The CyberWire Daily Podcast 12.8.23
Ep 1963 | 12.8.23

Russia here, Russia there, Russia everywhere.

Transcript

Dave Bittner: Legal action against Star Blizzard's FSB operators. A critical Bluetooth vulnerability has been discovered. How the GRU faked celebrity videos in its Doppelgänger campaign. The persistence of Log4j vulnerabilities. Lack of encryption as a contributor to data loss. Supply chain breaches plague the energy sector. Our guest is Allan Liska, creator of a new comic book featuring the adventures of Johnny Dollar, a hard-nosed cyber insurance investigator. And Russian activists make clever use of QR codes.

Dave Bittner: Today is Friday, December 8th, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Legal action against Star Blizzard's FSB operators.

Dave Bittner: The Five Eyes intelligence alliance has issued a comprehensive cybersecurity advisory about a sophisticated spearphishing campaign run by a Russian FSB operation named Star Blizzard. Known by various aliases like SEABORGIUM and Callisto Group, Star Blizzard is considered to be part of the FSB's Centre 18. The advisory highlights Star Blizzard's tactics, which include targeting personal email addresses for their perceived weaker security compared to organizational ones. The emails start with innocuous content tailored to the recipient's interests and gradually build trust before directing the target to an FSB-controlled server that mimics a legitimate service, where credentials are harvested.

Dave Bittner: Active since 2019, Star Blizzard primarily focuses on the UK and the US, alongside other NATO countries and nations close to Russia. The group's interests lie in academia, defense, governmental organizations, NGOs, think tanks, and politicians, engaging in "hack-and-leak" operations aimed at discrediting specific targets. This operation is also believed to be involved in disrupting investigations into Russian war crimes in Ukraine.

Dave Bittner: The US State Department, responding to these threats, has offered up to $10 million for information leading to the identification or location of individuals engaged in malicious activities against US critical infrastructure, particularly those directed by a foreign government. This includes FSB personnel recently indicted by a federal grand jury in San Francisco for hacking into networks in the US, UK, NATO countries, and Ukraine. The indicted individuals, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, face significant prison sentences if convicted, although they are currently out of reach.

Dave Bittner: Additionally, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Peretyatko and Korinets, requiring all their properties in the US or controlled by US persons to be blocked and reported. This action, coordinated with UK partners, prohibits all dealings involving the property of these sanctioned individuals by US persons or within the US. Despite these measures, the Russian embassy in London has dismissed the advisory, calling it a "poorly staged drama."

A critical Bluetooth vulnerability has been discovered.

Dave Bittner: A critical Bluetooth vulnerability has been discovered by Marc Newlin of SkySafe, affecting macOS, iOS, Android, and Linux devices. It allows attackers to remotely control devices by emulating a Bluetooth keyboard connection. This flaw, present in the Bluetooth protocol's implementation, facilitates unauthorized pairing without user consent.

Dave Bittner: The exploit enables attackers to perform actions like installing apps or executing commands, depending on the device's platform. It remained undetected due to its simplicity and affects devices differently; for instance, Android devices are vulnerable when Bluetooth is enabled.

Dave Bittner: Newlin, who plans to release exploit scripts soon, has informed major tech companies and Bluetooth SIG. Most affected devices have patches, but some, including Apple's, remain vulnerable. This vulnerability underscores the need for robust cross-platform security measures in widely-used protocols like Bluetooth.

https://www.darkreading.com/vulnerabilities-threats/critical-bluetooth-flaw-exposes-android-apple-and-linux-devices-to-keystroke-injection-attack

How the GRU faked celebrity videos in its Doppelgänger campaign.

Dave Bittner: The Russian GRU's Doppelgänger campaign manipulated the Cameo video service to produce content falsely portraying Ukrainian President Zelenskyy as a "corrupt drug addict." Cameo allows users to commission personalized videos from celebrities, which the GRU exploited to create and distribute misleading messages. These videos were addressed to a "Vladimir," subtly hinting at Russian President Putin, and were later edited with emojis, media logos, and circulated on social media to reinforce false claims about Zelenskyy's alleged substance abuse issues.

Dave Bittner: Microsoft highlighted this operation to illustrate that Russian influence efforts persist beyond the death of Yevgeny Prigozhin, a key figure in Russian propaganda who owned the Wagner Group and the Internet Research Agency. This indicates Russia's continued capability in executing sophisticated and wide-reaching malign influence operations, showcasing the resilience and adaptability of their propaganda and disinformation strategies.

The persistence of Log4j vulnerabilities.

Dave Bittner: A report from Veracode reveals concerning trends in application security: 38% of applications are using vulnerable versions of Log4j, with 2.8% still susceptible to Log4Shell vulnerabilities. Alarmingly, 32% of applications employ Log4j 1.2.x, an end-of-life version since 2015, which no longer receives updates or patches. The core issue is not developers' skillset but a combination of insufficient information and resources, including time and staffing. This scarcity significantly delays vulnerability fixes—up to 13.7 times longer to address half of them. Additionally, developers lacking context about how a vulnerable library affects their application can take over seven months to resolve 50% of their vulnerability backlog.

