CyberWire Daily - Cyberespionage, privateering, hacktivism and influence operations, in Ukraine, Russia, the Middle East, and elsewhere. Criminals need quality control, too. A new entry in CISA’s KEV Catalog.
Episode Date: December 6, 2022
A Chinese cyberespionage campaign is believed to be active in the Middle East. Poor quality control turns ransomware into a wiper, and a typo crashes a cryptojacker. A large DDoS attack is reported to have hit a Russian state-owned bank. Privateers compromise Western infrastructure to stage cyberattacks. Cyber operations against national morale. A look at the Vice Society. Ben Yelin on the growing concerns over TikTok. Ann Johnson from Afternoon Cyber Tea speaks with Charles Blauner about the evolution of the CISO role. And CISA has added an entry to its Known Exploited Vulnerabilities Catalog.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/232
Selected reading.
BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign (Bitdefender Labs)
The Story of a Ransomware Turning into an Accidental Wiper (FortiGuard Labs, Fortinet Blog)
Syntax errors are the doom of us all, including botnet authors (Ars Technica)
Russia's No. 2 bank VTB suffers largest DDoS in history (Computing)
Russia compromises major UK and US organisations to attack Ukraine (Lupovis)
Russia's online attacks target Ukrainians' feelings (POLITICO)
Vice Society: Profiling a Persistent Threat to the Education Sector (Unit 42)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A Chinese cyber espionage campaign is believed to be active in the Middle East.
Poor quality control turns ransomware into a wiper and a typo crashes a cryptojacker.
A large DDoS attack is reported to have hit a Russian state-owned bank.
Privateers compromise Western infrastructure to stage cyber attacks.
Cyber operations against national morale.
A look at the Vice Society.
Ben Yelin on the growing concerns over TikTok,
Ann Johnson from Afternoon Cyber Tea speaks with Charles Blauner
about the evolution of the CISO role,
and CISA has added an entry to its Known Exploited Vulnerabilities Catalog.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 6th, 2022.
Bitdefender has published a report describing a Chinese cyber espionage operation targeting telecom providers in the Middle East.
The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server.
After gaining access, the threat actor deployed multiple tools to establish persistence,
move laterally, and escalate privileges.
These included the Irafau and Quarian backdoors and the Pinkman agent.
Bitdefender suspects BackdoorDiplomacy, a China-linked APT discovered last year by researchers at ESET. ESET noted that
the group primarily targets ministries of foreign affairs in the Middle East and Africa,
and less frequently telecommunication companies. Bitdefender attributes the campaign to BackdoorDiplomacy
based on the domains used for command and control.
Yesterday, we discussed recent developments in ransomware,
highlighting the increased professionalization of ransomware gangs.
However, not all threat actors are moving toward business-like functions
and may be disorganized.
Poor quality control causes the hoods as many problems
as it would a legitimate business.
A sample of the open-source ransomware toolkit Cryptonite
has been found to act as a wiper, Fortinet reports.
Researchers say that the sample never offers the decryption window,
causing it to act as a wiper,
and say that they believe this was unintentional.
In their report, Fortinet writes,
The ransomware was not intentionally turned into a wiper.
Instead, the lack of quality assurance led to a sample that did not work correctly.
The problem with this flaw is that due to the design simplicity of the ransomware,
if the program crashes or is even closed, there is no way to recover the encrypted files.
This sample demonstrates how a ransomware's weak architecture and programming
can quickly turn it into a wiper that does not allow data recovery.
Although we often complain about the increasing sophistication of ransomware samples,
we can also see that oversimplicity and a lack of quality assurance
can also lead to significant problems.
On the positive side, however, this simplicity
combined with a lack of self-protection features allows every antivirus program to easily spot
this malware. And it's not just ransomware that's got its QA problems either. Cryptojackers need
some attention too. The crypto mining botnet KMSDBot, which could also be used for DDoS attacks,
has been described by Ars Technica as a complex malware with no easy fix.
Akamai researchers, however, witnessed the controller of the botnet accidentally send a malformed command.
