CyberWire Daily - Cyber phases of Russia’s hybrid war seem mostly espionage. Belgium accuses China of spying. LockBit ransomware spreads. And Micodus GPS tracker vulnerabilities are real and unpatched.

Episode Date: July 20, 2022

What’s Russia up to in cyberspace, nowadays? Belgium accuses China of cyberespionage. LockBit ransomware spreading through compromised servers. Malek Ben Salem from Accenture explains the Privacy Enhancing Technologies of Federated Learning with Differential Privacy guarantees. Rick Howard speaks with Rob Gurzeev from CyCognito on Data Exploitation. And MiCODUS GPS tracker vulnerabilities should motivate the user to turn the thing off. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/138

Selected reading.
Continued cyber activity in Eastern Europe observed by TAG (Google)
Declaration by the High Representative on behalf of the European Union on malicious cyber activities conducted by hackers and hacker groups in the context of Russia’s aggression against Ukraine (European Council)
China: Declaration by the Minister for Foreign Affairs on behalf of the Belgian Government urging Chinese authorities to take action against malicious cyber activities undertaken by Chinese actors (Federal Public Service Foreign Affairs)
Déclaration du porte-parole de l'Ambassade de Chine en Belgique au sujet de la déclaration du gouvernement belge sur les cyberattaques (Embassy of the People's Republic of China in the Kingdom of Belgium)
LockBit: Ransomware Puts Servers in the Crosshairs (Broadcom Software Blogs | Threat Intelligence)
Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720) (BitSight)
CISA released Security Advisory on MiCODUS MV720 Global Positioning System (GPS) Tracker (CISA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. What's Russia up to in cyberspace nowadays? Belgium accuses China of cyber espionage. LockBit ransomware is spreading through compromised servers. Malek Ben Salem from Accenture explains the privacy-enhancing technologies of federated learning with differential privacy guarantees.
Starting point is 00:02:18 Rick Howard speaks with Rob Gurzeev from CyCognito on data exploitation. And MiCODUS GPS tracker vulnerabilities could motivate users to turn the darn thing off. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 20th, 2022. Late yesterday, Google's Threat Analysis Group published a full report on what it's seen recently of Turla and other actors aligned with the Russian cause. Turla is indeed impersonating the Azov regiment and is offering malicious apps that misrepresent themselves as a kind of do-it-yourself kit patriotic Ukrainians can use to conduct DDoS attacks against Russian networks. The apps do nothing of the kind, but instead install malware on the devices to which they're downloaded.
Starting point is 00:03:31 TAG writes, Turla, a group publicly attributed to Russia's Federal Security Service, recently hosted Android apps on a domain spoofing the Ukrainian Azov regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third-party messaging services. We believe there was no major impact on Android users
Starting point is 00:04:01 and that the number of installs was minuscule. Other Russian groups TAG mentions in its dispatches include the GRU, also known as APT28, Sandworm, or Fancy Bear, and a privateering spinoff of the possibly defunct Conti gang. These are exploiting the now-patched Follina remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool. TAG's observations confirm earlier reports by CERT-UA. The report says,
Starting point is 00:04:31 The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine. TAG has also observed an increased number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives impersonating the State Tax Service of Ukraine. We assess this actor as a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan
Starting point is 00:05:16 based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor. Cyber espionage continues elsewhere, with phishing as its principal mode of gaining access. Ghostwriter, operated by the intelligence services of Russia's ally Belarus, has continued to work against its customary targets, especially Poland,
Starting point is 00:05:39 and the Russian threat group Cold River, also called Kalisto, but best known as Gamerodon or Primitive Bear, continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists. Cold River has also used Dropbox and Google Drive to host malicious PDFs. The European Union yesterday issued a statement deploring Russia's conduct in cyberspace and the way in which its offensive activities have spilled over to countries other than Ukraine. The statement draws particular attention to the
Starting point is 00:06:17 nuisance-level DDoS attacks EU member states have recently experienced. The statement reads, The latest distributed denial of service attacks against several EU member states and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its member states have observed. We strongly condemn this unacceptable behavior in cyberspace and express solidarity with all countries that have fallen victim. We remain determined to address and investigate malicious cyber activities affecting international peace, security, and stability,
Starting point is 00:06:54 including the security of the European Union and its member states, their democratic institutions, citizens, businesses, and civil society. The statement made a point of reminding all that the EU had condemned Russian cyberattacks against Ukraine as early as January 14th of this year, a date that seems to mark the onset of the preparation phase of Russia's hybrid war. There's other cyber-spying out and about. Belgium's foreign ministry has accused China of an extensive cyber espionage campaign against numerous Belgian targets, including the country's ministries of interior and defense.
