CyberWire Daily - Article 5? It’s complicated. Influence ops for economic advantage. SOHO routers under attack. YTStealer described. RansomHouse hits AMD. A NetWalker affiliate cops a plea.
Episode Date: June 29, 2022
NATO's response to Killnet's cyberattacks on Lithuania. Influence operations in the interest of national market share. SOHO routers are under attack. YTStealer is out and active in the wild. RansomHouse hits AMD. CISA releases six ICS security advisories. The most dangerous software weaknesses. Betsy Carmelite from Booz Allen Hamilton takes a look back at Biden's executive order on cyber. Our guest is Philippe Humeau of CrowdSec on taking a collaborative approach to security. And a guilty plea in the case of the NetWalker affiliate. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/124
Selected reading.
Could the Russian cyber attack on Lithuania draw a military response from NATO? (Sky News)
Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance (Mandiant)
ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks (Lumen)
New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators (Hacker News)
RansomHouse Extortion Group Claims AMD as Latest Victim (RestorePrivacy)
RansomHouse gang claims to have some stolen AMD data (Register)
CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)
2022 CWE Top 25 Most Dangerous Software Weaknesses (CISA)
Netwalker ransomware affiliate agrees to plead guilty to hacking charges (The Record by Recorded Future)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
NATO's response to Killnet's cyber attacks on Lithuania,
influence operations in the interest of national market share,
SOHO routers are under attack,
YTStealer is out and active in the wild,
RansomHouse hits AMD,
CISA releases six ICS security advisories,
the most dangerous software weaknesses,
Betsy Carmelite from Booz Allen Hamilton takes a look back at Biden's executive order on cyber.
Our guest is Philippe Humeau of CrowdSec on taking a collaborative approach to security,
and a guilty plea in the case of the NetWalker affiliate.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 29th, 2022.
Sky News asks the inflammatory question,
could the Russian cyber attack on Lithuania draw a military response from NATO?
And then gives the more ironic answer, not so fast.
An opinion piece frames the issue like this.
A NATO member is under attack. Normally,
the meaning of this would be frighteningly clear, but this is an attack with a difference,
not a physical attack, but a cyber attack, and working out what a cyber attack means is never
simple. The issues involve responsibility. Killnet presents itself as a patriotic hacktivist
operating independently of Russian government control,
and proportionality.
The cyberattacks haven't been particularly damaging
and in any case have fallen short of producing kinetic effects,
consequences in real life.
Reuters reports that China has been engaging in an influence operation directed at
arousing popular protests against Australian, Canadian, and U.S. rare earth mining companies.
The sector is one in which China has a significant national interest, and the firms singled out for
attention include Lynas Rare Earths Limited, Appia Rare Earths and Uranium Corporation, and
USA Rare Earth. The campaign, Dragonbridge, discovered and named by Mandiant, seems aimed
at market dominance. It makes heavy use of inauthentic social media. Mandiant said in its
report, the campaign used inauthentic social media and forum accounts, including those posing as residents in Texas,
to feign concern over environmental and health issues surrounding the plant,
including via posts to a public social media group predisposed to be receptive to that content.
Dragonbridge doesn't seem so far to have been particularly effective,
but Mandiant thinks the approach
on display, particularly the micro-targeting of the audience it seeks to reach, bears watching.
Lumen's Black Lotus Labs reports that small office home office, that's SOHO, routers
are under active attack by operators using the ZuoRAT remote-access Trojan. The operators are after bigger fish than
home offices. Remote work has made SOHO routers an attractive point of entry into larger networks,
and that appears to be the case here. Lumen's report says,
The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to
seize this opportunity to subvert the traditional
defense-in-depth posture of many well-established organizations. The capabilities demonstrated in
this campaign, gaining access to SOHO devices of different makes and models, collecting host and
LAN information to inform targeting, sampling and hijacking network communications to gain
potentially persistent access to inland devices
and intentionally stealth C2 infrastructure, leveraging multi-staged siloed router-to-router communications,
well, that points to a highly sophisticated actor that we hypothesize
has been living undetected on the edge of targeted networks for years.
Intezer this morning announced its discovery of malware
it's calling YT Stealer. The malware has been aptly named as the sole function is to steal
authentication cookies from YouTube content creators. YT Stealer is different from other
malware in that it only harvests credentials for YouTube and not any other service. If authentication codes are found in a browser's database files in the user's profile folder,
the malware launches the browser in headless mode on the infected operating system
and adds the cookie to the cookie store.
