The US has a new cyber workforce and education strategy. US hunts disruptive Chinese malware staged in US networks. Malware warnings, and an update on Russia’s hybrid war.
Dave Bittner: The US issues a National Cyber Workforce and Education strategy. Hunting Chinese malware staged in US networks. CISA warns of Barracuda backdoor. WikiLoader malware is discovered. P2Pinfect is a malware botnet targeting publicly-accessible Redis servers. Johannes Ullrich from SANS describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS Ciso CJ Moses. And Russia’s SVR continues cyberespionage against Ukrainian and European diplomatic services.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, July 31st, 2023.
The US issues a National Cyber Workforce and Education Strategy.
Dave Bittner: As expected, the White House, through the Office of the National Cyber Director, released the National Cyber Workforce and Education Strategy early this morning. The plan builds on the National Cybersecurity Strategy, released on March 1st of this year. It's an ambitious, "whole-of-nation" effort. A number of agencies have been given specific roles and missions, and the strategy includes a long and heterogeneous list of private-sector partners. The strategy isn't confined to educating Americans for jobs in the cybersecurity workforce. One of its objectives is to raise cybersecurity awareness and basic skills among the population at large. The motivation for this aspect of the strategy is the pervasiveness of activities in cyberspace in commerce and other aspects of daily life. The document "charts a course for preparing Americans for today’s jobs and enable everyone to participate fully in our interconnected society." The strategy, especially as outlined in the accompanying factsheet, represents a mix of the genuinely strategic--large-scale, enduring objectives, with a general approach to achieving them--and the highly specific, that is, the low-level tactical work particular agencies will undertake to support the strategy. The strategy outlines three "guiding imperatives:"
"Leverage adaptable ecosystems to effect change at scale."
"Enable the lifelong development of cyber skills."
"Grow and enhance the cyber workforce through improving its diversity and inclusion."
Dave Bittner: The educational component of the strategy concentrates, it’s worth noting, on regional universities and community colleges, which have long formed a significant fraction of Federally sponsored cybersecurity centers of excellence.
US hunts Chinese malware staged in US networks.
Dave Bittner: On Saturday the New York Times, citing unnamed Administration officials, reported that the US was hunting for disruptive Chinese malware that's been quietly staged in US systems. The Times' report is the result of interviews conducted over the past two months. The consensus among both government and industry experts is that Volt Typhoon precedes Microsoft's report "by at least a year." Investigation has shown that the Chinese campaign is more widespread than initially believed, and that the US work to find and "eradicate" the malware has been in progress for some time. The infestation extends beyond telecommunication systems and is, geographically global, not confined to Guam or even to US territory, but there do seem to be higher concentrations of the malware in the vicinity of US military installations.
Dave Bittner: Observers speculate that China is hedging against any US intervention in a Chinese invasion of Taiwan. The Times reports that there's disagreement within the Administration as to whether the malware is designed narrowly to cripple US military operations, or whether wider spread disruption of US society would be the goal. In any case, the US government is said to regard the apparent shift from collection to disruption as both significant and disturbing.
CISA warns of Barracuda backdoor.
Dave Bittner: The US Cybersecurity and Infrastructure Security Agency (CISA) has published three malware analysis reports on malware variants exploiting CVE-2023-2868, a remote command injection vulnerability affecting Barracuda Email Security Gateways (ESGs). One of the malware strains, called “Submarine,” was deployed by the suspected Chinese threat actor UNC4841, BleepingComputer reports.
Dave Bittner: CISA’s description shows malware built for persistence and lateral propagation. The alert says, “SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup. CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement.”
WikiLoader malware discovered.
Dave Bittner: Researchers at Proofpoint this morning described a new strain of commodity malware they’ve dubbed “WikiLoader.” The malware has been active since at least December 2022. Proofpoint calls WikiLoader “sophisticated,” and designed for staging secondary payloads. It’s evasive, and both detection and analysis have proven challenging. It’s positioned in the criminal-to-criminal market as a rental, one that’s used by several threat actors, and Proofpoint expects WikiLoader to find customers among the initial access brokers.
