Cyberespionage tradecraft, including shopping in the C2C market. Seeking satcom resilience. Sanctions against disinformation. A quick look at current OT threats.
Dave Bittner: C2-as-a-service with APTs as the customers. Cyberespionage activity by Indian APTs. Gamers under attack. StarLink limits Ukrainian access to its systems. The EU levies new sanctions against “digital information manipulation.” Ukraine's Security Service takes down money-laundering exchanges. Ben Yelin unpacks fediverse security risks. Our guests are Mike Marty, CEO of The Retired Investigators Guild, & Tom Brennan, executive director of CREST, discussing their efforts on cybercrime investigation and cold case resolution. And Nozomi's OT IoT security report sees a lot of opportunistic, low-grade whacking at industrial organizations.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, August 1st, 2023.
C2-as-a-service (and APTs are the customers).
Dave Bittner: Researchers at Halcyon have published a report looking at command-and-control providers used by ransomware gangs. Specifically, the researchers point to the Cloudzy virtual private server (VPS) provider as “the common service provider supporting ransomware attacks and other cybercriminal endeavors.” Cloudzy is incorporated in the US, but the researchers believe the company “almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions.”
Dave Bittner: The researchers state, “Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.”
Cyberespionage activity by Indian APTs.
Dave Bittner: CYFIRMA researchers describe a cyberespionage campaign that uses a bogus app, "SafeChat," to install spyware into targeted Android devices. The payload is believed to be an Android version of Coverlm, malware that captures call logs, texts, and geolocations. The targets seem concentrated in South Asia, notably in Pakistan, and BleepingComputer says the activity is associated with an Indian government APT, Bahamut. Some observers have attributed the operation to "mercenaries," but CYFIRMA's report disagrees. "We are unable to disclose the specific target location of the sensitive cyber-attack, due to its sensitivity and security concerns," the company's report says. "However, we can confirm that the target serves the interests of one nation state government. While some security organizations initially identified the threat as originating from a mercenary group, our own analysis indicates that it is, in fact, an Indian APT group acting on behalf of one nation state government. Several reasons support this conclusion."
Dave Bittner: The Hacker News reports that another group, "Patchwork," also believed to have ties to Indian operators, is deploying the EyeShell backdoor against Chinese universities and research institutes. Researchers at the KnownSec 404 Team note that the activity, which also prospects some targets in Pakistan, shows some overlaps with SideWinder and the DoNot Team, both of which have also been associated with India.
Games under attack.
Dave Bittner: BleepingComputer reports that attackers are exploiting the BleedingPipe remote code execution vulnerability affecting many Minecraft mods running on Forge. An article from Minecraft security community MMPA states, “BleedingPipe is an exploit being used in the wild allowing FULL remote code execution on clients and servers running popular Minecraft mods on 1.7.10/1.12.2 Forge (other versions could also be affected), alongside some other mods. Use of the BleedingPipe exploit has already been observed on unsuspecting servers. This is a vulnerability in mods using unsafe deserialization code, not in Forge itself.”
Dave Bittner: MMPA adds, “This vulnerability has already been exploited many times and many 1.7.10/1.12.2 modpacks are vulnerable, however any other version of Minecraft can be affected if an affected mod is installed. This vulnerability can spread past the server to infect any clients that might join, though we do not know if there is any such malware in the wild.”
Dave Bittner: A different game is also under attack. TechCrunch reports that hackers are spreading a worm via a vulnerability affecting the 2009 version of Call of Duty: Modern Warfare 2. Maurice Heumann, a security researcher who claims to have found and reported the bug to Activision in 2018, says the company never issued a patch for the flaw. Heumann told TechCrunch, “It’s a simple buffer overflow with only very few limitations. Writing a full-fledged exploit is a simple task.”
Dave Bittner: The incidents aren’t principally important to the gamers themselves, but are instead worrisome because the games can serve as entry points to wider networks.
StarLink limits Ukrainian access to its systems.
Dave Bittner: StarLink, which shortly after Russia's invasion last year played a vital role in restoring connectivity disrupted by early and successful Russian cyberattacks against the ViaSat networks that had served Ukraine, is now selectively blocking Ukrainian military access to its systems. The Telegraph reports that an attack by surface drone boats against Russian naval units in the Black Sea was canceled, reports say, when StarLink withdrew the connectivity that would have been necessary to control the operation. StarLink is controlled by Elon Musk, who has said he didn't want his system used in support of long-range offensive operations. He's selectively denied access to the network when he disapproves of attacks it appears likely to be used to execute. Mr. Musk has previously expressed approval of an ill-advised peace plan for Ukraine that would have essentially accepted the widely discredited plebiscites Russian occupation authorities staged in conquered Ukrainian territory. Ukraine is interested in acquiring a communications infrastructure that's less dependent upon Mr. Musk’s diplomatic and geopolitical judgment.
