The CyberWire Daily Podcast 3.31.23
Ep 1792 | 3.31.23

A glimpse into Mr. Putin’s cyber war room. 3CXDesktopApp supply chain risk. XSS flaw in Azure SFX can lead to remote code execution. AlienFox targets misconfigured servers.

Transcript

Dave Bittner: The Vulkan papers offer a glimpse into Mr. Putin's cyber war room. The 3CXDesktopApp vulnerability and supply chain risk. A cross-site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution. Rob Boyce from Accenture Security on threats to EV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a less-is-more approach to cybersecurity. And AlienFox targets misconfigured servers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 31, 2023. 

The Vulkan papers.

Dave Bittner: A disaffected insider has apparently leaked sensitive information about Russia's preparation and waging of cyberwarfare. NTC Vulkan, a Moscow-based IT consultancy, has been exposed as a major contractor to all three of the principal Russian intelligence services, the GRU, the SVR and the FSB. Vulkan's specialty is the development of tools for cyberattack. Der Spiegel, one of a group of media outlets that broke the story, sources it to a major leak, stating, this is all chronicled in 1,000 secret documents that include 5,299 pages full of project plans, instructions and internal emails from Vulkan from the years 2016 to 2021. Despite being all in Russian and completely technical in nature, they provide unique insight into the depths of Russian cyberwarfare plans in a militarized country that doesn't just fight with warplanes, tanks and artillery but with hackers and software. 

Dave Bittner: The Vulkan papers reveal that the company is engaged in supporting a full range of offensive cyber operations. Its services and products extend to espionage, disinformation and disruptive attacks intended to sabotage infrastructure. And the company also provides training to its customers in the security and intelligence fields. The Washington Post, another recipient of the leaks, ascribes them to a disaffected insider who's motivated by opposition to Mr. Putin's war against Ukraine. The Post reports, an anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia's attack on Ukraine. The leak, an unusual occurrence for Russia's secretive military industrial complex, demonstrates another unintended consequence of President Vladimir Putin's decision to take his country to war. 

Dave Bittner: The anonymous leaker explained the motivation behind their actions, stating, the company is doing bad things, and the Russian government is cowardly and wrong. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors. 

Dave Bittner: They also told their German contact, when declining to provide identification, that they intend to vanish like a ghost for obvious reasons of personal security. Taken as a whole, the documents show that Russia is devoting considerable attention to cyber battlespace preparation. Keep those shields up. 

3CXDesktopApp vulnerability and supply chain risk.

Dave Bittner: Many companies' research units are reporting that a vulnerability in the widely used 3CXDesktopApp is being exploited in a supply chain campaign that may prove as significant as, for example, the SolarWinds incident. SentinelOne, Sophos, and CrowdStrike have all made public reports about the intrusion, with 3CX itself issuing its own warning yesterday morning. A supply chain attack on enterprise phone company 3CX may have compromised thousands of business networks, the Record reported yesterday. The company, which Bleeping Computer says provides services to companies like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK's National Health Service, confirmed yesterday that its desktop app had contained malware. The desktop app, TechCrunch reports, is used for voice and video calls. Chief executive of 3CX, Nick Galea, initially noted surprise in a Twitter thread that the compromise was not reported by SentinelOne sooner. But SentinelOne's Juan Andres Guerrero-Saade noted the issue's presence in 3CX's support forums as far back as March 22.

Dave Bittner: Security Week reports that 3CX Chief Information Security Officer Pierre Jourdan said that the intrusion could be the work of a state-sponsored advanced persistent threat. He said, the issue appears to be one of the bundled libraries that we compiled into the Windows Electron app via GIT. Worth mentioning, this appears to have been a targeted attack from an advanced persistent threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected. Cybersecurity firm Huntress has reported almost 2,800 intrusions within their partner base. CrowdStrike also confirmed activity on both Windows and macOS, and found the malware to be notarized by Apple, which the outlet says indicates that the tech giant checked it for malicious elements and failed to find any. However, that seems to no longer be the case, as users are now seeing a warning before the installation of the app. The approximately 400 megabyte Mac application was confirmed by Patrick Wardle to contain suspicious activity, the outlet reports. TechCrunch notes that Linux, iOS and Android versions of the app still appear unaffected at this time. 

