The CyberWire Daily Podcast 8.7.23
Ep 1879 | 8.7.23

Pyongyang’s new friendship with Moscow apparently only goes so far. Reptile rootkit in the wild. Cloudzy updates. Cl0p’s torrents. And notes on cyber phases of Russia’s hybrid war.

Transcript

Dave Bittner: North Korean cyberespionage against a Russian aerospace firm. The Reptile rootkit is used against South Korean systems. An update on Cloudzy. Cl0p is using torrents to move data stolen in MOVEit exploitation. Andrea Little Limbago from Interos wonders about the dangers of jumping head first into new technologies? Rick Howard ponders quantum computing. And Meduza is back on Apple Podcasts.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, August 7th, 2023.

North Korean cyberespionage against a Russian aerospace firm.

Dave Bittner: Solidarity against what Russian T.V. is calling “the Collective West” is one thing, but Pyongyang isn’t sentimental enough to let that stand in the way of industrial espionage.

Dave Bittner: Reuters reports that North Korean operators have successfully penetrated NPO Mashinostroyeniya, a rocket design bureau headquartered in a Moscow suburb. The apparent industrial espionage wasn't deterred by Russia's attempts to cultivate closer relations with Pyongyang, which it views as a potential supplier of ammunition and other matériel for the war against Ukraine.

Dave Bittner: SentinelLabs researchers are the source for the technical details in the Reuters report, and they found two instances of a North Korean compromise of NPO Mashinostroyeniya. One, the compromise of an email server, was by ScarCruft. The second involved a Windows backdoor, "OpenCarrot," which has been associated with the Lazarus Group. The relationship between the two compromises remains unclear. They could be cooperating, or Pyongyang may consider the target important enough to hedge its bets by assigning the Russian firm to two different intelligence groups, to "multiple independent threat actors," as SentinelLabs puts it.

Dave Bittner: SentinelLabs, in the course of its usual monitoring of North Korean cyber activity, "identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns." This led to discovery of the larger campaign. It's evidence of Pyongyang's determination to advance its missile development program, a goal it probably considers more important than any new collaborative relationship with Moscow.

Reptile rootkit used against South Korean systems.

Dave Bittner: Threat actors are using the open-source kernel module rootkit Reptile to target Linux systems in South Korea, the Hacker News reports. This isn’t Reptile’s first appearance in South Korean networks: companies there have seen it before. The AhnLab Security Emergency Response Center (ASEC) said in a report on the malware that the initial point of access in this most recent wave remains unclear.

Dave Bittner: The researchers were, however, able to provide considerable information about the malware itself. “Upon examination, the Reptile rootkit, reverse shell, Cmd, and startup script were all included, allowing the basic configuration to be ascertained. In this particular attack case, apart from Reptile, an ICMP-based shell called ISH was also utilized by the threat actor. ISH is a malware strain that uses the ICMP protocol to provide the threat actor with a shell. Typically, reverse shells or bind shells use protocols like TCP or HTTP, but it is speculated that the threat actor opted for ISH to evade network detection caused by these communication protocols.”

Dave Bittner: While the targeting of South Korean companies might suggest a North Korean operation, there's at present no attribution. The open-source rootkit is in principle available to several distinct threat actors, and it's entirely possible that Pyongyang has nothing to do with Reptile.

An update on Cloudzy.

Dave Bittner: Halcyon has published an update on Cloudzy, an ISP that provides services to various APTs and ransomware affiliates. Halcyon’s researchers were contacted by the IPXO address marketplace, which was leasing fourteen IP ranges to Cloudzy. Halcyon states, “The IPXO representative informed Halcyon that, based on the research report, they are taking and will continue to take action to prevent additional abuse. They asked for additional intelligence from Halcyon, which was provided for their consideration.”

Dave Bittner: Halcyon’s report said that Cloudzy, despite its self-presentation as a company incorporated in the US, is for the most part staffed by employees of Tehran-based company abrNOC. 

Dave Bittner: Cloudzy said in a statement to CSO that it’s investigating the situation. “At this moment, our team is actively investigating the claims made in the reports through proper legal channels. We believe it is essential to thoroughly review the allegations to ensure a fair and accurate understanding of the situation. Once the investigation is complete, we will be more than willing to provide a comprehensive statement and engage in an open dialogue about the findings.”

Dave Bittner: Thus we’ll all await the outcome of Cloudzy’s self-examination.

Cl0p using torrents to move data stolen in MOVEit exploitation.

