The CyberWire Daily Podcast 4.21.23
Ep 1807 | 4.21.23

Daggerfly swarms African telco. EvilExtractor described. Patriotic hacktivism in East Asia. Updates on Russia's hybrid war suggest that cyber warfare has some distinctive challenges.

Transcript

Dave Bittner: The Daggerfly APT targets an African telecommunications provider. EvilExtractor is an alleged teaching tool gone bad. A Chinese-speaking threat group is active against Taiwan and South Korea. Europe's air traffic control is under attack. A look at the RSA Innovation Sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. And forget about those evil maids. What about those evil sysadmins?

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 21st, 2023.

Daggerfly APT targets African telecommunications provider.

Dave Bittner: Symantec yesterday published a report on a campaign by the Daggerfly advanced persistent threat, also known as Evasive Panda or Bronze Highland, against an unnamed African telecommunications company. Daggerfly is in all likelihood associated with China. The ongoing campaign abuses the legitimate AnyDesk remote desktop software to deploy previously unseen plug-ins from the MgBot malware framework. Those plug-ins' capabilities suggest that Daggerfly's goal is information collection. Symantec's post includes a set of indicators of compromise.

EvilExtractor, an alleged teaching tool apparently gone bad.

Dave Bittner: Fortinet today blogged about the aptly named EvilExtractor, an infostealer targeting Windows operating systems. Fortinet says it was developed by a company named Kodex, which claims that the software product is an educational tool. However, research conducted by FortiGuard Labs shows cyber criminals are actively using it as an infostealer. Fortinet reports that, based on their traffic analysis, March saw a significant increase in malicious activity with a tool posted by the website evilextractor.com. It's usually introduced by a phishing e-mail. It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file. But once loaded, it begins to leverage PowerShell malicious activities. It also contains environmental checking and anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints, and then upload it to the attacker's FTP server. The malware includes many features and can be used in ransomware campaigns as well. Victims seem to be mostly located in the U.S. and Europe. And EvilExtractor's developer, Kodex, has continued to update the infostealer.

Sinophone threat group active against Taiwan and South Korea.

Dave Bittner: Chinese-speaking threat group Genesis Day has been targeting research and academic organizations in South Korea, The Record reported yesterday. The attacks, which seem to be intended for data exfiltration, occurred in January of this year, and it appears that a new round of attacks has been launched against Japanese and Taiwanese organizations.

Dave Bittner: An analysis by Recorded Future's Insikt Group says that 12 South Korean research and academic websites were attacked, suffering website defacements, in which the adversaries replaced each hosted website with their own in a compromised server. Genesis Day shared on its public Telegram channel that the Korea Internet and Security Agency was intended to be the first governmental target of the group. The group also made unverified claims of cyber-attacks against the U.S., Ukraine, Taiwan, Japan, and South Korea's Ministry of Health and Defense Ministry.

Dave Bittner: Genesis Day seems to be that rare bird, a disinterested patriotic hacktivist crew. The Record reports that there were no ties discovered between the Chinese government and the threat actor, but that the hackers also sought neither fame nor profit from the attacks. Di Wu, Senior Threat Intelligence Analyst at Insikt Group, said, "Based on the analysis of the group's Telegram channel's postings on special access forums, and its presence on a clearnet website, we conclude that this is a hacktivist group, primarily motivated by patriotism toward China, and it will likely conduct similar cyber-attacks against Western and NATO targets, as well as any country or region deemed hostile to China."

Eurocontrol under attack.

Dave Bittner: The European Air Traffic Control Agency, Eurocontrol, reports that it's under cyber-attack by Russian actors. Eurocontrol's website has a terse account of the attack, which appears to be of the familiar DDoS variety. Eurocontrol says the attack is causing interruptions to the website and web availability, and that there's been no impact on European aviation. The Wall Street Journal reports that Killnet has claimed responsibility. The claim is entirely consistent with Killnet's record. Nuisance-level DDoS has been their specialty.

Forget about those evil maids. What about these evil sys admins?

Dave Bittner: Support personnel can represent as much of an insider risk to security as can line personnel, sometimes more because of the way they can be overlooked or disregarded. (This can be seen, for example, in the "evil maid" attacks that might be carried out by an actual member of a cleaning crew.) The Wall Street Journal offers reflections on the ongoing investigation of the Discord papers leaks, especially for what they reveal about the access that IT personnel acquire to sensitive information in the course of their daily work.

