The CyberWire Daily Podcast 2.17.23
Ep 1763 | 2.17.23

FBI Investigates a network incident. Developments in cybercrime. DDoS against German airports. US forms a Disruptive Technology Strike Force. CISA releases 15 ICS advisories.


Dave Bittner: The FBI is investigating incidents on its networks; Frebniis backdoors Microsoft's servers; ProxyShell vulnerabilities are used to install a cryptominer; Havoc's post-exploitation framework; Atlassian discloses a breach; German airports sustain a cyber incident; an Aspen Institute report concludes that cyber assistance benefits Ukraine; the U.S. announces Disruptive Technology Strike Force; Robert M. Lee from Dragos on the value of capture-the-flag events; our guests are Commander Brandon Campbell of U.S. Navy Cyber Defense Operations Command and Captain Steve Correia, commanding officer of Naval Networks Warfare Command; and CISA releases 15 ICS advisories. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 17, 2023.

Report: FBI investigating incident on its networks.

Dave Bittner: CNN reports that the U.S. FBI has contained and is investigating an incident that affected systems the bureau uses to investigate child sexual exploitation. The FBI has been tight-lipped, saying only this is an isolated incident that has been contained. As this is an ongoing investigation, the FBI does not have further comment to provide at this time. 

Frebniis backdoors Microsoft IIS servers.

Dave Bittner: Symantec has spotted a new strain of malware called Frebniis that's being deployed against targets in Taiwan. Frebniis abuses a troubleshooting feature of Microsoft's internet information services to install a backdoor. Symantec explains the technique used by Frebniis involves injecting malicious code into the memory of a DLL file related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved. Symantec adds that Frebniis can be used to proxy commands to systems in a network that aren't accessible from the internet. The researchers conclude no files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild. 

ProxyShell vulnerabilities used to install cryptominer.

Dave Bittner: Morphisec is tracking a stealthy malware campaign that's distributing new ProxyShellMiner cryptominers. ProxyShellMiner exploits the ProxyShell vulnerabilities in Microsoft Exchange Server, which Microsoft issued patches for in 2021. The malware uses the vulnerabilities to gain initial access, then installs the cryptominer. The researchers note that while cryptominers are often viewed as a somewhat benign form of malware, the access gained by attackers can be used to launch more damaging attacks. 

Havoc's open-source post-exploitation framework.

Dave Bittner: Zscaler observed the Havoc framework being deployed against a government organization last month, and the security firm has published a detailed analysis of how the framework operates. BleepingComputer says that among its most interesting capabilities, Havoc is cross-platform, and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls. It's worth noting that, like Cobalt Strike and other similar tools, Havoc is intended to be used by penetration testers. Like most pentesting tools, however, it can be abused by threat actors. 

Atlassian discloses data breach.

Dave Bittner: In what appears to be a case of stolen credentials, Atlassian says that unauthorized parties obtained access to sensitive corporate information, including employee records. CyberScoop reports that the SiegedSec criminal group claims it's begun leaking the stolen data. The gang said earlier this week, we are leaking thousands of employee records as well as a few building floor plans. These employee records contain email addresses, phone numbers, names and lots more. According to BleepingComputer, the criminals obtained the data via Envoy, a third-party app Atlassian uses to manage its offices. Neither Envoy nor Atlassian were hacked in the sense of having malware deployed against them or by having their systems compromised by attackers using technical means. It appears that an Atlassian employee's Envoy credentials were obtained and then used to access the app. Atlassian and Envoy are cooperating on their response to the incident. 

German airports sustain a cyber incident.

Dave Bittner: Reuters reports that German airports have sustained an unspecified cyber incident, believed to be a distributed denial-of-service attack. There is little information available and no attribution yet, but Deutsche Welle points out that the attack bears a strong resemblance to an earlier DDoS attack the Russian auxiliaries of Killnet that mounted against German airports. 

Aspen Institute report concludes that cyber assistance benefits Ukraine.