The malware then uses a library called Rod to control the browser,
and it navigates to the creator's YouTube Studio
page and steals information about the channel and encrypts it, sending it to a command and
control center whose domain name is ubot.solutions.
UBOT Solutions appears to be a company registered in New Mexico that describes itself by saying
that it provides unique solutions for getting and monetizing targeted traffic.
U-Bot may well be connected outside the American Southwest.
Its red-eye logo that appears on its Google business listing could be found, Intezer points out,
on Aparat.com, an Iranian video-sharing website.
YTStealer is a C2C play.
The researchers say that YTStealer is probably sold to other threat actors.
They note that YT Stealer often isn't the only dropped malware on a device.
Redline and Vidar have been seen alongside the YT Stealer malware.
Much of the dropped malware is disguised as pirated versions of video and image software
and game mods and cheats.
Using only legitimate versions of software is a good way to have better control
over what ends up on your computer, researchers conclude.
The Hacker News has a summary of Intezer's report.
RansomHouse, a data extortion gang relatively new on the cybercrime scene,
has claimed a successful breach of Advanced Micro Devices, AMD, the well-known chip manufacturer.
Restore Privacy reports that RansomHouse posted what it claims represents
a small sample of the data stolen to its dark web site.
RansomHouse announced itself to the world this past
December with some immodest bragging about its website, and the gang teased its AMD breach last
week with a riddle. So, name a company that pretty much everyone knows. Its name consists of three
characters. The first character is A. Players were invited to send their guesses in the channel to get a link in a private message.
The gang this week revealed that the victim was AMD,
and the company yesterday sent Restore Privacy a note acknowledging an incident.
The chipmaker said,
AMD is aware of a bad actor claiming to be in possession of stolen data from AMD.
An investigation is currently underway.
The Register reports some industry consensus that RansomHouse seems unlikely to become a major player
on the ransomware scene.
The skepticism seems largely to consist of disapproval
of the gang's swaggering self-promotion,
which does indeed come across as a bit skid-like,
and RansomHouse's poor attention to detail.
Those 450 gigabytes of company data they claim to have, for example,
are those gigabytes or gigabits?
A proper member of the underworld would know the difference.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday released
six industrial control system security advisories,
details of which may be found at the usual place, CISA.gov.
The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and
operated by MITRE, has released the 2022 Common Weakness Enumeration Top 25 Most Dangerous
Software Weaknesses. It's a new publication, and the Institute explains,
this list demonstrates the currently most common and impactful software weaknesses.
Often easy to find and exploit, these can lead to exploitable vulnerabilities
that allow adversaries to completely take over a system, steal data, or prevent applications from working.
The report includes recommended
mitigations for the vulnerabilities listed. And finally, there's a guilty plea in the case of
the Canadian NetWalker affiliate, Sébastien Vachon-Desjardins. Monsieur Vachon-Desjardins
specifically copped to four charges: conspiracy to commit computer fraud, conspiracy to commit wire fraud,
intentional damage to a protected computer, and transmitting a demand in retaliation to
damaging a protected computer. His sentence could total up to 40 years, but some allusion to offers
of cooperation suggests that his sabbatical at Club Fed could be substantially lower than this,
should he give law enforcement enough leads on his underworld friends.
The accused had an interesting, if not unheard of, work life.
Before the Royal Canadian Mounted Police got their man at his home in Quebec last year,
he'd worked as an IT consultant for Canadian government agencies while he was moonlighting as a ransomware operator,
the record reports. A Canadian court already sentenced him to seven years before sending
him south of the border to give the Yankees their shot at him. He'll be doing time somewhere in
North America. How much of it will be stateside is now up to the U.S. District Court for the
Middle District of Florida, Tampa Division.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Security company CrowdSec is taking an innovative approach to collaborative security,
releasing a lightweight open-source user agent that detects intrusions and shares what it finds with the community.
Philippe Humeau is CEO of CrowdSec, and he explains that a good way to wrap your head around this project is to think of the popular GPS navigation app Waze.
Your smartphone would share your position, your heading, your speed, and you would eventually as a human add other stuff like, is there something happening on the road or a speed trap or whatever.
We are very similar in this in the way that we are sharing with each other what aggression we are facing and blocking
so that all the others can benefit from those sightings.
