The CyberWire Daily Podcast 4.20.23
Ep 1806 | 4.20.23

Two-step supply-chain attack. Plugging leaks, in both Mother Russia and the Land of the Free and the Home of the Brave. Belarus remains a player in the cyber war.


Dave Bittner: The 3CX compromise involved a two-stage supply-chain attack, impersonating ChatGPT. Russia's security units say they're cracking down on leaks. Updates on the Discord Papers case. Belarus arrests a pro-Russian hacktivist. Rob Boyce from Accenture Security on Dark Web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation with an innovative approach to distributed key security. And is Minsk going wobbly on Moscow?

Dave Bittner: From the CyberWire's studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 20th, 2023.

3CX compromise involved a two-stage supply-chain attack.

Dave Bittner: Mandiant reported this morning that the exploitation of 3CX, a supply-chain attack, was itself enabled by a previous supply-chain attack. The company's report said, "In March 2023, Mandiant Consulting responded to a supply-chain compromise that affected 3CX desktop app software. During this response, Mandiant identified that the initial compromise vector of 3CX's network was via malicious software downloaded from Trading Technologies' website. This is the first time Mandiant has seen a software supply-chain attack lead to another software supply-chain attack." The attack is being attributed to UNC4736, generally regarded as a North Korean threat actor. Its activities have been related to the financially motivated North Korean AppleJeus activity, as reported by CISA.

Impersonating ChatGPT.

Dave Bittner: Palo Alto Networks Unit 42 wrote today that they're observing increased malicious activity impersonating ChatGPT. The hackers have been seen creating sites claiming to be OpenAI and attempting to trick users into sharing personal information or even, in some cases, paying for the ChatGPT service. From November of last year through early this month, the researchers observed a 910% increase in web domains that were ChatGPT-related. They say that in this same timeframe, "we observed a 17,818% growth of related squatting domains from DNS security logs." Detections of around 118 ChatGPT-related malicious URLs were also caught daily by the company's URL filtering system. The faux sites are said to be reminiscent of OpenAI's legitimate site but seek to exfiltrate user data or even attempt to make the user pay for ChatGPT, which, when legitimately used through OpenAI, is free.

Russia's security organs say they're cracking down on leaks.

Dave Bittner: The Institute for the Study of War reports that Russia's FSB is undertaking a comprehensive overhaul of the country's security apparatus, apparently in response to a growing concern about leaks and security breaches. The institute says Russian state-controlled outlet TASS reported on April 19th that the FSB and the Main Directorate of the Security Service of the Ministry of Internal Affairs have been conducting mass checks at the Moscow Central District Internal Affairs Directorate and several Moscow district police offices for the past several weeks due to the leakage of data from Russian security forces at the request of Ukrainian citizens. Police departments appear to be the focus of what amounts to an incipient purge. The researchers state, "The reported FSB and MVD raids on the Moscow police departments are occurring against the backdrop of a series of arrests and dismissals of prominent members of the Rosgvardia, Russian National Guard, leadership. The Kremlin may be pushing for such arrests and investigations in order to conduct an overhaul of the domestic security apparatus to oust officials who have fallen out of Kremlin favor and consolidate further control of internal security organs." That's certainly possible. And there's plenty of historical precedent in Russia for this sort of purge, but the possibility that the security organizations are spooked by leaks is also a real one.

Update on the Discord Papers case.

Dave Bittner: The US has also had recent difficulty with leaks. Jack Teixeira, the Air National Guardsman alleged to have taken and leaked the Discord Papers to a small group of young and besotted followers on the gamer social platform, has been charged, is in custody awaiting trial, and has yet to enter a plea. The New York Times, which has published a review of where the case stands, comments on the apparent motive, which appears to be devoid of the usual elements of ideology or political commitment, and also of any compromise or financial gain. The motive seems to have been as simple as a desire to show off in front of online friends.

Belarus arrests a pro-Russian hacktivist.

