The CyberWire Daily Podcast 5.19.23
Ep 1827 | 5.19.23

Section 230 survives court tests. Pre-infected devices. IRS cyber attachés. DraftKings hack indictment. Notes on the hybrid war.


Dave Bittner: Section 230 survives SCOTUS. Lemon Group's pre-infected devices. The IRS is sending cyber attachés to four countries in a new pilot program. A Wisconsin man is charged with stealing DraftKings credentials. Russian hacktivists conduct DDoS attacks against Polish news outlets. An update on RedStinger. Grayson Milbourne from OpenText Cybersecurity discusses IoT and the price we pay for convenience. Our guest is Matthew Keeley with info on an open source domain spoofing tool, Spoofy. And war principles and hacktivist auxiliaries.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Friday, May 19th, 2023.

Section 230 survives SCOTUS cases.

Dave Bittner: The Supreme Court made decisions on two cases concerning the liability of social media platforms that contain terroristic content. Both cases, Twitter v. Taamneh and Gonzalez v. Google, were initiated by the families of ISIS victims in Paris and Istanbul. The case against Twitter raised the question of whether the platform can be accused of aiding in terrorism for hosting tweets from ISIS. The case against Google asks if their recommendation system is protected under Section 230 of the Communications Decency Act, which Article 19 explains, "grants legal immunity to online platforms for content posted by third parties and allows platforms to remove objectionable content without exposing themselves to liability." The Supreme Court unanimously ruled in favor of Twitter, and dismissed the case against Google.

Lemon Group's pre-infected devices.

Dave Bittner: A cybercriminal gang called "Lemon Group" has been leveraging pre-infected Android devices for malicious activities, Trend Micro reports. “No fewer than 8.9 million” devices, primarily budget phones, have been affected. According to the Hacker News, the gang has also been seen branching out to Android-based IoT devices. Bleeping Computer reports that the pre-installed malware, "Guerilla," allows the hackers to load additional payloads, intercept texts, and hijack WhatsApp. The infected devices were reportedly re-flashed with new ROMs, although it was not determined how the devices were initially infected. As the researchers explain, re-flashing is "reprogramming and/or replacing the existing firmware of a device with a new one." The highest rates of infestation have been found in the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

IRS to send cyber attachés to four countries in new pilot program.

Dave Bittner: The IRS announced yesterday that it would begin a cyber attaché pilot program extending to four countries. The Hill reported that attachés will be sent to Australia, Colombia, Germany, and Singapore. This is not the first instance of IRS criminal investigation agents being sent abroad, and the IRS has a permanent cyber attaché at The Hague in the Netherlands. In a statement on the program, IRS-CI Chief Jim Lee said, "In order to effectively combat cybercrime, we need to ensure that our foreign counterparts have access to the same tools and expertise we have here in the United States."

Wisconsin man charged with stealing DraftKings credentials.

Dave Bittner: Joseph Garrison, an 18-year-old from Wisconsin, was charged yesterday with hacking into approximately 60,000 DraftKings sports betting accounts in November of 2022. The complaint filed by the FBI explained that Mr. Garrison was able to purchase credentials from a third-party site and sell around 1,600 of the hacked accounts, causing about $600,000 to be withdrawn from the victims' accounts. BleepingComputer explains that Mr. Garrison is also accused of running a dark web trafficking site that sells hacked accounts. The complaint alleges that "law enforcement had located an undated picture showing that Goat Shop had sold 225,000 products for total sales revenue of 2 million dollars."

Russian hacktivists conduct DDoS attacks against Polish news outlets.

Dave Bittner: Polish news agencies were taken offline yesterday by distributed denial-of-service attacks, Cybernews reports. The Polish government attributes the actions to Russian hacktivists. Such groups are well-known to function as auxiliary cyber forces. DDoS campaigns have become a characteristic feature of Russia's hybrid war. Help Net Security, citing a study by Arelion, reviews the ways in which DDoS attacks attend geopolitical conflict.

Disaffected Russian IT specialist jailed for DDoS attacks on Russian targets.

Dave Bittner: TASS is authorized to disclose that Yevgeny Kotikov has been convicted of crimes intended to disrupt the Russian Federation's IT infrastructure. Kotikov was reportedly "involved in a computer DDoS attack organized by the Ukrainian side on the information systems of subjects of the critical information infrastructure of the Russian Federation." He will serve three years in a penal colony. Cybernews has a description of the conditions that accompany such a sentence. Suffice it to say, they are not good.

