The CyberWire Daily Podcast 10.26.23
Ep 1935 | 10.26.23

Some intelligence services understand the value of being underestimated.

Transcript

Dave Bittner: StripedFly gets reclassified. YoroTrooper is interested in the Commonwealth of Independent States. The current state of DDoS attacks. Ukrainian hacktivists deface Russian artists' Spotify pages. Trolls amplify a Musky meme. In our Industry Voices segment, Matt Howard from Virtru explains securing data at the employee edge. Our guest is Seth Blank from Valimail, to discuss email security and DMARC. And while trolls might like Mr. Musk, the crooks heart Mr. Gosling.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, October 26th, 2023.

StripedFly reclassified.

Dave Bittner: Kim Zetter reports, in her Zero Day newsletter, that the StripedFly cryptominer has turned out to be more malign than hitherto believed. When Kaspersky discovered it in 2017, they wrote it off as a simple piece of criminal malware, designed for cryptomining. They also wrote it off as uninteresting and unsuccessful, yielding its proprietors nothing more than chump change. All they got from mining Monero alt-coin came to just ten bucks in 2017, and only $500 in 2018. Not enough to interest even a spoiled script kiddie.

Dave Bittner: Apparently, however, StripedFly was actually interested in collecting information, not cryptocurrency. Kaspersky "discovered the miner was actually a cover for a sophisticated spy platform that has infected more than one million victims around the world since 2017."

Dave Bittner: StripedFly seems, rather, to be a carefully designed espionage toolset that masked itself as an uninteresting, stumblebum criminal operation. Zetter explains: "The spy components include ones for harvesting credentials from infected machines; for siphoning .PDFs, videos, databases and other valuable files; grabbing screenshots; and recording conversations through an infected system’s microphone. The platform also has an updating function that lets the attackers push out new versions of it whenever Windows and Linux operating systems get updated. The malware gets pushed out from encrypted archives stored on GitLab, GitHub, and Bitbucket."

Dave Bittner: StripedFly gains initial access to its targets through a variant of EternalBlue, an exploit attributed to an actor Kaspersky tracks as the Equation Group. Kaspersky studiously avoids attribution to nation-state services, but the Equation Group is widely believed to be associated with the US National Security Agency. EternalBlue was blown by the ShadowBrokers in April of 2017, a month after Microsoft patched the vulnerability the malware was designed to support. Since then other services, notably China's Ministry of State Security, have used variants of EternalBlue, but it's not at all clear who's responsible for StripedFly. It does seem clear, however, that it's an espionage operation, and not a low-grade criminal caper.

Dave Bittner: In the espionage world, it usually pays to be underestimated.

YoroTrooper is interested in the Commonwealth of Independent States.

Dave Bittner: In more cyberespionage news, researchers at Cisco Talos yesterday published the conclusions of their investigation of YoroTrooper, a cyberespionage operation that focuses on the Commonwealth of Independent States, the rump organization of former Soviet Republics who haven’t yet been invaded and who retain more-or-less voluntary ties to Russia. YoroTrooper has been active since June of last year. Cisco Talos thinks YoroTrooper is based in Kazakhstan, but that it seeks to leave a false trail designed to misrepresent itself as an operation run from Azerbaijan. It uses, for example, Kazakh VPN exit nodes.

Dave Bittner: YoroTrooper relies "heavily" on phishing to direct its victims to credential harvesting sites. This is also consistent with what ESET has observed about the group it tracks as SturgeonPhisher. ESET regards SturgeonPhisher as significantly overlapping YoroTrooper.

Dave Bittner: Talos researchers believe that YoroTrooper is working to wean itself from commodity malware in favor of "new custom malware spanning across different platforms such as Python, PowerShell, GoLang and Rust."

Dave Bittner: The threat actor isn't purely devoted to offensive operations against its targets. YoroTrooper also shows a repeated pattern of defensive scanning, checking Kazakhstan's state-owned email service, mail[dot]kz for evidence of hostile activity.

The current state of DDoS attacks.

Dave Bittner: Cloudflare has published its DDoS Threat Report for Q3 2023, finding that “Gaming and Gambling companies were bombarded with the largest volume of HTTP DDoS attack traffic, overtaking the Cryptocurrency industry from last quarter.” That’s not surprising. The gaming and gambling sector is particularly sensitive to anything that affects their services’ availability. If you can’t get onto FanFight, you’re likely to bounce to SportingBookie. It’s a quick gratification clientele. When an ordinary Joe is looking for some action, he probably wants it now.

