CyberWire Daily - DDoS threat to Lithuania continues. Hacktivists hit Iranian steel mill. Bumblebee loader takes C2C market share. CISA adds Known Exploited Vulnerabilities. Music piracy. Where do spies go?
Episode Date: June 28, 2022
Distributed denial-of-service attacks against Lithuania. Dark Crystal RAT described. Iranian steel mill suspends production due to cyberattack. Bumblebee rising. CISA adds to its Known Exploited Vulnerabilities Catalog. Music pirate sites brought down by US and Brazilian authorities. Joe Carrigan looks at Apple’s private access tokens. Mister Security Answer Person John Pescatore drops some SBOMs. And where do Russian intelligence officers go after they’ve been PNGed?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/123
Selected reading.
Lithuania targeted by massive Russian cyberattack over transit blockade (Newsweek)
Russia's Killnet hacker group says it attacked Lithuania (Reuters)
Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia (Flashpoint)
Ukraine Targeted by Dark Crystal RAT (DCRat) | FortiGuard Labs (Fortinet Blog)
Cyberattack Forces Iran Steel Company to Halt Production (SecurityWeek)
Iran’s steel industry halted by cyberattack (Jerusalem Post)
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem (Broadcom Software Blogs)
CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)
US, Brazil seize 272 websites used to illegally download music (BleepingComputer)
Swiss intel service: Watch out for redeployed Russian spies (AP News)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Distributed denial of service attacks against Lithuania.
The Dark Crystal RAT is described.
Iranian steel mill suspends production due to cyber attack.
Bumblebee rising.
CISA adds to its known exploited vulnerabilities catalog.
Music pirate sites are brought down by U.S. and Brazilian authorities.
Joe Carrigan looks at Apple's private access tokens,
Mr. Security Answer Person John Pescatore
drops some SBOMs,
and where do Russian intelligence officers go
after they've been PNG'd?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 28, 2022.
Lithuania has said that the distributed denial-of-service attacks it's sustaining
probably originate with Russia, SecurityWeek reports.
According to CNN, the nominally hacktivist outfit Killnet has now claimed responsibility.
Lithuania's National Cyber Security Center said,
It is highly probable that such or even more intense attacks will continue
into the coming days, especially against the communications, energy, and financial sectors.
Lithuania is attracting Russian attention because of its refusal to allow prohibited goods to be
shipped over its rail lines to Russia's non-contiguous region of Kaliningrad, an enclave surrounded by Lithuanian and Polish territory.
Flashpoint, which has been following Killnet and related pro-Russian chatter,
finds that chatter to be notably aggressive.
They say, Flashpoint has identified chatter on various pro-Russian Telegram channels,
claiming that the current standoff between Russia and Lithuania
could escalate to a full-fledged military confrontation, although no evidence of physical violence is yet
to take place between Russia and Lithuania as of this publishing.
CERT-UA earlier this month warned
that Windows systems in Ukraine were under attack by Russian operators deploying the Dark Crystal RAT.
Fortinet's FortiGuard Labs yesterday issued a description of how DCRat is being used.
While the precise infection vector is unknown, it's believed to be a form of phishing.
The payload is carried in malicious macros the victim is induced to run.
The typical use to which DCRat is put has been data theft,
but it also establishes persistence in victim systems and can be used to stage a broad range of other attacks.
The report concludes,
the RAT can be customized to the attacker's needs by adding plug-ins.
As the RAT primarily focuses on data exfiltration,
stolen data will likely be used as a stepping stone for further
activities against affected organizations. It can also lead to further damage such as a threat
actor maintaining persistence in the long term, stealing personally identifiable information,
and confidential data. Targets of this attack are likely in Ukraine. Having a foothold in the compromised Ukrainian organization
goes a long way toward inflicting long-term and unthinkable damage
due to the nature of this malware.
A cyber attack has struck one of Iran's major steel companies on Monday,
forcing it to halt production, SecurityWeek reports.
The attack struck the state-owned Khuzestan Steel Company and two other
major steel producers. An anonymous hacking group, Gonjeshke Darande, which is Predatory
Sparrow in the Jerusalem Post's translation, has claimed responsibility for the attack,
saying that it was done to target the aggression of the Islamic Republic.
The group shared alleged closed-circuit footage from the Khuzestan Steel Company,
in which a piece of heavy machinery on a steel billet production line malfunctioned and caused a fire.
CEO of Khuzestan Steel, Amin Ebrahimi, said nothing of the footage and claimed the attack was thwarted,
saying, Fortunately, with time and awareness, the attack was unsuccessful,
and noting that everything should return to normal by the end of Monday.
