The CyberWire Daily Podcast 5.30.23
Ep 1833 | 5.30.23

Mirai’s new variant targets IoT devices. Volt Typhoon investigation continues. Hacktivism in Senegal. Lessons learned from Ukraine.

Transcript

Dave Bittner: New Mirai malware uses low complexity exploits to expand its botnet and IoT devices. The latest on Volt Typhoon. DDoS hits government sites in Senegal. The Pentagon's cyber strategy incorporates lessons from Russia's war, while the EU draws lessons from Ukraine's performance against Russia. Joe Carrigan explains Mandiant's research on URL obfuscation. Mr. Security Answer Person John Pescatore plays security Whack-a-mole, and NoName disrupts a British airport.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, May 30, 2023.

New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices.

Dave Bittner: Palo Alto's Unit 42 discovered a new variant of Mirai targeting IoT devices using several vulnerabilities to propagate itself and add machines to its botnet. This variant exploits four vulnerabilities. Researchers at Unit 42 explain that the infected machines then become a part of Mirai's botnet and can be used to conduct such further actions as DDoS attacks. The researchers note that this Mirai strain has been seen in several campaigns, and they assess that these were all conducted by the same threat actor.

Update on Volt Typhoon.

Dave Bittner: US government officials are still determining the extent to which their systems were infiltrated by the recently disclosed Volt Typhoon cyberattack. CNN writes that NSA's cybersecurity director Rob Joyce said US officials are still trying to verify that Chinese hackers have been kicked out of networks they've broken into during the months-long campaign. He added that NSA had been investigating this incident since last year. Secretary of the Navy Carlos Del Toro told CNBC that the Navy has been impacted and wasn't surprised by the announcement of the cyberattack. Specific details about the motives and ultimate goal of the attack are still undetermined, but Secureworks researcher Mark Barnard contends that the threat actors are aiming for strategic intelligence, writing that they're ultimately trying to avoid a Chinese affiliation. He says that they're after that strategic long-term access to organizations that are working very closely with the military and have extremely valuable data that they may potentially be able to mine for military intelligence value.

DDoS hits government sites in Senegal.

Dave Bittner: An array of Senegalese government websites was targeted by DDoS attacks that took them offline on Friday, Reuters reports. The hackers behind the DDoS attacks call themselves Mysterious Team and claimed to work on behalf of the Senegalese people. The group claims its origins are in Bangladesh. But, as Reuters observes, the connection between Senegal and Bangladesh isn't clear. The activists were seen using the hashtag #FreeSenegal in tweets. Senegal is seeing heightened political tensions with protests abounding over what Reuters simply calls a host of issues. As of Saturday, the presidential website was said to be back online, while some other government sites remained in a process of recovery.

Pentagon's cyber strategy incorporates lessons from Russia's war.

Dave Bittner: The US Department of Defense has sent its 2023 cyber strategy to Congress. The Department says the strategy represents an evolution of the 2018 Department of Defense Cyber Strategy, and "provides direction" for the implementation of the 2022 National Defense Strategy in cyberspace. The Strategy itself is classified, but an unclassified fact sheet released by the department emphasizes that the cyber aspects of the hybrid war between Russia and Ukraine have helped inform the strategy. It identifies the principal threats in cyberspace as China, Russia, North Korea, Iran, violent extremist organizations, and transnational criminal organizations, who are often aligned with the foreign policy objectives of the governments that support and protect them.

The EU draws lessons from Ukraine's performance against Russia.

Dave Bittner: Josep Borrell, the EU's foreign policy lead, reflected recently on the lessons Europe might learn from Ukraine's combat record, which he finds generally impressive and worthy of emulation. He brackets cyber with electronic warfare and thinks Ukraine has shown the importance of both. He says that electronic warfare capabilities including but not limited to cyber are increasingly relevant.

NoName disrupts British airport's system.

Dave Bittner: Russian hacktivist auxiliaries affiliated with the NoName group claimed responsibility for a denial of service attack that briefly disrupted London City Airport's website Sunday morning, Simple Flying reports. Flight operations were unaffected.

Congratulations, class of 2023

Dave Bittner: And, finally, if you are browsing Zillow, one of the more widely consulted real estate sites, you may have noticed that Meade Senior High School at Fort Meade, Maryland, was listed for sale and that, at just $42,069, it was a steal. The listing said the property boasted 12,458 square feet with 20 bedrooms, 15 baths, a spacious kitchen, and a private basketball court. Sorry, speculators and flippers, but the New York Post says it was just a prank by graduating seniors. The school's administration thought the asking price was way too low. In any case, Zillow has now removed the listing, so you're out of luck if you're thinking of putting in a bid. In any case, congratulations to all graduates of the Class of 2023. Go Mustangs.

Dave Bittner: Coming up after the break, Joe Carrigan explains Mandiant's research on URL obfuscation. Mr. Security Answer Person John Pescatore plays security Whack-a-Mole.

