CyberWire Daily - Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Greek natural gas supplier under cyberattack. Updates on a hybrid war.

Episode Date: August 23, 2022

Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on Control Plane vs. Data Plane vulnerabilities. Our guest is David Nosibor, Platform Solutions Lead for UL, to discuss SafeCyber Phase II. And, finally, targeting and trolling, with an excursus on Speedos. Really.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/162

Selected reading.
New Iranian APT data extraction tool (Google)
LockBit gang hit by DDoS attack after Entrust leaks (Register)
Former security chief claims Twitter buried ‘egregious deficiencies’ (Washington Post)
Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies (CNN)
Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal)
Deception, Bots, and Foreign Agents: The Twitter Whistleblower’s Biggest Allegations (Time)
The Ministry of Digital Transformation, State Service of Special Communication and Information Protection and the Council of Ministers of the Republic of Poland signed Memorandum of understanding in the cybersecurity field. (State Service of Special Communication and Information Protection)
Greek natural gas operator suffers ransomware-related data breach (BleepingComputer)
Greek gas operator refuses to negotiate with ransomware group after attack (The Record by Recorded Future)
Announcement | (DESFA)
Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA)
US government really hopes you've patched your Zimbra server (Register)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
Speedo-wearing Russian tourists leak defence secrets on Twitter (The Telegraph)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement.
Starting point is 00:02:15 Greek national natural gas supplier under criminal cyber attack. Update to the joint alert on Zimbra exploitation. Addition to CISA's known exploited vulnerabilities catalog. Johannes Ullrich from SANS on control plane versus data plane vulnerabilities. Our guest is David Nosibor, platform solutions lead for UL, to discuss SafeCyber Phase II, and targeting and trolling with an excursus on Speedos. Really. From the CyberWire studios at DataTribe, I'm Trey Hester, filling in for Dave Bittner with your CyberWire summary for Tuesday, August 23rd, 2022.
Starting point is 00:03:14 Google's threat analysis group this morning published the results of its investigation into Charming Kitten. The Iranian government-sponsored threat group has been observed using a new extraction tool the researchers call Hyperscrape. It's used to extract user data from Gmail, Yahoo, and Microsoft Outlook accounts. Google explains, quote, The attacker runs Hyperscrape on their own machine to download victims' inboxes using previously acquired credentials. We've seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken actions to re-secure these accounts and have notified the victims through our government-backed attacker warnings.
Starting point is 00:03:50 End quote. The tool depends on having the victim's credentials. Quote, Hyperscrape requires the victim's account credentials to run, using a valid authenticated user session the attacker has hijacked or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account's language settings to English and iterates through the contents of the mailbox, individually downloading emails as .eml files and marking them as unread. After the program has finished downloading the inbox, it reverts the language back to its original setting and deletes any security emails from Google.
Starting point is 00:04:30 Earlier versions contain the option to request the data from Google Takeout, a feature which allows users to export their data to a downloadable archive file. End quote. The report includes, as is customary, a set of indicators that Hyperscrape users can check as they defend their systems. Researchers at Cisco Talos tweeted over the weekend that the blog operated by the LockBit gang had come under a heavy distributed denial-of-service attack. Researcher Azim Khodjibaev stated, quote, Someone is DDoSing the LockBit blog hard right now.
Starting point is 00:05:03 I asked LockBitSupp about it, and they claim they are getting 400 requests a second from over 1,000 servers. As of this writing, the attack appears to be active. LockBit promised more resources and to drain the DDoSers' money, end quote, and added in the thread that the ALPHV gang seemed to be undergoing a similar attack. According to the Register, LockBit, a Russian criminal operation, said that it came under attack because it had, in its own turn, hit the large U.S. authentication firm Entrust with ransomware earlier this summer.
Starting point is 00:05:35 Bleeping Computer reports that LockBit is blaming Entrust for the DDoS attack. Quote, The DDoS attack began immediately after the publication of data and negotiations. Of course it was them. Who else needs it? In addition, in the logs, there is an inscription demanding the removal of their data. End quote. LockBitSupp, the public face of the gang, told Bleeping Computer. But it's unclear who's behind the DDoS attack. Entrust hadn't yet responded to Bleeping Computer at the time they published.