XSS flaw in Azure SFX can lead to remote code execution.

Dave Bittner: Researchers at Orca Security discovered a cross-site scripting vulnerability affecting Azure Service Fabric Explorer. The vulnerability, which Orca calls Super FabriXss, can allow remote attackers to leverage the XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. Microsoft issued a patch for the flaw in its March 2023 Patch Tuesday fixes. Organizations that have updated Service Fabric Explorer to the latest version are protected against this vulnerability. For more on this vulnerability, see CyberWire Pro.

AlienFox targets misconfigured servers.

Dave Bittner: And finally, we close with a look at another commodity being traded in the criminal to criminal market. SentinelOne describes AlienFox, a toolset designed to steal credentials and API keys from at least 18 cloud service providers. The toolset is being sold over Telegram and is under active development. AlienFox opportunistically targets misconfigured web servers hosting web frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress. The toolkit will then dump the server's configuration files and extract cloud API keys and secrets. The researchers state that the spread of AlienFox represents an unreported trend toward attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns. 

Dave Bittner: Coming up after the break, Rob Boyce from Accenture Security looks at threats to EV charging stations. Our guest is Steve Benton from Anomali Threat Research sharing a less-is-more approach to cybersecurity. Stay with us.

Dave Bittner: Be honest. Do you consider yourself a security tools packrat? It's easy to do these days with vendors making the compelling case that if only you add their special solution that protects like no other, your organization will be safer. You'll sleep better at night and will receive the admiration of friends, family and coworkers alike. Steve Benton is VP of threat research at Anomali, and he makes the case that when it comes to security tools, sometimes less is more. 

Steve Benton: Every tool that you've got is creating data. It's causing costs to you, as an organization, in terms - just to operate the technology, but also those that have to look after it and process what it produces. And is it aligned to your current threat landscape and the current threats in which you're facing? Is the legacy of what you've acquired holding you back as an organization, and you can't let go of the past in order to grab what you need to, in order to assure yourself into the future? This is a big challenge for any organization, and especially in the security sphere, because let's face it, security is an overhead for an organization. It's part of your cost base, and you need to be exercising that cost base in the most effective and efficient way possible. But you need to ensure that you've got that means to assess what do you truly need from what you've acquired; what do you need to acquire going forward, and can you justify that and put the budgets in place to make that happen?

Dave Bittner: How do you recommend that organizations go about that self-assessment? 

Steve Benton: Well, you've got to do it with rigor. You've got to do it with honesty. The simplest way that I've approached doing it in my past is I sort of draw, if you like, a bell curve. Call it, like - even call it, like, a hype cycle. And so let's imagine at the very top of this bell curve are the tools that you've assessed that are absolutely hitting the sweet spot. They're working in an optimal way for the organization, and they're working efficiently in terms of the effort that you need to place within them in order for them to operate, not just individually, but how they operate as part of your ecosystem. 

Steve Benton: So any good security ecosystem has a set of overlapping and amplifying controls that, you know, meet the needs of maintaining the security posture for the organization. If we look at the left-hand side, you've maybe got tool sets that you've acquired fairly recently that are still on that adoption slope. You haven't quite pulled them up the slope to get them into that sweet spot of operation, but that could be because of what's sitting on the right-hand side of this slope. So these are the tools that really have sort of established themselves, but they aren't really hitting the mark. You're continuing to feed and water them. You're continuing to utilize the output because you kind of have to process it because maybe that's the way you're judged. That's the way your KPIs are judged, and your security operations. But fundamentally, they aren't delivering the impact for you on the organization. 

Steve Benton: So what do you need to do? Well, you need to exit those tools on the right-hand side of the slope. You've got to accelerate the adoption up to the top of the slope, and then be sure of the ground you're standing on at the top of that slope in terms of what is the value these overlapping tools are giving you for your security posture. Why have you selected them, and how are they justified going into the future? So these are hard yards, but they're necessary and allow you as a security leader to stand in front of your investors, your board, your senior leadership team and the rest of the business to say why this expenditure is worthwhile and the value it's delivering to the organization.