Dave Bittner: A study by the Aspen Institute concludes that international assistance rendered to Ukraine for its cybersecurity has blunted the effects of Russian cyber offensives. The institute looked at the record compiled by the Cyber Defense Assistance Collaborative for Ukraine, which has given four kinds of assistance - intelligence analysis, support and sharing, licenses, tactical services and advising. The report says, cyber defense assistance in Ukraine is working. The Ukrainian government and Ukrainian critical infrastructure organizations have better defended themselves and achieved higher levels of resiliency due to the efforts of CDAC and many others. The report concludes, however, that CDAC's work is not yet done and that Ukraine will require support through the next phases of Russia's war. 

US announces "Disruptive Technology Strike Force."

Dave Bittner: U.S. Deputy Attorney General Lisa Monaco yesterday announced the formation of a Disruptive Technology Strike Force, an interagency collaboration between the U.S. Department of Justice and Commerce. Its aim will be to deny hostile governments tactical advantage through the acquisition, use and abuse of disruptive technology innovations that are fueling the next generation of military and national security capabilities. CyberScoop reports that the new strike force is intended as an evolutionary development of the Committee on Foreign Investment in the U.S., a mechanism that's hitherto been used to protect U.S. technology from hostile foreign poaching. The Disruptive Technology Strike Force is expected to bring enforcement out of the brick-and-mortar period in which CFIUS was drafted and into the present age of cyber espionage. 

CISA releases fifteen ICS advisories.

Dave Bittner: CISA yesterday released 15 industrial control system advisories. They cover systems by Siemens, Sub-IoT, Delta Electronics and BD Alaris. Operators, check your systems and, as always, apply updates per vendor instructions. 

Happy Presidents Day.

Dave Bittner: And finally, Monday is the U.S. federal holiday of Presidents Day. And the CyberWire won't be publishing on the 20th. We'll be back as usual, on Tuesday. To those of you who also observe the holiday, on behalf of all of us at N2K Networks, enjoy the long weekend. And for those of you who are outside of the U.S., enjoy the regular weekend. We'll see you again on Tuesday. 

Dave Bittner: Coming up after the break, Robert M. Lee from Dragos on the value of Capture the Flag events. Our guests are Commander Brandon Campbell of the U.S. Navy Cyber Defense Operations Command and Captain Steve Correia, commanding officer of Naval Network Warfare Command. Stay with us. 

Dave Bittner: The mission statement of the United States Navy is to recruit, train, equip and organize to deliver combat-ready naval forces to win conflicts and wars while maintaining security and deterrence through sustained forward presence. In today's world, achieving that mission means the U.S. Navy must maintain a high level of cybersecurity in order to protect its data networks and systems from malicious actors. My guests today are two distinguished naval officers on the front lines of that critical mission. Commander Brandon Campbell is operations director at Navy Cyber Defense Operations Command. Captain Steve Correia is commanding officer of Naval Network Warfare Command. Commander Campbell leads off our conversation. 

Brandon Campbell: I'm the operations director at Navy Cyber Defense Operations Command. And essentially, at NCDOC - is what we call it - we are chartered and responsible for protecting and defending the Navy's global array of networks across 180 networks, to be exact. And in that responsibility, we protect and defend against malicious cyberactivity and advanced persistent threats. And we do that 24/7, 365. And then if there's actually an incident or an actual compromise on a Navy network, we're then also responsible for doing the risk analysis, assessing it, and then, when needed, expelling the adversary from our networks. 

Dave Bittner: Captain Correia, how about you? 

Steve Correia: Naval Network Warfare Command's mission is to operate and secure Navy networks and communication systems. So we do that in our ashore enterprise networks and the ashore portion of our float networks. And we're also designated under Fleet Cyber Command as the commander of Task Force 1010, which we have tactical control of the command and control communications commands within the Navy. 