Dave Bittner: "The head of Anonymous Russia, a young man who went by the hacker name Raty, has, according to KillNet, been arrested by Belarusian authorities," Flashpoint reports. It's worth noting that this particular group is not the Anonymous that sought to pester Russia but rather an alternative organization devoted to Russia's cause and operating as a kind of junior partner to KillNet. KillNet has said it would appoint a new leader for Anonymous Russia, and the reconstituted group will concentrate on two things.

Dave Bittner: First, they've declared a war on "CIA rats," an expression that, in their reading, means pro-Ukrainian hacktivist groups such as the IT Army of Ukraine, a group of pro-Ukrainian activists formed shortly after Russia's 2022 invasion, which is specifically named in one of the channel's messages. The mention of this trope, lifted from Russian propaganda, is likely meant to confirm the new group's pro-Kremlin credentials.

Dave Bittner: Second, the group has also announced that it would transform itself into a DDoS-for-hire group that anyone can purchase. However, it also specified that the project would be aimed at the dark web, too. This latter announcement suggests that Anonymous Russia will perform DDoS attacks against dark net markets, similarly to KillNet.

Dave Bittner: It's unclear why Raty was arrested, but KillNet was quick to identify and, Flashpoint says, dox him. The reconstituted Anonymous Russia seems to be moving along with its better known and more active, bigger colleague, KillNet, in the direction of a profit-making enterprise. Last month, KillNet said that it was organizing itself as a private cyber operations corporation, along the lines of the Wagner Group, the notorious private military corporation. The rise of Wagner-like groups in cyberspace was the subject of a warning this week by the UK's NCSC, which, according to The Record, is warning that such groups are expected to represent a particular threat to critical infrastructure.

Poland describes current Belarusian information operations.

Dave Bittner: And finally, lest one conclude that the arrest of Raty was a sign that Minsk was going wobbly on Moscow: that's pretty clearly not happening. Ghostwriter is back. Polish authorities say that a major propaganda campaign by the Belarusian group Ghostwriter was detected on April 18th. Attribution was unusually quick, and Poland has taken steps to control any damage. The Record reports, "The group's goal in Poland is to disrupt the country's relations with its allies, including Ukraine, the US, and NATO countries, according to Poland's Ministry of National Defense. The group's campaigns have also aimed to foment social unrest among Polish citizens." It's that old familiar mischief-making. Don't worry about persuasion. Just go for confusion.

Dave Bittner: Coming up after the break, Rob Boyce from Accenture Security on dark web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation with an innovative approach to distributed key security. Stay with us.

Dave Bittner: An organization called the Tide Foundation is looking to improve cybersecurity with a clever approach to access keys that splits them into millions of pieces distributed across 20 distributed servers around the world. Mike Loewy is co-founder of the Tide Foundation.

Mike Loewy: What we're looking to do is to redefine the authority model in the digital world. Today, we have a scenario where the security of our systems and the protection of sensitive information is all, at the end of the day, reliant on blind trust, blind trust in the people that build, administer, and manage our IT systems. And what were -- those people today have effectively carte blanche authority over the sensitive information that these systems hold. And we're looking to redefine that. So that's no longer the case.

Dave Bittner: When we say blind trust, what exactly do we mean by that?

Mike Loewy: So if you think about -- even take into account zero trust. So zero trust, a methodology that was kind of introduced 10 years ago. But even with the implementation of zero trust, we're still seeing the most horrific breaches in history, and breaches have increased in frequency and severity. And the reason for that is because no matter how much effort we put into applying that model of constantly verifying, and checking, and making sure that, you know, the -- whoever we're providing this access to is who they say they are. There is some kind of root authority, something somewhere that has to make that final decision of, can I provide access to this resource? Can you swipe and open this front door? Or can you access this file? And that authority lives somewhere on something and is administered by someone. And that means that there's always this kind of Achilles' heel that exists inside of a system, whether it's the identity and access management system, the firewall, whatever security apparatus it is, and there's no way to verify the integrity of those people administering those systems, whether there's mal-intent or whether they're just human beings that make mistakes, accidentally click on the wrong links. That's what I mean.

Dave Bittner: And so what is it that you're proposing here? What's the technology behind what you're looking to accomplish here?