An update on RedStinger (a.k.a. CloudWizard).

Dave Bittner: Malwarebytes has recently reported on a cyberespionage group of uncertain provenance, RedStinger, which appears to have selected targets on both sides of Russia's war against Ukraine. Kaspersky researchers this morning released a report on a group they call CloudWizard, and which they explicitly identify not only with RedStinger, but also with the groups responsible for earlier operations in the region going back as far as 2008. Kaspersky as a matter of policy doesn't attribute cyber operations to nation-states. Who's behind RedStinger remains an open question. Whoever it turns out to be, WIRED points out, the ability to quietly mount offensive cyber campaigns over a fifteen-year period is remarkable.

Just war principles and hacktivist auxiliaries.

Dave Bittner: And finally, in war even a just cause doesn't always equate to just conduct. Ukrainian-aligned hacktivists have conducted deception operations designed to unmask the identities of Russian officers and cause other mischief in the lives of enemy leaders. Some of those actions have involved deceiving the officers' family members (specifically their wives) into unwitting participation. Just Security has a thoughtful overview of the ways in which this and other activity in cyberspace have served to erode respect for the customary principles on which the norms of armed conflict are founded. Specifically, the principle of discrimination between combatant and noncombatant seems to be flouted by much hacktivist activity. While it might seem that deceiving a family is trivial in comparison with ordering the bombing of a hospital, which one of the Russian officers caught up in the deception is alleged to have done, any coarsening of moral sensibilities is dangerous. Governments need to exercise control over their auxiliaries as much as they do over their regulars.

Dave Bittner: Coming up after the break, Grayson Milbourne from Open Text Cybersecurity, discusses IoT and the price we pay for convenience. Our guest is Matthew Keeley with information on an open source domain spoofing tool, Spoofy. Stay with us.

Dave Bittner: Matthew Keeley is Senior Applications Security Engineer at SeatGeek and was previously Senior Security Consultant at Bishop Fox where he developed an open source tool called "Spoofy" which checks domains against SPF and DMARC records.

Matthew Keeley: With the most common cybercrime being phishing, it only makes sense to have a tool that can sort of tell if domains can be spoofed. And so, what I mean by that is when somebody sends an email to you, a lot of times what can happen is when you receive the email, what an attacker can do is they can actually change the name of where the email came from or the location of where it came from or anything like that. And in doing so, you can spoof the email so that it lands perfectly in the victim's inbox and looks legitimate. So, what attackers are doing is they're sending these spoofed emails into victims', you know, inboxes, and a lot of times it's for phishing, sometimes it's for sending, you know, wires to different locations, sometimes it's to get credentials, sometimes it's to download malware, but ultimately the reason that the Spoofy tool was built was to be able to determine and identify why domains were accepting these malicious emails and how to prevent them.

Dave Bittner: Well, if we can dig into a little bit more of the background here of where do we stand with existing tools that are trying to help with this sort of thing, things like DMARC?

Matthew Keeley: Right. So, there are some existing tools, but not a lot of them are completely accurate in terms of domain spoofing. So, domain spoofing is quite complex and it goes rather deep into the SPF and DMARC records. So, what those are is basically, with the role of SPF, which is the Sender Policy Framework, what it does is it acts as a text record in the DNS settings for a given domain. And so, what it will do is it acts like a guest list for a party, for example. And so, it will specify what email servers are allowed to send emails on behalf of that domain. So, a good example that I give in one of the blog posts that I've written about it is that if you have a domain and you want your HR system, Greenhouse, to be able to send, you know, send emails on your behalf, what you do is you can actually set that up in the SPF record, and so those emails will be able to send as your domain, for example, and send through it like that. And so, what we sort of run into is that attackers can abuse the way that these SPF and DMARC records are set up to be able to land these domains in the inboxes. And there are tools to be able to monitor and track the records; however, they're quite ambiguous and not always one-to-one with the RFC for SPF or DMARC. And so what we find is that there are a ton of domains out there that are still misconfigured and a lot of people just don't know it.

Dave Bittner: So, Spoofy is an open source tool here, walk us through it. What exactly does it do?