Starting point is 00:06:04 And it's entirely possible a rival gang, for example, could be behind the attack. Peter "Mudge" Zatko, a well-known white-hat hacker who served for a time as Twitter's chief of security before being dismissed in January by Twitter's CEO, has filed a whistleblower report against his former employer, The Washington Post reports. The complaint, which Zatko filed with the U.S. Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, alleges, according to The Post, quote, that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko's complaint alleges he had warned
Starting point is 00:06:42 colleagues that half of the company's servers were running out-of-date and vulnerable software, and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes. End quote. For its part, Twitter says it investigated Zatko's claims at the time he made them and found them without merit. The governments of Poland and Ukraine have concluded a memorandum of understanding concerning cybersecurity, formalizing cooperation in the fifth domain. Ukraine's SSSCIP describes the purpose of the agreement as organization of joint efforts for, quote, repelling the enemy
Starting point is 00:07:21 in cyberspace, end quote. The statement adds, quote,

The gas provider DESFA disclosed over the weekend that it had been the victim of a ransomware attack. Quote, DESFA suffered a cyberattack on part of its IT infrastructure by cybercriminals that have tried to gain illegal access to electronic data, with a confirmed impact on the availability of some systems and possible leakage of a number of directories and files. End quote. Bleeping Computer connects the incident with RagnarLocker,
Starting point is 00:08:03 a pioneer of double extortion attacks that both steal and encrypt data. RagnarLocker, which claimed responsibility and leaked proof-of-compromise data Friday, is a gang long believed to be based in Russia. An attack on a European natural gas distributor during Russia's war against Ukraine is consistent with privateering aligned with Moscow's interests. The Record reports that DESFA has quite properly refused to negotiate with its attackers. The Cybersecurity and Infrastructure Security Agency, also known as CISA, and the Multi-State Information Sharing and Analysis Center yesterday updated alert AA22-228A,
Starting point is 00:08:42 Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, to include two new detection signatures. Exploitation of Zimbra remains a threat, so the alert is worth a look. CISA especially urges organizations that may not have checked their systems for vulnerability to look for evidence of five vulnerabilities. Patches are available for all of them.
Starting point is 00:09:09 CISA has also added CVE-2022-0028, a vulnerability in Palo Alto Networks' PAN-OS, to its catalog of known exploited vulnerabilities. It's a, quote, reflected amplification denial of service vulnerability, end quote. Filtering policy misconfiguration could permit, quote, a network-based attacker to conduct reflected and amplified TCP denial-of-service attacks. End quote. U.S. federal civilian executive branch agencies overseen by CISA have until September 12 to apply Palo Alto's update.
Starting point is 00:09:45 Finally, in an update on the menace to operational security presented by selfies and social media, Ukraine's defense ministry has credited holiday photos taken by Russian tourists in occupied Crimea with providing valuable targeting information. The ministry tweeted, quote, Maybe we are being too hard on Russian tourists. Sometimes they can be really helpful. Like this man, taking a picture of Russian air defense positions near Yevpatoria in occupied Crimea. Thank you and keep up the good work. End quote.
Starting point is 00:10:09 The picture shows a middle-aged guy in Speedos posing, evidently deliberately, in front of a Russian missile launcher. The Telegraph explains that such open sources are delivering targets to Ukrainian forces. Ukraine's defense ministry is, we think, obviously trolling its Russian opposition. Overhead imagery provides much more timely and accurate target indicators than does any selfie by Ivan Spidotevich. That said, tourist, soldier, and bystander photos posted to social media have been an OPSEC headache for Russian forces since the invasion began and have probably contributed more to an understanding of the Russian order of battle than to direct targeting. But still, if you must take a selfie while enjoying the sun and the fun, it's better
Starting point is 00:10:52 if there's a Samtel in the background. Keep snapping, bros. If order of battle and pics of combat vehicles are your hobby, well, we hear that everyone needs one. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
Starting point is 00:11:19 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done
Starting point is 00:11:51 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:12:24 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. In 1894, William Henry Merrill Jr. founded the Underwriters Electrical Bureau, later known as the Electrical Bureau of the National Board of Fire Underwriters.