Dave Bittner: The Cl0p ransomware group is using torrents to leak data stolen via the MOVEit vulnerabilities, BleepingComputer reports. Decentralized torrents offer a more efficient way for the group to distribute the data, while making it more difficult for law enforcement to shut them down. BleepingComputer explains, “Even if the original seeder is taken offline, a new device can be used to seed the stolen data as necessary. If this proves successful for Clop, we will likely see them continue to utilize this method to leak data as it’s easier to set up, does not require a complex website, and may further pressure victims due to the increased potential for broader distribution of stolen data.”

The cyber phase of Russia's hybrid war: a view from Kyiv.

Dave Bittner: Yurii Shchyhol, head of Ukraine's State Special Communications Service, expressed his organization's war aim: "Our goal is to push them back into the intellectual and IT Middle Ages." Making that push is complex. It will, in Shchyhol's account, involve effective defense and enough international support of sanctions to throttle Russia's IT supply chain.

Dave Bittner: He reviewed the cyber phase of Russia's war in an interview published by the Kyiv Independent. He described Russian cyberattacks as unrelenting. They began as a preparation in January and February last year, in the weeks before Russia's conventional, kinetic invasion. Wiper attacks were the defining feature of that cyber prep. "It all started with an attack on state authorities, it was the largest attack in 17 years," Shchyhol said. Those initial successes have not been repeated, even though Ukraine has seen, by Shchyhol's accounting, about twenty Russian cyber attacks each day since last February's invasion.

Dave Bittner: Shchyhol puts successful defense down to quick application of lessons learned during the run-up to the war. That preparatory phase accelerated learning that had, however, been going on for some years. Moscow had mounted cyber operations at the lower end of the spectrum of conflict during Russia's invasion and conquest of Crimea in 2014, and Ukraine profited from lessons learned the hard way from such incidents as the NotPetya campaign of 2017. During the present war, successful defense has benefited greatly from quickly developed effective cooperation with both the private sector and friendly foreign governments. Shchyhol also expressed gratification over the way interagency cooperation within the Ukrainian government had improved since the beginning of the war, as the previously endemic infighting over agency equities has been replaced by an atmosphere of general collaboration.

Dave Bittner: Sanctions against Russia have also been effective, and should, Shchyhol said, continue. "They must be excluded from all international organizations and isolated from the civilized world to prevent them from accessing technologies. Only then can there become a guarantee of our future security." Despite Russia's partially successful efforts to evade sanctions, the country remains dependent on Western (and especially US) systems. "In six months to a year, it will reach a point where it won't function at all, impeding their ability to launch attacks," Shchyhol told the Independent. "Thus, time is working in our favor."

Meduza was removed from, then restored to, the Apple Podcasts platform.

Dave Bittner: Finally, Meduza, an independent Russian-language news service operating from Riga, Latvia, said Friday that Apple removed Meduza's flagship podcast "What Happened" from the Apple Podcasts streaming platform. What Happened focuses on news affecting Russia, and Meduza isn't particularly sympathetic with the Russian regime. Apple's suspension notice read, "We found an issue with your show, [What Happened], which must be resolved before it’s available on Apple Podcasts. Your show has been removed from Apple Podcasts." Meduza says that no further explanation was offered, but the outlet says that it was effectively outlawed by Russia this past January, when it was designated an "undesirable organization."

Dave Bittner: According to Meduza, Roskomnadzor, Russia's Internet governance authority, complained to Apple about Meduza earlier this summer, and Meduza believes that Roskomnadzor's complaint may have prompted the suspension. Whatever the cause, the ban was short-lived. Meduza wrote in a Sunday update, "Two days after it was removed, 'What Happened' is again available on the Apple Podcasts streaming platform. Apple did not provide a reason for suddenly removing and restoring the podcast." 

Dave Bittner: It’s an unusual incident. Apple, like other companies, tries to comply with local laws where it operates, but Cupertino isn’t in the habit of saying “how high” when Roskomnadzor cries “jump.” If nothing else, the incident illustrates the challenges platforms face as they try to straddle the divide between publisher and common carrier. Perhaps Roskomnadzor should consider traveling to Riga itself. Peacefully, of course. 

Dave Bittner: [A joke: "travel to Riga" is Russian slang for throwing up, because it sounds like someone vomiting, "pah-yeckh-ul fuh–REE-goo." The way an American or an Australian might say, "He spent last night talkin' to Rrrraaalph and LOOOu-eeeze," a Russian would say, "Rudolf Vladimirovich went to Riga after he left the saloon."]

Dave Bittner: Coming up after the break, Andrea Little Limbago from Interos wonders about the dangers of jumping head first into new technologies. Our own Rick Howard ponders quantum computing. Stay with us.

Dave Bittner: And it is always my pleasure to welcome back to the show, Rick Howard. He is the CyberWire's own Chief Security Officer. Also our Chief Analyst. Rick, welcome back.

Rick Howard: Hey, Dave.