Starting point is 00:07:33 The specific threat groups singled out include APT27, APT30, APT31, and Gallium. This last group is also tracked as SoftCell and UNSC 2814. The Foreign Ministry's statement said in part, Belgium strongly denounces these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behavior, as endorsed by all UN member states. We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities and take all appropriate measures
Starting point is 00:08:12 and reasonably available and feasible steps to detect, investigate, and address the situation. China says, in effect, prove it, and by the way, you can't, because China, as usual, is the real victim here. The response of the Chinese embassy in Brussels is familiar stuff, reading in part, We have taken note of the statement about the so-called malicious cyber attacks by Chinese hackers without any evidence. On the one hand, the Belgian side refuses to provide the factual basis, and on the other hand,
Starting point is 00:08:55 it makes groundless accusations and deliberately denigrates and smears China. We express our strong dissatisfaction and our firm opposition. On the issue of cybersecurity, China is square, frank, and open. China has always been a strong advocate of cybersecurity and one of the main victims of cyber attacks. Various other whoppers follow. If you're curious, do read the whole thing. Our European desk tells us the statement sounds better in French, but then most things do. Researchers at the Symantec Threat Hunter Team, part of Broadcom Software, this morning reported that threat actors are targeting servers with LockBit ransomware. Their goal is to spread the ransomware through compromised networks.
Starting point is 00:09:38 One attack utilizing LockBit has been seen identifying domain-related information, creating a group policy, and executing a gpupdate /force command to update the group policy. The threat actors behind LockBit, which Symantec tracks as Syrphid, first appeared in September 2019 and quickly expanded their operations through a network of affiliates. This version of LockBit delivers a double extortion attack, both encrypting files and threatening public exposure of stolen data. LockBit is selective in its targeting, sparing Russia
Starting point is 00:10:14 and a small selection of countries in the near abroad. LockBit is a ransomware-as-a-service operation, and it's replaced the now possibly defunct Conti atop the C2C market leaderboard. Its rise is thus particularly opportunistic, but Symantec sees other keys to its success. They say, Lockbit's success is also due to its developers' and affiliates' continued evolution of features and tactics, which include the malware's fast encryption speed, ability to
Starting point is 00:10:46 target both Windows and Linux machines, its brash recruitment drives, and high-profile targets. In addition, as previously mentioned, the launch of a rewards program for vulnerabilities in LockBit's code and for suggestions on improving the ransomware-as-a-service operation will no doubt help the ransomware remain a serious threat to organizations. Researchers at BitSight have issued a report on vulnerabilities in the popular MiCODUS MV720 automotive GPS tracker. The MV720 is designed for both fleet management and theft protection. In addition to simply tracking vehicles in which it's installed,
Starting point is 00:11:27 the MV720 offers anti-theft, fuel cutoff, remote control, and geofencing features. All of these are susceptible to exploitation in a variety of ways. As BitSight puts it, the exploitation of these vulnerabilities could have disastrous and even life-threatening implications. For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible
Starting point is 00:12:11 scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security. The researchers say they've been trying to get through to MiCODUS since September of last year, and the account of their attempts at responsible disclosure forms a story of virtue under trial worthy of Samuel Richardson's Clarissa. In brief, BitSight says MiCODUS never replied, and eventually, when BitSight turned to the U.S. Cybersecurity and Infrastructure Security Agency, CISA had no better luck getting through. Guangdong-based MiCODUS says on its website that it values customer feedback, but there was no mention on their site of any of the issues BitSight uncovered,
Starting point is 00:12:59 nor are there any fixes or updates available. So, what's a concerned driver to do? Punch out, friend. Take the Martin Baker option. BitSight thinks all users should disable their MV720s at once and stop using them until a reliable fix for the vulnerabilities is available. CISA, while noting that no public exploitation of the vulnerabilities has so far been seen, basically agrees and thinks users should take care to isolate their networks from the vulnerable devices. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:13:53 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:14:56 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. My CyberWire colleague, Rick Howard, recently sat down with Rob Gurzeev from CyCognito to discuss a recent disclosure from CISA on data exploitation. I'm joined by Rob Gurzeev, the CEO of CyCognito.