Dave Bittner: So I'd love to get the perspective from both of you. You know, the Navy's network has some uniquely difficult defensive challenges when you think about everything that's on your network, you know, from data centers, office buildings, and then, of course, ships and airplanes and the global distribution of all of that. And then also you're dealing with many levels of classification. That's a big problem. And how do you come at that? 

Steve Correia: Dave, I'll start first. So that's part of the reason why the Navy's taken a more agile approach and we've moved to a more zero-trust approach, is because of those complexities. You know, I think for the longest time we tried to keep the adversary outside the walls of the castle, if you will. But we've realized over time that that's difficult if not impossible in a lot of cases. So we've increasingly adopted a zero-trust approach where we assume the adversary's inside the castle walls, and we put controls in place to guard the data and information systems from those adversaries. 

Brandon Campbell: To dovetail a little bit on that, you know, the Department of Defense recently just issued late last year its overarching first ever zero-trust strategy. And like Captain Correia just said, you know, the very first sentence of that strategy states that our adversaries are in our network. So that's a huge paradigm shift in how we look at, evaluate and design resilient networks, resilient and secure networks. So in parallel with that part of that strategy, the Department of Defense has underlaid and implemented seven essential pillars for its zero-trust strategy. And then with each one of those pillars, there are subactivities - 152 to be exact - and set a very lofty goal of achieving zero-trust capabilities, strategies and principles no later than 2027. And the Navy is well on its way and helping pave the way towards those capabilities, aggressively modernizing its IT, as well as implementing cloud-native cyberdefense and cybersecurity tools. So it's been a really exciting time, and I'm really excited to see how the next, you know, five years or so as we modernize and get to 2027 - what the changes of our landscape and how we design and secure our networks are going to look like. 

Dave Bittner: You know, there's that old cliche, and forgive me for using it, but, you know, a battleship doesn't turn on a dime. Do you all feel as though you have the ability to be nimble, to react to the things that are coming at you, again, with an organization as large in breadth and depth as the U.S. Navy? 

Steve Correia: Yeah, I'll take that one, Brandon. If - it's very perceptive, but I - you know, in my career, that's generally been my experience, but I think it's changed recently. And so we, during the pandemic, because the leadership at the top - Mr. Weiss, Ms. Youngs Lew at PEO Digital - so our acquisition partners - and operationally on our side, myself and my predecessor, Captain Jody Grady, decided - made a conscious decision to move out quickly on implementing cloud once we had a secure implementation. And we did so in the image of DevOps or Agile. And our current framework is Scaled Agile Frameworks, so SAFe. And we are definitely taking a more agile approach. 

Steve Correia: And because of that, we're working together with our acquisition partners and engineering in a DevOps type of model where we are able to make agile decisions, make configuration changes in that DevOps type of approach. And for me, it's been a revolution, you know, very much getting away from the traditional waterfall approach where we took a long time to write a requirement, and then the engineers went back into the engineering spaces and came out with a product that wasn't to anyone's satisfaction on the ops world and a little bit dissatisfaction on the engineering world, too. So we're in a different place right now where we're all working together toward a common goal, and it's refreshing to see. 

Dave Bittner: Commander Campbell, I'm curious what your pitch is for folks who may be considering a career with the Navy. We have a lot of listeners who are students coming up. There are unique challenges there of joining the service but also some really amazing opportunities. 

Brandon Campbell: Yeah, there really are. You know, and I'm wrapping up my two-decade career here in the next few months, so I have done some reflection on that personally. And it is an exciting time, especially in the cyber field, the cyber community at large. There's a large modernization effort going on across the Navy. You know, I've had the unique opportunity through my career, through working with SEAL teams to being deployed on ships, aircrafts and the whole host, the whole gamut. So it's always exciting. It's always challenging. There are a lot of educational benefits and opportunities if you just take advantage of them. So I would encourage anyone out there who's looking for a way to get a little of excitement, to do a very, very important mission for our Navy and for the national security of our nation. And really just kind of embrace it and know that it's going to be long and sometimes it's going to be hard and challenging, but at the end of it, you absolutely will be better off for it and then walk away for the rest of your life knowing that you've served your nation and you've done something really unique and special. So yeah, I'm super excited and - to what the future holds, and especially as this advancing career in this industry, in the cyberdefense and cybersecurity space and where it's going to go here in the next five, five-plus years. 