Matthew Keeley: Yeah, so Spoofy is a Python3 tool. It's an open source tool, and basically what it will do is it will take in a list of domains and it will validate the SPF and DMARC records of those domains. So, there is a huge chart that a very great researcher named Alex [inaudible name] created, and it's all the logic of every single edge case that could possibly happen when you have an SPF and a DMARC record. So, what he did is he took a list of about, I'd say, about 50,000 domains and he went through them all one by one to figure out every single edge case that happens when you send an email to some sort of inbox. And so, what we ended up finding, and what we created Spoofy to do, is to catch all those edge pieces, so you could have a perfect SPF record that works just as you would expect it to, but some weird, you know, syntax error or something weird that you set up in the DMARC record and everything can go wrong and the domain can still be spoofed. So, what Spoofy does is it's a tool that handles the scalability of that. So, it will take in a huge list of domains, it can--it's multithreaded so it can go anywhere from 100 domains to a couple hundred thousand domains, and it will validate those SPF and DMARC records and tell you if the domain is spoofable or not.

Dave Bittner: And so who is this for? What's the ideal use case here?

Matthew Keeley: Yeah, so a lot of the feedback we've been getting is mostly from people that are in IT on the Blue Teaming side. Originally I wrote it as a Red Team tool, and it's actually a tool that's listed in the course by RastaMouse, the Red Team Ops course, but it can be used by both. So, Red Teamers are using it to find domains that they can send spoofed emails on behalf of and then go and fix that for their organization, and Blue Teamers are taking their list of domains, so they may take it out of GoDaddy or, you know, Route53, they're pumping in their list of domains and validating that their SPF and DMARC records are correct. So it's sort of one of those tools that we intentionally wrote for Red Teamers and it actually started being more popular in the Blue Team space.

Dave Bittner: Why was it important for you and your colleagues to make this an open source project?

Matthew Keeley: So, the thing with open source tools is they're supposed to help everybody, right? And so, if we wanted it just to be a Red Team tool, more on the malicious side, it wouldn't really make sense in that aspect. There are tools out there that do some of the stuff that Spoofy does; however, we took a lot of what the other tools were doing and then combined it all into one tool that basically will check what your SPF includes, it will check everything. So, being open source we get a lot more community feedback. It's useful for anybody that wants to use this sort of thing, and, you know, we're not sort of gatekeeping this technology. It should be able to be used by anybody to protect their domains.

Dave Bittner: And people can get it on GitHub, yes?

Matthew Keeley: Yep, absolutely. So, it's on GitHub. I think it's and we just released version 1.01, which allows for multithreading, so now we can go through about 1000 domains in roughly 15 seconds, so a lot more scalability in that aspect.

Dave Bittner: That's Matthew Keeley from SeatGeek. You can learn more about Spoofy on the Bishop Fox website. Be sure to check out the extended version of this interview. It's part of CyberWire Pro.

Dave Bittner: And joining me once again is Grayson Milbourne. He is Security Intelligence Director at Open Text Security Solutions. Grayson it's always a pleasure to welcome you back to the show. I think like a lot of folks over the holiday, my home was populated with some additional IoT devices. It seems inevitable these days. But you make the point that IoT in general is something that we need to keep an eye on.

Grayson Milbourne: Yeah, you know, it's one of these great new conveniences that technology has added to our lives, and while it's great that we can connect things and have little robots to keep our house nice and tidy, a lot of people really don't think about the security element of this, and some unfortunate data has come to light recently that shows that the vendors of these convenience applications and robots and smart appliances, they're collecting a lot more information than I think people realize. As one example, you know, there was a story a couple weeks ago about data coming onto the Internet from Roomba vacuums and people in the bathroom and...

Dave Bittner: Right. Right.

Grayson Milbourne: You know, "Wait a second, I thought I was just getting a clean floor and now my pictures are on the Internet. Wait a second." And so, that's just one example, but the reality is, when we really look at IoT devices across the board, security is very frequently not even part of the thought process, right? They want to make something and bring it to market and learn about as much as they can about you in that process, and protecting your information, you know, as we've seen, if you look at the Roomba box it doesn't say that it has a camera, right? It doesn't, you know, they're not advertising these additional functionalities, and I think that's a really serious security and privacy breach.

Dave Bittner: What about for folks who are in charge of protecting organizations? You know, what sort of IoT vigilance should they have?