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode: "Hey, Mr. Security Answer Person. Seems like we've been talking about transitioning cybersecurity away from Whack-a-Mole for decades now. Has anyone actually made any progress doing that?" Well, to skew old, I think I can claim credit for actually being the first to use that analogy in 2006 or so. My actual statement said something like success would mean transitioning from Whack-a-Mole to more chess-like strategies versus abandoning Whack-a-Mole, because I never felt that would happen. Here's why. Chess is a bounded problem. The board is a fixed size, the pieces can only make certain moves, and the players take turns. Cybersecurity is not bounded. None of those rules apply. The board, think software and people vulnerabilities, is infinite. The bad guys can move their pieces in all kinds of crazy directions, and they don't have to wait for us to take our turn before they act. By the way, this is exactly why artificial intelligence and machine learning can beat experts at chess but not so much at cybersecurity. Cybersecurity is essentially an infinite game. Many CISOs are fans of Simon Sinek's 2019 book, Infinite Game Theory. To quote Mr. Sinek: "Finite games like football or chess have known players, fixed rules, and a clear endpoint. The winners and losers are easily identified. Infinite games, games with no finish line like business or politics or life itself, have players who come and go. The rules of an infinite game are changeable, and infinite games have no defined endpoint. There are no winners or losers, only ahead and behind." Well, I'll quibble a bit with Mr. Sinek's last point. There are winners and losers. If you lag behind the bad guys and they find you, you and your business will clearly be losers.
So, as I explained, we really can't abandon Whack-a-Mole, but we can use strategies to focus more on the most likely and/or most damaging holes the evil little varmints will pop out of. If you want to be all fancy-schmancy about it, call that a risk-based approach. But here's what I mean. First, throw some 90 percent rules at the problem, such as: 90 percent of business revenue comes from 10 percent of applications used. Watch those holes more carefully. Ninety percent of successful attacks succeed by using phishing attack front ends to compromise reusable passwords. Fill in those holes with two-factor authentication. Ninety percent of the remaining attacks would be stopped by essential security hygiene controls. Work with IT to pave over those holes. Businesses that have applied just those three rules can focus on nine or ten critical holes versus having to spread equal attention across 1,000 different places to look. You still need fast reactions, but the proactive steps mean you no longer need superhero speed or strength to reduce, if not avoid, business damage. Then you can apply the freed-up staff time towards some strategic moves and more lean-forward operation techniques like threat hunting, purple teaming, data encryption, etc., that will be the equivalent of turning pawns into additional queens on the board. So I'll stick up for the Whack-a-Mole chess hybrid goal. A lot of the enterprises who have not shown up in the news for breaches have been doing just that, getting more effective and more efficient and increasing the odds of successful mole whacking, freeing up skilled analyst time for taking advanced steps to identify future new holes and maybe even fill in some of the old ones. Plus, with advanced Whack-a-Mole skills, you'll be able to win gigantic stuffed animals for your kids or your significant other at the local carnival.

Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com.

And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my cohost over on the Hacking Humans podcast. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: Some interesting research from the folks over at Mandiant. This is a report written up by Nick Simonian. And it's titled, Don't @ Me: URL Obfuscation Through Schema Abuse. Can you unpack this here, Joe?

Joe Carrigan: Sure.

Dave Bittner: What are they describing here?

Joe Carrigan: Okay. So we have to understand first how URLs work and what a URL is.

Dave Bittner: Okay.

Joe Carrigan: And it is a universal resource locator.

Dave Bittner: Yep.

Joe Carrigan: So there is an RFC that was out in the early '90s, 1738. And if you remember the early '90s, Dave, we weren't really concerned about any of this security thing.

Dave Bittner: Right.

Joe Carrigan: So I guess the way they're designed, if you want to talk about a URL --

Dave Bittner: Yeah.

Joe Carrigan: -- is you have a scheme or what's usually a protocol. Then you have two slashes. And then you have a field for a user, followed by a colon, followed by a password, followed by an at sign, followed by a host of -- indication of some kind, then another colon and a port and then a slash and then the URL path. Now, where it gets tricky is the HTTP specification says we're going to follow the URL specification, but we're not going to use username and password in HTTP.

Dave Bittner: Ah. Okay.

Joe Carrigan: We're going to ignore anything before the at sign.

Dave Bittner: So -- but I also think there's a distinction here because I think most of us when we think about a URL, probably the first thing that comes to mind is something -- an HTTP request.

Joe Carrigan: Correct.

Dave Bittner: Going to a website.

Joe Carrigan: That's right. It's the same -- it's the same I don't want to say error, but it's the same thinking that, when people think internet, they think of the web and only the web.

Dave Bittner: Right.

Joe Carrigan: There's a lot of services on the internet and a lot of different protocols running.

Dave Bittner: Okay.

Joe Carrigan: And the web is just the one that people use the most.

Dave Bittner: Yeah.

Joe Carrigan: So they're familiar with HTTP and HTTPS.

Dave Bittner: Right.

Joe Carrigan: They know that -- some of them might even -- a lot of them might even know the difference between the two of them, right.

