CyberWire Daily - Daggerfly swarms African telco. EvilExtractor described. Patriotic hacktivism in East Asia. Updates on Russia's hybrid war suggest that cyber warfare has some distinctive challenges.
Episode Date: April 21, 2023

Daggerfly APT targets an African telecommunications provider. EvilExtractor is an alleged teaching tool apparently gone bad. A Chinese-speaking threat group is active against Taiwan and South Korea. Europe's air traffic control is under attack. Cecilia Marinier from RSAC and Barmak Meftah, a judge of ISB, discuss the RSA Innovation Sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. Forget about those evil maids. What about these evil sysadmins?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/77

Selected reading.
Daggerfly: APT Actor Targets Telecoms Company in Africa (Symantec)
EvilExtractor – All-in-One Stealer (Fortinet Blog)
Chinese-language threat group targeted a dozen South Korean institutions (The Record)
Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan (Recorded Future)
WSJ News Exclusive | Europe's Air-Traffic Agency Under Attack From Pro-Russian Hackers (Wall Street Journal)
Intelligence Leaks Cast Spotlight on a Recurring Insider Threat: Tech Support (Wall Street Journal)
Russia's invasion of Ukraine is also being fought in cyberspace (Atlantic Council)
CFP European Cybersecurity Seminar 2023-2024 (European Cyber Conflict Research Initiative)
#CYBERUK23: Russian Cyber Offensive Exhibits 'Unprecedented' Speed and Agility (Infosecurity Magazine)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Daggerfly APT targets an African telecommunications provider.
EvilExtractor is an alleged teaching tool gone bad.
A Chinese-speaking threat group is active against Taiwan and South Korea.
Europe's air traffic control is under attack.
A look at the RSA Innovation Sandbox.
Awais Rashid from University of Bristol on the cybersecurity of smart farming.
And forget about those evil maids.
What about those evil sysadmins?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, April 21st, 2023.
Symantec yesterday published a report on a campaign by the Daggerfly advanced persistent threat against an unnamed African telecommunications company.
Also known as Evasive Panda or Bronze Highland, Daggerfly is in all likelihood associated with China.
The ongoing campaign abuses the legitimate AnyDesk remote desktop software to deploy previously unseen plugins from the MgBot malware framework.
Those plugins' capabilities suggest that Daggerfly's goal is information collection.
Symantec's post includes a set of indicators of compromise.
Fortinet today blogged about the aptly named EvilExtractor, an info-stealer targeting Windows operating systems.
Fortinet says it was developed by a company named Kodex, which claims that the software product is an educational tool.
However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info-stealer.
Fortinet reports that, based on their traffic analysis, March saw a significant increase in malicious activity with the tool.
Hosted by the website evilextractor.com, it's usually introduced by a phishing email.
It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to carry out malicious PowerShell activity.
It also contains environment-checking and anti-VM functions.
Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server.
The malware includes many features and can be used in ransomware campaigns as well.
Victims seem to be mostly located in the U.S. and Europe,
and EvilExtractor's developer, Kodex, has continued to update the info-stealer.
Chinese-speaking threat group Genesis Day has been targeting research and academic organizations in South Korea, The Record reported yesterday.
The attacks, which seem to be intended for data exfiltration, occurred in January of this year,
and it appears that a new round of attacks has been launched against Japanese and Taiwanese organizations.
An analysis by Recorded Future's Insikt Group says that 12 South Korean research and academic websites were attacked,
suffering website defacements in which the adversaries replaced each hosted website with their own on a compromised server.
Genesis Day shared on its public Telegram channel that the Korea Internet and Security Agency was intended to be the first governmental target of the group.
The group also made unverified claims of cyberattacks against the U.S., Ukraine, Taiwan, Japan, and South Korea's Ministry of Health and Defense Ministry.
Genesis Day seems to be that rare bird, a disinterested patriotic hacktivist crew.
The Record reports that there were no ties discovered between the Chinese government and the threat actor,
but that the hackers also sought neither fame nor profit from the attacks.
Di Wu, senior threat intelligence analyst at Insikt Group, said,
"Based on the analysis of the group's Telegram channels, postings on special-access forums, and its presence on a clearnet website, we conclude that this is a hacktivist group primarily motivated by patriotism toward China, and it will likely conduct similar cyberattacks against Western and NATO targets,
as well as any country or region deemed hostile to China."
The European air traffic control agency Eurocontrol reports that it's under cyber attack by Russian actors.
Eurocontrol's website has a terse account of the attack, which appears to be of the familiar DDoS variety.
Eurocontrol says the attack is causing interruptions to the website and web availability
and that there's been no impact on European aviation. The Wall Street Journal reports that
Killnet has claimed responsibility. The claim is entirely consistent with Killnet's record.