Mike Loewy: So if you think about -- think about even a banking system. So a banking system holds a huge amount of information on its customers. It would have identity information, financial history, all kinds of information that, at certain points in time is required by the bank, at certain points in time is required by the customer. But beyond those points in time when that information is needed, the system -- there's no good reason for the system to have access or authority over that information. In fact, it doesn't want it because it's a liability for the bank. And it's a huge risk for the end customer if that information is then appropriated or misappropriated. What we -- what we're looking to do is using a technology to effectively decouple the authority over digital assets, for want of a better word, whether that's like identity information, financial information, or even network access rights, and decouple that from the systems that today it lives inside of. So if you think about each customer record in a bank being locked with a different key, and none of those keys sitting in the bank system anymore. So even the -- you know, your super users, your administrators don't have access to those keys. And putting those keys somewhere where they can be used only as appropriate but cannot be stolen, cannot be used in a context outside of what they were designed to do. And that's a -- and from a technology perspective, what we've done is to have those keys not live anywhere but kind of live everywhere. So a key is, in fact, born in 20 pieces across a fully decentralized network and operated in a way that it's never actually put together. So, effectively, no one holds that key.

Dave Bittner: Well, help me understand here. Because I think a common line of thought here could be that, don't you need a key to access the keys? You know, it's sort of is -- its key's all the way down, right? Like if -- I think about it even with something like my password manager or something like that. Ultimately, there's a master key. But you're -- what you're saying is you all have found a clever way around that.

Mike Loewy: So, yeah. So that's an awesome question. So your password -- your master password to your password manager is effectively the keys to the kingdom. The question is, where does that key sit? Where's our master password live? And how has that master password authenticated or validated to check that you've entered that password incorrectly? So if that has been performed by any single server, any centralized service, again, where -- which is administered by people or is accessible to people, then it's always compromisable. If that process of -- even validating a password is done in a way that no one ever gets to see the password. Password doesn't live anywhere in that kind of singular form. Then the integrity of the process that checks that password is sacrosanct, can't be circumvented, and there's no longer a central repository holding all of those usernames and passwords and sitting in, you know, one convenient place for an attacker to steal and kind of perform all kinds of interesting brute force attacks offline. So what we've developed is a way to authenticate a user, be it first or second factor. Obviously, adding additional factors is, you know, highly advisable. But starting with just that very root ubiquitous form of authentication, username and password, that making sure that that password lives nowhere and that password is checked in a way that no one actually gets access to the secret, to the password itself. And we do that using a decentralized network where it's almost like a multiple servers performing a small part of that process in a way that reveals no information to them. And, in fact, that those servers don't even know what they're doing and for whom.

Dave Bittner: And what does all this look like to the user? Is -- what's the user experience like?

Mike Loewy: Absolutely no change to the user experience. So from the user -- end user's perspective, they're typing a username and password into their banking platform, or their social media site, or whatever they -- whatever they're authenticating to. Behind the scenes, that password is being authenticated by 20 different endpoints simultaneously rather than one singular source. So as far as the user is concerned, they enter a username and password, that could be through a browser. But there is no -- there's no one in the middle that can compromise that process.

Dave Bittner: That's Mike Loewy from the Tide Foundation.

Dave Bittner: And joining me once again is Robert Boyce. He is managing director and global lead for Cyber Resilience at Accenture. Rob, it's always great to welcome you back to the show. You know, my wife is currently car shopping. And that means that one of the things she's considering is getting an EV car, an electric car. And so we've been weighing all the pros and cons with that. And I know you and your colleagues have been looking at EV cars and charging stations and some of the potential vulnerabilities there. What can you share with us today?

Robert Boyce: Hi, Dave, and thanks so much for having me back. And as an EV owner myself, I'm also very passionate about this topic. So, you know, it's -- this is, of course, something the security community has been talking about a lot. It just happens to be now that we're seeing so many more EVs on the road that the topic coming up is becoming even more prevalent. And, you know, I think it's interesting because a lot of people are always asking, "Well, don't -- you know, combustion engine cars have computer chips, why are we not concerned about them?" And I think it's just the absolute magnitude of the presence of the computerized cars and EVs, like a standard combustion engine maybe has 100, 150 chips in it, where these EVs are having 20 times that. So as you can imagine, the exposure is just phenomenal. And then when you think about the connectivity that these cars have, either being, you know, typically have connections back to the manufacturer or the dealers or maybe even the rental agency, you know, just that level of attack surface makes them a very potentially interesting target for threat actors.