Starting point is 00:13:14 For most of the organization's life, they were known by the name UL, Underwriters Laboratories, and their certification was the standard for safety in electrical products. These days, UL has updated their name and their brand to UL Solutions and expanded their mission to applied safety science, including cybersecurity. David Nosibor is product lead for UL's SafeCyber platform. We have, first of all, an increasing volume and sophistication of security attacks. And as part of these attacks, we see that connected devices are being one of the main attack vectors, with obviously supply chain components being part of that and representing a huge problem for their lack of security. So we can go along and ultimately talk about the targeted attacks targeting critical infrastructures,
Starting point is 00:14:16 industrial and automotive players, as well as their suppliers. We see that about a quarter of organizations, 25% have experienced a supply chain attack in the past year. And ultimately, this is a testament to the fact that hackers are finding more and more ways to exploit those attack vectors and ultimately cause great harm to businesses and even individuals. And now, the second thing we need to talk about is why this is happening. And one of the key reasons is the lack of expertise, security expertise in most companies to prevent and fix these issues related to security.
Starting point is 00:14:57 And the thing is, this is due to security having been relegated to the back of the queue over speed to market when we look at connected device manufacturers that were looking at gaining market share and favoring innovation. And security had been considered as a costly element and ultimately hampering that speed to market. Well, that momentum, like I said, is shifting because of the great harm that's been happening with the attacks that we've been witnessing. And the third element to look at
Starting point is 00:15:31 is governments and industry bodies waking up to this and seeing the damage that it's causing and finally starting to push regulations and policies to address device security. And the SolarWinds attack was pretty much a great wake-up call in that regard in 2020. And with those three elements that we've quickly recapped, it's all about how we can democratize product security for every connected device stakeholder so that they can essentially play ball and implement the right security measures to essentially mitigate those threats and risks. with speed to market and security along with compliance, since we have regulations being enforced, such as, if we can mention the executive order from the U.S. government, President Biden, in May 2021, ultimately imposing on device manufacturers and suppliers to come up with software bills of materials and encouraging supply chain transparency. How can those connected device stakeholders make sure they are having the
Starting point is 00:16:52 right information while also having the means to implement what's needed? This is where SafeCyber comes into play. SafeCyber is a security and compliance posture management platform for product security and development teams that are working at those device manufacturers, OEMs, suppliers, and system integrators. SafeCyber is essentially hosting a suite of digitally enabled solutions, applications per se. This is representing the gateway to UL's product security expertise and aiming at democratizing connected device security. So we have for now two solutions on the platform, MaturityPath and BinaryCheck. MaturityPath is more focused on the product security processes and governance side of things, helping organizations assess that, while BinaryCheck is more on the product security testing side of things and available in a self-service capacity for these organizations.
Starting point is 00:18:01 Well, help me understand, you know, I think like a lot of folks, I certainly have a long history with UL and, you know, growing up and seeing the UL logo on consumer products and so on. Is this part of the for-profit side of UL? So that's correct. So let me provide a bit more background as to why UL Solutions is tackling security in addition to safety. And there's actually a simple reason for that, because today there's no safety without security. And this is pretty much put on full display when we look at, for example, a connected car today with a lot of software components, essentially having a computer on wheels, so to speak. If we are finding security risks
Starting point is 00:18:55 at the car level, this could actually impact the safety of its passengers, right? So at the end of the day, for UL, it's quite a natural element to tackle to ensure the overall safety of citizens and people at large and make the with a global network of IoT and OT security labs across the world, along with a roster of security experts and advisors that are specialized in securing several ecosystems, right? Not only talking about ICS and industrial manufacturers, but also automotive, healthcare, the connected home and consumer electronics at large, as well as smart buildings and payments. That's David Nosibor from UL Solutions. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:20:33 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, always great to welcome you back. Yeah, thanks for having me again. So, interesting topic that you have been looking into here, looking at some vulnerabilities and sort of contrasting between control planes and data planes. What's going on here? Yeah, it's actually a distinction that a reader of our diaries reminded me of.