The botmasters neglected to put a space between an IP address and a port in a command,
and it caused a panic crash and an error that read index out of range. As Ars Technica says,
because there's no persistence, the bot stays down, and malicious agents would need to reinfect
a machine and rebuild the bot's functions. Akamai Principal Security Intelligence Response Engineer Larry Cashdollar
says that almost all of the KMSDBot activity being tracked by the company has stopped.
Akamai describes the situation as a strong example of the fickle nature of technology.
So stay in school, kids. Even if you're an aspiring criminal, spelling and punctuation still count. Make your English teacher proud.
Reuters reports that state-owned VTB, Russia's second-largest bank, has sustained a major DDoS attack.
VTB said in a statement quoted by Reuters,
The bank's technological infrastructure is under an unprecedented cyber attack from abroad,
the largest not only this year but in the whole time the bank has operated.
While VTB said the attack originated outside of Russia,
it also said it was disturbed by the amount of attack traffic originating from Russian IP addresses
and that it was cooperating fully with the official investigation.
Computing reports that VTB said customer funds and data were safe.
Reuters includes an interesting disclaimer above its story, stating,
This content was produced in Russia where the law restricts coverage of Russian military operations in Ukraine.
That doesn't suggest falsehood, but perhaps some want of useful context.
In any case, VTB says it's got the matter under control, which is in all likelihood true.
Scottish deception-as-a-service security firm Lupovis ran an exercise to see whether its honey traps would attract Russian cyber operators.
They did. The researchers found that the most concerning finding from our study
is that Russian cyber criminals have compromised the networks of multiple global organizations,
including a Fortune 500 business, over 15 healthcare organizations, and a dam monitoring
system. These organizations were based in the UK, France, the US, Brazil, and South Africa,
and Russian criminals are rerouting through their networks to launch cyber attacks on Ukrainian
targets, which effectively means that they're using these organizations to carry out their
dirty work. A surprising fraction of the attacks targeted healthcare organizations.
The findings re-emphasize the important role cybercriminals
continue to play in Russia's war effort. Whether they're functioning as patriotic
hacktivists or privateers, the underworld is clearly the Kremlin's principal cyber auxiliary.
Oleksandr Potii, deputy chairman of Ukraine's State Service of Special Communications and
Information Protection of Ukraine, characterized Russian hybrid operations and their cyber components especially as representing
an assault on Ukrainian morale. Politico quotes him as saying, classic cyber attacks, phishing,
DDoS threats, ransomware on critical infrastructure, these cyber attacks continue, but we have a new method of
cyber attack to influence political processes, social processes, civil society, and political
society to destabilize the social political situation in different countries, cities, and
regions. So the cyber attacks are serving the same end as the missiles. They are not there to affect the
enemy's military capabilities directly, but rather to establish mindshare in civil society.
The Vice Society, Palo Alto Networks' Unit 42 finds, is interested in education, but not in a
good way. Unlike some of their competitors in the ransomware game, the Vice Society doesn't write much code from scratch,
nor does it play in the typical ransomware-as-a-service market.
Instead, they seem to prefer to use forks of pre-existing ransomware strains.
Unit 42 explains,
unlike many other ransomware groups such as LockBit
that follow a typical ransomware-as-a-service model,
Vice Society's operations are different,
in that they've been known for using forks of pre-existing ransomware families
in their attack chain that are sold on dark web marketplaces.
These include the HelloKitty and Zeppelin strains of ransomware,
as opposed to Vice Society developing their own custom payload.
The gang goes after K-12 schools in particular because, first,
they're often vulnerable, less well-protected than bigger operations,
and second, because they hold a great deal of valuable personal data.
The Unit 42 report concludes,
Vice Society and its consistent targeting of the education industry vertical,
particularly around the September timeframe, serves as a warning that this group has shaped their campaigns to take advantage of the school year in the U.S. It's likely they'll maintain use of these tactics to impact the cyber threat landscape moving forward as long as their activities continue to be lucrative for them.
And finally, CISA yesterday added CVE-2022-4262 to its Known Exploited Vulnerabilities Catalog.
The issue is a type confusion vulnerability in Google Chromium's V8 JavaScript engine.
Agencies are expected to apply updates per vendor instructions no later than December 26th.
And so, federal executive civilian agencies, look to your patching.
