CyberWire Daily - Dealing with Follina. SeaFlower steals cryptocurrencies. Cyber phases of a hybrid war, with some skeptical notes on Anonymous. And the war’s effect on the underworld.
Episode Date: June 14, 2022

Dealing with the GRU's exploitation of the Follina vulnerabilities. SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets. Ukraine moves sensitive data abroad. Anonymous claims to have hacked Russia's drone suppliers and to have hit sensitive targets in Belarus. Rick Howard reports on an NSA briefing at the RSA Conference. Our guest is Ricardo Amper from Incode with a look at biometrics in sports stadiums. And the effects of war on the cyber underworld. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/114

Selected reading.
Follina flaw being exploited by Russian hackers, info stealers (Computing)
Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign (SecurityWeek)
How SeaFlower installs backdoors in iOS/Android web3 wallets to steal your seed phrase (Medium)
Ukraine Has Begun Moving Sensitive Data Outside Its Borders (Wall Street Journal)
Anonymous claims hack on Russian drones (Computing)
How the Cybercrime Landscape has been Changed following the Russia-Ukraine War (Kela)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Dealing with the GRU's exploitation of the Follina vulnerabilities. SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets. Ukraine moves sensitive data abroad. Anonymous claims to have hacked Russia's drone suppliers and to have hit sensitive targets in Belarus. Rick Howard reports on an NSA briefing at the RSA Conference. Our guest is Ricardo Amper from Incode with a look at biometrics in sports stadiums. And the effects of war on the cyber underworld.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 14th, 2022.

CERT-UA maintains its conclusion that Sandworm, a GRU operation, was responsible for exploiting Follina to compromise Ukrainian media organizations, Computing reports. Compromised Word documents are carrying the AsyncRAT Trojan as a malicious payload. Follina is a remote code execution vulnerability. It's listed as CVE-2022-3190, assigned a severity rating of 7.8 out of 10 by Microsoft, and it uses the Microsoft Support Diagnostic Tool to download and execute malicious script. It's being called low-interaction remote code execution, not zero-click, because there's some interaction required for execution, but not much. All it takes is for a victim to preview a malicious file. Ars Technica notes that Microsoft has issued instructions for mitigation, explaining how to disable MSDT, but hasn't yet said whether it will issue a full patch.
SecurityWeek reports that digital advertising security company Confiant has discovered a campaign sending backdoored versions of iOS and Android Web3 wallets. The attackers have cloned the legitimate sites of the wallets and have included links to download them. The downloads contain the app's legitimate functionality, but also exfiltrate the user's seed phrase in order to steal the victim's cryptocurrency. Confiant says that the cybercriminals running this campaign have not yet been identified but are likely Chinese, as much of the data found is in Chinese and contains information from Chinese and Hong Kong IP addresses.
The Wall Street Journal reports that Ukraine has begun to store sensitive data abroad, backing up its information to render it less vulnerable to Russian physical or cyber attack. George Dubinsky, the country's deputy minister of digital transformation, said, "To be on the safe side, we want to have our backups abroad." Among the earlier transfers was a program to back data up to a secure private cloud with servers located in Poland. Priority has been given to protecting VIP databases, that is, databases deemed essential to the operation of Ukraine's economy.
Anonymous claims to have successfully hacked into Russia's drone suppliers, if not exactly the drones themselves. Tweets on behalf of the hacktivist collective include statements saying, "Russian UAV drones plans and tactics hacked. We hope this information will help the war to end as soon as possible. No war is justified." Accounts of exactly what Anonymous obtained are confused and unclear, but it does not appear to have been a direct attack on the Russian military, as some sources said. Images posted of files allegedly stolen appear to include promotional literature and a list of companies involved in the production or trade of the Kronstadt Group's Orion-E armed drone, an export model. Computing notes sensibly that the nature of Anonymous makes it impossible to ascertain if the hacked data is genuine, although cybersecurity experts do think that most of the collective's claims of successful attacks are true.

Anonymous also claims to have engineered significant disruption of government activities in Belarus. They tweeted, "Access to 26 ministries, centers, and banks of the Belarusian government has been restricted as a result of attacks by me, your Anon Spider." There are no independent reports of such activity, and the claims have to be received with skepticism. Somebody would surely have noticed such widespread disturbances.
Kela Cybersecurity Intelligence has researched the effects Russia's war against Ukraine has been having on the cybercrime landscape, detailing new developments in the cybercriminal underground as a result of the conflict. The effects are being produced by new criminal opportunities, by the effect of Western sanctions, and by new Russian restrictions on certain online services. Kela researchers have found, for example, that people are getting transportation out of Ukraine through hacking sites rather than through legitimate sites and services, and there has been an increase in demand for money transfer services, as both Russia and Ukraine now have laws in place dictating limits on the amounts that can be transferred and the locations to which money may be transferred. These are the services black markets have traditionally offered in wartime, and cybercriminals have not been slow to pivot from online fraud and carding to take advantage of the desperate.