Starting point is 00:15:46 Rob, it's good to have you back on the CyberWire. Thank you, Rick. It's a pleasure to be here again. So back in November, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, released a report called Reducing the Significant Risk of Known Exploited Vulnerabilities. And in it, they announced a new intelligence report called the Catalog of Known Exploited Vulnerabilities. What's going on here? Yeah, it's a super interesting release where they cover one of the most important elements in cybersecurity that is also one of the least discussed or well-understood areas in cybersecurity, I believe, which is, and that's their data, that only 4% of the total number of CVEs that have been public actually got exploited.
Starting point is 00:16:33 So only 4% got exploited, but 50% of these vulnerabilities of these 4% actually get exploited within less than 48 hours. And 70% of these vulnerabilities get exploited within less than 28 days. So when you think about mean time to remediation, which on average is in the months, obviously that's not nearly enough. And so that's a super important statement that should make security teams, security leaders inspect, you know, what they're doing today. Is their MTTR,
Starting point is 00:17:13 mean time to remediation, relevant enough? And it's related to the general risk management question. So the report says that in 2020, industry partners identified a total of over 18,000 new cybersecurity vulnerabilities. And like you said, only 4% of those were used for exploitation. I did the math. That's just 720 vulnerabilities compared to 10,000. So how do we adjust our thinking here? What do we do with that information? The tricky thing or the interesting thing about cybersecurity and actually having done offense and dealt with offense for years in intelligence agencies and other contexts make the following quite obvious. There is the IT perspective, which is we have all of these systems. We're building our architecture,
Starting point is 00:18:05 we want the architecture to be really great, really safe, easy to manage, great. But then there is the attacker's perspective, which is related to this 4%, which is related to path of least resistance. Interestingly enough, that path of least resistance actually leads attackers to look at subsidiaries, assets you don't even know about and don't monitor, third-party assets like this marketing campaign that this team in Europe or Asia or what have you have built for your company, but you're not managing it, might expose some of your customers' information, including PII. But it's not in your asset inventory, and your application security testing tools are never monitoring it. So that's the path of least resistance. So on the one hand, yes, it's just 4% of the vulnerabilities, and that sounds great. On the other hand, attackers are becoming more and more efficient. These 48 hours for exploiting 50% of the vulnerabilities,
Starting point is 00:19:13 I think, makes that pretty obvious. And then you have these blind spots in the broad sense, whether it's subsidiaries, assets you simply don't know about, third-party assets that put you and your data and customers at risk. And then the most important question, I think, becomes, how do I increase my coverage and prioritization? So it seems counterintuitive, you know, that we rate a vulnerability as being highly critical or highly, you know,
Starting point is 00:19:43 and if I was doing it, I would say, oh, that's where the bad guys would go. But you talk about this idea of chaining, that bad guys are looking for initial entry into the victim's network, right? Can you explain what you mean by chaining? Sure. So if you think about a third-party application that the marketing team has built with this other vendor. And that has some of your customers' credentials on it. And it has this SQL injection vulnerability, so attackers can gain these credentials from that third-party asset. And then, for example, everyone is talking about zero trust. What almost no one is talking about is zero trust coverage, the deployment coverage.