Dave Bittner: The Journal writes, "Airman Teixeira, the alleged leaker of the Discord papers, worked on cyber transport systems, a role that involved work to keep communication systems up and running, according to an Air Force job description." The story goes on to point out that another notorious leaker, Edward Snowden, was also in tech support. Mr. Snowden, who lives in Russia, was described by officials at the time of his leak in 2013 as a systems administrator. Their motives, alleged in Airman Teixeira's case, were quite different. But the access their positions gave them had much in common.

Assessments of the cyber phases of Russia's war against Ukraine.

Dave Bittner: The European Cyber Conflict Research Initiative has issued the report on a conference that studied Russian methods of cyber warfare. The ECCRI writes, "In line with its doctrine of information confrontation, Russia employed a variety of cyber operations during the war at an unprecedented scale. The primary goals of wartime operations, sabotage, influence and espionage, have remained constant. Cyber operations provide new opportunities to achieve age-old objectives." The study focuses on what Russia achieved, most prominently a high cyber operational tempo, as opposed to the many and obvious ways Russian cyber operations fell far short of pre-war expectations. The takeaway may be this. Cyber-attack tools, tactics, techniques and procedures tend to have a short life. Once used, they're blown, at least if they're used against an opponent who pays attention. And above all, an opponent who learns.

Dave Bittner: Coming up after the break, a look at the RSA Innovation Sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. Stay with us.

Dave Bittner: RSA Conference is right around the corner. And one of the highlights of the show is the annual Innovation Sandbox, a friendly competition providing hopeful startups with a chance to pitch their wares to a group of distinguished judges, and perhaps catch the eye of investors and partners. My guests today are Cecilia Marinier, Senior Director at RSA Conference for Innovation and Scholars, and one of the Innovation Sandbox judges, Barmak Meftah, Co-Founder and General Partner at Ballistic Ventures. Barmak Meftah starts us off.

Barmak Meftah: I'm actually really excited to be, to be part of that incredible group of folks that are going to judge some of the best entrepreneurs that we see out there. And, you know, what we do as venture capitalists is, you know, we look at a lot of ideas every year. And, you know, patterns start to emerge. And sort of applying the same pattern matching towards some of the most innovative companies, especially in the early stages of entrepreneurship, is really, is really an incredible thing to do. So, for me, this is a natural extension of what I do every day. And this fell in my lap, and I couldn't be happier to be part of it.

Dave Bittner: What are some of the things in your mind that set apart the competitors that can really launch someone to the top?

Barmak Meftah: Yeah, I think, you know, as I look at the submissions, and sort of look at the trends in the industry in general, I put them into two distinct categories. There's what I would call evolutionary ideas, which only occur in cybersecurity probably more than any other in technology. And those fall into the category of old security controls that have to be reinvented because of compute architecture changes and what we call adversarial obsolescence, which is the adversary forces the obsolescence of old security controls. And so you have to think about new ways of doing what probably has become obsolete. So, in that category, think of, you know, application security is making a huge comeback. So, the idea of, you know, giving the appropriate tools in the hands of the developers so security can be built into the fabric of the software, that's an evolutionary idea. But the move to the cloud has sort of forced the reinvention of that. I would say data security falls into that category, cryptography falls in that category. And then the second distinct themes that we look at are revolutionary ideas, which are, you know, trends that haven't necessarily happened yet, but we see the emergence of those happening. You know, a couple of examples I can point out to, you know, giving developers the appropriate APIs or SDK so they can build cyber features into the fabric of the software has never been done before. This is something revolutionary and brand new. There's an emergence of Web3 technology that really from a market timing perspective we might be two to three years out still, but I think it's a trend that's going to emerge. And so we look at both. And, you know, I wouldn't necessarily say one is more important than the other, but they kind of fall in different themes. And we love innovative companies that play in either, either, either group.

Dave Bittner: Cecilia, you all recently announced the finalists for this year's Innovation Sandbox. What strikes you as you look at that list? Are there any trends here or anything that they have in common, or is it a wide spectrum of possibilities here?

Cecilia Marinier: Now, see that, Dave, is why I brought Barmak on. I'll just say one piece about it myself, and then I do want to actually let Barmak kind of speak to the trends. One of the things that are really amazing this year was just the amount of the companies, the number of companies that actually applied to RSA Conference Innovation Sandbox. We had 150% increase. And it just demonstrates just how much this industry, how quickly it's moving, and how important this is. And so overall, I want to tell all of the people that submitted, congratulations, because gosh, I'm so grateful that you're doing this into our industry to help us out. It was a very competitive field. So, I've already spoken to a couple companies who didn't make it, and they were like, why not? I'm like, my goodness, it was just a crazy great field. So, Barmak, I'm going to let you talk a little bit about some of the themes that came up. You already addressed some of the big themes. But maybe more specifically about the companies themselves for the top 10.