What's made legitimate remittances harder has also made criminal transactions more difficult. The blind eye the Russians have traditionally turned toward money laundering, for example, is now seeing a bit more clearly, and life has grown a bit more challenging for the underworld. And, of course, Western sanctions have made it difficult, in some cases difficult to the point of impossibility, for, say, ransomware victims to pay their extortionists, especially when the ransomware operators are working from Russia, as so many of them do.

VPN services have also seen a spike in demand. Kela writes, "The spike can be caused by the arrival of new users hoping to acquire accounts for reliable VPN services, especially since Russia has started to block URLs linked to some of them, while to legally pay for remaining VPNs is hard without having non-Russia-issued Visa and MasterCard credit cards." There's nothing inherently illegal about VPNs, but they're restricted in Russia, where the government has enacted censorship laws to stifle access to sites that offer what the Kremlin regards as disinformation, that is, comment and reporting that don't reflect the official Russian line on the "special military operation." Facebook and Instagram are among the platforms being censored, and the cyber underworld has been quick to offer illicit VPN services to those who want to see the news the government would rather go unreported, or at least unheard.

Kela has also found that the war is affecting both cybercriminal online communities and C2C markets for ransomware and other crimeware. The actors behind the Raccoon Stealer malware reported on a forum that their core developers are unable to continue to produce the malware because of "a special operation" and that work on Raccoon Stealer has been suspended. The gang hints that the suspension is due to the war. Chatter about the effects of war has also appeared on a Russophone cybercrime forum. There's some debate there about the nature and justification of Russia's war, despite the forum's rules against such political discussion. And of course, as we've seen, ransomware gangs have taken sides in the war, usually Russia's side. Conti is the most famous of these. Some of the gangs, wishing for freedom to pursue criminal gain, have sought to keep operations as normal as possible by declaring their neutrality. Whether that will work for them seems an open question. It's tough to continue operating when your protection has grown shaky.
… stadiums, arenas, or theaters, where thousands of people need to get in and out of a facility in a way that, ideally, is both efficient and secure.
Ricardo Amper is CEO of Incode Technologies, a company that's using biometrics to keep those lines moving securely.

The trick to making it right is that it has to be a combination of a number of things. First of all, it has to be secure. So we use the same technology that major banks, you know, the top three digital banks use, healthcare, etc. So it has to be secure. And the second one that you mentioned, it has to be able to streamline entrances while making sure that it's secure, and at the same time, provide a platform to further expand the use cases and then become a complete engagement platform for fans.
You know, in preparation for our conversation today, I was thinking about some of the biometric methods that we use in our daily lives, and I was thinking about something like Face ID on an iOS device, where it is extraordinarily reliable. But in the off case that it doesn't work, you have a password to fall back on. Is it similar here, where the biometric authentication, the face scan, allows you to get in quickly, but you still bring your ticket along just in case?
Look, there's different ways how this can be implemented. Our favorite one is one that's great for privacy. So after you prove your identity, we generate a QR code where your biometric is embedded there. It's not on the server. It's not anywhere where it can be stolen. And so when you come to the stadium, you scan the QR code, and then a device that's offline, that's not connected to the internet, extracts that kind of biometric data from your QR code, reads your face at the time of entrance, and then matches up and then deletes it. So it's incredible because no one knows that you're there. No one is using facial recognition in any creepy way, but it's actually a super privacy-centric way to be able to streamline the entrance, and you can tie your ticket, you can tie your credit card. And so once the identity is there, then there's a number of experiences that open up.

Let's talk about privacy. I mean, what are the things that are in place there to ensure that people feel comfortable with it?

First of all, privacy is our North Star. Everything that we develop, it's developed around privacy. So what does that mean? It means that we always ask for consent, so we don't sell or support any use cases that are surveillance or something that's without consent. Secondly, the data is yours, and you can extract it, delete it, transfer it as you want. … as a picture, it's stored as a two-kilobyte string, which even if it was hacked, would have been impossible to deduce your face from it. And four, in the specific case, it's not stored in the cloud. It's just stored in your QR code that's on your phone. And so these are a number of privacy measures that can allow these types of experiences, which provide a lot more security, but at the same time, enhance privacy, even more than if human beings would check it.
Now, what about the actual security at the facility? Say, for example, there is some sort of incident, you know, there's someone, there's a disagreement, there's a physical altercation, something like that. Would stadium security be able to have access to this to help them do the things they need to do?