EU levies new sanctions against “digital information manipulation.”
Dave Bittner: Cybernews reports that several organizations and individuals have been sanctioned for their participation in disinformation designed to support Russia's invasion of Ukraine. This latest round of sanctions addresses a campaign the EU calls "Recent Reliable News." The effort involved the creation and operation of more than two-hundred-seventy proxy news outlets that flacked coordinated Russian propaganda. The entities under sanction include InfoRos (a news outlet closely connected to the GRU, and regarded as the coordinator of Reliable Recent News), ANO Dialog (a Russian not-for-profit connected to Russia's Department of Information and Technology), the Institute of the Russian Diaspora, the Social Design Agency, Structura National Technologies, and two Russian IT firms. The EU has frozen their assets and prohibited EU citizens from funding the sanctioned organizations in any way. The individuals who've been sanctioned are now forbidden from entering or passing through EU countries.
Ukraine's Security Service takes down money-laundering exchanges.
Dave Bittner: Cybercrime, of course, continues even under wartime conditions. Yesterday Ukraine's Security Service announced that it had disrupted a network of illicit fund-transfer sites that were engaged in converting Russian rubles into Ukrainian hryvnia. The network made use of various sanctioned Russian crypto payment services to turn over currency each month worth more than $4 million, Bank Info Security reports. The Security Service of Ukraine said that "underground exchange points" were found and shuttered in Kyiv, Kharkiv, Rivne and Sumy.
Nozomi's OT IoT security report, H1 2023.
Dave Bittner: Nozomi Networks has published its OT/IoT Security Report for the first half of 2023, looking at “a high volume of network scanning indications in water treatment facilities, cleartext password alerts across the building materials industry, program transfer activity in industrial machinery, OT protocol packet injection attempts in oil and gas networks, and more.”
Dave Bittner: The researchers note, “There are three main categories of OT/IoT cyber incidents: opportunistic, targeted, and accidental. Over the past six months, opportunistic attacks remain the most prevalent and will continue to flood traffic via DDOS attempts, enumerate common weaknesses and vulnerabilities for initial access, and trial and error malware strains regardless of network domains and target systems.”
Dave Bittner: So, recently at least, industrial organizations seem to be facing much the same sorts of attacks other organizations do. Whether state actors like Volt Typhoon, whose intrusions into US networks American authorities are currently working to find and neutralize, would represent a more focused and disruptive threat to industrial processes themselves, remains to be seen.
Dave Bittner: Coming up after the break; Ben Yelin unpacks fediverse security risks, our guests are Mike Marty, CEO of the Retired Investigators Guild, and Tom Brennan, executive director of CREST, discussing their efforts on cybercrime investigation and cold case resolution. Stay with us.
Dave Bittner: Tom Brennan is executive director of CREST International, a global nonprofit that focuses on accreditation and certification of cybersecurity professionals within their member companies. CREST recently announced a partnership with another nonprofit organization called The Retired Investigators Guild, The RIG for short, along with the release of a co-authored research paper titled "Building an Effective Cybercrime Unit." Mike Marty is CEO of The RIG.
Mike Marty: You know, our mission is a pretty simple one; it's restoring America's faith in law enforcement and continuing the tireless pursuit of criminals in the interest of victims of violent crime. And one of those things, the vehicle in which violent crime usually is riding in, is some sort of cyber component. That's where I believe the connection between CREST and RIG is so important. We assist law enforcement agencies with subject matter experts to help them in major crimes investigations.
Dave Bittner: You all shared some interesting statistics here about folks who have retired from law enforcement and how an organization like The RIG really gives them an opportunity to use their skills beyond retirement.
Mike Marty: Yeah Dave, it's one of those things that you know, I'm a retired homicide investigator. Retired from the Douglas County District Attorney's Office as the chief investigator, working numerous homicides that span the globe. The average lifespan for somebody like me upon retirement is between six and nine years. That's a lot of mental issues, a lot of medical and health related issues that come with the job. What we attempt to do with RIG investigators is reinvigorate them, get them passionate about the things that they're subject matter experts in, and direct them to helping solve cold cases and assisting with major active cases.
Dave Bittner: Let's dig into this research paper, this is Building an Effective Cybercrime Unit, what are you all hoping to accomplish here with the paper?