Dave Bittner: What is the danger of being overprovisioned here? I mean, is there - is it a risk of things collapsing under their own weight? 

Steve Benton: There is an element of that for sure. The more you've got, you're clearly adding to the complexity of your security operation. So being able to see the clarity of the visibility of your security posture is absolutely vital. Now, that clarity can be, you know, achievable when you're operating in what I call peacetime. So what do I mean by peacetime? Not that nothing's happening, but nothing of significant harm to your organization is currently happening. You have no cresting threats that are significant to the organization. You have no current attack that you're aware of that's dangerous to your organization. You're operating in a reasonably steady state and maintain the visibility with a complex set of toolsets. You can live with that. 

Steve Benton: But then when you move into a wartime situation where you've got a complex threat approach in the organization, you possibly have parts of the organization that are already compromised, and you're trying to understand the extent of that, and you've got a complex ecosystem which can't give you answers with the immediacy that you need, well, you've lost the precision of your security operation. In fact, you've lost the grip of your security posture right when you need it most. And that's the danger for the organization, is that complexity, but also the overhead in terms of the effort of people that need to be skilled and understand how to bring those toolsets together. You're asking too much, especially when the chips are down in that kind of wartime situation. 

Dave Bittner: You know, I'm reminded there was an old saying in advertising, you know, back in the "Mad Men" days of - you know, I know that 50% of my spend on advertising is wasted. I just don't know which 50%. Is that sort of philosophy at play here, where there's - you know, people are afraid to shed some of these security tools because there's always that what-if over the horizon? What if that's the tool that that stops the threat, and if I get rid of that tool, I'll be blamed for having gotten rid of that tool that might have stopped the threat? 

Steve Benton: Well, you're absolutely right. And, in fact, we know, you know, security vendors are always saying, you know, you need our tool. We're the ones that will define this. We're the ones that will keep you safe. So there's an element of that. There's also an element with your security teams themselves that they have got comfortable with certain toolsets, and they're happy to live their lives there. But what you actually need to do is to enlist your security operations, your top analysts, your leaders in your security operations to come together and say, look, guys, you know, we don't have any sacred tools here. Let's actually take a step back together. Let's look at this slope. Let's look at what's up at the top of the hill and whether it's working effectively for us. Let's look at what's sliding down the right-hand side.

Steve Benton: And you know what? I support you in making a bold decision to say, we will exit that, but we'll understand why we have done it. And we will have convinced ourselves that what we're sticking with and what we're downsizing to is the effective set of tools that will take us through having the grip on our security posture now and into the future as we anticipate the threats coming forward. 

Dave Bittner: That's Steve Benton from Anomali. 

Dave Bittner: And joining me once again is Robert Boyce. He is managing director and global lead for cyber resilience at Accenture. Rob, it's always great to welcome you back to the show. You know, my wife is currently car shopping, and that means that one of the things she's considering is getting an EV car, an electric car. And so we've been weighing all the pros and cons with that. And I know you and your colleagues have been looking at EV cars and charging stations and some of the potential vulnerabilities there. What can you share with us today? 

Robert Boyce: Hi, Dave, and thanks so much for having me back. And as an EV owner myself, I am also very passionate about this topic. So, you know, it's - this is, of course, something the security community's been talking about a lot. It just happens to be now that we're seeing so many more EVs on the road that the topic's coming up, becoming even more prevalent. And, you know, I think it's interesting because a lot of people are always asking, well, don't, you know, combustion engine cars have computer chips? Why are we not concerned about them? And I think it's just the absolute magnitude of, you know, the presence of the computer - computerized cars, in EV. 

Robert Boyce: Like, a standard combustion engine maybe has 100, 150 chips in it, where these EVs are having 20 times that. So as you can imagine, the exposure is just phenomenal. And then when you think about the connectivity that these cars have, either being - you know, they typically have connections back to the manufacturer or the dealers or maybe even the rental agency. You know, just that level of attack surface makes them a very potentially interesting target for threat actors. 