P2Pinfect, a malware botnet targeting publicly-accessible Redis servers.
Dave Bittner: Cado Security Labs reports a new malware campaign targeting publicly-accessible deployments of the Redis data store. The malware, “P2Pinfect,” is written in Rust and is designed for botnet creation. P2Pinfect gains initial access by exploiting the Redis replication feature. The researchers explain, “Replication allows instances of Redis to be run in a distributed manner, in what’s referred to as a leader/follower topology. This allows follower nodes to act as exact replicas of the leader, providing high availability and failover for the data store.” After initial infection, the malware drops a payload which renames “wget” and “cur,” probably in an attempt to slow down incident response.
Dave Bittner: As its name suggests, P2Pinfect then creates a peer-to-peer botnet in which each infected server serves as a single node. Cado explains that “This allows the entire botnet to gossip with each other without using a centralised C2 server. It is assumed that commands are issued by propagating signed messages across the network.”
Dave Bittner: The malware also includes a worming feature that works to propagate the infection to new servers. In researching a version of the malware specifically geared toward Windows, researchers at Palo Alto Networks’ Unit 42, who’ve also looked at P2Pinfect, have concluded that a cryptomining payload was not included in the malware. “There are instances of the word ‘miner’ within the malicious toolkit of P2PInfect,” Unit 42 wrote. “However, researchers did not find any definitive evidence that cryptomining operations ever occurred.”
SVR cyberespionage against diplomatic services.
Dave Bittner: Recorded Future's Insikt Group is tracking a cyberespionage campaign against diplomatic services that Russia's SVR ran between February and June of this year. The researchers don't have a great deal of direct insight into the targets' environment, but their reasonable conjecture is that the operation has reflected Russia's continuing interest in European governments, especially their diplomats. As is commonly the case, the attack begins with spearphishing, the phishbait being such lures as an ambassador's schedule, an invitation to an embassy reception, or, in a case we've seen before, an ad for a used BMW.
Dave Bittner: The message redirects to a compromised domain from which BlueBravo (as Recorded Future calls the SVR threat actor) installs malware that gives it persistence in the target's network. BlueBravo has cycled through at least three major tools this year. The one most recently used the researchers call "GraphicalProton," a loader that's staged in an ISO or ZIP file. GraphicalProton exploits legitimate services, especially Microsoft OneDrive for delivery to the target.
Dave Bittner: And so the cyber activity in Russia’s hybrid war seems to have contracted to familiar espionage, with a big side-helping of disinformation.
Dave Bittner: Coming up after the break, Johannes Ullrich from Sands describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS Ciso CJ Moses. Stay with us.
Dave Bittner: And it is always my pleasure to welcome back to the show, Rick Howard. He is the Cyberwire's Chief Security Officer. Also our Chief Analyst, and he is the host of the "CSO Perspectives Podcast." Rick, over this summer, you have been quite buys. Of course, you've done a little bit of vacation time, you've done some [chuckling] internal N2K cybersecurity work, but you've also been doing some company travel. You went out to California, and spoke at the annual Google Sales Conference. You keynoted at the Rocky Mountain Information Security Conference in Denver, and then you went back out to Anaheim, California, and you covered the AWS Reinvent Conference, to see what the latest developments were in AWS Security. And now, you're back [laughing] and you're releasing a new episode of the "CSO Perspectives Podcast." So, first of all, welcome back [chuckling] and second, what do you have in store for us in this new season of "CSO Perspectives"?