Nuisance-level DDoS has been their specialty.
Support personnel can represent as much of an insider risk to security as line personnel, sometimes more, because of the way they can be overlooked or disregarded.
This can be seen, for example, in the so-called evil maid attacks that might be carried out by an actual member of a cleaning crew.
The Wall Street Journal offers reflections on the ongoing investigation of the Discord Papers leaks,
especially for what they reveal about the access that IT personnel acquire to sensitive information in the course of their daily work.
The Journal writes,
"Airman Teixeira, the alleged leaker of the Discord papers, worked on cyber transport systems,
a role that involved work to keep communication systems up and running, according to an Air Force job description."
The story goes on to point out that another notorious leaker, Edward Snowden, was also in tech support.
Mr. Snowden, who lives in Russia,
was described by officials at the time of his leak in 2013 as a systems administrator.
Their motives, alleged in Airman Teixeira's case, were quite different, but the access their positions gave them had much in common.
The European Cyber Conflict Research Initiative
has issued a report on a conference that studied Russian methods of cyber warfare.
The ECCRI writes, "In line with its doctrine of information confrontation, Russia employed a
variety of cyber operations during the war at an unprecedented scale. The primary goals of
wartime operations, sabotage, influence, and espionage, have remained constant. Cyber operations
provide new opportunities to achieve age-old objectives." The study focuses on what Russia
achieved, most prominently a high cyber operational tempo, as opposed to the many and obvious ways Russian cyber operations fell far short of pre-war expectations.
The takeaway may be this.
Cyberattack tools, tactics, techniques, and procedures tend to have a short life.
Once used, they're blown, at least if they're used against an opponent who pays attention,
and above all, an opponent who learns.
Coming up after the break, a look at the RSA Innovation Sandbox.
Awais Rashid from University of Bristol on the cybersecurity of smart farming.
Stay with us.
RSA Conference is right around the corner, and one of the highlights of the show is the annual Innovation Sandbox, a friendly competition providing hopeful startups with
the chance to pitch their wares to a group of distinguished judges and perhaps catch
the eye of investors and partners. My guests today are Cecilia Marinier, Senior Director
at RSA Conference for Innovation and Scholars,
and one of the Innovation Sandbox judges, Barmak Meftah, co-founder and general partner at Ballistic Ventures.
Barmak Meftah starts us off.
I'm actually really excited to be part of that incredible group of folks that are going to judge some of the best entrepreneurs that we see out there.
And, you know, what we do as venture capitalists is, you know, we look at a lot of ideas every year.
And, you know, patterns start to emerge.
And sort of applying the same pattern matching towards some of the most innovative companies, especially in the early stages of entrepreneurship, is really an incredible thing to do. So for me, it's a natural extension of what I do every day.
And this fell on my lap, and I couldn't be happier to be part of it.
What are some of the things in your mind that set apart the competitors that can really launch someone to the top?
Yeah, I think, you know, as I look at the submissions and sort of look at the trends in the industry in general, I put them into two distinct categories. There's what I would
call evolutionary ideas, which only occur in cybersecurity, probably more than any other area
in technology. And those fall into the category of old security controls that have to be reinvented
because of compute architecture changes and what we call adversarial obsolescence,
which is the adversary forces the obsolescence of old security controls. And so you have to think about new ways of doing what probably has become obsolete.
So in that category, think of application security as making a huge comeback.
So the idea of giving the appropriate tools in the hands of the developers
so security can be built into the fabric of the software, that's an evolutionary idea, but
the move to the cloud has sort of forced the reinvention of that. I would say data security
falls into that category. Cryptography falls in that category. And then the second distinct
themes that we look at are revolutionary ideas, which are, you know, trends that haven't necessarily happened yet, but we see the emergence of those happen.
You know, a couple of examples I can point out to, you know, giving developers the appropriate APIs or SDKs so they can build cyber features into the fabric of the software has never been done before.
This is something revolutionary and brand new.
There's an emergence of Web3 technology that really, from a market timing perspective,
we might be two to three years out still,
but I think it's a trend that's going to emerge.
And so we look at both.
And I wouldn't necessarily say one is more important than the other,
but they kind of fall into different themes.
And we love innovative companies that play in either group.
Cecilia, you all recently announced the finalists for this year's Innovation Sandbox.
What strikes you as you look at that list?
Are there any trends here or anything that they have in common?
Or is it a wide spectrum of possibilities here?
I'll see that, Dave, is why I brought Barmak on.
But I'll just say one piece about it myself. And then I do want to actually let Barmak kind of speak to the trends. One of the things that was really amazing this year was just how much this industry, how quickly it's moving and
how important this is. And so overall, I want to tell all the people that submitted, congratulations,
because gosh, I'm so grateful that you're doing this into our industry to help us out.