Dave Bittner: So what are the primary concerns here? I mean, are we talking about ransomware? Are we talking about privacy issues? What are you all tracking? 

Robert Boyce: Yeah. It's a great question. And so what we've seen in the research is that there's a number of different possible threat scenarios. Ransomware is a great one. So as you know, we've seen ransomware for the last several years be a very big vulnerability for organizations. But imagine, you know, threat actors were able to ransom your car and you couldn't start it without having to pay them, or, you know, or being able to move from a charging station into a car or take - and maybe even take over or penetrate an EV manufacturer - because they all have over-the-air updates - of being able to use that network to compromise many vehicles simultaneously.

Robert Boyce: These potential scenarios are super fascinating. And, of course, as you can imagine, there's a human-safety element to this as well. So as you're in your car and someone's able to take over your car and maybe start driving it for you, you know, and you don't have the control anymore, that's a huge concern. And we haven't seen this happen in the wild yet, but we have seen researchers successfully take over a car and make it drive erratically in the test scenario. 

Dave Bittner: What about the charging stations themselves? I mean, is - to what degree is there actually relevant or, you know, important communications going on between the stations and the vehicles? 

Robert Boyce: Yeah. The charging stations are also super interesting. I mean, especially the public charging stations, as you can imagine, that they're typically connected to cloud or connected via cellular networks, so - which makes them, you know, themselves a very attractive attack surface for threat actors. And the majority of these charging stations are operating with an open protocol that allows them to, you know, be able to take many different manufacturers connecting to, you know, a single public charging station, so they have to use some level of open protocol for that. 

Robert Boyce: And the information that's being transferred back and forth is, you know, just being able to identify the car, but, again, there is always the possibility of malware being transmitted from a car to a charging station and from a charging station to a car. And then, as you can imagine, with more and more cars that are using these public infrastructures, that being a possible attack vector is quite significant.

Dave Bittner: As an EV owner yourself, how do you approach this? I mean, it's not like with a computer where you can say, hey, don't click the links, you know? Like, what - are there best practices to try to make yourself not be the low-hanging fruit? 

Robert Boyce: You know, this is - I knew you would ask me this question when I said I had an EV myself. 

(LAUGHTER) 

Robert Boyce: And, you know, it's almost a little embarrassing for someone who's been doing security for, like, 25 years. But I can promise you, it wasn't even a consideration that I had when I was choosing my car. I wanted something that was - you know, was really cool, that had a good user experience, good interface. And, you know, just the prospect of full autonomous driving is very exciting. So even someone like me definitely overlooked security as a possible - you know, a possible requirement when I'm buying it. 

Robert Boyce: But, you know, I mean, there's some things that you can do and some things that are harder. Like, you know, I typically try and stay away from public charging stations, try and charge my car at home. But when you're thinking about updates and things like that, there's not really a lot of optionality, I would say, in that. You're taking the update or you're not taking the update from the manufacturer. So at this time, there's not a lot a consumer could do. 

Robert Boyce: What is exciting - we are seeing a lot of focus in this area, right? So the Biden White House had a lot of people within the EV industry last - I think it was October, at the White House talking about security in the space. We've seen transportation agencies also start talking about security implications in this space. So I think we're going to start seeing more regulations that will help manufacturers start making sure that they're embedding more security. 

Robert Boyce: I think this is a very, very young industry. And of course, as you can imagine with any young industry, first to market is super important. And so I think - I'm not saying security has necessarily been overlooked, but I don't think it's necessarily been a priority from the manufacturer's point of view. It's really, you know, I think, just with any young industry, we need to learn more about security and how it applies to this industry to make sure we're really safeguarding the consumers appropriately. 

Dave Bittner: All right. Make sure you have your seat belts properly fitted in and secured, right? 

Robert Boyce: Absolutely. 

Dave Bittner: Yeah. All right. Rob Boyce, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Dick O'Brien from Symantec's threat hunter team. We're discussing their research "Blackfly: An Espionage Group Targets Materials Technology." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.