Dave Bittner: Right.

Joe Carrigan: Which is important.

Dave Bittner: Hopefully our audience does.

Joe Carrigan: Yeah. I would hope so.

Dave Bittner: So what's going on with this at sign issue here?

Joe Carrigan: So what happens is, if I have an at sign in the -- in a web -- an HTTP or HTTPS URL, everything before it gets ignored, per the specification. So I can say, Hey, Dave. Here's a link to google.com and put in HTTP://google.com @ Joe's malicious website.com.

Dave Bittner: Oh. I see.

Joe Carrigan: Right. Where you go is just Joe's malicious website.com.

Dave Bittner: Okay.

Joe Carrigan: And that's -- that's what happens. But there's more obfuscation is going on here, as well, including some things, honestly, I didn't know about until I read this article.

Dave Bittner: Okay. Go on.

Joe Carrigan: So we have all these different domain names. We're familiar with DNS and how that works, right? I type in google.com to go to -- to go to Google services, but my computer in the background goes, well, I don't know what that is. Let me go ask DNS what that is. And DNS comes back with an IP address.

Dave Bittner: Right.

Joe Carrigan: And, historically, with IPv4, which is the one that we all are very familiar with, when you see an IP address, it comes back with like 1.2.3.4, which is the pedantic example that's used in this -- in this article --

Dave Bittner: Yeah.

Joe Carrigan: -- which is a perfect example.

Dave Bittner: Yeah.

Joe Carrigan: And I'm sure that as I say some number between 1 and 255 dot something dot something dot something, everybody immediately envisions an IP address in their head. If they've been working in this field long enough, that's what happens.

Dave Bittner: Sure.

Joe Carrigan: Well, here's something you can do that I had absolutely no idea you could do this. You can represent that as just one long binary string, and web browsers will interpret it accordingly. So you can take that long binary string and turn it into a -- an integer, essentially a four-byte-long integer. In the case of 1.2.3.4, it can be represented as 16909060. And you can put that in after http://. And I did that. I found out what Google's IP address is by pinging google.com.

Dave Bittner: Yeah.

Joe Carrigan: I found a service online that will turn an IP address into an integer. And I went to HTTP:// that integer, and it gave me a warning about the certificate not being right because this certificate is for google.com and not whatever that integer is. But I went through anyway. And, sure enough, I wound up at google.com. It works just fine. This is new to me. I did not know this was possible.

Dave Bittner: Wow.

Joe Carrigan: You can also denote the -- denote the IP address in hexadecimal or in octal. And you can even mix octets if you want. We call these numbers octets. They're really just eight bits. But you can mix a -- you can define one octet as a hexadecimal number. You can define one octet as a decimal number by putting no prefix in front of it. And you can define another octet as an -- as an octal number by putting a zero in front of it.

Dave Bittner: Right.

Joe Carrigan: And it will work. So, really, the idea is now I'm obfuscating where you're going, and that's the entire attack. And I'm making you think that you're going someplace not malicious by putting a nonmalicious URL in front of the at sign, but everything in front of the at sign is disregarded in HTTP.

Dave Bittner: So it seems like they're taking advantage of, is it fair to say, a relic functionality or, you know, a functionality from -- that reveals the very early technical/nerdy start for all this stuff?

Joe Carrigan: Yeah, it does. It does. Making it hard for the HTTP to -- protocol to change. But, if you do that, you start being nonstandard.

Dave Bittner: Yeah.

Joe Carrigan: Right. Really, what's happening here is the HTTP, the protocol says, We're not going to use anything, any username or password here.

Dave Bittner: Right.

Joe Carrigan: There are other methodologies within HTTP to do that, so just disregard them. The real danger is, of course, just the social engineering potentials here.

Dave Bittner: Yeah.

Joe Carrigan: Right? Because if I send you, Dave, check out this thing I found on Instagram, instagram.com at some random number, random looking number slash my malicious link --

Dave Bittner: Yeah.

Joe Carrigan: -- it's not going to look like a malicious URL to you. It's going to look very similar to -- the only thing that's going to stand out is that at sign. And if you know to look for the at sign, okay. Maybe you find it. But if you don't know to look for the at sign, there's a good chance you're going to click on it. Well, this says instagram.com.

Dave Bittner: Right.

Joe Carrigan: And if you hover over it, it's even going to say, Hey, it goes to instagram.com.

Dave Bittner: Right.

Joe Carrigan: But -- well, it will look like that, but it doesn't actually.

Dave Bittner: Yeah, yeah. All right. Well, interesting stuff. I should -- I should also note that Mandiant has posted some YARA rules that you can use to detect this sort of thing, so hats off to them for that.

Joe Carrigan: Indeed.

Dave Bittner: Again, this is research from the folks over at Mandiant. Nick Simonian is the one who published this on their blog. It's titled Don't @ Me: URL Obfuscation Through Schema Abuse. Joe Carrigan, thanks for explaining it to us.

Joe Carrigan: My pleasure.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll be back here tomorrow.