Starting point is 00:21:25 And if you're looking at your network security devices, routers and such, you should distinguish between control plane and data plane. Data plane is sort of what you basically consider what goes through the device. So your packets that are being passed along. Control plane is usually where you find the security vulnerabilities. That's like your web-based admin interface. And if you ever listen to me, I get sick of saying it, well, block access to that admin interface. That's sort of one of the common issues here.
Starting point is 00:21:56 But lately we have seen some interesting issues with the data plane, which is much more difficult to control. Because that's, after all, considered a little bit transparent. And historically, I think people haven't really paid much attention there because the data plane is conceptually pretty simple. You get the packet, you look at some headers, and you pass it on or you block it. But it turns out that, well, it has many things.
Starting point is 00:22:23 Once you look deeper into it, it's not quite as simple. And for example, there are these application layer gateways. What they are doing is they're doing very complex operations on packets on the application layer. Let's dig into that. Help me understand what's going on here. Yeah, so let's look at a recent example here. And this was this Realtek vulnerability that affected their SIP, so their voice over IP, application layer gateway. These gateways, they do have to do NAT. They do have to rewrite IP addresses. For 99% of the packets, that's only affecting the headers, your IP header and then checksums and such in UDP and TCP. But for protocols like SIP, you find that the IP
Starting point is 00:23:09 address is also embedded in the payload. Now the device, your router, has to rewrite that payload, not just the headers. And that's where it gets complicated, because those payloads are not really meant to be rewritten. They're a fairly intriguing kind of protocols that are being used here. And that's essentially where they messed up. Plus, the other problem you have with the data plane is that speed matters. For the control plane, when you're connected to a web server, you have noticed a lot of these small routers, the web service is a little bit sluggish kind of when you connect to it. And that's usually okay because you have like one user connecting to it and you only need to connect to it once a month. Hopefully you connect to it once a month to
Starting point is 00:23:52 check if the firmware needs updating, but that's about it. On the data plane with gigabit connections that people have now in their homes, speed matters. So developers are a little bit enticed to take some shortcuts here to keep things simple, not necessarily check all the little details. And that's exactly sort of what happened here with Realtek, where, well, if Realtek routers, these particular routers, use or look at SIP traffic. You have a very straightforward and easy to exploit buffer overflow just by them looking at it. So you don't even have to use this protocol. It's just the router receives a packet that is SIP.
Starting point is 00:24:38 It sends it to this application layer gateway. Hey, does this need rewriting? Oh, there's a buffer overflow here. Let me execute the attacker's code. So what's to be done here? I mean, what are your recommendations? Well, that's the hard part. So definitely, you know, keep those firmwares updated.
Starting point is 00:24:55 But like in the Realtek case, you may not have an update. It's with a router sort of running end of life and such. You may not find an update for this particular vulnerability. The standard advice always, well, add a device before your router. Kind of add a firewall in front of the firewall to protect the firewall. Well, you can see how we can sort of play that game. It's firewalls all the way down, right? Yeah, and that's not really realistic kind of for home users necessarily.
Starting point is 00:25:24 Disable features as much as possible is certainly something that you can consider. Like, keep it simple. And lastly, in particular, if this is like, let's say, a cable/DSL modem that your ISP provided, you may not even have sort of a lot of insight in the configuration. Just treat it as hostile. And then again, firewall after firewall. Now you have your firewall behind the ISP's firewall to basically ignore what happens there. Yes, they can still cut you off. They can still do a denial of service. But at least you don't
Starting point is 00:26:00 have that implant in your network that's controlled by an attacker. All right. Well, good information. Johannes Ullrich, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:26:29 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Thanks for listening. We'll see you back here tomorrow. Thank you. insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:27:46 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