Coming up after the break, Ben Yelin on the growing concerns over TikTok.
Ann Johnson from Afternoon Cyber Tea speaks with Charles Blauner about the evolution of the CISO role.
Stay with us.
Ann Johnson from Microsoft is host of the Afternoon Cyber Tea podcast,
and on a recent episode, she speaks with Charles Blauner about
the evolution of the CISO role.
So I know you were in the industry when the CISO role first came to be. Can you share with us some of the history and the evolution of the role from your perspective?
Sure. So in a lot of ways, Steve Katz, who's a good friend of both of ours, became the first CISO in 1995.
Citibank back then had an event in 1994.
Young Russian broke in, stole a bunch of money.
And there was this realization that this is a business issue.
And so I had actually been working for Steve.
He was my boss at J.P. Morgan.
He left to go to Citi and become the first CISO in 1995. And I joined him together with others like Rhonda McLean, Bank of America,
and I was at J.P. Morgan shortly thereafter. But back then, it was not a business function.
Back then, the idea of the CISO's job was basically keep off the front
page of the Wall Street Journal, the New York Times, stay out of trouble with the regulator.
And you had a very sort of narrow focus that was really about protecting the data,
especially in banking because of things like the Gramm-Leach-Bliley Act, which was one of the first times the word customer privacy came up in U.S. law.
So you had this very narrow function.
It was basically keep out of trouble.
And if you were lucky, in banks, once a year, you met with the board for about five minutes.
It was the law, and that was good.
And if you were lucky, you might get a really tough question about one of the board members' personal credit cards.
But the world changed, and over time, we started to really think about this as a risk management discipline.
What were some of the key paradigm shifts you saw?
And in addition to what you've talked about, what were some of the surprises along the way, those aha moments that you said, wow, we could have or should have been thinking about this, or wow, I'm surprised this is in my remit?
From the early days, it was a bunch of young kids who were getting whistles out of Cracker Jack boxes to hack the telephone system for free dial tone, to sophisticated criminal organizations, to nation-state actors.
And now to a point where you've got actual criminal organizations that are as good, if not better, than a lot of nation-state actors.
And so you have one piece of pretty radical change,
and then you sort of layer on the various technology changes.
Then you think about the next radical change, distributed computing,
and now cloud or public cloud is the next thing. And each of those things have driven radical changes
in the underlying security technology.
What advice do you have to CISOs
who need to make that transition
from being viewed as a blocker
to really being viewed as an enabling business partner?
So the most important thing I think for CISOs
is to really understand the core of how your company makes money.
That will drive everything.
How a bank makes money.
One thing, actually, how a bank makes money is lots of different things.
How a pharmaceutical company makes money.
How a consumer package company makes money.
You really need to understand how your company makes money,
right? And you need to understand the key sort of business processes that support that.
The other thing is with the sort of digital transformation that's underway to a greater or lesser degree, depending on what industries
you're in, that digital transformation creates an opportunity and risk sort of pair about
how do you do the business in this new digital world? And how do you take the maybe non-technical business controls that may have existed and
how do you make those things happen in as frictionless a way as possible?
That's Ann Johnson from Afternoon Cyber Tea speaking with Charles Blauner.
You can hear the entire interview
on the Afternoon Cyber Tea podcast.
That's right here on the CyberWire Podcast Network.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article came over.
This is written by Brooke Singman over on the Fox Business website.
It's titled, TikTok poses legitimate national security concerns,
according to Treasury Secretary Yellen.
First of all, Ben, Treasury Secretary Janet Yellen, relative of yours?
Yeah, she's my great aunt.
No, I'm just kidding.
It's spelled differently.
She spells it the incorrect way of Y-E-L-L-E-N.
I'm Y-E-L-I-N.
I see.
But certainly hasn't stopped me from making many jokes about it.
So let's dig into this story here.
This is about TikTok, the potential national security concerns.
This is something that's been talked about for a while here.
What do we make of Secretary Yellen addressing this specifically?
So we've heard about this going back several years to the Trump administration,
where there were legitimate threats to shut down TikTok in the United States. TikTok is owned by ByteDance. That is a Chinese company based in
Beijing. And because it's based in China, a lot of US officials have warned that the Chinese
Communist Party could compel that company with the full force of the law, to turn over American users' data. The consequences of using our data is it could expose us to propaganda.
