The CyberWire Daily Podcast 2.13.23
Ep 1759 | 2.13.23

Known Exploited Vulnerabilities. Fool’s gold. Hacktivists come in both dissident and loyal varieties. Naming and shaming the shameless.

Transcript

Dave Bittner: CISA adds to its Known Exploited Vulnerabilities Catalog. Cl0p claims responsibility for GoAnywhere exploitation. Victims mine for gold. Attackers use pig-butchering tactics. Activists disrupt Iranian television during Revolution Day observances. Killnet claims a DDoS attack against NATO earthquake relief efforts. CyberWire U.K. correspondent Carole Theriault asks what we can learn from the recent Roomba privacy snafu. Rick Howard looks at first principles we considered along the way. And can you name and shame the shameless?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 13, 2023. 

CISA adds three entries to its Known Exploited Vulnerabilities Catalog.

Dave Bittner: We begin with a quick note that will be of interest to U.S. federal civilian executive agencies. On Friday, CISA added three entries to its Known Exploited Vulnerabilities Catalog. One is a denial-of-service vulnerability in Intel's Ethernet Diagnostics Driver for Windows. The second is a remote command execution vulnerability in TerraMaster OS. And the third is a remote code execution vulnerability in Fortra GoAnywhere. More on that last one in a moment. U.S. federal civilian executive agencies have until March 3 to check their systems, and, as usual, they're advised to apply updates per vendor instructions. All three of the vulnerabilities are undergoing active exploitation in the wild. 

Cl0p claims responsibility for GoAnywhere exploitation.

Dave Bittner: Back to that Fortra vulnerability - the company disclosed a vulnerability in their GoAnywhere managed file transfer software, offering indicators of compromise with a patch following quickly thereafter. Attacks exploiting the vulnerability are said to be linked to operators of the Cl0p ransomware family, who themselves claimed credit to BleepingComputer on Friday. The GoAnywhere vulnerability, BleepingComputer explains, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to internet access. The release of a proof-of-concept exploit came last Monday, with the company providing emergency updates the following day. Fortra wrote on their support site Thursday that their managed file transfer as a service was also affected. The Cl0p gang reached out to BleepingComputer, claiming responsibility for the attacks and saying that they had stolen the data over the course of 10 days after breaching servers vulnerable to exploits targeting this bug. Lateral movement across victimized systems and implementation of ransomware were also reported possible, according to the spokesperson, though the gang's good nature, of course, prevented them from doing either, stealing only documents from compromised servers. Cl0p's observed activity exploiting a zero-day Accellion FTA vulnerability in 2020 to steal the data of around a hundred companies is reminiscent of this more recent activity that the gang claims affected 130 victims. In any case, users should patch in accordance with Fortra's instructions. 

Gold fever, catphish, pig butchering, and other badly mixed metaphors.

Dave Bittner: Sophos researchers today released a report detailing a scheme they're calling Fool's Gold, one of several pig-butchering schemes they've tracked earlier under the CryptoRom umbrella. Pig butchering uses emotional appeals, usually conducted with an extensive preparatory phase, to lure victims into fraudulent investments. The indelicate metaphor suggests fattening up the mark before leading them to slaughter. Researchers report that the scam began with a direct message on Twitter pretending to come from a woman in Hong Kong. She, he or they, of course, is a catfish. The woman moves the conversation from Twitter and onto Telegram and eventually brings up a gold-trading marketplace that her uncle taught her how to use. MetaTrader 4, a legitimate trading application created by a Russian company observed to be previously abused, is the app eventually provided to the researcher, though it's not delivered via the legitimate App Store but rather in the form of a link to a fake website. Here's where the story gets more complicated. The iOS download of the app alarmingly requires accepting an enterprise mobile management profile connecting the phone to a server in China. The researcher says the scammer claimed that the app had to be installed in this manner due to U.S. sanctions. So OK, thinks the prospective victim. Hey, I've heard about these sanctions. Sounds legit, maybe. She seems nice, right? Due to the actual MetaTrader 4 app's development by a Russian company, the app is not accessible in the U.S. store. 

Dave Bittner: Sophos reports that the illegitimate application is only slightly modified, with one server tracing back to the Hong Kong-based scammer. The scammer then redirects the mark to that uncle who, she said, was a gold-trading expert. The uncle, given the name Martin Richard, also feigns legitimacy. He's got a big-time backstory too, claiming to be a former Goldman Sachs analyst. You've heard of Goldman Sachs - sounds legit, right? Uncle Martine (ph) then provides a link to the Mebuki financial site and guides the victim through registration, with Martin eventually saying that the real account setup would enable deposits and trades that could be executed under his instruction. Martin and his niece - once again, we reiterate, just to be perfectly clear here - are catfish, fictitious personas. So remember, not all that glitters is gold. It's not even Goldman Sachs.

Hacktivists disrupt Iranian television during Revolution Day observances.