Barmak Meftah: Yeah, absolutely, yeah. I mean, I'd like to echo what you said, Cecilia, which is, you know, the number of submissions from what I heard from Cecilia, have increased dramatically, which is awesome to see. You know, it's an area, again, with technology that continues to evolve. So, you know, the number of companies since I started my career in cybersecurity, gosh, better part of 18 years ago, has exponentially increased, which is really awesome to see as well. But, yeah, you know, high level, I pointed out to kind of the two main themes that have been evolving over the last eight to ten years. We see that still evolving. And let's see, if I have to pick some, you know, the other thing I would point out that's really important to point out is how much time the judges put in to give the appropriate due process to each of these submissions. I mean, these are entrepreneurs that put their blood, sweat and tears into these submissions, that worked really hard. And so we want to ensure that we, that we hear all of them, and we read, you know, all the submissions, and so we take our job very seriously, and all the judges put in a ton of time to ensure that we select the top 10 appropriately. But, you know, I mean, some of the examples I can pick in the top 10 submissions, again, I think, you know, there's one company that deals with Web3 security, for example. Market timing might not be ideal, but it's a really innovative way of thinking about, you know, how do we secure the infrastructure with, you know, for Web3 as it emerges? There's probably, you know, four or five companies that fall into the application security area, spanning, you know, the gamut of how do we outfit developers with more appropriate tools and effective tools so they can find security vulnerabilities and be able to fix those security vulnerabilities during the software development lifecycle, which is really awesome, and it's been a quest of the industry for a long period of time. In fact, my first company, Fortify, was kind of one of the first application security companies that came to market, so it's really heartening to see that emerging. There's a couple of companies that deal with application security more from an administrative perspective, which is how do we outfit the chief information security officer so they can have central audit control and a single pane of glass view towards what's happening upstream in their software development lifecycle. And finally, you know, there is one company that provides APIs and an SDK that allows developers that need to build cyber features into the fabric of the application to go to one place, to grab all the APIs they need to build those cyber features into the fabric of the application. They're coining the term SPaaS, which is security platform as a service. So, all of them, awesome companies. All of them, great companies. Very innovative. And I bet we're going to have a hard time selecting who's going to be the best among, among all of them. But at least we're really proud of the top 10.

Dave Bittner: Yeah, I don't envy the task you all have for you there. Cecilia, I want to close with you. I mean, the week of RSA Conference is a busy week for everybody. What's the, what's the equation here for folks to carve out some time in their schedule to make sure that they check out the Innovation Sandbox, things like the Launchpad and the Early Stage Expo Programs, why should folks spend their time here?

Cecilia Marinier: So, everybody in this industry is very aware of how quickly our adversaries are actually moving, and how innovative they are. I think that spending time learning more about what we are doing on the, on the good fight side, to address those concerns, is what is, makes innovation here so important. Because, Dave, we've had just such a long year and long history of identifying some of the most incredible companies that are really changing how we address cybersecurity now in the Innovation Sandbox contest, I want you to go check out Launchpad. It's just great. And the Early Stage Expo. This is a great opportunity for those that are caring about how tomorrow adversaries might be acting, tomorrow's adversaries might be acting, how can we address them today, come and see this at the Innovation Sandbox contest, see what's happening.

Dave Bittner: That's Cecilia Marinier from RSA Conference, and Barmak Meftah from Ballistic Ventures.

Dave Bittner: There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for interview selects where you'll get access to this and many more extended interviews.

Dave Bittner: And it is always my pleasure to welcome to the show Dr. Awais Rashid. He is the Director of the National Research Center on Privacy, Harm Reduction, and Adversarial Influence Online at University of Bristol. Professor Rashid, always a pleasure to have you back on the show. You know, I am fascinated by the intersection of cybersecurity and things that are out there in the real world. And I know you and your colleagues have been doing some work when it comes to smart farming. I was hoping you could share with us some insights on that today.

Dr. Awais Rashid: Yes. Thank you for having me back again. Farming, like any other sector, is seeing increased deployment of digital technologies. You could call this effectively Internet of Things. But for farming, and you can see a number of application areas with regards to this smart farming, for example, in horticulture you can use this to monitor, for example, crop health. You can use it to monitor, for example, you know, irrigation levels, or even kind of weather responding to the weather, or, you know, pest control and those kind of things. And in other, other types of farming, like dairy farming, it can also be used to monitor, for example, animal health, feed, movement, you know, raising, and, you know, providing more kind of free, free grazing, and all those, all those kind of things. So, there is a lot of applications of Internet of Things and technologies in smart farming.