And this is a collaborative network in this sense.
So if you're protecting yourself from attacks,
then you're also protecting the next door hospital
or this retirement house
or this media outlet and so on and so forth. What's going on behind the scenes here to
collaborate this sort of sharing? Yeah, well, what we saw is that people are mostly willingly
willing to help each other. What happens is that they don't have any product or tool to help them
doing so. So the first thing we thought about is it has to be free, because if Waze would have costed like just one euro,
it would never have become the network we know about. So yeah, it had to be open source and free
so that the majority of the people could access it. And what we see is that the bad guys, they
are collaborating with each other, all of them, all the meaningful cyber criminal groups
are collaborating with each other.
And we are not.
We are behaving as single entities
facing an army.
And that just doesn't work.
We need to team together
if we want to tackle
these large-scale problems.
As for every complex problem,
you need the collaboration.
Like a complex problem
is sending people to the moon.
You cannot possibly do it by yourself. Whereas a complicated problem is a problem that is maybe
very difficult, but you can solve it on your own. So here we are facing a complex problem,
and we need tools for that. How does it get managed? How do you not become overwhelmed
with signaling from the folks who are taking part in this? Yeah, well, first of all, it has to be mentioned, it's all automated. So no one is like validating
whatever or sending manually or clicking on anything. It's just servers that are fending
attacks, you know, based on behavior. So if someone is, for example, scanning you or trying
to guess your password or injecting credit card numbers to verify if they are still valid or trying to buy automatically a product from your website.
All of these are nefarious behavior you want to block. And anytime you block one of them,
the signal that you blocked this IP address trying to have this behavior is shared with a central
server, with central servers. And those servers that are doing what we call stream processing, so they are literally processing
the stream that is flowing through them, they are sorting the real signals from the fake
signals.
Because we have a problem here, which is called the Byzantine general problem, like for the
blockchains and Bitcoin, for example.
So we cannot take for granted that everyone is well-intended
here. And maybe they're trying
to lure us into thinking that, I don't know,
Googlebot is a bad
actor, has a bad behavior,
and want us to block the IP of Googlebot.
Obviously, we don't want that to happen.
So we have algorithms clearing out
the noise, clearing out
the attempts to
do shenanigans with this consensus.
And when the consensus is reached, meaning when 150 currently machines decide that this
IP aggressed them altogether and it needs to be banned, then they issue a ban order
to the whole network saying this IP has been seen too many times, having too many times
this bad behavior, and it should be blocked on site
until it's having normal behavior again.
Why is it important that this be an open source project?
Well, there are two things in open source
that are often misleading.
One is open source so that everyone can look into the product
and code it and extend it.
And the second thing is it's free.
It doesn't have to be one with the other.
I mean, you can be open source and not free at all.
But here, this is both.
So the point of being free is that money is the first friction to adoption.
And obviously, we are after network effect.
So the larger we are, the more efficient we are.
We already have tens of thousands of machines, but we aim for millions.
And this gives us a real-time overview of what's happening over the Internet
and the capacity of blocking IP addresses used by the cybercriminals in real time.
So the more, the merrier.
And this is where it is important that it's free.
And also, the open-source part makes it so that you can adapt it to your own IT landscape
or your own technological zoo.
You know, we cannot possibly cover all the options that are now offered by the market.
What we can do, though, is make it very easy for you to be able to adapt the software in your own context.
And how is it funded?
Well, that's a great question because, yeah, if it's free and if it's open source, well, how do we make money?
So I'm not part of those guys thinking that we should, you know, dress like monks and not earn money or whatever.
I'm hiring a bunch of great professionals that have opportunities all year long.
And I want them to be 100% focused on what they're doing and not have inside jobs or whatever.
So I pay them well.
And to pay them well, we have to make money.
So for now, we are funded by VCs, namely Breega in France, B-R-E-E-G-A.
But we are about to be not profitable, but to start monetization.
And how we do this is like, take it like this.
We are gathering a lot of signals, extremely valuable signals that are also vertically accurate. So we know if this IP is aggressing medias, if it's aggressing hospitals,
if it's aggressing automotive or energy industry or banks, you know.
So this is extremely precious data.
And a lot of people are willing to buy them just to protect themselves.
You know, they may not want to use the product for whatever reason,
because maybe they don't have the time to deploy it.
Maybe they don't want to share anything, whatever.