Dave Bittner: Cloudflare offered some interesting details. Eighty-nine hyper-volumetric HTTP DDoS attacks in Q3 2023 surpassed 100 million requests per second (rps), with “the largest peaking at 201 million rps — a figure three times higher than the previous largest attack on record (71M rps).” These large attacks were part of “a sophisticated and persistent DDoS attack campaign that exploited the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487).” The Rapid Reset campaign began in late August.

Ukrainian hacktivists deface Russian artists' Spotify pages.

Dave Bittner: The Record reports that Ukrainian hacktivists (and in this case they appear to be freelancers, not an organized auxiliary) compromised the Spotify pages of Russian artists who've been prominent supporters of President Putin's regime and its war against Ukraine. They replaced the artists' profile picture with a blue and yellow banner and messages urging Russia to "Stop war in Ukraine."

Dave Bittner: The hacktivists did some coup counting in Telegram channels, and on Spotify, which suspended its news service into the Russian market last year in protest of the war. Spotify said at the time, "We are deeply shocked and saddened by the unprovoked attack on Ukraine." But it still has some Russian users. Spotify said it quickly restored the defaced pages. 

Dave Bittner: Official Russian opinion seems accurately represented by singer-songwriter propagandist Grigory Leps, one of the artists whose page was hit. Leps said, through a spokesman, "Spotify is not at all interesting to us, it is an enemy platform, we are on our own. Therefore, it’s not at all interesting what’s happening [there].” Mr. Leps has been under US sanctions since October 2013 for his work as a money mule for the Brothers' Circle criminal gang. The EU sanctioned him last year over his involvement with the war effort.

Troll amplification.

Dave Bittner: Early this month the polymathic American tycoon Elon Musk began, for obscure reasons of political comment, posting rude Internet memes involving a flatulent teenager with Ukrainian President Zelenskyy’s face superimposed. 

Dave Bittner: WIRED reports that Russian accounts on X, the platform formerly known as Twitter, have flocked to Mr. Musk's posts (and news reports about them), giving them the greatest amplification they're capable of. It's a program of coordinated inauthenticity. Researchers at Cardiff University say the troll accounts have the usual marks of inauthenticity: "low or zero follower numbers, a lack of identifiable personal details, [they] mostly just reply to other accounts’ posts, and produce anti-Ukraine and anti-Zelensky messaging, which mirror wider Russian narratives."

Dave Bittner: Some of the trolls photoshopped Mr. Musk into a Russian uniform as a token of esteem. We can’t make out the rank. We hope it’s at least Starshina [STAR-shee-nuh]. 

Ryan Gosling is totally a bigger enchilada than Elon Musk.

Dave Bittner: And, finally, McAfee Labs has updated its tally of celebrities whose names are misused by cybercriminals. Ryan Gosling is the current top banana. Mr. Musk comes in only at number six, behind Mr. Gosling, Emily Blunt, Jennifer Lopez, Zendaya, and Kevin Costner, and only just nosing out Al Roker. We have no idea what this means. 

Dave Bittner: Discuss among yourselves, but don’t be surprised if a certain maverick tycoon builds hisself a Barbie Dream House. Maybe it could be virtually constructed in Minecraft. So, yeah, talk among yourselves.

Dave Bittner: The global pandemic and the shift to employees working from home accelerated the trend of organizations shifting their data security strategies from perimeter centric to data centric. Matt Howard is Senior Vice President and Chief Marketing Officer at Virtru. And in this sponsored industry voices segment, he explains why modern information security must protect both structured data in the cloud and unstructured data at the employee edge.

Matt Howard: Yeah, every organization in the world has a data estate. 20% of the give or take is structured. Rows and columns. Increasingly, our database is now in public cloud infrastructure. But 80% of it is in various forms of unstructured data. And you know, if you're just beginning a journey now, getting your arms around how do you sort of get better security posture with respect to all of this data estate, it seems like the current state of the industry right now is to focus first on governing structured data in rows and columns in the public cloud and turning some attention. But inevitably, more and more over time to getting a grasp, if you will, on all of the unstructured data that's sensitive to the business and inevitably leaves the business through a variety of different workflows.

Dave Bittner: Do you understand the focus that most folks have on doing their structured data first? And why does that come up short?