It could learn things about our own citizens that we don't know about ourselves.
It could control software on millions of devices,
which could technically compromise those devices.
So that certainly presents a lot of risk.
TikTok is what the young people use these days.
It's very ubiquitous.
That's what I hear, yeah.
Yeah.
And what's so, I wouldn't say funny,
because this is very serious.
We're talking about national security implications.
But like most of TikTok is people making silly videos.
I'm on it just more for observational purposes,
and it's mostly at least the content that gets filtered to me
based on my personal characteristics are married couples with kids
sharing their foibles about raising toddlers.
It's just interesting that that's turning into a major national security threat.
But I think what we've heard from Secretary Yellen and from FBI Director Christopher Wray is without knowing how much this parent company is going to share with the Chinese government, I don't think we're properly able to assess our risk.
This is a powerful tool.
It is embedded with very advanced artificial intelligence.
In the words of former Secretary of State Mike Pompeo, it is an element of the Chinese security
apparatus. And so it certainly is something that could jeopardize national security, especially for
our, maybe our second biggest geopolitical foe at the moment, but certainly probably our biggest geopolitical foe in the long term.
So kids out there, if you are TikTok users
and this is how you communicate with your friends,
at least be aware that there's a possibility
that this is going to be curtailed in the United States
if a case can be made in front of the proper government bodies
that this presents an undue risk to national security.
And this is unprecedented, right?
I mean, we haven't seen a major social media platform taken down
or I guess banned is a better way to say it
because it would be access in the U.S. that would be restricted, right?
We have not seen this on
a large scale. So smaller apps have been
banned by this
committee in the Treasury Department. So the Treasury Department
has this Committee on
Foreign Investment in the United States.
They evaluate
national security risks associated with
foreign-owned companies, and
their decisions carry the force of
law, so they really do have the authority to shut this down. It would be a radical action. It would
get a lot of blowback, so I think you have to treat it very delicately. Even if you acknowledge
that it's a national security risk, is it worth shutting this down if it could lead to retaliation
or through piracy get TikToks on their device
and you wouldn't be able to regulate it,
it would be even less secure than it is now.
So it's certainly not, making a decision to ban it
certainly would not be without risk.
But I think it's remarkable that
we've seen the government consider something like this when this is one of the top, not selling,
but one of the top free applications on Google and iOS. And TikTok is saying that they've got
this under control. They're claiming, you know, we're spun off, we're independent from
our Chinese mothership, if you were, you know, the parent company. So nothing to see here.
Your concerns are overstated. Yeah, I mean, so I don't think we should take that at face value
because the Chinese government is extremely powerful. I mean, they've been able to enforce
basically a lockdown of billions of people at a time in some major cities because of their
surveillance capabilities and their large law enforcement presence. Whether you agree with
the morality of that or not, and I suspect most people do not, especially those who listen to our show, that shows their
level of power and capability. So if you get on the wrong side of the Chinese Communist Party,
that's not going to be good for your company. So I think that gives companies the incentive to
comply with potential requests. And that's one of the natures of Secretary Yellen's concern here.
Can we imagine an outcome, some sort of middle ground here?
Is this an all or nothing, do you suppose?
I don't think it's an all or nothing.
I think an outright ban is within the realm of possibility but unlikely.
I think there could be some type of workaround
that they could figure out
where there's enforcement power
through the Department of Justice
that prevents this company from handing data
over to the Chinese Communist Party
with the threat that if you do,
we're going to ban this app in the United States.
That could be a potential
starting ground for negotiations. Or there's probably creative people out there who could
think of better solutions that don't lead to banning the application. But it's certainly
a risk that's out there. Yeah. Yeah. All right. Well, yet another one to follow.
And you and I will follow it, but more importantly,
my teenage son will be following it with great interest.
Yeah, I mean, think about all the time all the teenagers are going to have in this country
when TikTok is eliminated.
What are they going to do?
They have to go back to Facebook where all their grandparents are posting political memes.
Yeah, that ain't going to happen.
All right, well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis,
Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly,
Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.