Lack of encryption as a contributor to data loss.

Dave Bittner: Fortanix has published the results of a study conducted by Enterprise Strategy Group looking at encryption and key management. The primary finding is that the lack of encryption significantly contributes to sensitive data loss, despite high confidence in cryptographic capabilities. Currently, on average, 51% of an organization’s sensitive data is stored in the cloud, projected to increase to 68% in two years. Notably, 36% of respondents currently store over 60% of their sensitive data on public cloud services, a figure expected to rise to 68% within 24 months. Surprisingly, 4% of organizations store all their sensitive data in the cloud, a number anticipated to more than triple to 13% in the same timeframe.

Supply chain breaches plague the energy sector.

Dave Bittner: A study by SecurityScorecard reveals that 90% of the world's 48 largest energy companies experienced a supply chain data breach in the last year. This analysis covered the cybersecurity posture of major coal, oil, natural gas, and electricity companies in the US, UK, France, Germany, Italy, and their suppliers, spanning over 21,000 domains. In the last 90 days, 264 breach incidents were identified, linked to third-party compromises.

Dave Bittner: The US fared the worst, with all top 10 energy companies suffering third-party breaches, while UK firms had the highest average security rating. Despite only 4% of over 2000 third-party vendors experiencing breaches, these incidents significantly impacted their clients. The report also notes the prevalence of fourth-party breaches, with all US and UK companies affected in the past year, and 92% of global energy firms exposed to such risks.

Dave Bittner: This growing concern for supplier breaches is emphasized by new SEC breach reporting guidelines, recognizing supplier risk as a material business risk. The report suggests that proactive and systematic risk management strategies are essential to prevent the increasing trend of supply chain attacks.

Dave Bittner: Coming up after the break, my conversation with Allan Liska, creator of a new comic book featuring the adventures of Johnny Dollar, a hard-nosed cyber insurance investigator. Stick around.

[ Music ]

Dave Bittner: Allan Liska is a well-known and respected cybersecurity researcher. He's also a fan of both comic books and classic radio serials, and combining all of those interests led him to the creation of a new comic book titled "Yours Truly, Johnny Dollar".

Allan Liska: I grew up in the DC area, and every Sunday night, our local NPR station has a thing that they've had for decades now called "The Big Radio Broadcast" where they replay old radio serials. And my favorite -- oh, you're familiar. Okay.

Dave Bittner: Oh, yes. You know, if you hadn't brought that up, I was going to bring it up myself. I too was a regular listener of that show.

Allan Liska: My favorite of all of the radio serials was "Yours Truly, Johnny Dollar". And, you know, for people who don't know Johnny -- "Yours Truly, Johnny Dollar", Johnny Dollar is a freelance cyber insurance investigator and his tagline is "The man with the action-packed expense account."

Dave Bittner: Yes. To be fair, the original Johnny Dollar had nothing to do with cyber because back when the original Johnny Dollar ran, there was no cyber. But I don't know if like you, I was both intrigued, excited, and also a little confused about the notion of an insurance investigator with an action-packed expense account.

Allan Liska: Right. When I was a teenager, I had no idea what an expense account is. Now, I'm painfully familiar with the concept. But, you know, the funny thing is as I kind of grew and matured in my security career, I met other people who loved Johnny Dollar as well, and sort of the tagline and in particular the action-packed expense account became a running joke among a lot of especially incident responders because, yeah, you spend your life on the road going from incident to incident much like Johnny Dollar, not nearly as exciting most of the time. But still, it's kind of a fun tagline.

Dave Bittner: Yeah. So, what led you to the update here of turning Johnny Dollar to cybersecurity?

Allan Liska: One, I found out was that Johnny Dollar's in the public domain. He'd make a really good comic book character but I only know about fighting ransomware, and then I'm like, well, yeah, that's what he would be doing now, right? You know what I mean, back then, he was fighting gangsters and corrupt bankers, and so on. Well, the modern equivalents of that are these ransomware groups. And so, why not turn it into a cyber insurance investigator? And I kind of threw the idea out on Twitter. And a bunch of people were like, "Oh, yeah. I definitely would back that." And so, we started a Kickstarter.

Dave Bittner: And so, you successfully raised your goal, in fact, you exceeded your goal, you got like three times the amount that you had set out to do. What were some of the challenges here of updating Johnny Dollar for the modern age?

Allan Liska: So, there's two separate challenges. There is, as you say, updating him for the modern age but keeping the core of the character the same, right? And that's a challenge because you could go with a man-out-of-time theme where he kind of looks like a bit of a buffoon, you know, think Inspector Gadget or something where, you know, it's really the niece that is actually the brains behind everything. But I didn't want that because Johnny Dollar has always been competent and I wanted him to continue to be competent. And so, writing him so that he has the feel of the '50s character but, you know, understands technology, understands what's going on, and still keeps that sort of cutting edge for him. And then, of course, the other challenge is most incident response cases don't involve fist fights or Johnny getting bonked on the head or gun fights, or anything like that so there's some embellishment that has to go on here in order for this to be an effective comic book medium because him sitting at a computer typing for two weeks straight while he's in the middle of incident response is not going to be a good comic book. And then there's the challenge itself of putting together the comic book. And that's a whole other separate set of challenges for somebody who's never done it before.