It was a very competitive field. So I've already spoken to a couple of companies who didn't make
it and they were like, why not? I'm like, my goodness. It was just a crazy great field.
So, Barmak, I'm going to let you talk a little bit about some of the themes that came up.
You've already addressed some of the big themes, but maybe more specifically about the companies themselves for the top 10.
Yeah, absolutely.
Yeah.
I mean, I'd like to echo what you said, Cecilia, which is, you know, the number of submissions from what I heard from Cecilia have increased dramatically, which is awesome to see.
It's an area, again, in technology that continues to evolve.
So the number of companies since I started my career in cybersecurity, gosh, better part of 18 years ago,
has exponentially increased, which is really awesome to see as well.
But yeah, high level, I pointed out to the kind of the two main themes that have been evolving over the last eight to 10 years.
We see that still evolving.
And let's see if I have to pick some examples.
The other thing I would point out that's really important to point out is how much time the judges put in to give the appropriate due process to each of these submissions.
I mean, these are entrepreneurs that put their blood, sweat, and tear into these submissions that worked really hard. And so we want to ensure that we,
that we hear all of them and we read, you know, all the submissions. And so we take our job very
seriously and, you know, all the judges put in a ton of time to ensure that we select the top 10
appropriately. But, you know, I mean, some of the examples I can pick in the top 10 submissions,
again, I think, you know, there's one company that deals with Web3 security, for example.
Market timing might not be ideal,
but it's a really innovative way of thinking about
how do we secure the infrastructure
for Web3 as it emerges.
There's probably four or five companies
that fall into the application security area,
spanning the gamut of how do we outfit developers with more appropriate tools
and effective tools so they can find security vulnerabilities and be able to fix those security
vulnerabilities during the software development lifecycle, which is really awesome. And it's been
a quest of the industry for a long period of time. In fact, my first company, Fortify,
was kind of one of the first application security companies that came to market. So it's really heartening to see that emerging.
There's a couple of companies that deal with application security more from an administrative perspective,
which is how do we outfit the chief information security officer so they can have central audit control
and a single pane of glass view towards what's happening upstream in their software development lifecycle.
And finally, there is one company that provides APIs and an SDK that allows developers that need to build cyber features
into the fabric of the application to go to one place
to grab all the APIs to need to build those cyber features
into the fabric of the application.
They're coining the term SPAS, which is Securing Platform as a Service.
So all of them, awesome companies,
all of them great companies, very innovative.
And I bet we're going to have a hard time selecting
who's going to be the best among all of them.
But at least we're really proud of the top 10.
Yeah, I don't envy the task you all have for you there.
Cecilia, I want to close with you.
I mean, the week of RSA Conference is a busy week for everybody.
What's the equation here for folks to carve out some time in their schedule to make sure
that they check out the Innovation Sandbox, things like the Launchpad and the Early Stage
Expo programs?
Why should folks spend their time here?
So everybody in this industry is very aware of how quickly our adversaries are actually
moving and how innovative they are.
I think that spending time learning more about what we are doing on the good fight side to
address those concerns is what makes innovation here so important.
And because, Dave, we've had just such a long year
and long history of identifying
some of the most incredible companies
that are really changing how we address cybersecurity now
in the Innovation Sandbox Contest,
I want you to go check out Launchpad.
It's just great, and the Early Stage Expo.
This is a great opportunity for those
that are caring about how tomorrow's adversaries might be acting.
How can we address them today?
Come and see this at the Innovation Sandbox Contest.
See what's happening.
That's Cecilia Marinier from RSA Conference and Barmak Meftah from Ballistic Ventures.
There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And it is always my pleasure to welcome to the show Dr. Awais Rashid.
He is the director of the National Research Center on Privacy, Harm Reduction, and Adversarial Influence Online at University of Bristol.
Professor Rashid, always a pleasure to have you back on the show. You know, I am fascinated by the intersection of cybersecurity
and things that are out there in the real world. And I know you and your colleagues have been doing
some work when it comes to smart farming. I was hoping you could share with us some insights on
that today. Yes, thank you for having me back again. Farming, like any other sector,
is seeing increased deployment of digital technologies.
You could call this effectively Internet of Things,
but for farming.
And you can see a number of application areas
with regards to this in smart farming.
For example, in horticulture, you can use this to monitor, for example, crop health.
You can use it to monitor, for example, you know, irrigation levels, or even kind of weather and
responding to particular weather, or, you know, pest control and those kinds of things. And in
other types of farming, like dairy farming,
it can also be used to monitor, for example,
animal health, feed, movement, grazing,
and providing more kind of free grazing and all those kind of things.