Dave Bittner: You know, Captain Correia, we have quite a few senior members of industry and government who listen to our show. I'm curious - if you had the opportunity to ask, is there any support or assistance that you would request from those folks? 

Steve Correia: Actually, Dave, the support has been great to the approach that we've taken. And Brandon mentioned this earlier. The leadership has been - has really leaned in on this, and they've put their money where their mouth is because they've really, really supported us on various approaches that we've taken but also on the common decisions that we make and we've made to secure the network. And in some cases, you know, we've taken a pretty aggressive approach on security, which, you know, can have impact in some cases, but they've - you know, we've kind of all worked on that together on finding that right balance. So I just want to say thank you, actually, to leadership for their support. 

Dave Bittner: Our thanks to Commander Brandon Campbell, operations director at Navy Cyber Defense Operations Command, and Captain Steve Correia, commanding officer of Naval Network Warfare Command. We appreciate them taking the time for us. 

Dave Bittner: We will be publishing an extended special edition of this conversation this coming Monday. Look for it in your CyberWire podcast feed or on our website. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always a pleasure to welcome you back to the show. You and your colleagues there at Dragos had your Dragos Industrial Security Conference back in November of last year, and that included a capture the flag element. And I wanted to touch on that today, why you think that's an important thing to include in an event like the one you held and what you and the participants get out of it. 

Robert M Lee: Yeah. So capture the flags in general are a fantastic form of training and sort of testing out those skills. Sometimes it's testing. Sometimes it's more training. If you look at, like, the SANS CTFs as an example, their NetWars, ones that they run at their conferences, like, level one and level two are very educational. Click on it. Get a hint. You'll get the answer, but it's more teaching you how to do it. Level three is, hey, you know, this is harder. This is now kind of testing out your skills, and level four or level five is just like, we're going to kick you in your teeth. Like, good luck, you know? It's just kind of that process, which is both educational and testing, which makes it both fulfilling and challenging, but people leave with better skills than just sort of the academia or theory of it. 

Robert M Lee: And so in the same mindset, we want to do that, of course, on the industrial control system side. And when I came into this field, it was impossible. There was no ICS CTFs, even in the government circles. For me to get access to industrial networks that were our own - to get access to our own industrial networks was extraordinarily expensive or costly or whatever to be able to go in there and do anything. So it was just unaccessible, which meant it was difficult to bring people in the field 'cause I could lecture to them. We could do PowerPoints. We'd give them a packet capture every now and then of something with, like, a Raspberry Pi generating Modbus TCP traffic. But that was about it, and that's not very realistic. 

Robert M Lee: And so I love the idea of bringing people into the community. Of course, I want Dragos to be successful and live our mission, but the reality is our mission is kind of for naught if we don't build a community around us and sort of raise all boats, if you will. And so we put a lot of effort and time. We've got some phenomenal people on the staff that spend a ton of time making these CTFs. We'll generally run two a year, one in combination with the SANS ICS team for their annual summit and one at our conference, the DISC conference that you mentioned. And it's free. It's accessible. Anybody can access it around the world and online. There's no cost, no, like, filtering. 

Robert M Lee: And we've got millions of dollars' worth of control equipment that we've had to buy just for our own testing EQA purposes and so forth for our technology product, and so taking those same ranges, setting up actual industrial environments and emulating adversaries against them and releasing packet captures, Logic files, memory images, all that kind of fun stuff is just, I think, very, very helpful to the community. When you can get over 1,000 people at a time signing up and playing, I think that's good validation as well that the people are responding well. And what we hope to see is more and more people kind of cross-training into OT security from IT security, and we want to see new people in the field understand that it is accessible and it is a viable career path to go into. 