Rick Howard: Well, thanks Dave. It's great to be back in the saddle again. And for this episode of "CSO Perspectives," I'm taking advantage of that opportunity I got while attending the AWS Reinvent Conference. Besides the trip that our mutual producer, Jenn Ivan, and I made to Disneyland for one magical evening, and we should do an entire show just to talk about that escapade. I have stories, Dave, I'm just saying. Right? I got to sit down with the AWS Ciso CJ Moses. Now, CJ got his start in the U.S. Air Force, back in the late 1990s working for the Office of Special Investigations as a Computer Crime Investigator, chasing hackers around the world, back when the Internet was still the wild, wild West. He worked for the FBI in [inaudible] doing cyber stuff as a civilian, and then in 2010, he took a job at Amazon, and worked his way up the ladder, and he eventually became the AWS Ciso two years ago. And Dave, you know, I get to talk to a lot of Cisos in this job. But CJ is a special case. If AWS was its own company, and not owned by Amazon, it would be a Fortune 500 company in its own right, with 58.7 billion dollars in revenue in 2022, slightly below Morgan Stanley, and slightly above Tesla. So CJ, you know, obviously has a huge job. Not only protecting the internal AWS environments, but also protecting all of the environments that most of us, as customers, use while deploying the service. And of course, he spends a lot of the time thinking about strategy and tactics, and since I just published a book on cybersecurity strategies and tactics, we had a rollicking conversation about what that means at AWS.
Dave Bittner: Hm! Can you give us an example?
Rick Howard: Well, in my book, I include an entire chapter on resiliency as a strategy, and the tactics you might need to pursue that strategy. But CJ's great insight is that traditional resiliency is about ensuring that your data and systems are always available. If there is an availability issue, you can't get to those resources for whatever reason. They exist, there's just some technical issue preventing access. But CJ says that durability is a more important adjective for resiliency. It means that without durability, not only can you not get to your data and systems, they are no longer there. You'll never be able to get access, because they're gone. And I wish I had that little bit of insight, when I wrote that chapter in my book. That is some really interesting ideas.
Dave Bittner: You know, as it reminds me of a friend of mine, who used to describe-he was a a commercial insurance agent, and he would often invoke a vision of a-he called it a "Wile E. Coyote smoking hole in the ground."
Rick Howard: [Laughs] I love the metaphor.
Dave Bittner: Well, before I let you go, what is the phrase of the day over on your "Word Notes Podcast" this week?
Rick Howard: Well, you're going to laugh, Dave, but this week's phrase is Apple's iCloud keychain, and before we did the episode, I thought I knew what that was, but it turns out, I didn't. But you know that Apple considers that a password manager, similar to Last Pass, and One Password? I didn't know that, okay? I guess I should have known that [laughter], but how did that pass me by? I don't know. So anybody in the audience, if you're like me, download this episode, and get some edumacation, because I definitely did not know that.
Dave Bittner: Yeah, it's an interesting thing, I think there is a lot of functionality built into iCloud Keychain that is kind of hidden, and people just don't know about it, and I don't know if that is Apple not doing a great job of promoting it, or what? But, I'll be looking forward to tuning in, and finding out what you have to say about it. As always, Rick Howard, thanks for joining us.
Rich Howard: Thank you, sir.
Dave Bittner: And joining me once again is Johannes Ullrich. He is the Dean of Research at the Sands Technology Institute. And also, the host of the "ISC Stormcast Podcast," Johannes, it's always great to have you back. I know something you've have had your eye on are threat actors, targeting YouTube content creators. What's going on here?
Johannes Ullrich: Yeah, so what we observed, we have written about, like a few months ago, was that relatively popular YouTube accounts, with sometimes millions of followers were compromised, and then used for crypto coin scams. The scams are all pretty much the same. They have a fake video of Elon Musk, advertising some kind of giveaway or such, to trick people to send them crypto coins. But what we really didn't sort of know is how did they get access to these accounts? And a little bit of breakthrough came there, I think it was two months ago, or a month a go, Linux Tech Tips, which is one of the big tech YouTube channels, was compromised by just one of those scams. They talked a little bit about how it happened. So this helped us actually to then do some more target searches for the attack, but you know, it turned out to be spearfishing.
Dave Bittner: Hm!