Neither of the other steel producers targeted in the attack noted damage or production issues.
Predatory Sparrow has been heard from before, CyberScoop observes, notably in 2021's wiper attacks against Iran's rail system,
and Check Point has obtained samples from the most recent incident that link it to the earlier attack.
Relatively little is known about the group beyond, that is, their self-presentation as hacktivists opposed to the Islamic Republic.
The Symantec Threat Hunter team, part of Broadcom Software, this morning released a report on the Bumblebee loader.
The researchers characterize it as a recently developed malware loader and say that it has quickly become a key component in a wide range of cybercrime attacks
and appears to have replaced a number of older loaders,
which suggests that it is the work of established actors and that the transition
to Bumblebee was pre-planned.
The rapidity with which Bumblebee has achieved a central position in criminal-to-criminal
markets indicates not only the C2C market's relative efficiency, but the extent to which
it's come to resemble the functioning of legitimate markets.
The Symantec Threat Hunter team concludes, Bumblebee's links to a number of
high-profile ransomware operations suggest that it is now at the epicenter of the cybercrime
ecosystem. Any organization that discovers a Bumblebee infection on its network should treat
this incident with high priority, since it could be the pathway to several dangerous ransomware threats. Their study includes a long set of indicators of compromise.
CISA yesterday added eight vulnerabilities to its known exploited vulnerabilities catalog.
Five of the issues are with Apple products.
The other three affect Google Chromium, Red Hat, and Mitel.
Federal civilian executive branch agencies falling under Binding Operational
Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities,
must address the eight issues by July 18, 2022. In each case, CISA tells its charges to
apply updates per vendor instructions. While the private sector in the U.S. and elsewhere,
of course, isn't bound by BOD 22-01, it's prudent for all organizations to take a close look
and consider remediating these vulnerabilities. Full details are available in the catalog.
U.S. and Brazilian authorities have seized some 272 websites that had been used to illegally download copyrighted music.
The domains of six of the pirate sites were in the U.S., but the vast majority, 266 of them, were Brazilian domains.
Brazilian police collared six suspects in 30 search and seizure raids.
And finally, if you're a Russian spy, and to speak more precisely, an intelligence officer, where would you rather work? In the GRU's aquarium back home,
for example, or maybe someplace nice like Geneva? We're just spitballing here, but we're guessing
that Geneva wins, hands down. Anywho, the AP reports that the Swiss Federal
Intelligence Service, in the annual report it issued yesterday, has reached a similar conclusion.
Russia's war against Ukraine has resulted in a number of Russian intelligence officers,
officers operating under diplomatic cover, finding themselves expelled from their stations
in Western countries.
The Federal Intelligence Service urges those countries, and especially its own government,
to take seriously the possibility that Russia would try to redeploy such operators against
other Western targets. Not only is it sound counterintelligence practice to keep the bad
guys out, but the report observes doing so could help
ensure that Russian intelligence capabilities will be weakened with lasting effect. So read
and heed, Western counterintelligence operators, and good hunting.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Mr. Security Answer Person
This is John Pescatore and welcome to Ask Mr. Security Answer Person.
Short drill downs into timely security issues with a lot of hype busting.
Here's the question that came in for today.
Hey, Mr. Security Answer Person,
in one of your earlier segments,
when asked about zero trust,
you pointed out it was overhype,
saying it was mentioned 11 times
in President Biden's 2021
cybersecurity executive order.
Well, there was another term mentioned 11 times
in that executive order,
software bill of materials, or SBOM.
My security team recently raised that as a critical initiative for us in software supply
chain security, but our procurement and software folks say, no way, not feasible.
What's the bottom line here?
Okay, here's the deal.
Your security team is definitely right, because events from Heartbleed to Log4J have hammered
home the need for something like SBOM to solve a serious security problem.
The procurement and app dev folks are looking at SBOM as something they don't need and something that would just cause them more work.
These segments are too short to fully explain SBOM, but here's a quick background.
You can do an internet search on SBOM-a-Rama, I'm not kidding, if you want to dig in in detail.
In the old days, software applications were monolithic.
Your dev team or a software vendor wrote and compiled every line of code into one big old executable.
It was kind of like a restaurant that only served steaks.
You knew you were getting beef and maybe a mysterious sprig of parsley.