Dave Bittner: So, what specifically are the cybersecurity concerns here?

Dr. Awais Rashid: So, that's really where the challenge lies, because like with all, all other sectors, digital technologies offer a lot of benefits. But, of course, you can also start to see that as technologies are deployed, they are not necessarily always considered with security built in. Especially not too dissimilar to, for example, what we saw in [inaudible] control systems security, devices are being deployed in rugged settings, okay, farmers are not cybersecurity experts, nor do they have to be. And even a number of companies who are moving into this space, they're specifically coming in from an agricultural background rather than necessarily from a cybersecurity background, or those kind of practices that have been built in, say, for example, in the enterprise setting, just currently do not exist. So, examples would be that, for example, you may have a farm, and it would run what you would call a flat network. So, everything is connected to everything else. There is no isolation. Often, things are controlled from a single PC, which is then shared by a number of people on the farm. This may not be regularly updated. And devices are out there in the open. And they may not always be getting regular, regular updates. So, as an example, we've been testing some of the security of the devices that have been deployed in these farms. So, for example, we saw that remote monitoring and management of some of the farming infrastructure had, you know, vulnerabilities, using insecure protocols, or default logins, for example, you know, which is considered kind of, you know, a basic security practice in enterprise settings. But these kind of things are not necessarily currently being utilized in itself. Then there are other things that are being utilized. For example, in case of say dairy farming, you know, collars, or think of them like sort of Fitbits for cows, they could be on the legs, or on the necks, which are used for animals to kind of come by themselves through gates to go out for grazing or come back and of course for milking and so on. And, again, our analysis shows that there are security vulnerabilities in these. So, you can, for example, create effectively jobs. So, if animals can't get in automatically for milking, then it puts them in discomfort. Or if they can't go out grazing, then it's not good for their well-being. And also cameras are often used to kind of monitor health, for example. And if those feeds can be, can be interfered with, again, you know, basic security practices don't always exist, if those feeds can be interfered with, then, you know, again, it leads to a serious, serious welfare issue. So, the fundamental thing here is that there are a lot of potential advantages of using smart farming. But the state of security is at a very early stage. And more needs to be done to build both fundamental security practices, but also understand what are the kind of nuanced needs of this sector so that we can provide appropriate cybersecurity mechanisms.

Dave Bittner: And how do you propose we go about doing that? As you mentioned, farmers are busy doing their farming. So, how do we provide them with the level of security they need and not interrupt the work they're doing to provide us with a reliable food supply?

Dr. Awais Rashid: Absolutely. So, the key here is really, you know, security of the food supply. An individual farm being impacted is perhaps an impact on the original farmer and their business. But given that a lot of these systems are supplied by the same companies or same, same manufacturers, there is a risk of what we would call common [inaudible] failures, that, for example, one vulnerability impacts actually hundreds of farms. But there are sorts of advantages. So, our experience of actually working with the people in the agriculture sector has been really positive. So, the companies who provide these services or these technologies, they're actually very keen to improve the security of these systems. So, when we find a vulnerability and we report it, you know, one of [inaudible] worked with us, and within three days, the fix was deployed across, you know, hundreds of farms, because they also provide managed services. So, the farmer does not really take responsibility for updating the equipment or so on. This is all done by the company, which means that they also have the potential to apply security fixes as they go along. So, multiple things need to be done. I think first this good practice of responding positively to security vulnerabilities, and actually improving the state of security is very, very important. And the other is really sort of more work with the sector itself to bring up the kind of basic fundamental state of security into the product. So that we start with those kind of practices that we have built in already in other areas, for example, in enterprise settings, you know, about 20, 25 years ago, increasingly more in other critical infrastructure sectors to also bring them here. Of course, you know, regulators have a role to play, because considering that the state of security in farming is very, very important, or exactly safeguarding the security of the food supply, but also integrity of that. So, the issue here isn't that, for example, you can disrupt a set of farms and impact, you know, sort of reaching from the farm to the table potentially if you interfere with treatment parameters, you know, there is impact on destroying crops, for instance. And those are the kind of things that we need to be concerned about. So, there is a positive experience on our, on our part, interacting with those who work in this sector. But I think more needs to be done to build basic security practices.

Dave Bittner: All right, well interesting insights for sure. Professor Awais Rashid, thank you for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Coming up on this weekend's Research Saturday, my conversation with Shiran Guez from Akamai, discussing chatbots, celebrities, and victim retargeting, and why crypto giveaway scams are still so successful. That's Research Saturday. Check it out. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Billie Lardi [phonetic], Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoshite [phonetic], Chris Russell, John Petrik, Jason Cole, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.