Dave Bittner: So, on this week's "CSO Perspectives" podcast, you were talking about quantum computing and the potential impact to enterprise security. And Rick, I have to say, I think I will join a lot of people out there who say that I do not understand a whole lot about what quantum computing really is or how it works under the hood, but what I do know --

Rick Howard: It's a big club.

Dave Bittner: It's like Richard Feynman, who you know, like there's the quantum mechanics man said that he didn't even -- he didn't understand quantum dynamics. So, I don't feel that bad about my limited understanding. But what I do know is that when it finally gets here, we're going to have computers that are much faster than the computers we have today. But I'm reminded of like what we say about fusion energy. You know, like it's always 20 or 30 years away no matter when you ask. Are we -- are we in that mode with quantum computing?

Rick Howard: That's what it feels like most of the time, you know, because you're right about that, Dave. Quantum computing is in a class of near-future technologies that when and if they ever get here, are going to fundamentally change how we all live our lives. Not just in the cybersecurity and tech worlds but for, you know, everybody on the planet. But for as long as I can remember, like you said, these technologies have always been just over the horizon. Like, you know, artificial general intelligence, AGI, 5G networking, autonomous vehicles, and abundant solar energy. And like you said, it doesn't matter how many years go by, it's always just 30 years away. But what I've noticed this past year or so is that a collection of quantum experts have started to consciously reduce their estimates about when quantum will be ready for the masses. Some are saying it's like five to 10 years away. So it might be time for the general security practitioner to do a little planning.

Dave Bittner: So, what is the risk here, Rick? I mean, I know it has something to do with breaking modern day encryption algorithms, which sounds bad.

Rick Howard: Bad, yeah.

Dave Bittner: Is this the end of times? Should we shut down the internet, go back to the Pony Express? Smoke signals, all that kind of stuff? Just say that was a bad idea and we should never do that again?

Rick Howard: Well, I would say that'd be plan B, Dave, alright?

Dave Bittner: Okay.

Rick Howard: An alternate plan, plan A, if we're going to, you know, label things, okay, might be to really think about what's at stake here. So thanks to quantum characteristics of, get this, superposition and entanglement, and I don't even pretend to understand what those two words mean, quantum computers are massive parallel processing machines. And as my friend Dr. Georgianna Shea says, not a new supercomputer but a new super-duper computer, right? So I really love that characterization. Right? Because by the way these things are designed, they won't be able to break all encryption schemes, but they will be exceptionally good at breaking modern-day asymmetric encryption schemes. These are all the things that are the engine behind everyday internet commerce and probably the linchpin to protecting many government secrets worldwide. And when we get there, the world is going to change. So in this episode, we're going to explain all of that in detail and talk about some of the ongoing efforts to buy down the risk before we get to that milestone.

Dave Bittner: Alright, well I will look forward to checking that out for sure. The podcast is "CSO Perspectives." You can learn all about how you can access that on our website, thecyberwire.com, also n2k.com. Rick Howard, thanks so much for joining us.

Rick Howard: Thank you, sir.

Dave Bittner: And joining me once again is Andrea Little Limbago. She is Senior Vice President of Research and Analysis at Interos. Andrea, it is always my pleasure to welcome you back to the show. I, over the years, have become convinced that we are a reactive species. That humans, by our nature, are not good at getting in front of things. That things have to get really bad before we're willing to change. And that's a long way around of saying that something I want to check in with you on, when it comes to technology and security, are we always catching up or do we even have the ability? Is it in our DNA to get ahead of things?

Andrea Little Limbago: It's a great question. And I think in general, I tend to agree with you on that. But I think we need to try not to be.

Dave Bittner: Right. So we have aspirations.

Andrea Little Limbago: We have to have aspirations not to be. And part of it, you know, so much of it goes back to, you know, whether it's the cycle and companies have to report on that quarterly earnings versus, you know, two years out. So it's short-term, long-term thinking, which I think always dampens our ability to think longer term. But you know, I'm slightly optimistic that we're starting to have some of these thoughts and considerations at least in cybersecurity. Yet these were discussions that weren't had at all during some of the previous big booms and -- or technological shifts for the industry. And so, but the one I'm keeping an eye on right now a lot because I'm not, you know, the jury's out on this one on generative AI, it's going to have a big impact. We're already seeing that. You know, it was an enormous leap. You know, some people say that machine learning advances, you know, advanced more in, you know, say six months than in the previous decades. I mean, it really was a significant shift. With ChatGPT and all the other large language models that were out there. But my concern is that we're seeing, because of that, it's almost like the Gold Rush. Everyone's jumping onto it and putting it into their products, using it in different ways, both personally and professionally. And there's a whole lot of concern about like what is the security of that data, how's data privacy, what's occurring with that, there are copyright infringement lawsuits going on right now over the training data, and there's a whole lot going on around that. And there are, though, not the most vocal voices in the room, but there are voices talking about the security of it. And advising companies that if you're looking at implementing generative AI, which has plenty of benefits, make sure security is part of it. And not an afterthought.
And I think that those companies that do, when they think about integrating generative AI, that do look at the security components of it, they'll be the ones that are less surprised going forward, because we're going to see everything from -- and we already have. We've seen data leaks, because some engineer's putting source code into it from a company. We've seen that. There are regulations, you know, around Europe talking about potentially halting the use of some of these. The US has a whole AI working group to look into how to properly regulate going forward. So whether it's the regulatory risks or data leaks, data breaches, malicious uses of the generative AI, there's at least discussions going on now warning people to take security into account and not as an afterthought. And I don't think we had that as much, you know, 10 years ago. So I think that, at least the discussion is there. We'll see if people heed the advice or not. Or if they just want to jump in too quickly.