Matt Howard: No, yeah, I totally understand it. I mean listen, we all know how hard it is to be in the security sort of risk management business in today's world. If I'm putting myself in the shoes of the customer, I think I got to start somewhere. And getting a grip on structured data with regards to, you know, databases is familiar. That's data you typically possess as part of some IT infrastructure. Whether it's on prem or in the cloud. And it makes sense as a starting place. I think the other thing that's practically speaking been true for the last decade plus is that everybody understands how much unstructured data is out there. Everybody understands how sensitive it is and how it's a good idea to govern it. But if we're honest, there hasn't been a really easy scalable way to address the unstructured data challenge historically. I think that's beginning to change. And as a result, I think we're beginning to see kind of a rising tide. And inevitably, in the next year or two, three, four, you're going to see more and more budget, more and more attention shift from governing just structured data to absolutely prioritizing governance and control and risk management with respect to the unstructured data estate.

Dave Bittner: And how does this intersect with folks who have to think about things like compliance and regulatory regimes?

Matt Howard: Well it's one of the key drivers of that rising tide I just mentioned, for instance not the key driver, is absolutely regulatory regimes and the need to comply. We could be talking about things like HIPAA. We could be talking about things like CMMC and ITAR. We could be talking about things like CJIS. But any number of data security, data privacy, regulatory regimes in any number of different vertical or industries, you know, require that organizations do a better job of governing this sensitive unstructured data that they possess and that they inevitably share with third party customers, partners outside the organization. And it's a key driver. So, to the extent that the tide is rising now, compliance is a key driver. I think over time, in addition to compliance, you're going to basically see organizations continue to mature with respect to just security hygiene in general. Organizations that are on a journey to mature with respect to zero trust security controls. As we know, it's a journey not a destination. And on that journey, you'll eventually turn your attention to unstructured data as well. And at that point, you'll see drivers being both compliance and security.

Dave Bittner: How about folks who want to have more control over the actual usage of the data itself? I mean we think about data that's within an organization. But even talking about data that's outside of the organization as well. Are we in a place now where that's becoming more and more practical?

Matt Howard: I mean, listen, so yes, absolutely. It's one thing to imagine you sharing sensitive file with a partner externally via an email workflow and wanting to have governance and control over that email and that file so that you can do something like revocation. Or expiry. Take it back two weeks from now after you've decided you no longer want that person to have access to it. Very, very important. But also I think really interesting is this idea of how much of our data as an organization today are we just sort of storing in public clouds like, I don't know, Google? Azure? Amazon? We store it there. We trust these large public cloud hyperscalers to essentially act as, you know, security by proxy. We hope that they do their job well. In some cases, as we saw this past summer with the state department situation at Microsoft, it doesn't always work out that way. But nonetheless. If you are running an organization and you're storing sensitive data in a public cloud, you have to ask yourself, is it encrypted? And if it is, who holds the key? And increasingly what we're seeing is customers saying I'm willing to store data in a public cloud, but I want to be the one to hold the encryption key. Because I don't want the public cloud provider, Google, Amazon, or Microsoft, to potentially be in a situation where they have to, I don't know, answer to some law enforcement subpoena to decrypt the data. I want to be the one to ultimately hold the key because it's my data. And so more and more, this idea of sharing data externally and being in control of your own destiny because it's your data, it belongs to you, you should be the one that's able to determine who has access to it and who doesn't.

Dave Bittner: Someone who's interested in taking this journey and is shopping around for providers. Any words of wisdom on the types of questions they should be asking?

Matt Howard: Yeah, I mean, listen, at the end of the day, I think open standards matter. I think if you're not careful, you can kind of find yourself in a situation where you're, you know, subject to vendor lock-in almost accidentally. If you're really sort of thinking about your longer term strategy as it relates to a zero trust security transformation and you're looking at your entire data estate and you're wanting to kind of view it holistically, you'll obviously have a collection of strategies and vendors and technologies that you can employ to govern your structured data, discovery, classification, tagging, and protection by proxy. You'll have another path to kind of explore with regard to really granular controls that can be applied to these unstructured data workflows. Like the type that we just spoke about. Obviously, for my two cents, I mean, my company Virtru certainly plays very strongly in the unstructured data portion of that journey. And you know, would just encourage folks to kind of keep an open mind with an emphasis on open standards. And then probably most importantly, I think it'd be important to really kind of pressure test vendors with respect to, you know, who's been there and done it and can vouch, you know, for their competencies. Not by virtue of anything they say, but more importantly, what customers have to say.

Dave Bittner: That's Matt Howard from Virtru. Both Google and Yahoo recently announced that they're upping their game when it comes to email security. That by February of 2024, they're essentially going all in on DMARC. For an explanation of what that means, I spoke with Seth Blank, Chief Technology Officer at zero trust email authentication provider, Valimail.

