading voices on the Democratic side for that. First off, he's not as concerned anymore about the privacy point, and I think that's a valid thing to back off of. It's not that there aren't privacy concerns about TikTok. It's not that there aren't privacy concerns that people should have or not have about the China ownership. But, in a lot of ways, the privacy piece of what's potentially upsetting about TikTok is not a lot different than the piece for Facebook or Twitter or any other social media platform. He was saying that he's - he - and this is something that we've actually seen from a number of TikTok critics that are moving in this direction - they're concerned about the way TikTok controls messaging and - you know, the fact that if China owns it, and they're sending one message to China and another message to the U.S., that's something that he's concerned about. 

Tim Starks: But I think, potentially, the most interesting policy ramification of what he said about TikTok was that he's not so sure that the Committee on Foreign Investment in the United States - which is this multi-agency committee that decides what happens when someone from another country tries to put a significant investment in a U.S. company - he's not sure that that's equipped to handle some of these national security/cyber concerns, like TikTok, like Huawei, like - Kaspersky was another one he mentioned. So if he's looking at a mechanism that is different than CFIUS, which we've had for a very long time in this country, that could be a very interesting policy development, too. 

Dave Bittner: Yeah. Real quick, what did he have to say about the cyber incident notification law? 

Tim Starks: Yeah, he was one of the first people who put out the idea that we needed - you know, this is after SolarWinds was such a big deal. He was one of the first people to put out the idea that we really need to have a way for companies to be mandated to report when they get hit by a major hack. And he had put some very strict terms on this. He was thinking of, like, 24 hours. He was including companies that weren't just companies that got hit, but companies that were - incident response companies that were helping those companies. And a lot of that got cut, even though, again, he was one of the originators of the idea, and he was - he indicated his disappointment with that and how that worked out. Another thing he said was that he wasn't - he did not like the amount of time that it would be required to enact that into law. The law was passed in 2022 - early 2022 - and there is an approximately three-year period of rulemaking that actually will make it go into effect. And he mentioned he was concerned that it might string out for longer than that. You know, if you follow the federal government, occasionally... 

Dave Bittner: (Laughter). 

Tim Starks: ...Occasionally they don't meet their deadlines on things like this. 

Dave Bittner: Yeah (laughter). 

Tim Starks: So I think that's what he was getting at. He said he didn't want this to last five years, and he talked about maybe we can see about going back and revisiting this in law. I don't know if there's going to be enough momentum for him to do that, but it's an interesting thing that we should keep an eye on because, as he said, if there's another big major - he actually used holy heck. I don't know if that's a Virginia-ism (ph)... 

Dave Bittner: (Laughter). 

Tim Starks: ...But he said, if there's another holy-heck moment like that - like a SolarWinds or like a Colonial Pipeline - he's not sure that people are going to be happy with this thing still gestating. 

Dave Bittner: Yeah. Well, it's an interesting interview, and I do recommend folks check it out. It's over at The Cybersecurity 202 at The Washington Post. Tim Starks, thanks so much for taking the time for us today. 

Tim Starks: Always, always. Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.