But with the rise of open source code and modern modular software development methodologies,
developers learned that they could find pieces of code or even entire libraries that they could reuse for boring common functions, and they could focus on
the fun parts of the application. It was kind of like the steak restaurant changed to being a salad
bar. Your meal now had dozens of ingredients from many suppliers, just as modern applications often
contain dozens of external code segments or libraries. SBOM is kind of like one of those
nutrition facts panels on the packaged food
put on the side of the salad bar for each item. You could tell who provided those deviled eggs
and maybe even how old they were. It would tell you if there'd been any E. coli recalls
on any of the lettuces. No help if you don't read them, but for those who care, good information.
We need this for supply chain security reasons. But think of all the work it would take for every
salad bar to post those salad bar bills
of materials and keep them accurate and up to date.
That is where much of the pushback on SBOM comes from.
This is critical because for a bill of materials to be useful, it must document the ground
truth of the piece of software and always be available for the latest release as well
as all past releases.
Which seems like a lot of work to commercial and open source developers, who often don't use secure development methodologies, which essentially already require that SBOM-like
information be captured.
But there's a bigger issue.
Most enterprises don't have accurate software inventories of the high-level software and
apps they actually have in use.
They're essentially lacking a meta-SBOM, if you will.
It's not uncommon for a vulnerability scan to show the configuration management database
is only 80% complete.
If the top of the supply chain, your organization,
has rogue apps running,
you will always have blind spots throughout the entire
supply chain. This brings us back
to good old basic security hygiene.
Sort of good news
is that while there's a lot of forward movement around
SBOM standards and implementations,
it is unlikely to be ready for prime time
before 2024.
So take advantage of the hype today
and pull on SBOM now
to first raise your level of basic security hygiene
around configuration management
and software inventory,
as well as addressing the issues
of in-house development
using open source apps and libraries
and production software and internal tools.
Then begin your lobbying
of the software and procurement organizations
to begin requiring SBOM compliance from all software and cloud app vendors
to be ready when SBOM is more fully baked.
And by the way, practice saying SBOM three times fast
before doing any management briefings on it
to avoid accidentally using a nearly identically sounding term
that may get you some odd looks.
Mr. Security Answer Person.
Thanks for listening.
I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire.
Send your questions for Mr. Security Answer Person to questions at thecyberwire.com.
...designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
You know, over on Hacking Humans, we talk a lot about authentication.
Yes.
And one of the ways that we get authenticated online, or at least prove our humanity, is through the use of CAPTCHAs.
CAPTCHAs.
I'm going to quiz you here. Any idea what CAPTCHA stands for?
Actually, if you'd asked me this before I read this article, I'd have said nope. But here's what CAPTCHA stands for: Completely Automated Public Turing, and then, Test to tell Computers and Humans Apart.
Okay, so I have a problem with this right off the bat, with the idea of a CAPTCHA.
First off, they suck.
Everybody agrees.
CAPTCHAs are awful.
Yeah.
But a completely automated public Turing test.
A Turing test is something that tests an AI
to see whether it's a good enough AI.
And if you can't tell the difference
between an AI and a human,
the AI passes the test.
So a CAPTCHA is,
it seems to me like it's designed to fail
if it's a Turing test.
It's an upside down.
Right.
Yeah.
It's a backwards implementation of it.
And we've seen all kinds of AI coming after these CAPTCHAs.
Sure.
And there's even the old robot clicking the button that says, I'm not a robot.
Yeah.
You've seen that?
That's pretty funny.
Well, this article is from Apple Insider.
It's written by Andrew Orr.
It is.
And it's about some stuff that came out of Apple's recent developer conference.
Right.
There's a lot to cover here.
They're talking about private access tokens hoping to replace CAPTCHAs.
What's going on here, Joe?
So the problem of validating that you're dealing with a human is a real problem on the web
because there are tons of automated ways to go through a web interface
and just stuff credentials or do whatever you want to do. So, CAPTCHAs are
the best option we have right now until this thing came out from Apple. Here's how it works.
First, this is something that's transparent to the user. So, it's low friction. And second,
this is done in addition to existing authentication methods. So, you'll still have like passwords and
usernames and even multi-factor authentication,
but now you'll also have this private access token or this PAT. So the protocol relies on a trusted
third party. And of course, in this case, because it's Apple doing it, they're going to say it's us.
Okay. So when the web server requests a PAT, the client device will contact an attestation server
to attest that this is a real person, right?
The Apple implementation uses the trusted enclave, right?
The keys and certificates stored in there.
Yeah.
And some state detection that's used on the hardware to detect if this is a valid request, and then it issues a token that it signs.
Okay.
Right?
That token is then sent back to the web server, which validates Apple's signature on the token with one of their public keys.
Okay.
And then the user is granted access.
Okay.
So, it's essentially just Apple saying, yep, we think this is a real person.
And we've gone through our workflow to do it.