Tom Brennan: The goal of the paper is to outline some practices that are sometimes not well-discussed. One of the common themes that we found in speaking with organizations and agencies around the world, was you know, sometimes the large metropolitan locations have a pretty good framework that they pull from, but again, smaller organizations or organizations that might not be as staffed, you know, struggle with what that looks like. So we help them with identifying both the mapping to the strategy and some of the minimum standards and what some of those performance indicators may be in running an effective cyber squad, particularly investigating cybercrime. So there's a component there, as Mike mentioned, I think that whether it be a homicide, whether it be a kidnapping, whether it be something of, in that space, nowadays technology is used in just about everything, right? So there needs to be a component there that is looked upon and then also spin it around, when organizations are under attack, you know, we have law enforcement agencies that are being attacked physically, and electronically, and then data integrity is at risk. So let's say you have undercover operatives or you have individuals that are working on cases or matters, and the data integrity is you know, disrupted. That can cause significant impact to the victims affected.
Dave Bittner: You know, Mike, I'm curious where we stand when it comes to law enforcement organizations having cybercrime units. I'm imagining there's such a broad spectrum, you know, there's small town police forces, all the way up to something like New York City, which is you know, a huge employer and everything in between. Overall what's your sense of where organizations stand in terms of trying to address this issue?
Mike Marty: Across the United States we're behind the eight ball. We're behind the eight ball because technology advances at such a rapid pace and corporations have the money to fund that, as far as investigations and preventing cybercrime. Local law enforcement agency in your small town, barely has the budget to keep men and women on the street, let alone protect their critical infrastructure and you know, some of the backbones of their IT network. So, you know, in my opinion, professionally speaking, I think that you know, law enforcement's behind the eight ball when it comes to how prepared we are, and then investigating those crimes, let's talk about subject matter expertise, you maybe have one computer forensics expert in a small town that services you know, many jurisdictions, so overworked and not enough men and women to do the job.
Dave Bittner: To what degree is there an educational component here as well? I mean you know, as you say, cybersecurity and in these cybercrimes, they evolve so quickly. I can imagine it's a challenge for a detective, a law enforcement officer just to keep up.
Mike Marty: Yeah, you know, just in standard training, right, most law enforcement agencies across the United States have anywhere between 24 and 48 hours of mandatory training just to be a basic peace officer. Then layer on top of that, the specialty assignments they have. Now let's talk about computer forensics or cybersecurity. That in and of itself is an educational path that is in its infancy right now in law enforcement. And so, you know, that's one of the things that I think this partnership between CREST and The RIG will help too, with our outreach into those law enforcement agencies to bring a trusted partner with us, you know, on our journey.
Dave Bittner: You know, Mike, you all sent over some statistics ahead of our interview here and I found it rather sobering how few organizations have cold case units. What is the response that you all are getting when you're reaching out to these understaffed organizations and saying yeah, you know, this may be a potential resource for you.
Mike Marty: It's been tremendous and welcoming. You know, I can tell you, as you know, a former chief, if somebody came to me with this opportunity to have no strings attached for free, subject matter expertise inserted in on a cold case or a major crime that's active, and I didn't have the bodies, this is huge. And so, you know, what we are combating right now is the funding piece. To fund us so that we can do these things at no cost for law enforcement agencies. But it's been overwhelming. Overwhelming support from law enforcement.
Dave Bittner: That's Mike Marty, CEO of The RIG, joined by CREST International Executive Director Tom Brennan.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: So, Ben, you are still hanging out over on the platform formerly known as Twitter, right?
Ben Yelin: Yes, I'm a dead ender for [inaudible], previously known as Twitter.
Dave Bittner: Are you X-ing or whatever we call tweets these days?
Ben Yelin: Xeet, Xeeting, x-e-e-t, I guess is the preferred parlance. Yeah, as bad as it gets now, as awful as the user experience has become, I will be there until its last dying day.
Dave Bittner: Why?
Ben Yelin: I think it's network effects, I already have a lot of friends and acquaintances who are on there, I have a lot of really interesting conversations with people, I've built up that network over a long period of time. And it's going to be very difficult to recreate somewhere else.
Dave Bittner: Yeah, can't let go. I understand.
Ben Yelin: I'm certainly not happy about it.
Dave Bittner: Right. It's like quitting smoking, right? Or something like that.
Ben Yelin: It is, yeah. No, I mean it's, you become so, your body becomes so dependent on it that it's just so hard to quit. Yeah, I mean I wish I could quit and I guess I should hold out the possibility that it gets so bad but I do consider myself a dead ender.
Dave Bittner: Okay. Well, I, and lots of people like me, have put our Twitter accounts into hibernation or deleted them altogether and found greener pastures over on Mastodon, which of course is the federated Twitter like service, I guess micro blogging is the probably correct term of art for what that--
Ben Yelin: Right, that feels very 2011, but I guess we're still calling it micro blogging.