Grayson Milbourne: Yeah, well, so I think that that's really where businesses need to pay attention, because you can have a smart water heater or a toaster, or a lot of other, like, kitchen appliances are often becoming smarter and smarter today, and a lot of offices have overlap there. And I think the challenge is that these devices can have vulnerabilities that can leak the network authentication data. And so, I think it's mostly important to segment them on your networks properly. And you can actually do this at home, and so the advice I give also to my friends and family is that, you know, IoT is really convenient, and also having a separate network for your IoT isn't that difficult to set up. I personally got a mesh network system for my house so that I have, like, a mesh network that gives me a better Wi-Fi signal throughout the house. And I just put my IoT on the mesh network, and it sits behind my router that has my regular Internet, and then that broadcasts my Wi-Fi to my phone and to my PCs, but basically everything else that's not, you know, a personal device like that sits on the mesh network. Businesses can easily do something, you know, similar in which, you know, these devices only have limited access.

Dave Bittner: What about inventorying the devices themselves? I mean, I often hear people say that it's hard enough just keeping track of everything that's been hooked up to their network or their Wi-Fi.

Grayson Milbourne: Right. And so I, you know, technology has done somewhat of an improvement here. So, I can speak at least for Comcast, I have them in my house, and they have an app that lets me tag devices by their MAC address when they join the network. You can set it up so you get an alert, and so I've gone through and I've named the things that are on my network, because a lot of them aren't as transparent as you had hoped they would be, and so that's one way, right? And then just becoming more familiar with your router and modem and not looking at it like a black box that spits Internet out, but instead, you know, they really, I think, made it user friendly, at least in the ones I have experienced. You know, to be able to just block Internet access to certain devices based on the MAC, so you kind of have some firewall functionality within these routers today that's easily controlled through the mobile app. And so, I think that was one thing that helps. But another question I often get is, you know, how do I vet and choose and know which is the safest IoT device to get?

Dave Bittner: Right.

Grayson Milbourne: I think that that's actually still a big challenge that I would like to see industries solve through something sort of similar to Energy Star, but there could be, you know, a Security Star for IoT. That...

Dave Bittner: Right.

Grayson Milbourne: You know, it sets up standards that ensure that, you know, just data transmission is done using proper secure channels and that data storage is done properly, you know, abiding by, like, GDPR or something of a similar regulatory framework that ensures your data is protected. Unfortunately that doesn't yet exist, and so, I think one of the things that I always look for is understanding where is my data stored? And most of the time they're pretty transparent about, you know, is it local to the device? Is it something that's up in the Cloud? And for me personally, when I shop for IoT devices, I really look for things that, you know, don't send a lot of information to the Cloud or that keep everything on my local network, because it worries me, right? For example, like, I have a doorbell, a smart doorbell, which I think is a really nice security feature, but I don't test, like, you know, everybody who comes to my house, you know, that's not public knowledge, right? So, I know, like, I shopped around to find a doorbell that doesn't send the data to the Cloud. It keeps it all local, but I can still access it. So, you know, I think it depends on your own personal privacy boundaries, but there are definitely competitive advantages to, you know, considering security as part of the device. And, in fact, some of the ones that I, you know, the example I mentioned, you know, that brand advertises based on that kind of security mindset. So, you can look for that, you know, in the meantime.

Dave Bittner: Yeah. And just be mindful to not be shopping strictly on price too.

Grayson Milbourne: Yeah. I mean, I think that's a very good point. There's a saying that, you know, "when something is free, you're the product."

Dave Bittner: Right.

Grayson Milbourne: And so we look at social media like that, and Facebook and these platforms that harvest your data for their data mining. You know, IoT is an extension of that in many ways. And if you think about just, like, the smart vacuum, like a Roomba, Amazon bought Roomba. Roomba has a good idea of what's in your house and where it is and if it's been moved and, you know, like, what are they doing with all this information? And obviously, you know, they're going to argue that they're trying to, you know, be convenient and offer, you know, smarter, more intelligent suggestions based on improved understanding of you, but, you know, is that all they do with the data? Like, how is it protected? You know, to me, like, those types of things make me nervous, and so, you know, I try to limit my exposure in that regard.

Dave Bittner: Yeah. Alright, well good advice as always. Grayson Milbourne, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the Be sure to check out this weekend's Research Saturday and my conversation with Willy Vasquez from the University of Texas at Austin. We're discussing his research, "The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders." That's Research Saturday, check it out. We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.