They can still get the data out of the network, out of the community, but they have to pay a premium for that.
That's Philippe Humeau from CrowdSec.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Betsy Carmelite. She is a principal at Booz Allen Hamilton.
She's also the federal attack surface reduction lead. Betsy, great to have you back. I want to
touch base with you today on the executive order that President Biden put out.
It's been about a year now. I want to touch base and sort of take stock of where we stand now, what worked, and where there's still some work to be done.
Yeah, Dave, it has been a little more than a year since the president signed the executive order.
And it's important that we take a look at the current state of federal cybersecurity and do a bit of retrospective to see how far we've come and what we have left to accomplish.
We looked at this tactically and strategically.
So to mention a few items here tactically.
First, generally, the administration has demonstrated strong progress addressing the priorities
outlined in the EO, and CISA has played
a key role on this front. CISA resources have increased and it's working to be the key convener
to protect the .gov landscape. Secondly, tactically, the agency has taken several
measures, such as publishing the Vulnerability and Incident Response Playbook, ensuring that they have
access to all necessary information about incidents affecting federal agencies, and
also working with OMB to direct a review of the 650-plus unique cybersecurity-related
contract clauses for the contractor workforce.
And more strategically, the takeaway is that the cyber executive order
has successfully presented opportunities for improved risk management by really elevating
the importance of secure product development and supply chain risk management. So while the
checklists for supply chain security were necessary, it's critical to step back and
identify and address the potential
cyber threats that could affect the software supply chain, for instance.
Those threats will drive your protections and risk management strategies, and you can
uncover those through threat modeling, testing, and software emulation.
You know, in the year or so since this went into effect, what has been the response from the organizations that this affects?
Are they saying that it's been pretty reasonable and achievable?
Well, I think there's a belief that this has really spurred excellent progress.
progress. And there are a few areas where organizations and we as Booz Allen think we need to be proceeding further down the road as well. So while the executive order has taken
ambitious steps to modernize national cyber defenses and establish action from across
multiple entities with a lot of focus, rightfully so, on government and private sector coordination.
Continued work is needed to improve the nation's cybersecurity and improve the protection of
federal government networks. So, namely, the EO must really be supported and viewed as a
linchpin to drive the momentum of sustained federal cybersecurity. It's critical that resources continue to be aligned to CISA
so it can be a leader in the orchestration, risk management, defense operations,
connectivity, and protection of the dot-gov landscape.
And the EO also advanced proactive preventative cyber operations
by holding agencies accountable
for implementing enhanced detection and response capabilities. So how agencies approach and execute
enhanced threat detection is so critical, and this is going to be really important moving forward.
The EO specifically outlines more effective and agile federal government responses around detection.
And we've really been looking into new approaches specifically around detection.
So what do you suppose is to come? I mean, we're having this framework in place. Where are we
headed next? I'd actually like to look at that detection component because that's really just
going to be critical if you look at
these events such as Log4j and SolarWinds. Managing detection is really tough. In organizations with hundreds of thousands of end users, it's really tough. And in our work with clients with complex
security ecosystems, with thousands to millions of endpoints, we're looking to reimagine detection at scale.
And there are a few things that we think could really advance protection of the federal government.
But they're important concepts and tenets to remember as well.
Technology is never going to replace an analyst.
There's no security analyst that isn't busy constantly shifting their focus to something else.
Second, automation is key, but the focus of automation
should really be focused on getting detection
to the right people at the right time in the right format.
And third, to that note on the format,
standardization is key. So as you're
asking busy security analysts to further manipulate data on the fly, that only increases their workload
and puts off other work that they also need to do. So we see a lot of work in the traditional
SIEM architecture space that needs to be improved. So a lot of those architectures are fairly antiquated.
And we set out to introduce a new approach to detection
that involves an engine that uses Sigma rules to read logs outside of the SIEM,
send alerts directly to the analyst for further review,
so reducing some of their level of effort.
It's written with Go to provide incredible speed
while decreasing performance overhead.
It's built with Kubernetes horizontal pod autoscaling
to address that scaling as needed.
And it uses GitOps to automatically pull new signatures
from Git or other sources of high-confidence analytics.
And so we see this, with this approach, we can increase visibility, so important,
decrease cost, and automate detections through a few small changes to already existing architectures.
All right. Well, Betsy Carmelite, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabe, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Thanks for listening.
We'll see you back here tomorrow. Thank you.
through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.