So, in other words, I access my mobile device with, say, Face ID or Touch ID.
Correct.
Apple says, hey, that's good enough for us. We're convinced this is a real human. So, when this web thing checks in with Apple's technology, it says, yep, we've checked in on this person. We think it's real. Go for it.
Right.
Okay. But the questions that aren't answered are, how did you check into it?
Yeah. Nope. Trust us.
Right. And that actually, that's good because the next point here is that there's a good bit of privacy design into this protocol. The web server only gets the signed token, the destination URL, and the IP address of the device, which it always needs, right?
Yeah.
So the only thing you're sending to the web server is the token.
Now, the article breaks this down into a little more nuanced explanation where they talk about
service providers like Cloudflare getting the token and then passing the URL off.
Yeah.
But this could all be done by just a single website.
Okay.
You know, a web server.
There's no reason to have a third party in there.
You could have a third party in there.
I mean, there may be valid business reasons, but for this protocol,
there's no, it's not necessary. The attestation server only gets the data about the device
necessary to generate a token, right? So Apple never sees what website you're going to. All they
see is that you're requesting one of these tokens. I see. And they don't care where you're going,
right? That's not their business.
And they do a good, I would trust Apple.
Apple tends to be pretty good with privacy and security.
Yeah.
So one of the features of the protocol
is that each token is unique.
And this does two things.
First, of course, it prevents a replay attack, right?
Which is a cryptographic attack
where bad guys just send the same information
over and over again.
And if you're not equipped to deal with a replay attack,
if your protocol doesn't have that resilience built in there,
it's susceptible to that,
and it's really easy to defeat your protocol.
Okay.
So each one's unique to prevent that from happening.
Then, since every token must be generated
by the attestation server, the server that attests,
it provides an opportunity to rate limit the requests.
Right? So now a malicious actor with a click farm can't send in 100 requests a second, right?
I see.
The attestation server goes, no, no, no, we're not issuing tokens for you.
Right? And that's the hope of how this works.
I see.
All right. So it's a pretty well-designed protocol and pretty good.
Web servers accessed through Safari and WebKit, which is the Apple web engine, will work automatically with PATs.
Other devices may not recognize the token process.
So Apple cautions developers to make sure that authentication doesn't block the main web page.
So, in other words, if you can't get a PAT, don't shut it down.
Yeah.
Don't shut down the transaction.
Maybe fall back to a CAPTCHA or something like that.
Fall back to a CAPTCHA.
Okay.
So, one of my concerns when I'm reading this is, is this something that Apple is going to keep to themselves as intellectual property and try to make privacy more of a differentiator in the marketplace for them?
Hmm.
Right?
It seems no.
The company is actually working
to make private access tokens a web standard,
which is nice, according to this article.
But there is no mention of tokens
working with Android or Windows,
probably because they're not out there yet.
But if everybody got on board with the standard,
or if enough people got on board with the standard
and the Internet Engineering Task Force
adopted it as a standard,
then everybody could do it.
And there's no reason why Google or Windows or anybody else could do it.
Could other organizations spin up their own attestation servers theoretically?
Sure.
If it's an open standard, absolutely.
I have two concerns with this protocol.
Okay.
And the first one is how you exploit it.
And you exploit it very similarly to the way you exploit the root certificate authorities.
You create a malicious attestation server that lets you go ahead and start issuing these things.
Now, that's kind of easy to mitigate, right?
Because you just say to, as the developer of a website or of a service like Cloudflare, you say, well, I'm not going, I don't know who that is, so I'm not going to accept attestations from them or tokens from them.
Right. We're only going to accept attestations from servers that have been attested to.
Right. Servers that we trust.
It's attestation all the way down.
Right. Exactly. And it comes to the same problem that the root certificate authorities come to, right? Who do you trust?
Yeah.
That's the same problem. The other concern I have is that this might lead to a less open web
because of that. A couple mitigations for that. One, you can always fall back to still using a
CAPTCHA, right? Or you can have an open foundation like the Mozilla Foundation or the
Electronic Frontier Foundation become an attestation provider or a token provider, right? So if that's
who you use, let's say you run Linux, right? So you don't have a large company behind you like
Apple or Microsoft or Google that develops your operating system, it's an open source operating system,
well, okay, I'm going to use Mozilla's private access token service
if Mozilla has enough money and funding to set one up or the EFF has one.
Right.
But it can be done.
Yeah.
It can be done.
I like this protocol.
I'm pretty pleased with it.
All right.
Well, good to know.
Thanks for explaining it to us.
Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thanks for listening. We'll see you back here tomorrow.
...solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.