CyberWire Daily - CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. CISA and ACSC issue a joint advisory on top malware strains.
Episode Date: August 5, 2022
CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. Andy Robbins of SpecterOps to discuss Attack Paths in Azure. ...Denis O'Shea of Mobile Mentor talking on the intersection of endpoint security and employee experience. CISA and ACSC issue a joint advisory on top malware strains.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/150
Selected reading.
Quarterly Adversarial Threat Report (Meta)
Meta took down Russian troll farm that supported country’s invasion of Ukraine (The Hill)
Russia's Infamous Troll Farm Is Back -- and Sh*tting the Bed (Rolling Stone)
Meta’s threat report highlights clumsy attempt to manipulate Ukraine discourse (TechCrunch)
Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations (Mandiant)
CISA Alert AA22-216A – 2021 top malware strains. (The CyberWire)
2021 Top Malware Strains (CISA)
Digi ConnectPort X2D (CISA)
Cisco Releases Security Updates for RV Series Routers (CISA)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cyberfront Z's failed influence operation.
Iranian operators target Albanian government networks.
Andy Robbins of SpecterOps is here to discuss attack paths in Azure.
Denis O'Shea from Mobile Mentor talks about the intersection of endpoint security and employee experience.
And CISA and ACSC issue a joint advisory on top malware strains.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, August 5th, 2022.
Facebook's corporate parent Meta released its adversarial threat report for the second quarter of 2022 yesterday.
Prominently featured in the report is Meta's account of its monitoring of and action against a large Russian troll farm that had been marshaled to support Moscow's narrative
concerning Russia's war against Ukraine. It's connected to the notorious Internet Research
Agency, itself connected with Russian attempts at influence operations during recent U.S. elections.
In this case, the flagship of the influence operation is called Cyberfront Z. The report reads,
We're also sharing our threat research into a troll farm in St. Petersburg, Russia,
which unsuccessfully attempted to create a perception of grassroots online support
for Russia's invasion of Ukraine by using fake accounts to post pro-Russia comments
on content posted by influencers and media on Instagram, Facebook, TikTok, Twitter, YouTube,
LinkedIn, and Russian social media networks. Our investigation linked this activity to the
self-proclaimed entity Cyberfront-Z and individuals associated with past activity by the Internet
Research Agency. Coordinated inauthentic behavior is Meta's and previously its subsidiary Facebook's
term of art for organized trolling in the service of disinformation. The term is self-explanatory.
Instead of attacking disinformation on the basis of content, and thereby seeking directly to moderate and control content,
the company has typically gone after campaigns that use false persona, inauthentic identities, with evidence of coordination of central direction.
Meta's report explains what it found and what it did about its discovery.
The report says, we took down a network of Instagram accounts operated by
a troll farm in St. Petersburg, Russia, which targeted global public discourse about the war
in Ukraine. This appeared to be a poorly executed attempt, publicly coordinated via a Telegram
channel, to create a perception of grassroots online support for Russia's invasion by using fake accounts to post pro-Russia comments
on content by influencers and media. Cyberfront Z was, in Meta's estimation, the Z-team,
that is, definitely not the A-team, not even the junior varsity. The report says,
this deceptive operation was clumsy and largely ineffective, definitely not A-team work. On Instagram,
for example, more than half of these fake accounts were detected and disabled by our
automated systems soon after creation. Their efforts didn't see much authentic engagement,
with some comments called out as coming from trolls. We also found instances of the trolls
who sprinkled pro-Ukraine comments on top of the paid pro-Russia commentary
in a possible attempt to undermine the operation from within.
While the operations of Cyberfront Z were labor-intensive,
they concentrated on commenting in social media with posts written by human operators,
they seem to have included only perfunctory gestures in the direction of
building convincing persona. The overall goal, however, was to create an impression of grassroots
opinion. The one-note concentration on the many evils of what Cyberfront Z characterized as
Ukraine's Nazi regime, however, seemed to have proven largely unpersuasive. In several channels, the comments attracted pro-Ukrainian and anti-Russian posts
that outnumbered Cyberfront Z's comments.
In all, Meta evaluates Cyberfront Z as a fizzle.
They offer one caution.
Influence operations seek to become self-reinforcing,
and they do so in part by creating an impression of success.
The growing public awareness of and fear of disinformation can contribute to such reinforcement.
The report cautions against taking any claims of viral success at face value. Some threat actors try to capitalize on the public's
fear of influence operations by trying to create the false perception of widespread manipulation,
even if there is no evidence, a phenomenon we called out in 2020 as perception hacking.
Besides, it helps the trolls to look good to the boss, so there are local,
self-interested incentives for the trolls to shine it on. Rolling Stone indelicately sums up the career of Cyberfront Z's IRA parent.
Their headline reads, Russia's infamous troll farm is back and sh**ting the bed.
In the middle of last month, the Albanian government disclosed that a range of government sites and services had come under cyber attack, and the campaign had succeeded in disrupting operations. [...] down government systems as it worked to neutralize what AKSHI characterized as a sophisticated and coordinated foreign attack on the country's IT infrastructure. Yesterday,
Mandiant released a report on the incident that attributed the campaign to Iran. The company's
researchers identified the strain of ransomware used in the attack as a member of the ROADSWEEP
family. The operation was conducted with the pretense of
being the work of a front group, Homeland Justice, which was concerned to disrupt a conference of
the Iranian opposition organization, MEK. It also aimed to punish Albania's government for its
willingness to connive with the Iranian opposition by permitting the conference, the World Summit of Free Iran, to meet on its territory.
Mandiant sees the operation as unusually brazen.
They say,
This activity is a geographic expansion of Iranian disruptive cyber operations
conducted against a NATO member state.
It may indicate an increased tolerance of risk
when employing disruptive
tools against countries perceived to be working against Iranian interests.
The U.S. Cybersecurity and Infrastructure Security Agency released two industrial control system advisories yesterday.
And finally, oldies get as much love from cybercriminals as, say, Roy Orbison songs get play on our local classic rock station.
The U.S. Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre have issued a joint advisory describing the most significant strains of malware observed in 2021.
The list of top malware includes some familiar names like Agent Tesla, Formbook, Ursnif, LokiBot, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader.
None of these came out of nowhere, the agencies say.
Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years.
Malicious cyber actors have used Qakbot and Ursnif for more than a decade.
The malware strains are under continuing criminal development,
which accounts for their longevity.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Andy Robbins is product architect of Bloodhound Enterprise at SpecterOps.
He and his colleagues have been documenting attacks in Microsoft Azure that don't rely on exploiting some kind of vulnerability
that Microsoft can patch.
As an example, if I have a user in Azure Active Directory
and you have a user in Azure Active Directory,
my user may have some kind of role granted to it that lets me reset your password
and then take over your user. Well, the mechanism of that is the foundation of how Azure Active
Directory works and how it doles out permissions through role assignments. The misconfigurations that can pile up that introduce the attack paths that abuse
legitimate functionality, they are extraordinarily attractive to real adversaries because they are difficult to audit. The misconfigurations that you find can be even more difficult to
remediate because people hate giving up any kind of privilege that they already have.
And for those two reasons, these things get worse over time. And so the end result is that if you're choosing attacks that abuse
legitimate functionality in any platform, you're going to have a very long shelf life for that
attack. It's going to be very hard for a defender to tell the difference between legitimate and illegitimate usage of those protocols.
And these misconfigurations, they emerge in basically every company's instance of Azure Active Directory or Active Directory.
So you don't have to relearn these tactics over and over and over and over. You can learn them once and then use those skills to attack almost any organization in the world.
So how is this playing out in the real world?
I mean, are we seeing this sort of targeting?
So we are.
There are various breach reports that come out. So for example, with SolarWinds, with CloudHopper, with real organizations that have been abused by trust relationships they have. So for example, the Target breach from a few years ago comes to mind. And these tactics that adversaries are employing, they are very,
very similar to what adversaries have been executing with on-prem Active Directory for
the past 20 years, for example. But right now is a very, very critical time for organizations to be aware of these tactics and to audit their
environments for opportunities for adversaries to attack them and to do something about that.
We don't want to get into the position that we are now with on-prem Active Directory where
20 years of misconfiguration debt have piled up so high that we can't do anything about it.
We need to understand these abuse primitives before the adversaries can understand and abuse
them. And so for that reason, we actually do a lot of research into attack primitives that are not
talked about publicly. And we discuss those new attack primitives
with some of our friends at Microsoft
before we publish them.
And then we do go ahead and publish them
on our SpecterOps Medium publication
for consumption by anybody.
Yeah, I can imagine, you know,
if you take Microsoft's point of view,
how they would be hesitant to go in and change anyone's settings because, you know, how do you know if something was configured in error or did somebody mean to do it that way?
Absolutely. Yeah. And I don't blame Microsoft whatsoever for, you know, what can only be seen as a very, very difficult decision they have to make when faced with something like this.
So I think that Microsoft is always going to be in this position where they're having to weigh between potentially breaking functionality in Azure for the sake of security.
And unfortunately, they are going to have to choose not to break functionality or to break existing workflows
in the name of security.
So there's always going to be responsibility
on Microsoft customers to cooperatively secure
their environments with Microsoft.
Where do you suppose we're headed with this?
How do you envision how this will work in the future?
There's a couple of angles there.
So, you know, we're talking about Azure Active Directory,
and certainly a lot of organizations are adopting Azure Active Directory.
But what we are seeing is that most organizations that we work with are not 100% migrating
all of their IT services into Azure.
They're keeping things in a hybrid situation.
So where I think this is going, where I think we are going,
is we are headed for a hybrid future, where we are probably for the most part, for most
organizations, always going to have some on-prem Active Directory component that is cooperating with an Azure Active Directory component
in order to facilitate the business operations that any enterprise needs to accomplish.
There are many examples of organizations that cannot fully go into a cloud computing environment
because of legal restrictions or compliance restrictions.
Certainly there are, let's say, military organizations that never will fully go into
the cloud. So we are definitely heading, in my opinion, for a hybrid future, at least in the next,
I would say, I would say the next 10 years is going to be a strongly hybrid decade.
That's Andy Robbins from SpecterOps.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
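The attack path Robbins describes above, a role assignment that lets one user reset another user's password and so take over that account, can be enumerated offline from a snapshot of a tenant's role assignments. The Python below is an added example written for this page; it is not code from SpecterOps, BloodHound or the podcast. The snapshot format, the four identities and the group are constructed for illustration (they are not a Microsoft export format), and the RESET_MATRIX table is a simplified reading of Microsoft's published "who can reset passwords" matrix that should be checked against the current documentation before use in a real audit. It goes beyond the single password-reset case in the interview by also modelling ownership of a role-assignable group, which is another piece of legitimate functionality that chains into a path.

```python
"""Offline attack-path analysis over a snapshot of Azure AD role assignments.

Added example, not SpecterOps, BloodHound or podcast code. The snapshot shape
and identities are constructed; RESET_MATRIX is a simplified reading of the
Microsoft "who can reset passwords" table and must be verified before use.
"""
import json
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source node, edge type, destination node)

# Role -> set of target roles it may reset. "None" stands for a user holding
# no directory role. A value of None means "any user, Global Admins included".
RESET_MATRIX: Dict[str, Optional[Set[str]]] = {
    "Global Administrator": None,
    "Privileged Authentication Administrator": None,
    "Authentication Administrator": {
        "None", "Authentication Administrator", "Directory Readers", "Guest Inviter",
        "Helpdesk Administrator", "Message Center Reader", "Password Administrator",
        "Reports Reader",
    },
    "Helpdesk Administrator": {
        "None", "Directory Readers", "Guest Inviter", "Helpdesk Administrator",
        "Message Center Reader", "Password Administrator", "Reports Reader",
    },
    "Password Administrator": {
        "None", "Directory Readers", "Guest Inviter", "Password Administrator",
    },
}

# Constructed tenant: alice is helpdesk; bob holds no role but owns a
# role-assignable group carrying Privileged Authentication Administrator;
# carol is in that group; dana is Global Administrator.
SNAPSHOT = json.loads("""
{
  "users": ["alice", "bob", "carol", "dana"],
  "groups": {
    "Tier0-Admins": {"roleAssignable": true, "owners": ["bob"], "members": ["carol"]}
  },
  "roleAssignments": [
    {"principal": "alice", "role": "Helpdesk Administrator"},
    {"principal": "Tier0-Admins", "role": "Privileged Authentication Administrator"},
    {"principal": "dana", "role": "Global Administrator"}
  ]
}
""")


def effective_roles(snapshot: dict) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """(user -> roles, group -> roles); members inherit role-assignable group roles."""
    user_roles: Dict[str, Set[str]] = {u: set() for u in snapshot["users"]}
    group_roles: Dict[str, Set[str]] = {g: set() for g in snapshot["groups"]}
    for ra in snapshot["roleAssignments"]:
        target = user_roles if ra["principal"] in user_roles else group_roles
        target[ra["principal"]].add(ra["role"])
    for name, group in snapshot["groups"].items():
        if group.get("roleAssignable"):
            for member in group["members"]:
                user_roles.setdefault(member, set()).update(group_roles[name])
    return user_roles, group_roles


def can_reset(attacker_roles: Set[str], target_roles: Set[str]) -> bool:
    """A target holding several roles is resettable only if ALL of them are
    within the attacker's allowed set: the most privileged role wins."""
    targets = target_roles or {"None"}
    for role in attacker_roles:
        if role in RESET_MATRIX:
            allowed = RESET_MATRIX[role]
            if allowed is None or targets <= allowed:
                return True
    return False


def build_edges(snapshot: dict) -> List[Edge]:
    """Abuse edges that use only legitimate Azure AD functionality."""
    user_roles, group_roles = effective_roles(snapshot)
    users, edges = list(user_roles), []
    for a in users:  # reset the password, then sign in as the victim
        edges += [(a, "ResetPassword", t) for t in users
                  if a != t and can_reset(user_roles[a], user_roles[t])]
    for name, group in snapshot["groups"].items():
        if not group.get("roleAssignable"):
            continue
        node = f"group:{name}"
        # An owner may add members, including themselves, and inherit the roles.
        edges += [(o, "AddSelfAsMember", node) for o in group["owners"]]
        edges += [(node, "ResetPassword", t) for t in users
                  if can_reset(group_roles[name], user_roles[t])]
    return edges


def find_path(snapshot: dict, start: str, goal_role: str = "Global Administrator") -> Optional[List[Edge]]:
    """BFS for the shortest chain from start to any holder of goal_role.
    Returns [] if start already holds it, None if no path exists."""
    user_roles, _ = effective_roles(snapshot)
    goals = {u for u, r in user_roles.items() if goal_role in r}
    adjacency: Dict[str, List[Tuple[str, str]]] = {}
    for src, kind, dst in build_edges(snapshot):
        adjacency.setdefault(src, []).append((kind, dst))
    parents: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in goals:
            path: List[Edge] = []
            while parents[node] is not None:
                prev, kind = parents[node]
                path.append((prev, kind, node))
                node = prev
            return path[::-1]
        for kind, dst in adjacency.get(node, []):
            if dst not in parents:
                parents[dst] = (node, kind)
                queue.append(dst)
    return None


def users_reaching(snapshot: dict, goal_role: str = "Global Administrator") -> Dict[str, int]:
    """Audit view: non-holders of goal_role that can still reach it, with hop count."""
    user_roles, _ = effective_roles(snapshot)
    reach = {}
    for user, roles in user_roles.items():
        path = None if goal_role in roles else find_path(snapshot, user, goal_role)
        if path:
            reach[user] = len(path)
    return reach


if __name__ == "__main__":
    for src, kind, dst in find_path(SNAPSHOT, "alice") or []:
        print(f"{src} --{kind}--> {dst}")
    print(users_reaching(SNAPSHOT))
```

Run stand-alone, the script prints the three-hop chain from the helpdesk account to the Global Administrator (reset bob's password, add self to Tier0-Admins, reset dana's password) and the audit map of every non-admin who can reach Global Administrator. None of the hops is a vulnerability Microsoft could patch, which is the point Robbins makes: the remediation is removing bob's ownership of the role-assignable group or alice's ability to reset bob's password, and the audit view is what tells you which of those to argue for.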
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
The team at endpoint management firm Mobile Mentor recently released a study looking at the security implications of the hybrid workforce and remote workers as we come out of the pandemic.
Denis O'Shea is founder of Mobile Mentor.
Before the pandemic, work in a way was beautifully simple.
If you think back, people came to their place of work, they drove there usually, and then
they logged into a machine known by their employer. They worked there for a few hours or eight or nine
hours and they went home. And it was very simple. And then when the pandemic happened, there were
five big shifts that happened really, really quickly. First one was we were told, go home
and figure out how to work from home. And then we saw a 500% increase in cybercrime,
where the bad actors really went after schools and hospitals
and government organizations.
And then we saw this crazy global chip shortage,
so that when organizations started hiring again,
kind of coming out the other side of the pandemic,
they weren't able to supply a laptop or a desktop to their employees,
which meant that the employee was using a bring-your-own
laptop or desktop for the first time in history. So now if you think about it from a security
perspective, the new security perimeter was the home office. And people are using sometimes a
personal computer on a consumer-grade internet connection that's being shared with the kids,
maybe on Zoom and TikTok and Netflix and all
that. And they're using their company data and Office 365 and all their applications are out
there in that less secure home environment. And then the other big thing that happened was
employees realized how easy it was to change jobs. The barrier was now so low that all you had to do
was take your current laptop, put it
in a FedEx package and send it away and open a new package and power up your new laptop
and you could stay sitting in the same seat, connecting to the same monitor, connect to
the same Wi-Fi and you had a new job.
And so all these changes really meant that the world shifted quite significantly and
very quickly for remote workers.
And we think it's not going back.
So we think that that lays the foundation for massive shift in how employers think about their employees
and being able to attract them, secure them, retain them over time.
Let's touch on the whole notion of passwordless authentication. I mean,
there's been a lot of momentum in that area. Is that a space that you think is the future?
I do. I do. And for two reasons. One, passwords were actually a great invention in 1961.
And then we found out in 2021, during the pandemic, they were the primary reason
organizations were getting hacked.
So compromised credentials leading to breaches and ransomware
and databases on the dark web and all that.
So we know now that passwords are the problem.
They're the weakest link.
And we also know that most people have too many passwords
and they're quite careless with them.
And we know from our research that 34% of people write their work passwords in a personal journal. 29% save
their work passwords on an app on their personal phone. And 21% save their work passwords on an
Excel spreadsheet. So people are fundamentally a bit careless with what they're doing with their passwords.
And as a society, we're also lazy in the way we create our passwords.
And we know from other research done by BBC
that 15% of people base their password on their pet's name.
And so the problem now is that the bad actors,
the cyber criminals, don't need to break into our networks,
our environments anymore.
They can just log in with our weakest password.
And so we fundamentally need to move away from passwords.
We need to kick that habit and go passwordless.
Unfortunately, most of us have the technology.
It's in our pockets, it's on our desks.
We have most of the components.
We need to join the dots and, you know, pull all the pieces
together. But we believe we have to go passwordless as a society. And we think the best predictor
of the future workplace is to study Gen Z now. The better we understand them, the better we can
anticipate what the future looks like. And when I think about that, I think reducing friction is the key way we're going to get Gen Z
to be really productive, really secure, and do great things in the world.
And that friction comes in three different forms.
If we apply old school security to Gen Z, we're going to create digital friction
and they will not respond well to more passwords and VPNs and domains and all that. They'll probably walk.
If we create physical friction, and if we say,
you have to drive into the CBD, you have to pay for overpriced parking,
pay for overpriced lunch, sit in a cubicle and work with people you probably don't like,
that's going to create a different kind of friction.
And then culturally, if we create friction by saying,
you're a problem generation, and make them feel like they're a problem,
and that they don't pay attention to our security,
we're going to create a massive problem for ourselves.
And we did this with the millennial generation.
So only 15, 20 years ago,
you might recall going to conferences or reading articles where people were speaking
and saying unkind things about the millennial generation.
And now we can stop and look back and think,
wow, look at what they've built. They've built the digital world we live in. They built, you know,
everything from Spotify to Facebook and TikTok and all of that. They've done amazing things,
despite all the unkind things we said about them. So when I think about Gen Z, I think it's up to us
to learn how to love Gen Z, how to empower them, how to secure them without creating additional friction.
And if we get it right, we're going to unlock the power of an amazing generation.
And we've got to be very deliberate in how we approach that.
That's Denis O'Shea from Mobile Mentor.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out Research Saturday and my conversation with Deepen Desai from Zscaler's Threat Labs.
We're discussing how APTs, like the Lyceum Group,
create tactics and malware to carry out attacks against their targets.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
[...] comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.