Dave Bittner: According to Reuters, hacktivists briefly disrupted a televised speech by Iranian President Ebrahim Raisi on the occasion of Revolution Day, observed Saturday. HackRead reports that the Iranian dissident hacktivist group Justice of Ali has claimed responsibility for the action. In addition to airing a familiar slogan, Death to Khamenei, the group urged Iranians to withdraw their money from state banks and participate in anti-government protests expected this Thursday. The hacktivists claimed responsibility in a communique stating, we, the Adalat Ali group, hacked the Islamic Republic of Iran's TV and radio transmission. First of all, the Adalat Ali Group offers its condolences to the entire freedom-loving nation on the decade of dawn at the impure arrival of Khamenei, the executioner to Iran. The disruption was brief, CNN says, lasting about a minute. 

Killnet claims a DDoS attack against NATO earthquake relief efforts.

Dave Bittner: Adalat Ali are dissident hacktivists. Other hacktivists, like Killnet, function in cooperation with their government, and they're not particularly picky about whom they disrupt. They've been interfering with Western hospitals, and now they're seeking to gum up relief efforts to Turkey in the aftermath of the recent earthquake. The Russian cyber auxiliaries of Killnet claimed over the weekend, we are carrying out strikes on NATO - details in a closed channel. The Telegraph reports that the boast referred to a distributed denial of service attack that's disrupted NATO communications with NATO aircraft delivering humanitarian relief supplies to earthquake-stricken regions of Turkey and Syria. A NATO representative said, NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis and takes cybersecurity very seriously. The effects of the attacks appear to have been limited and were contained after a few hours. It's worth noting that all it takes to draw Killnet's attention is the word NATO, and who cares about incidental suffering - not Killnet or Killnet's masters, obviously. 

Killnet and its partners establish a new pro-Russian darknet forum.

Dave Bittner: Radware has reported that Killnet and its partners in the Deanon Club, working together as the Infinity Team, have established Infinity, a darknet forum that caters to cyber criminals. The researchers state, the forum offers advertisement spaces, paid status for those who want to perform business on the forum and is currently offering a variety of hacking resources and services through its hack shop, including DDoS services. The Infinity Team claims to operate from Belarus, and it makes its resources available to all pro-Russian threat groups, providing a special section where they can post their own content. Radware says these groups include Beregini, Zarya, RaHDIt, XakNet, DPR Joker and NoName. The forum, and others like it, offer a way for hacktivists to combine patriotism with criminal profit. Radware concludes, if Infinity forum becomes successful, it will produce a windfall of profits for the pro-Russian hacktivist threat groups. 

Naming and shaming.

Dave Bittner: Wired sees recent U.S. and U.K. sanctions against Trickbot as representing a new kind of action against ransomware operators. Individuals are being named. This brings a greater degree of specificity to sanctions than complaints against government agencies - in this case, Russian. Whatever the effects of naming and shaming might be, they're unlikely to extend to Russian government action against cybercriminals. According to the Russian outlet Govorit Moskva, which sources its story to TASS, the Duma is considering legal immunity for hackers acting in the interest of Russia. Alexander Khinshtein, head of the Duma Committee on Information Policy, said last week, we are talking about, in general, working out the exemption from liability of those persons who act in the interest of the Russian Federation in the field of computer information, both on the territory of our country and abroad. The details will be made public once they're worked out. You probably can't shame the shameless, but maybe you can at least make it tougher for them to get access to hard currency and harder to vacation on the Riviera. 

Dave Bittner: Coming up after the break, our U.K. correspondent Carole Theriault asks what we can learn from the recent Roomba privacy snafu. Rick Howard looks at first principles we considered along the way. Stick around. 

Dave Bittner: You may recall there was a recent incident regarding a Roomba vacuum that invaded the privacy of someone in a private place in their home. Our CyberWire U.K. correspondent Carole Theriault files this report. 

Carole Theriault: MIT Technology had a big media win recently. Late last year, they got a tip that flagged some pretty concerning photos that had made it to the web. Now, these pics were taken inside people's houses and from a very low angle, looking upwards, sometimes even getting shots of the ceiling. Sometimes these pictures included people, but it looked like the people or pets had no idea that they were being photographed. How to tell? Well, one pic made headlines because the person was sitting on a toilet. MIT researcher Eileen Guo decided to investigate, and she says it took months. And they eventually were able to pinpoint the culprit - a Roomba, the smart automated vacuum produced by iRobot. 

Carole Theriault: What had gone wrong? Well, further investigation revealed that these were not customers but employees, also known as paid data collectors. In other words, the people in the photos were beta testers, and they had agreed - on paper, anyway - to participate in the process. The problem is that it maybe wasn't perfectly clear what participation meant. Eileen Guo summarized it like this - quote, "They understood that the robot vacuums would be taking videos from inside their houses, but they didn't understand that, you know, they would be labeled and viewed by humans, or they didn't understand that they would be shared with third parties outside of the country. And no one understood that there was a possibility at all that these images could end up on Facebook and Discord, which is how they ultimately got to us," unquote. 