Dave Bittner: So what are the primary concerns here? I mean, are we talking about ransomware? Or are we talking about privacy issues? What are you all tracking?

Robert Boyce: Yeah, that's a great question. And so, you know, what we've seen in the research is that there's a number of different, you know, possible threat scenarios. Ransomware is a great one. So as you know, we've seen ransomware for the last several years be a very big vulnerability for organizations, but imagine, you know, threat actors were able to ransom your car and you couldn't start it without having to pay them or, you know, or being able to move from a charging station into a car or take -- and maybe even take over or penetrate an EV manufacturer, because they all have over-the-air updates, and being able to, you know, use that network to compromise many vehicles simultaneously. These potential scenarios are super fascinating. And, of course, as you can imagine, there's a human safety element to this as well. Like -- so as you're in your car and someone's able to take over your car and maybe start driving it for you, you know, and you don't have the control anymore, that's a huge concern. And we haven't seen this happen in the wild yet, but we have seen researchers successfully take over a car and make it drive erratically in the test scenario.

Dave Bittner: What about the charging stations themselves? I mean, is -- it -- to what degree is there actually relevant or, you know, important communications going on between the stations and the vehicles?

Robert Boyce: Yeah, the charging stations are also super interesting. I mean, especially the public charging stations, as you can imagine, that they're typically connected to cloud or connected via cellular networks. So -- which makes them, you know, themselves a very attractive attack surface for threat actors. And the majority of these charging stations are operating with an open protocol that allows them to be able to take many different manufacturers connecting to a single public charging station. So they have to use some level of open protocol for that. And, you know, the information that's being transferred back and forth is, you know, just being able to identify the car. But, again, there is always the possibility of malware being transmitted from a car to a charging station, from a charging station to a car. And then, as you can imagine, the more and more cars that are using these public infrastructures, being -- that being a possible attack vector is quite significant.

Dave Bittner: As an EV owner yourself, how do you approach this? I mean, it's not like with a computer where you can say, "Hey, don't click the links," you know. Like what -- are there best practices to try to make yourself not be the low-hanging fruit?

Robert Boyce: You know, this -- I knew you would ask me this question when I said I had an EV myself. And -- you know, it's almost a little embarrassing for, you know, someone who's been doing security for like 25 years, but I can promise you, it wasn't even a consideration that I had when I was choosing my car. I wanted something that was, you know, was really cool, that had a good user experience, good interface. And, you know, just the prospect of full autonomous driving is very exciting. So even someone like me definitely overlooked security as a possible, you know, a possible requirement when I'm buying it. But, you know, like -- I mean, there's some things that you can do and some things that are harder, like, you know, I typically try and stay away from public charging stations, try and charge my car at home. But when you're thinking about updates and things like that, there's not really a lot of optionality, I would say, in that. You're taking the update or you're not taking the update from the manufacturer. So at this time, there's not a lot a consumer can do. What is exciting, we are seeing a lot of focus in this area, right? So the Biden White House had a lot of people within the EV industry [inaudible] I think it was October at the White House, talking about security in the space. We've seen transportation agencies also start talking about security implications in the space. So I think we're going to start seeing more regulations that will help manufacturers start making sure that they're embedding more security. I think this is a very, very young industry. And, of course, as you can imagine, with any young industry, first to market is super important. And so I think -- I'm not saying security has necessarily been overlooked, but I don't think it's necessarily been a priority from the manufacturer's point of view. It's really -- you know, I think just with any young industry, we need to learn more about security and how it applies to this industry to make sure we're really safeguarding the consumers appropriately.

Dave Bittner: All right, make sure you have your seatbelts properly fitted and secured, right?

Robert Boyce: Absolutely.

Dave Bittner: Yeah. All right. Rob Boyce, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the... The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.