Dave Bittner: Right, right. And the big deal with Mastodon is that it is not centralized. It is part of the fediverse and federation means it functions more like email does, where instead of one big central place where everything happens, you have lots of servers peppered all over the world and you sign up to use a particular instance and that's where your stuff lives and it gets sent out to the rest of the fediverse and so this distributed model certainly has its pluses and minuses but you know, thanks to everything that's going on at Twitter, it's gained a lot of popularity. So, that leads me to this article from the EFF, the Electronic Frontier Foundation, and it's written by Cindy Cohn and Rory Mir, it's titled, "FBI Seizure of Mastodon Server Data is a Wake Up Call to Fediverse Users and Hosts to Protect Their Users." And evidently this deals with an individual who was hosting a fediverse instance, a Mastodon instance, who because of unrelated allegations had basically every piece of electronic equipment in his home seized by the police, including the Mastodon server that he was running.
Ben Yelin: Right.
Dave Bittner: That's an issue.
Ben Yelin: That's a huge issue. And it's something that's happened historically, the EFF was involved in a case 30 years ago, it's amazing that they've been in existence that long.
Dave Bittner: Yeah.
Ben Yelin: But good for them. And this involved a case called Steve Jackson Games versus The Secret Service. It concerned the seizure of vast amounts of equipment from an individual named Steve Jackson who had a games business in Texas. There were unfounded claims of illegal behavior, they went in kind of just took everything from this guy's house.
Dave Bittner: The police did, yeah?
Ben Yelin: The police did, yeah, exactly. And in doing so, they nearly drove this company out of business, the EFF was involved in litigation, they won that case, but that hasn't changed federal law enforcement's approach. I think that this really runs afoul of the spirit of the 4th Amendment, which is about having particularized warrants. Now in each of these cases, there was a warrant, this wasn't a warrantless search.
Dave Bittner: Okay.
Ben Yelin: The government got authorization based on probable cause to go into this guy's house.
Dave Bittner: Right.
Ben Yelin: So that's good. But the warrant should not be so overbroad that it justifies the collection of all electronic equipment. It should only justify the collection of that very equipment or device or whatever that is necessary to investigate the case and anything that is deemed unnecessary to investigate the case should not be seized as part of that search process. And I think that would comply with the true spirit of the 4th Amendment which going back centuries, was about our English legal ancestors being concerned that the king was going to authorize a raid on somebody's house to just kind of see what they found.
Dave Bittner: Right.
Ben Yelin: See if there are any materials that were disapproved of by royalty and by the king's minions.
Dave Bittner: Yeah.
Ben Yelin: So, that feels kind of oddly analogous to what's happened here and I think certainly the case with Mastodon is eye opening and I think should give us warning about what would happen if law enforcement continues on this path.
Dave Bittner: But Ben, if I'm law enforcement, and I have made the case to a judge that there's probable cause that this person is up to no good, how am I going to know if what I'm looking for, or how am I going to know the location of what I'm looking for until I have a chance to look around?
Ben Yelin: I mean, warrants should be as particularized as possible. You should describe the items to be searched or items to be seized in a very particular manner, otherwise it becomes overbroad. So if I said, I suspect Dave of committing computer crimes, and I raided your house and took every last piece of equipment, yes, that would probably comply with, I could probably get a warrant to do that, seems like federal law enforcement has been able to obtain warrants that are that broad, but it would be unfair, because it wouldn't be particularized to the piece of equipment on which you were committing those crimes. I guess you aren't a great example, because unlike the person in this case, you are not hosting a key server involved in the fediverse, which has cross market impacts.
Dave Bittner: Well, but let's dig into that. I mean in the time we have left, you know, why should that matter that one of the pieces of equipment gathered also affected people who had nothing to do with any of this?
Ben Yelin: Yeah, I mean I just think it gives all of us a stake in trying to develop a better standard for this type of collection. Maybe we think it'll never affect us because we don't commit crimes, and we think if federal law enforcement is going to somebody's house, pursuant to a warrant, based on probable cause that that person has committed a crime, then what's in it for us? I mean who cares?
Dave Bittner: Right.
Ben Yelin: But the reason we care is it could be this person's house that has something like this collective dot social server used for Mastodon and that could affect all Mastodon users. I mean that's the way the fediverse works. So, yeah, I just think it gives everybody more of a stake in the outcome of these searches and seizures and it makes it more of a policy issue rather than just an issue for a single criminal defendant.
Dave Bittner: Right. Alright, interesting to ponder. Ben Yelin, thanks so much for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast, you can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben, our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.