Dave Bittner: It's a really interesting point in that, and I agree with you, and I think, you know, lots of folks are saying that the release of these large language models was an inflection point, perhaps even for society. And I think there's something to that. As opposed to like social media, which I think was more diffuse. It sort of, you know, it oozed into our society.

Andrea Little Limbago: That's right.

Dave Bittner: Rather than being a big -- rather than capturing everyone's imagination all at once. So there's a difference there. I'm curious, you know, you and I often talk geopolitics. And I worry that I'm being a bit provincial in my thinking here. I mean, are there nations who part of their culture is being more cautious about these sorts of things? You know, I think we have, here in the US we have this move fast and break things cliche. But are there cultures who take a more measured approach?

Andrea Little Limbago: Well I think for sure the European governments are most vocal in raising concerns about it and wanting to make sure data privacy is implemented into it. There's been much more action at that level. But I would say, I think back to your initial point on human nature, I think for the most part, we're seeing organizations trying to jump on this and take that lead. Because boards are asking, you know, their executives, what is your plan to integrate this and to make sure that your competitors are not? They don't get that head start on it? And so it's framed. And so as long as it's competitive in the global economy, we're going to see a lot of jumping on it. But hopefully it's jumping and looking before leaping as opposed to just, you know, jumping and then looking backwards after and think oh, we should probably have secured that! Or oh, we probably should not put our IP into a question for a chatbot. But I do think there remains a big Europe-US gap. And then I'd say on the other end, on the authoritarian side, it's, you know, consume as much data as possible by the governments and have government control of it. So this very likely will just be another way to try to be used to gain control over information within their -- both, I should say, within their geographical domains and within their cyber domains.

Dave Bittner: What about the regulatory component here? I mean, is it -- when something happens this quickly, is the regulatory regime in a position to be able to be nimble?

Andrea Little Limbago: Not yet. At least in the US, not yet, no. But at least they're talking about it. And I think you make a good point as far as social media really did kind of take a bit of time to diffuse and really take over our lives. This happened really with a shock. The government's talking about this way more than they hopped on -- social media discussions took a very long time to really gain traction. But we're seeing some traction on this already. And part of it's due to some of the lawsuits. Especially through the training data, we've seen defamation lawsuits. Because if you ask a question into it, it can give false information about a person. We've seen that, even in Australia there's a lawsuit from a mayor. Who, I think, basically it said he was somebody who was a whistleblower put in jail, was the one actually, as a whistleblower, and putting someone else in jail. So there's been a bunch of different defamation lawsuits as well that are going into it. And then one thing we haven't even talked about is the wrong information that gets produced through it.

Dave Bittner: Right.

Andrea Little Limbago: And being concerned about that. It's a huge potential vector for disinformation or just for continuing to exacerbate or amplify wrong information because that's what's been fed into it by the training models. And we see that with like the hallucinations, the fake citations that basically are made up. They sound credible, they look like they're credible, but yeah, they're entirely made up.

Dave Bittner: Right, that's the thing. It'll give you wrong information with absolute confidence.

Andrea Little Limbago: Yeah. And so, the notion of like are we learning and being more proactive? And that's just one area, right? So we've got 5G looking ahead to 6G, we've got secure by design, this is pushing forward. And I think that would not have happened like 10, 15 years ago. So thinking about security by design as we're building out these new technologies. Those are the kind of things I see that give me optimism that at least some people are thinking about it now. But I'm not entirely sure that a few decades ago, security was on anyone's radar. Because there was a lot more optimism about, you know, the positive aspects of these technologies as opposed to them being used or weaponized.

Dave Bittner: Right. Alright. Well Andrea Little Limbago, thanks for joining us.

Andrea Little Limbago: Alright, thank you, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast. I join Jason and Bryan on their show for a lively discussion on the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and Senior Producer, Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.