Seth Blank: DMARC stands for Domain-based Message Authentication, Reporting and Conformance, which is a mouthful. There will not be a test at the end of this podcast.

Dave Bittner: Phew.

Seth Blank: But DMARC overlays SPF, which is Sender Policy Framework, and DKIM, which is DomainKeys Identified Mail. And makes it -- it takes them from sort of machine to machine anti-spoofing technologies to actual machine to human anti-fraud technologies. And the way that works, to give you a really simple overview at 50,000 feet, is SPF's effectively a whitelist. Hey, I send mail from these systems that emit from these IPs. And that works great if you run your own network, have your own mail servers. But it's awful in a shared services world. If you're sending through MailChimp or Marketo or Microsoft, everyone and their mom sends through those IPs, too. And so SPF isn't as helpful. Or in fact not helpful at all. DKIM uses PKI. We sign a message. And so when you receive the message, you can actually use the DNS to figure out -- to find the public key and you can go great, this message was actually sent by this domain and the message has not been tampered with in transit. The problem with both of these is that what they authenticate is not necessarily what is shown to the user. And so DMARC introduces, right, there were those three letters at the end, right? The concept of alignment. And alignment means what is authenticated is what is shown to the user. So with SPF or DKIM, I can say I am phisher.com, I authenticate as phisher.com, and then I tell the recipient I'm Dave Bittner. With DMARC, you cannot do that. That message would fail alignment. It's not authenticating what's shown to the user. And we're explicitly talking about the domain name in use. Not the actual text shown to the user. DMARC also gives you a report so you can see what is happening in your name, under the name of that domain, globally. So that you have this unparalleled visibility. Like this has never existed in email before. You can see globally what's happening in your name.
And yeah, we talk to CSOs all the time, and the first DMARC report they see, almost invariably the words out of their mouth are "I can't unsee this." Because you just have no idea the amount of just garbage being sent as everyone to everyone. And then DMARC lets you -- the third thing, conformance lets you set policy. And you get to say for mail sent as me, if I haven't authenticated, I want you to straight up reject it or send it to spam. And so you finally with DMARC get control. And what this has done is DMARC has proven its mettle as being the truly powerful anti-fraud tool. And it's become increasingly mandated. And it's becoming -- you know, it is frankly like having a TLS for your website. You just need it. It's sort of that bare minimum bar. And it's been a best practice for a decade. But it's never been truly required outside of government mandates until now.

Dave Bittner: So what is the shift that's happening now? We've got some big players here who are taking a fresh approach to DMARC?

Seth Blank: Exactly. So we have Google and then Yahoo. And several other people in the industry who will be coming out over the next few weeks and months who will be subscribing to the same set of policies. And effectively what they're saying is the core concepts of DMARC, that authentication must be aligned with the From domain, right? What is being displayed to the user is paramount. And if you do not have aligned authentication, it doesn't count. And then they're requiring people have a DMARC policy of at least p=none, which is effectively, you can get reports, but you're not saying yet what to do with unauthenticated mail. And what this does is it means that we can now tell as an email ecosystem who is sending the mail. Or more accurately, that when a user's looking at their inbox, the mail is from who it says it's from. And that's foundationally different. And it's taken, again, a decade of best practice and making it a requirement that businesses do the hard work to authenticate their mail so that users cannot be deceived.

Dave Bittner: If I'm a security professional, if I'm responsible for defending my organization, how is this going to affect me?

Seth Blank: So I think this is powerfully effective. My hope is this is really meaningful to the security professional. DMARC has become increasingly a tool that security professionals have tried to implement. But there's been resistance. And the question has been why now? Why this over other approaches, right? Security professionals are inundated with the stacks, the FBI damages of last year there was 43 billion dollars due to BEC, this year the FBI reported 50 billion in damages. Right? That's 7 billion dollars in damages due to BEC over the last year alone. DMARC's part of that, not all of it. There's been the Verizon Data Breach Report since 2016 going 91% of all cyber attacks start from email year after year after year. But the problem's getting bigger. And the effectiveness of IT teams to even take on DMARC as a project has been really low. The market stats we look at show only a 13.5% effectiveness of people actually getting protection from DMARC. And so the hope is this has changed the conversation from a pure project that IT would like to take on, that security would like to take on, to a necessity for the business that creates a significant security win for the business in the process. And then opens up other doors, especially if you're in a business to consumer, a B2C setting, where you can get a lot more ROI from marketing on top of it as well.

Dave Bittner: That's Seth Blank from Valimail. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer, Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.