Johannes Ullrich: And they're particularly going after these creators by basically sending them a fairly well-done fake sponsorship offer.
Dave Bittner: Hm!
Johannes Ullrich: So first of all, they appear to come from companies that are well-known to sponsor many YouTube channels, like for example in this case, we had Nord VPN. Again, this is not coming actually from Nord VPN, it just claims to come from Nord VPN, and the attacker went so far as to registering a special domain, Nordvpn-media.com, so a very plausible domain where a media contact for Nord VPN would use that to send email from, and then it had the usual PDF attachment, and then something that you may expect, some documents, more details about how to get in contact, and what they're willing to pay, or what their rules are, or whatever. And then that PDF, then, led to malware, there was a link in the PDF, once clicked, you download malware, they claimed it was additional documentation about how to sign up for their sponsorship offer, but it actually contained an info stealer, meaning, something that collects credentials. It put in then, of course, things like YouTube logins, and such.
Dave Bittner: I see. At the risk of blaming the victim here, do the folks who have been hit by this, do they have multi-factor authentication enabled?
Johannes Ullrich: They do, and that's something that Linux and [inaudible] sort of post-mortem of the incident talked about, they do have two-factor authentication enabled, and in fact, you probably do similar things, but you have your automatic pipeline, that processes your audio, and then some kind of API key that is being used to upload the audio, and that API key, actually particularly with YouTube, it's nothing you can easily limit to just allow video uploads, but once they have that API key, they have full access to your account. And that of course, then, you know, is used to change passwords, and basically take over the account.
Dave Bittner: So basically once they have access to your system, they're taking advantage of the API to get to your YouTube channel, and its credentials.
Johannes Ullrich: Correct, like often, whatever software you're using to produce the audio, the first time you set it up to connect to YouTube, you basically set up these API keys, really only help is here to keep those systems a little bit more isolated, where, if you are running some malware on your desktop, it doesn't have access to those API keys. But that's of course a larger production to really set it up correctly and still have a fast, functional system to actually publish all of your content.
Dave Bittner: Is there any sense for how helpful YouTube is being, with trying to get these accounts back?
Johannes Ullrich: Well that's another problem here, that YouTube is not that terribly helpful. If you're Linux Tech Tapes, which was like one of their top creators, yes, they got some help, but I think it even took them, what was it, sort of half a day kind of, to get everything straightened out. If you are a lesser creator, with merely like one or two million subscribers [laughter], then-
Dave Bittner: Only a couple million [laughing]!
Johannes Ullrich: [Laughing] Only a couple million subscribers [laughter continues] then you may have a much harder time to get through to YouTube. The other problem is that this API case, the way they should be done is that they have very specific permissions to prevent sort of this complete account takeover, if you are getting hold of one of those API keys. But of course, that's always hard to change in hindsight, if you are now limiting these credentials, then of course, all kinds of processes that people set up will break.
Dave Bittner: In the post-mortem, as you say, from the folks who run Linux Tech Tips, what changes have they made?
Johannes Ullrich: I believe they said that they basically are monitoring those keys more closely. Another important part here, is also, and we always talk about back-ups, but one thing the attacker did here was delete all of the videos.
Dave Bittner: Oh, wow.
Johannes Ullrich: So actually one of the major delays in getting everything back together was just the sheer time it takes to upload all of these videos.
Dave Bittner: Yeah. Alright, boy it's an interesting cautionary tale. Johannes Ullrich, thanks so much for joining us.
Johannes Ullrich: Thank you.
Dave Bittner: And that's the Cyberwire. For links to all of today's stories, check out our daily briefly at the Cyberwire.com. Don't forget to check out the "Grumpy Old Geeks Podcast." I joined Jason and Brian on their show for a lively discussion of the latest security news every week, and find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the Cyberwire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's pre-eminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment-your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin, and Senior Producer, Jennifer Eiben. Our Mixer is Trey Hester, with original music by Elliott Pelsman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.