So there is a lot of applications
of Internet of Things and technologies
in smart farming.
So what specifically are the cybersecurity concerns here?
So that's really where the challenge lies, because like with all other sectors, digital technologies offer a lot of benefits.
But of course, you can also start to see that as technologies are deployed there, they are not necessarily always considered with security built in, especially not too dissimilar to, for example, what we saw in industrial control system security.
Devices are being deployed in rugged settings.
Farmers are not cybersecurity experts, nor do they have to be.
And even a number of companies who are moving into this space, they're specifically coming in from an agriculture background rather than necessarily from a cybersecurity background or those kind of practices that have been built in, say, for example,
in the enterprise setting just currently do not exist. So examples would be that, for example,
you may have a farm and it would run what you would call a flat network. So everything is
connected to everything else. There is no isolation. Often things are controlled from a
single PC, which is then shared by a number of people on the farm. This may not be regularly
updated. And devices are out there in the open, and they may not always be getting regular updates.
So as an example, we've been testing some of the security of the devices that are deployed in these farms.
So, for example, we saw that the remote monitoring and management of some of the farming infrastructure had vulnerabilities, using insecure protocols or default logins, for example, which is considered basic security practice in enterprise settings.
But these kinds of things are not necessarily currently being utilized in itself. Then there are other things that are being utilized, for example,
in the case of, say, dairy farming, collars, or think of them like sort of Fitbits,
Fitbits for cows. They could be on the legs or on the necks, which are used for animals to kind of come by themselves through gates to go out for grazing or come back in due course for milking and so on.
And again, our analysis shows that there are security vulnerabilities in these.
So you can, for example, create effectively jams. So if animals can't get in automatically for milking, then it puts them
in discomfort. Or if they can't go out grazing, then it's not good for their well-being.
And also cameras are often used to kind of monitor health, for example. And again, basic security practices don't always exist. If those feeds can be
interfered with, then again, it leads to a serious welfare issue. So the fundamental
thing here is that there are a lot of potential advantages of using smart farming,
but the state of security is at a very early stage
and more needs to be done to build both fundamental security practices
but also understand what are the kind of nuanced needs of this sector so that we can
provide appropriate cybersecurity mechanisms.
And how do you propose we go about doing that?
As you mentioned, farmers are busy doing their farming.
So how do we provide them with the level of security they need and not interrupt the work they're doing to provide us with a reliable food supply?
Absolutely. So the key here is really, you know,
security of the food supply.
And an individual farm being impacted
is perhaps an impact on the individual farmer
and their business.
But given that a lot of these systems
are supplied by the same companies
or same manufacturers,
there is a risk of what we would call
common mode failures.
That, for example, one vulnerability impacts potentially hundreds of farms.
But that's also where the advantage is.
So our experience of actually working with the people in the agri-tech sector has been
really positive.
So the companies who provide these services or these technologies, they're actually very
keen to improve the security of these systems.
So when we found a vulnerability and we reported it, you know, one of the organizations worked with us
and within three days, the fix was deployed across, you know, hundreds of farms
because they also provide managed services.
So the farmer does not really take responsibility for updating the equipment or so on.
This is all done by the company,
which means that they also have the potential to apply security fixes as they go along.
So multiple things need to be done. I think first, there's good practice of responding positively
to security vulnerabilities and actually improving the state of security is very, very important.
And the other is really sort of more work with the sector itself to bring up the kind of basic fundamental state of security into the product.
So that we start with those kind of practices that we have built in already in other areas.
For example, in enterprise settings, you know, about 20, 25 years ago, increasingly more in other critical infrastructure sectors to also bring them here. Of course, regulators have a role to play because
considering that the state of security in farming is very, very important for exactly safeguarding
the security of the food supply, but also integrity of that. So the issue here isn't
that, for example, you can disrupt a set of farms and impact, you know, sort of reaching from the farm to the table.
Potentially, if you interfere with treatment parameters, you know, there is impact on
destroying crops, for instance. And those are the kind of things that we need to be concerned about.
So there is a positive experience on our part, interacting with those who work in this sector.
But I think more needs to be done to build basic security practices. All right. Well, interesting insights for sure. Professor Awais Rashid,
thank you for joining us. Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Coming up on this weekend's Research Saturday,
my conversation with Shiran Guez from Akamai,
discussing chatbots, celebrities, and victim retargeting,
and why crypto giveaway scams are still so successful.
That's Research Saturday. Check it out.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar,
Joe Carrigan, Harold Terrio, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson,
Bennett Moe, Catherine Murphy, Janene Daly,
Jim Hoscheit, Chris Russell, John Petrik, Jason Cole,
Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.