Dave Bittner: Yeah, well, give us some insight on that. Who did you bring in as your collaborators here?

Allan Liska: So, I found some really great artists. Marc Oliver, who's based out of Brazil, did a lot of the drawings. And then I got Shawn Decker who did the cover work for me and really captured the noir feel of Johnny Dollar on the cover. And then we found this amazing letterer Saida, who has done lettering for Marvel and DC and all of these great comic books that I actually love and I'm like, "Oh, wow, that's fantastic." But then, I had to find an editor as well because I had never written a comic book script. So I wrote the script and then I brought in a comic book editor to come in and edit everything to make sure that it actually flowed. And even then, we ran into some problems where I tended to be too wordy and we had to like narrow down so it fit into the panels. And then, you know, understanding the way action has to flow in the comic, you know, the typical new comic book writer mistakes of, you know, thinking of it like a television show where, you know, Johnny does this, this, and this. Well, he can't do all that in the same panel, right, it has to be separate panels but you don't want 12 panels on a page because then it becomes unreadable. So, it's a lot of work and I really appreciate everybody who collaborated on this project kind of holding my hand and walking me through and telling me what worked and didn't work and making and improving a better, you know, a better script and then a better book.

Dave Bittner: Can you give us a little bit of a preview here, tease us of the kinds of things that Johnny Dollar finds himself up against?

Allan Liska: Yeah. So, actually, we have a four-story arc planned. The first story he goes to Johnstown, Pennsylvania, which is where my parents are from, to deal with a ransomware attack at a steel mill and deal with an insider threat so the ransomware actors kind of bribing somebody. And it's more of a whodunit as he has to figure out who the insider is as part of it. In the meantime, he meets up with some Russian gangsters. And if you're thinking that's weird in the middle of Johnstown, read the book and you'll understand it. And so, there's some fighting that goes on, and so on. The next issue, the one that we're working on now, in fact, we're almost finished with it, he flies to Milan, Italy, with a ransomware attack against the water plant there. And now, Johnny has really angered the ransomware actors and so they actually hire a hitman to come after him and so Johnny has to fight with a hitman as well as stop the ransomware actors from poisoning the water supply in Milan. So, that's much more adventure-packed than the first issue. And a fellow Johnny Dollar fan and cybersecurity person, Dr. Anjuli Shere, who I actually met during one of the ShareTheMicInCyber events. She took the lead on writing that issue. Stays true to the character but you get a very different story, which I really love. And I want to be very clear, Johnny Dollar is not me, it's not based on me, except there's one fight scene where Johnny uses a wine bottle to attack one of the people coming after him. Okay, that part could be me but the rest of it is very much not.

Dave Bittner: It would be a very fine vintage Cheffois. Or perhaps he would use the cheaper stuff too because it's more disposable.

Allan Liska: Right. You always use the cheap bottle to take out the bad guys.

Dave Bittner: There you go. Well, congratulations, Allan. Like I say, this is a real joy here. Who's your target audience? Who do you hope this finds?

Allan Liska: It's actually really funny because that's a question that people ask new comic book artists. And everybody else apparently says, "Oh, well, you know, people who love comic books." My target audience is cybersecurity professionals and people who love Johnny Dollar. So, two very niche markets but are apparently completely underserved by the comic book community. So, I'm hoping that we can make some inroads and especially for people who really love the original Johnny Dollar. I hope that they see that we really did our best to stay true to the character while updating him for a cybersecurity age.

Dave Bittner: That's Allan Liska, creator of Green Archer Comics and "Yours Truly, Johnny Dollar".

[ Music ]

Dave Bittner: And finally, the Record reports that Russian opposition activists affiliated with imprisoned leader Alexei Navalny have initiated an anti-Putin campaign using QR codes on billboards in major cities. These QR codes, originally linked to a creative competition, were covertly redirected to the "Russia without Putin" website. The billboards, bearing non-political messages like "Happy New Year, Russia", aim to subtly encourage people to vote against Putin in the upcoming March election. This digital approach, including a Telegram bot disseminating anti-Putin content, is a response to the ban on open anti-regime rallies in Russia. Authorities in Saint Petersburg and Moscow have started removing the billboards. Navalny's team acknowledges the likelihood of election result manipulation by Putin but asserts their goal is to highlight the nation's desire for change. The campaign's effectiveness and impact remain uncertain, especially considering Russia's history of penalizing online dissent. So, in Russia, billboards don't just sell products, they host revolutions one QR scan at a time.

[ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Dana Behling, a researcher at Carbon Black, sharing their work on hunting vulnerable kernel drivers. That's "Research Saturday", check it out. We'd love to know what you think of this podcast, you can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500, and many of the world's preeminent intelligence and law enforcement agencies.

Dave Bittner: N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester with original music by Elliott Peltzman. Our Executive Producers are Jennifer Eiben and Brandon Karpf. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

[ Music ]