Starting point is 00:20:30 So say that only half of your authentication mechanisms actually have zero trust deployed on them. And now attackers can leverage the credentials they stole from that third-party website that is not really monitored or protected, which is something we are seeing even at the biggest banks, by the way. And then they're going to use these credentials against these, even in some cases, on-prem authentication mechanisms that happen to be exposed to the internet
Starting point is 00:21:01 that are not protected with your zero trust solutions that you are discussing with your board that you have deployed. And we've actually talked to Fortune 500 companies that got breached exactly this way. So then this idea of chaining is really the adversary working their way across the intrusion kill chain. And they don't require a massively vulnerable exploit in some piece of software. They just need a way to get their toes on the network
Starting point is 00:21:32 and then they can move laterally and move their way up the escalation chain to accomplish their mission. This is a long-term play. This isn't a quick smash and grab operation. Is that correct? In many cases, it really depends on the threat actor. So if you're thinking about Russia, you know, they're fine with spending a few months
Starting point is 00:21:53 gathering these credentials from this one asset, leveraging it over here, getting into the network, then slowly establishing their infrastructure there and taking the next steps. When such organizations do that, it's very hard to completely eliminate every attack path, but that's quite rare. And even the most advanced intelligence agencies and offensive organizations, by the way, will still always prefer to rely on weak spots. It's obvious. And it can massively slow them down if these are hard to find. Well, it's good stuff, Rob. Who knew 4% of the vulnerabilities? That was a shocker to me. I
Starting point is 00:22:37 think I spit took my coffee all the way across the room on that one. So thank you, Rob, for coming on. That's Rob Grzyw, the CEO of Psychognito. Thanks for coming on the show, Rob. Thank you, Rick. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:23:09 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Malek Ben-Salem. She is the Technology Research Director for Security at Accenture. Malek, it's always great to welcome you back to the show.
Starting point is 00:24:02 I want to touch base with you today on some privacy-enhancing technologies that I know you and your team have been tracking here. What can you share with us today? I think privacy enhancing technologies have gained more interest recently, especially with the regulations that have been either, you know, that went into effect like GDPR or the ones that are being developed, whether in the U.S. or in other countries. So they've gained more interest. And one of the later, more recent developments is this combination of a couple of privacy enhancing technologies. So one of them is federated learning, right? So one of them is federated learning, right?
Starting point is 00:24:51 Federated learning is basically this idea where, or this machine learning approach where you can train a neural network model or machine learning model in general on a mixture of local devices, for example, phones, right? Or central devices. But it decouples the ability to do machine learning from the need to store data in a local, sorry, in a central server or on the cloud. So you can do this distributed learning through this federated learning approach. And it has been introduced. So Google uses it for Gboard, for instance, and for the prediction of, you know, next word prediction or the next emoji suggestion. Differential privacy is another privacy enhancing technology. And what it does, it provides some guarantee on the privacy level
Starting point is 00:25:49 that is introduced. The way it works is it fuzzes the data. So it adds some noise to the data. So if you're typing, for instance, the sensor is looking at your keystrokes and your patterns of typing, then it introduces, you know, some noise for each keystroke. Now, the new development is this ability to combine the federated learning approach with differential privacy so that now not only is the data kept local at the endpoint devices, but also you can provide the end users some guarantee about their privacy level. So mathematically, you can give them a number on how much privacy they're getting. And that's the key development that we've been, you know, watching.
Starting point is 00:26:49 I think this is great new development and is very promising for the advocates of privacy as we can develop these algorithms that can automatically, you know, identify where to continue training with the federated learning approach. How can we deal with cases where, you know, we don't have enough number of devices to train on, which may mean that, you know, privacy is lost, but how can we compensate for that with the differential privacy approach? So, you know, developing these algorithms that can combine the two, I think, is a very exciting new development. Can you give us an example of what a possible use case would be for this combination? So definitely, as I mentioned,
Starting point is 00:27:39 you know, the next word prediction on mobile devices or, you know, your keystroke typing patterns, things that you want to keep the information or the data local. And, you know, if you train a central model, there is some information that has to be shared, right, back and forth between your local machine and the central model. So how do we ensure that that happens with some privacy guarantees and that those privacy guarantees are not just added to the individual prediction of the next word, so the individual instance of training data, but also are added at the user level.
Starting point is 00:28:25 So for all of your data. And are we still at the experimental stage with this or are people actually deploying this? People are actually deploying it, but not at a very, at scale. I know that Google has experimented with this and they've deployed it for some
Starting point is 00:28:47 of their devices. But they're currently basically assessing how scalable the approach is. But at a minimum we know it's working. The protocol is there, the algorithm is there to make it work. What are the impacts on the
Starting point is 00:29:03 accuracy of the neural network model that is trained this way? I think that's what has to be assessed. All right. Well, interesting stuff for sure. Malek Ben-Salem, thanks for joining us. Thank you. Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Starting point is 00:29:51 Puru Prakash, Justin Sabe, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.