Carole Theriault: Apparently, the images were leaked by some data labelers who were contracted in by iRobot. And this is a key point that the researchers make. These were low-paid workers that were being asked to label these images to teach AI how to recognize what they were seeing. And this is kind of important work. This is the process that makes it easier for computers to understand and interpret the data in the form of images or text or audio or video. And it's used in everything - from flagging inappropriate content on social media or, in this case, helping a robot vacuum recognize what's around it. Of course, employees who found Roomba snaps of themselves on the internet - ones they never knew were taken - must have felt like mugs and perhaps humiliated by the shortsightedness of their employer to think they could contract this out to low-paid workers. 

Carole Theriault: There's a few takeaways, though, in this story. I'd say let this be a reminder to, one, always read the fine print; two, think twice before allowing recording devices - be it a camera or microphone - into your private space, and that includes all smart electronics, from white goods to handsets to headsets to vacuums; and three, if you decide to bring one of these gizmos in, check the settings and change the default passwords. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to welcome you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So in our Slack channels this week, you have been waving around copies of some old research papers from the early days. 

Rick Howard: (Laughter) Yeah. 

Dave Bittner: I'm talking about the '60s, '70s, '80s and '90s, which sounds like my favorite radio station. But the digital dust was flying because those papers are so old. So what's going on here, Rick? 

Rick Howard: I know. Some of those papers are ancient. Well, as you know, my "CSO Perspectives" podcast is largely about getting back to the first principles - cybersecurity first principles, if you will. And I've made the argument over the past three years that our collections of best practices, laws and frameworks haven't really stemmed the hacking tide. You may have noticed, Dave. 

Dave Bittner: I - well, I totally agree with you. You know, I read the cyber news every day, and I read the cyber news every day - (laughter). 

Rick Howard: Yeah (laughter). 

Dave Bittner: It doesn't feel like the volume of attacks is going down at all. Are you saying that if those best practices and laws and frameworks are so good, then why aren't we on top of this? Why aren't we doing a better job? 

Rick Howard: Right. And let me reiterate here. Those tools aren't bad, per se. There's some really good stuff in those things. It's just that they're not sufficient. I make the case in my podcast that there are - these are not the essential first principles of cybersecurity. I mean, it's been 50 years since we started this security thing - let's call it the early 1970s when things got rolling - and these big-brain thought leaders, you know, from that time, like Willis Ware - we've all heard of these guys - Willis Ware and James Anderson and Bell and LaPadula and Schroeder and Saltzer - they made some assumptions about how to protect our digital spaces back in those early days, and the rest of us kind of just went along, and we never stopped to consider if we were going in the right direction in the first place. 

Dave Bittner: What do you mean? What were some of the big ideas back then? 

Rick Howard: Well, there was a bunch of ideas, but two that had some staying power - the No. 1 was that they all thought it was possible to design a computer system that couldn't be hacked. You know, that didn't turn out too good. 

Dave Bittner: Isn't that adorable? Yeah. 

(LAUGHTER) 

Rick Howard: I know. And we spent all that brainpower for 20 years trying to figure it out. So that's one thing. The No. 2 one, though, is the notion of the CIA triad - the confidentiality, integrity and availability. And that all sounds great when you say it fast - CIA triad - but it's not adequate to solve all the issues that we face in the modern day. So for this latest episode of the "CSO Perspectives" podcast, we talk about all of that and many of the other ideas that the research community has put forth up to the current day as the ultimate cybersecurity first principle. 

Dave Bittner: All right. Well, that is over on the subscription side. How about on the public side, with your "CSO Perspectives" show?

Rick Howard: This week, we're unvaulting another Rick the Tool Man episode from May of 2022 called "Software-Defined Perimeter." 

Dave Bittner: Oh, yes, I remember that one. Now, my recollection is that that name itself is kind of wonky and doesn't really accurately convey what the technology does, right? 

Rick Howard: Yeah, it's - right. Software-defined perimeter has nothing to do with perimeter defense at all. Who knew, right? So no wonder that most of us are confused about what the vendors are selling us every day. 

Dave Bittner: Yeah. 

Rick Howard: So SDP, as the cool kids call it, takes the identity and access management systems out of the traditional perimeter and moves them somewhere else in the cloud. The system verifies who you say you are and then establishes a connection to the workload, the only workload that you're authorized to connect to. So we're going to take a look at that. 

Dave Bittner: All right. Well, before I let you go, what is the phrase of the week on your "Word Notes" podcast? 

Rick Howard: This one we had a little fun with. With ChatGPT and AI being all the rage right now, we thought it would be fun to have the ChatGPT interface write the show for this week. We even asked it if - which movie or TV show best represents the current technology that ChatGPT represents, and you're going to be surprised with what we came up with. And that, Dave, is what we call a tease in the biz. 

Dave Bittner: (Laughter) Well played, sir. Well played. 

Rick Howard: (Laughter). 

Dave Bittner: All right. Well, Rick Howard is the CyberWire's CSO and also our chief analyst, but more importantly than any of that, he is the host of the "CSO Perspectives" podcast. Rick, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire Podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.