CyberWire Daily - Belgium’s MoD suffers Log4shell attack. A man-in-the-middle concept. APT activity. Five Russians face US charges (one’s in custody). Fortunes of coin-mining. Holiday greetings from CISA and the FBI.
Episode Date: December 21, 2021
Belgium’s Ministry of Defense comes under attack via Log4j vulnerabilities. A cellular handover, man-in-the-middle exploit is described by researchers. The FBI says an APT group is exploiting unpatched Zoho ManageEngine Desktop Central servers. The US charges five Russian nationals with a range of cybercrimes. Coin-miners in China feel some heat. Ben Yelin describes a Meta lawsuit targeting anonymous phishers. Our guest Todd Carroll of CybelAngel explains the shifting tactics of “troll farms”. And, Grinchbots aside, CISA and the FBI offer holiday greetings and advice. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/243
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Belgium's Ministry of Defense comes under attack via Log4j vulnerabilities.
A cellular handover man-in-the-middle exploit is described by researchers.
The FBI says an APT group is exploiting unpatched Zoho ManageEngine Desktop Central servers.
The U.S. charges five Russian nationals with a range of cybercrimes.
Coin miners in China feel some heat.
Ben Yelin describes a Meta lawsuit targeting anonymous phishers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 21st, 2021.
Belgium's Defence Ministry told the news service VRT yesterday that the ministry had sustained an attack via Log4Shell vulnerabilities.
The ministry's representative said the incident began last Thursday
and that while the ministry has been working to contain
the exploitation and keep networks running, some portions of its networks have been unavailable.
The ministry's Facebook page yesterday posted a note telling inquirers not to expect full
service from its sites yet. The Register quotes Belgium's Centre for Cybersecurity, not a Ministry of Defense organization, as saying, quote, "Companies that use Apache Log4j software and have not yet taken action can expect major problems in the coming days and weeks." End quote.
NATO, whose headquarters are in Brussels, didn't respond to the Register's inquiry about whether the Atlantic Alliance's networks were affected.
L'Avenir's take is that the incident was both foreseeable and probably preventable.
The publication notes that the attack occurred four days after CERT.be issued its own version of the warning most national cybersecurity authorities shared, urging a prompt upgrade to Log4j version 2.17.0 or later.
In fairness to the MOD, patching an issue like this isn't always easy or straightforward.
There's no attribution so far of responsibility for the incident.
Both nation-state intelligence services and criminal organizations have exploited vulnerabilities in Log4j,
and some press mentions of Chinese, Iranian, North Korean, and Turkish threat actors
amount to little more than a priori possibilities.
Those were the countries whose intelligence services were first mentioned in dispatches
as having begun to scan for Log4Shell.
And an attack that degrades a network is certainly consistent with criminal activity.
Some of the better-known gangland operations have taken an interest in Log4j vulnerabilities.
Threatpost, for example, has an account of the attack chain the Conti ransomware gang is using to take advantage of Log4Shell.
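The CERT.be advice above is to get onto Log4j 2.17.0 or later, and the practical problem for a defender is finding every copy of log4j-core that is buried inside application archives. What follows is an added example, not code from the episode, from CERT.be, or from any of the organizations mentioned: a small Python scanner that opens a jar, war or ear, reads the Maven metadata log4j-core ships under META-INF, compares the version against the 2.17.0 threshold the advisory names, and recurses into nested archives. A jar that carries JndiLookup.class but no Maven metadata (a stripped or repackaged build) is reported as vulnerable with an unknown version rather than silently passed. The sample archives at the bottom are constructed in memory for the demonstration and are not real artifacts.

```python
"""Scan Java archives for bundled log4j-core and flag versions below 2.17.0.

Added example; not part of the CyberWire episode. The 2.17.0 threshold follows the
CERT.be advisory quoted above. Nested archives (jar inside war/ear) are walked, and a
jar that contains JndiLookup.class but no Maven metadata is flagged as unknown-version.
"""
import io
import re
import zipfile

FIXED_VERSION = (2, 17, 0)
# Maven-built log4j-core jars carry their version in this properties file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs the JNDI lookup at the heart of Log4Shell.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-rc1' are ignored."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def _core_version(zf, names):
    """Return the log4j-core version string, 'unknown' if only the class is present, else None."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if JNDI_LOOKUP in names:
        return "unknown"
    return None


def _status(version):
    """Classify a version string against the advisory threshold."""
    if version == "unknown":
        return "vulnerable-unknown-version"
    if parse_version(version) >= FIXED_VERSION:
        return "ok"
    return "vulnerable-" + version


def scan_archive(data, label="archive"):
    """Return [(path, status)] for every log4j-core found in data and its nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = _core_version(zf, names)
        if version is not None:
            findings.append((label, _status(version)))
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                try:
                    findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
                except zipfile.BadZipFile:
                    findings.append((f"{label}!{name}", "unreadable-archive"))
    return findings


def make_archive(files):
    """Build an in-memory zip from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real artifacts): an old core jar, a fixed one, a stripped one
# with only the JNDI class, and a war that bundles the old jar under WEB-INF/lib.
OLD_CORE = make_archive({POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n",
                         JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
FIXED_CORE = make_archive({POM_PROPS: b"version=2.17.0\n"})
STRIPPED_CORE = make_archive({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
SAMPLE_WAR = make_archive({"WEB-INF/web.xml": b"<web-app/>",
                           "WEB-INF/lib/log4j-core-2.14.1.jar": OLD_CORE,
                           "WEB-INF/lib/other-lib.jar": make_archive({"a.txt": b"x"})})

if __name__ == "__main__":
    for label, blob in [("old.jar", OLD_CORE), ("fixed.jar", FIXED_CORE),
                        ("stripped.jar", STRIPPED_CORE), ("app.war", SAMPLE_WAR)]:
        for path, status in scan_archive(blob, label):
            print(f"{status:28} {path}")
```

Two caveats a practitioner would want. The scanner trusts the version in pom.properties, so a jar that has been patched in place (JndiLookup.class removed) still reports its original version and needs manual confirmation. And the single 2.17.0 threshold matches the advisory as quoted; the 2.12.x and 2.3.x branches maintained for older Java runtimes received their own fixed releases, so hits on those branches should be checked against the Apache advisory for that branch rather than rejected on version number alone.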
Researchers at New York University Abu Dhabi have published research on a vulnerability in the handover procedures cellular networks use to preserve service with minimal latency for mobile users.
They've demonstrated the possibility of man-in-the-middle attacks, quote, "specifically a new type of fake base station attack in which the handover procedures, based on the encrypted measurement reports and signal power thresholds, are vulnerable." End quote.
The US FBI warns that unnamed foreign intelligence services are actively exploiting a vulnerability, CVE-2021-44515, in Zoho ManageEngine Desktop Central servers.
Quote,
Since at least late October 2021,
APT actors have been actively exploiting a zero-day,
now identified as CVE-2021-44515,
on ManageEngine Desktop Central Servers.
The APT actors were observed compromising Desktop Central Servers,
dropping a web shell that overrides a legitimate function of Desktop
Central, downloading post-exploitation tools, enumerating domain users and groups, conducting
network reconnaissance, attempting lateral movement, and dumping credentials.
There's a fix available. Affected organizations are advised to apply the upgrades Zoho provided
in an early December security advisory.
Switzerland has extradited Russian national Vladislav Klyushin of Moscow to the U.S., where he faces charges related to hacking in furtherance of insider trading.
Four indicted co-conspirators remain at large. He arrived in the U.S. on Saturday, and the charges against him were unsealed yesterday in the U.S. District Court for the District of Massachusetts.
The U.S. Justice Department says he is charged with conspiring to obtain unauthorized access to computers and to commit wire fraud and securities fraud, and with obtaining unauthorized access to computers, wire fraud, and securities fraud. A conspiracy implies conspirators, and the U.S. alleges that Mr. Klyushin had four partners in crime. Moscow residents Ivan Ermakov and Nikolai Rumiantcev are also charged with conspiring to obtain unauthorized access to computers and to commit wire fraud and securities fraud, and with obtaining unauthorized access to computers, wire fraud, and securities fraud.
The U.S. Attorney for the District of Massachusetts points out
that Mr. Ermakov is an alumnus of the GRU, Russia's military intelligence service,
and that he's also wanted for his alleged role in influence operations
intended to disrupt the 2016 U.S. elections.
Mr. Ermakov seems to have had fingers in several pies.
He also faces charges in connection with hacking and disinformation operations
that targeted international sporting federations, anti-doping agencies, and anti-doping officials,
all of which allegedly occurred while Russia was in bad odor
with the Olympic movement for bringing chemically enhanced athletes to the Games.
Two other alleged co-conspirators, both of Russia's second city, St. Petersburg,
are Mikhail Vladimirovich Irzak and Igor Sergeevich Sladkov.
Mr. Klyushin, Mr. Ermakov, and Mr. Rumiantcev, the U.S. attorney
says, all worked for M-13, a Moscow-based security company that said it offered penetration testing
and advanced persistent threat emulation, which the U.S. attorney points out both seek exploitable
vulnerabilities in a computer system purportedly for defensive purposes. The company's website
said that its solutions were used by the administration of the President of the Russian Federation,
the government of the Russian Federation, federal ministries and departments,
regional state executive bodies, commercial companies, and public organizations.
We hope they were a best value provider. We'll add that Switzerland is a swell place to vacation, but they do have a functioning extradition treaty with the United States. If you're looking for a holiday spot, we hear Chelyabinsk is nice this time of year.
China cracked down on widespread and power-hungry crypto mining operations back in May, but CNBC reports miners have been able to evade the law by spreading their operations out to make their consumption of electricity less obvious.
This seems to be a case of the inherent difficulty of enforcement as opposed to the states turning a blind eye toward illegal coin mining.
In any case, some of the miners CNBC talks to clearly worry about being brought to justice.
Quote,
We never know to what extent our government will try to crack down to wipe us out,
one who asked to be identified by his nickname Ben said.
Some are considering looking into offshoring their operations until the heat dies down.
The regular dry spell that's drawn down water levels in hydroelectric dams has also been a problem for
the coin miners. They're accustomed to moving their rigs around to take advantage of other
power sources, but again, with the heat on, that's becoming harder to do. For all of their difficulties,
CNBC says that Chinese coin miners account for about 20% of the global production of Bitcoin,
but given too much official attention,
they're increasingly thinking about moving to a softer environment,
particularly America.
So, listeners stateside,
you may find Ben moving into a friendly part of your local power grid.
Wired publishes an update on another holiday season problem,
the Grinch bots that automate online ordering of in-demand products,
toys, gaming consoles, and the like,
in order to create scarcity and drive a lucrative reseller's market.
And finally, the U.S. Cybersecurity and Infrastructure Security Agency,
that's CISA, and the FBI are offering some sound holiday security advice,
even presenting it, and why not, in the homely form of a Hallmark moment.
CISA Director Jen Easterly and the FBI's Assistant Director of the Cyber Division,
Bryan Vorndran, seated with small presents and a nice snowman puppet between them,
point out that while the holidays are times of happy distraction and lighter-than-usual staffing, there are still ways of staying safe online. They recommend identifying IT employees who can be available on weekends and holidays if you need to surge to handle an incident or ransomware attack. Remind your people to use strong passwords and not to reuse them in different accounts. Put multi-factor authentication in place for remote access. Ensure that potentially risky services like RDP are properly configured, secured, and monitored. Talk to your people about how to recognize phishing. And finally, as you resolve to remain prepared and alert, review your incident response plans.
They close with warm holiday wishes, which we heartily return.
If you are a regular user of online social media,
you have likely seen posts come by that are quite obviously the work of some sort of troll farm,
laughably spewing misinformation or blatantly partisan points of view, repeated by multiple
accounts that were created moments ago in a fit of algorithmic scripting. These troll farms continue
to increase in number and sophistication. Todd Carroll is chief information security officer and VP of cyber operations at security firm CybelAngel and was previously special agent in charge of the FBI's Chicago field office. I reached out to him for his take on troll farms.
Well, we see them
popping up all over the place. You know, they've been in Southeast Asia, you know, the old Eastern
European countries. Now we see them more popping up in Africa, right? So, I mean, I don't think they're
that very hard to find or they're being set up by on behalf of a foreign nation that is trying to
potentially use that to push an agenda or to push a certain message to influence via social media
a certain cause or whatever. So, I mean, you know, for example,
right, so you want an example on this. So if I wanted to push an agenda right behind a certain
candidate versus another one and I want to influence it from a foreign point of view,
right, whether it's another country that feels that this would be more favorable or to actually
increase the discourse between,
you know, the population inside a country, then these trolling farms could push certain messages
or whether it's true information or disinformation that's against the other candidate or in support
of, and that's what the information is. So it's, it's looked at in social media that there is,
the messaging is higher, you know, that the, you
know, I see this more, so maybe it's the truth or the message is even being pushed out where
before it wouldn't be because the information is completely false.
And what techniques do they use to put these messages out there?
Usually the main social media, Facebook, Twitter are probably the two most popular ones and probably will continue as that's where, you know, from if we look at from a U.S. point of view.
Right. That's where a lot of people sit and a lot of people, right or wrong, take reading it or you're ingesting it or you believe it, then you kind of, in your back of your mind, you're developing a, you know,
is this the truth? Is this what's going on? I keep seeing the same thing about this candidate or
this cause or whatever the issue being pushed is at that time.
What about the platforms themselves? To what degree are they trying to tamp down these sorts of things?
Yeah, they are.
I mean, it's, you know, we see it all the time.
You know, Facebook is out there saying they shut down 1,500, you know, accounts that do this.
But they're just going to pop up under something else, right?
It's a little difficult probably for them. I know they're spending more and more time,
especially as the media is spending more time calling these fake accounts out. They're working
on it, but it's not, you know, that's, listen, Facebook and Twitter was set up for people to
share information and share their opinions. And it's probably a little bit difficult for them to
find these accounts, but when they do, they've been pretty reactive to shutting them down.
For organizations who are concerned about this sort of thing, what are your recommendations for them to keep on top of it?
Is this a threat intelligence type of thing or how should they go about it?
Definitely a threat intelligence type because this is information that's being spread that could be targeting your company, could be targeting your geopolitical
views. It could be, you know, us as individuals, us as companies. So I think being aware that
there's this activity that's out there, right, not taking all your information from one source,
seeing when the sources are posted, right? If most of them are coming out of Africa,
they're like businesses, right? They show up at nine to five, you know, at that timeframe,
you know, does most of the people, you know, in the U.S. post at three in the morning,
right? You know, I don't, well, I have some, some relatives that do, but, um, we, we don't,
it's kind of awareness that these things do exist and not just taking what's out there for granted and educating yourself, but then also calling out.
If you're a company, you know this information is wrong.
Working with the authorities or working with Facebook and Twitter to call out these groups to get them shut down, especially if they're targeting your company.
That's Todd Carroll from CybelAngel.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story from the folks over at The Record by Recorded Future.
It's titled Meta, Facebook, sues operators of 30—
It's still hard to get used to, isn't it?
It is.
They sue operators of 39,000 phishing sites.
This article caught my eye because it uses terms like describing this lawsuit as just weird and legal gymnastics,
which I thought made it perfect for us to talk about here.
Ben, what's going on here, Ben?
I feel like you send out the bat signal every time you see legal gymnastics.
That's my cue to enter.
Right.
So Meta is suing basically 100 John Does, so anonymous individuals,
people who have actually sent out these phishing emails that are hosted through this,
how do you pronounce it?
I think it's ngrok.
ngrok service.
So they're trying to get an injunction against these John Does
and damages of at least $500,000 from the operators of these sites.
So these are individuals who have created phishing links
that are used to mimic sites that are under the meta domain.
So like Instagram and Facebook.
And obviously they're using those to collect your information.
What legal analysts have said here is this is a weird lawsuit
because it's very hard to go after anonymous people
who are posting these phishing emails or this phishing material.
We don't know who they are.
It's going to be really hard to enforce it in court.
And unless we can de-anonymize them, what I think Meta is trying to do here is set a
precedent that this type of action will not go unnoticed and there will be consequences
if we ever find out who it is.
So it's almost more about protecting their brand than it is about actually punishing
phishing actors.
So, you know, sometimes you file a lawsuit to protect your brand.
I get it.
If I was Meta and I had billions of dollars in legal resources, you know, I'd want to show my customers that I'm going after the people who are making your life miserable, stealing your information.
So I completely get it.
I don't think we're going to get a favorable judicial
ruling on this. Yeah, so that's my next question. How does a judge respond when an organization like
Meta puts this in front of them? Well, in a couple of ways. I mean, if it's an implausible claim that
doesn't allege a proper violation of the law, then the judge can just dismiss the case. And I could
very well see that happening.
If there is not an allegation that makes this worth going through our court system,
a judge might just say, all right, this is a waste of time. Let's dismiss this.
Before this goes any further. What they rarely do, but what they sometimes do is say to these
companies or to these attorneys, this is frivolous. You're wasting my time. Let's
impose some sanctions.
So we've seen that in a number of circumstances where lawsuits are so frivolous where you have to basically prove that the lawyers knew that the suit
was intended to be a publicity stunt or a messaging stunt.
I see.
And then you can try and get those lawyers disbarred or at least impose fines.
I don't know enough about this. I doubt we're
going to get to that level, but I could easily see a judge just reading this over and dismissing it
without commenting on the merits of the phishing scheme. What if the judge goes along with it and
says, absolutely, here's your ruling, and Meta has that in hand, what do they do with it?
That's a great question. I mean, we do get rulings on anonymous individuals all the time, and you can enforce it dependent on the statute of limitations if you ever get information on who that individual is.
So if they're ever unmasked, they could be charged or whatever or fined.
Right.
Because it's a civil suit, right?
It's a civil suit.
So, yeah, they'd be fined.
They'd be assessed damages.
Okay.
So yeah, I mean, if you're out there and your identity is unmasked, if they were successful
in this lawsuit, you know, that means that wherever this person is, if we have an extradition
treaty with them and they're overseas, then they could be brought into the United States
and forced to pay the civil penalty.
I see.
So it could put that shadow over them, maybe make them think twice about continuing their operations
if they have this specter of potential action against them.
Exactly.
And I think that's ultimately the most that's going to be done here.
I see.
You know, I also think it might go in the other direction where if a judge dismisses this suit,
people, you know, will say,
well, as long as I can maintain my anonymity
and collect from these phishing schemes
and, you know, make a little bit of money,
I'm going to be pretty well shielded from legal liability.
So, you know.
Yeah.
Might as well just stay the course on this one.
Which, you know, could be dangerous.
I think it's a gamble on the part of Meta.
But, you know, I see why they're doing it.
It's about their brand, and it's also about setting a precedent
that these types of phishing attacks are not going to be acceptable on their networks.
All right. Well, interesting development.
Ben Yelin, thanks for joining us.
Thank you.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.