Dave Bittner: From your perspective, what goes into setting up one of these things successfully? I mean, how do you blend the different elements, the different challenges that people are going to face? 

Robert M Lee: Yeah, some of them - so first and foremost, you got to have the equipment, right? So I always get folks who are like, oh, I want to emulate this and just do virtual, and, like, that can work a lot with IT networks, but when you're talking with OT, you really want a physical process to be there. That's what's going to make it a real thing, not just sort of the network protocols. And so we do have real ranges that we set up. So in our office, as an example - well, one of our offices, as an example - we have a Lego city that's, like - I think it's, like, 12 feet by 6 feet, and it's, you know, train and wind turbines and all sorts of real stuff, and there's racks of equipment behind it, monitoring and doing the control of. In another part of the building, we've got a little gas pipeline. In another part of the building, we have a brewery, which is completely just for science and analytics purposes... 

Dave Bittner: Sure. Sure. 

Robert M Lee: ...Even though the beer - nominal. Anyways, the - so those physical processes then have all the control equipment and networks around them. And we have a control engineer on staff that does nothing but maintains all that equipment as if you're talking about a normal production environment. And then our services and intel team will go through and actually build out the scenarios. 

Robert M Lee: Some of them are going to be in emulation of things that we've seen in the past, so emulating Electrum going after Ukraine electric system, as an example, or emulating, maybe - I think this past year we had an emulation of the Xenotime group going after the Saudi Arabian petrochemical facility using Tri Sys and try to modify and blow up the safety system - right? - so stuff like that. But then we also have just kind of, oh, that would be neat, or kind of hard challenges and release some of the folks in the team, just go get creative and come up with interesting things. But none of it's designed to be gotchas. 

Robert M Lee: It's not designed on how, hard can we make this? I mean, we could we could crank it up pretty high. It's designed on what skills are realistic that people should have, and can we expose those through the CTF? Now, our CTFs are not hacking kind of - I don't know - hacking's an abuse word - but, like, pen test-type CTFs. It's not break in (inaudible) server. It's digital forensics, network security monitoring, kind of like defensive skill sets, log analysis, etc. And in that way, it also tends to be pretty unique. And there's not many of those out - and again - there's more now, but there's not as many of those as there are the, let me set up some stuff and go hack it, 'cause the, I'm going to break into something, generally at first sounds sexier. 

Robert M Lee: You spend years doing that, and you find out the defense is really, really sexy. But that, again, makes it something different for folks, gives them access to equipment and environments they just have no chance of having access to otherwise and, again, hopefully just encouraging people to come to the field, and if not, at least having a better understanding of it. You know, being an IT security person at a manufacturing company or data center or whatever, having a better understanding of what's happened in those control networks broadens out people's expertise. And even if they're not going to do the OT security work themselves, at least they understand it more now and kind of collaborate better inside their companies. 

Dave Bittner: And having this sort of visibility as you all are able to observe the folks who are participating here as they're, you know, banging away on things and trying to solve these, are there aha moments for you all along the way? 

Robert M Lee: Maybe, but we don't really do that, because it's not them banging away because we give them the files and the data and everything else. They take it home with them and work on it and submit the answers. So we don't... 

Dave Bittner: I see. 

Robert M Lee: ...We - as a company strategy in general, we really try not to hold on to people's data or insights or monitor people. And so, like, I mean, we're a giant target, if you think about it from, like, almost every state actor out there that wants to do industrial probably would like to know what we're working on. 

Dave Bittner: Yeah. 

Robert M Lee: And so the last thing I want to do is be holding on to people's data or insights. So we don't really see that. I'm sure there would be aha moments 'cause there're some just really brilliant people and really brilliant talent across the world. But unfortunately, and by design, we don't watch them do it. 

Dave Bittner: OK. Interesting. All right. Well, Robert M. Lee, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today’s stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Wendy Nather from Cisco. We're discussing their work on Cracking the Code to Security Resilience, lessons learned from the latest Cisco Security Outcomes Report. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.