Yes, absolutely. So our system allows for stadium personnel to be able to block people if they generate some type of problem, or if other people have generated in the past and you have kind of frames or videos that you can fit into the system. And so when that person either tries to get their fan ID or is standing in front of the stadium, as the person tries to enter with his face, he will be stopped. So there's a number of ways that you can create these blacklists, and it creates the right incentive for people to behave well.
What's the reaction been so far? I mean, biometrics is certainly not without controversy. How's the adoption rate going for you?

Yeah, there's a lot of controversy, but because there's a lot of, there's a massive lack of knowledge and confusion. So when you talk about biometrics or facial recognition, there's two parts. The surveillance side, which is against every privacy law, it's trying to recognize you. You don't know what's happening. You never gave consent. You don't get access to the data. And so it's creepy, and it should be actually regulated and eliminated in most of the cases. When it comes to our technology, it's always with consent. And so once you go into the stadium, you go with your consent that you participated in the program, that you're using your biometric to get in. And so it's a way, once people get authenticated and, you know, they have the incentive to perform well, but every economic activity gets just easier and more productive.

That's Ricardo Amper from Incode Technologies.
And joining me here is Rick Howard. He is the CyberWire's Chief Security Officer, also our Chief Analyst. Rick, you and I and several other members of our CyberWire team were in full force last week at the RSA 22 conference. And as part of that, you were invited to attend a press conference that was put on by the NSA. Who was there?

Yeah, it was late in the afternoon on my last day of the conference, and we were tucked away on the third floor of the Moscone Center. I mean, there was nobody up there at that point. There was a long table down the middle of the room with me and three other journalists on one side and the NSA contingent on the other. Rob Joyce was there. He's the director of cybersecurity strategy and oversees the NSA's cybersecurity directorate. And their mission is to prevent and eradicate cyber threats to the Department of Defense, national security systems, and the defense industrial base, or the DIB, as the cool kids call it. Natalie Pittore was there. She's the chief of the NSA's Enduring Security Framework, essentially the intelligence sharing function between the NSA and the feds, plus the DIB. And Kristina Walter, she's the chief of defense for the DIB.

And so you're saying DIB here. What exactly is DIB?

Well, as you can imagine, the federal government uses a lot of commercial contractors. And according to the CISA website, more than 100,000 defense industrial base companies and their subcontractors. And many of these companies run material systems for the government, both on the unclassified and classified networks. And so these companies make up the DIB.

And the DIB has its own ISAC, their Information Sharing and Analysis Center, right?

Yeah, it's called the National Defense ISAC, and it's part of the NSA's job to share intelligence, provide security and intelligence products with the DIB community. For example, according to Natalie Pittore, besides intelligence on the latest threats, the NSA's Enduring Security Framework provides white papers to the DIB and to the public, by the way, on thorny security topics like security guidance for 5G cloud infrastructure in terms of integrity, data protection, network isolation, lateral movement detection, and just general purpose threats to 5G in general. And then Morgan Adamski, she's the chief of the Cybersecurity Collaboration Center. She talked about the NSA offering of protective domain name system services that is injected with NSA's unique threat intel. And this is a free service to all the DIB companies. So those are the kinds of things those folks provide to those groups.

Well, looking at the intelligence sharing side of things, how are they doing there?

Well, the DIB intelligence sharing program has been around for a long time. And I asked Rob to give us an update on the current status and future direction. My takeaway from that exchange was that the National Defense ISAC is in the same boat as many of the other ISACs and ISAOs in existence out there. They're all pretty good at sharing IOCs with each other, indicators of compromise. Probably not as good at sharing intrusion kill chain tactics, techniques, and procedures for known adversary campaigns, you know, along the lines of the MITRE ATT&CK framework. And they're all struggling with automating the process. Remember, the DIB companies range in size from giant Silicon Valley security vendors like Cisco to mom-and-pop startups who provide key services as a subcontractor to the larger prime. So establishing a level playing field of resources, it's a really tough problem. But they've made huge strides since their founding and have made progress every day. And the protective DNS service is a great example of that. They have other security services like that on the table, discussing those kinds of things for future deployment.

How interesting is it to you that you were invited to this at all? I mean, this sort of outreach, I'm not speaking to you personally, I'm just saying this type of outreach.

Yeah, why the hell were you there, Rick? Don't they know who you are or aren't?

But this sort of outreach is a bit of a pivot for some of these agencies, right?

Well, I mean, for this, you know, the government, the federal government's been talking about the private-public collaboration, okay, for years. And this effort at the RSA conference is one way they can get the information out to show people that they are contributing to this effort. And, you know, when we started doing this way back in the early 2000s, there wasn't a lot of sharing going on between the commercial sector and the government. And like I said before, we've made huge strides in that area.

Yeah. All right. Well, thanks for keeping us up to date here. Rick Howard, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.