CyberWire Daily - Log4j updates, with a side of Fancy Bear. Roots of Huawei’s career as a security risk. Tropic Trooper is back. Meta boots “cyber mercenaries.” Other cyberespionage incidents.
Episode Date: December 17, 2021
It seems that Fancy Bear may be interested in Log4Shell after all. CISA issues Emergency Directive 22-02, which addressed Log4j. Huawei's reputation as a security risk may be traceable to a 2012 incident in an Australian telco's networks. Tropic Trooper is back, and interested in transportation. Meta kicks out seven "cyber mercenary" surveillance outfits. PseudoManuscrypt looks curiously indiscriminate. Johannes Ullrich from SANS Technology Institute on making the great Chinese firewall work for you. Our guest is Terry Halvorsen from IBM on next-gen cybersecurity efforts to fix the cybersecurity inequity. And the US Commission on International Religious Freedom is reportedly hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/241
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
It seems that Fancy Bear may be interested in Log4Shell after all.
CISA issues Emergency Directive 22-02, which addresses Log4J.
Huawei's reputation as a security risk may be traceable to a 2012 incident.
Tropic Trooper is back and interested in transportation.
Meta kicks out seven cyber-mercenary surveillance outfits.
PseudoManuscrypt looks curiously indiscriminate.
Johannes Ullrich from the SANS Technology Institute
on making the Great Chinese Firewall work for you.
Our guest is Terry Halvorsen from IBM
on next-gen cybersecurity efforts
to fix the cybersecurity inequity.
And the U.S. Commission on International Religious Freedom
is reportedly hacked.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, December 17, 2021.
One of the mysteries about Log4Shell so far has been the relative absence of Russian exploitation, whether by privateers or intelligence services. To review the bidding, given the extensive activity observed on the part of China, North Korea, Iran, and Turkey, where have the Russian threat actors been?
BGR noted that the usual Russian operators seem to have been quiet so far.
Mandiant, in its own rundown of cyber espionage taking advantage of Log4J vulnerabilities, sensibly said,
quote, we expect threat actors from additional countries will exploit it shortly if they haven't
already. In some cases, state-sponsored threat actors will work from a list of prioritized
targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further
post-exploitation activities of targets as they are tasked to do so. End quote.
There are signs now that Fancy Bear, Russia's GRU, has been actively exploiting Log4J
vulnerabilities. SecurityScorecard just this morning reported that it's observed Drovorub activity, and use of the Drovorub toolkit points to Fancy Bear, APT28, Russia's GRU military intelligence service.
Drovorub, which means woodcutter, is a toolkit developed by the GRU's 85th Main Special Services Center for use against Linux systems.
Drovorub has been described as a kind of attacker's Swiss army knife with multiple uses.
And that activity has been extensive.
SecurityScorecard regards Russian reconnaissance, probing, and probable exploitation
as comparable in scale to what's been observed from China.
More developments can be expected, the researchers write. Quote, it's important to remember that we are still in the
very early days of trying to understand the security issue and how it's being used by threat
actors. End quote. There may be reason to think that self-propagating worms are under development
to take advantage of log4j bugs.
Researcher Greg Linares believes at least three groups are working on a log4j worm.
SecurityWeek, which cites Linares, also quotes other researchers who think the news of a coming
worm is unproven at least, unlikely at best, or probably likely to lead to worms less serious
than some of the high-profile cases observed earlier this century.
Log4J is from Apache's open-source library,
and some have asked if the vulnerability exposed as Log4Shell should call into question the very idea of using open-source software.
The short answer would be, according to some, not at all. IT World Canada has a useful discussion of the issue, in which they point out that the Open Source Security Foundation is well
funded, backed by deep-pocketed tech firms, and that securing open source software is not a
hobbyist's labor of love. MIT Technology Review takes a contrary view, arguing that the security of open-source
software is indeed overlooked and underfunded. Their article quotes Veracode's CTO, Chris Wysopal,
who says, quote, the open-source ecosystem is up there in importance to critical infrastructure
with Linux, Windows, and the fundamental internet protocols. These are the top systemic risks
to the Internet. End quote. The U.S. Cybersecurity and Infrastructure Security Agency this morning
issued Emergency Directive 22-02, directing the U.S. federal agencies that fall within its remit
to identify and update all vulnerable systems no later than 5 p.m. Eastern Standard
Time on December 23rd. CISA gives the agencies until December 28th to report completion.
A coda to the required actions suggests the complex challenge of addressing complex environments.
Quote, these required actions apply to agency applications in any information system,
including an information system used or operated by another entity on behalf of an agency
that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,
i.e., all applications in agency ATO boundaries.
For federal information systems hosted in third-party environments,
such as cloud, each agency is responsible for maintaining an inventory of its information
systems hosted in those environments, FedRAMP authorized or otherwise, conducting all necessary
reporting to CISA accounting for such systems, and working with service providers directly for
status updates pertaining to and to ensure compliance with this directive. End quote.
Vendors are working to patch their products against Log4Shell, and it's proving to involve the struggle most observers have foreseen, Reuters reports.
As the patches are issued, they should, of course, be applied when practical, and if you're
a Fed, applied by Christmas Eve, lest ye face the wrath of Director Easterly, which would be like a
visit from the ghost of Christmas yet to come. The Cyber Wire's continuing coverage of Log4Shell
can be found on our website. Bloomberg reports that U.S. reservations about Huawei as a security threat have been confirmed
by revelation of a 2012 incident in which Australian security authorities traced a
malware infestation to a malicious Huawei update. Bloomberg writes, quote,
The incident substantiated suspicions in both countries that China used Huawei equipment as
a conduit for espionage,
and it has remained a core part of a case they've built against the Chinese company,
even as the breach's existence has never been made public, the former official said.
Australian security services determined that a Huawei software update installed on the network of a major Australian telecommunications company contained malicious
code that recorded data transiting the network and sent its take back to China. The malware was
self-limiting, apparently in hope of evading detection. It deleted itself after several days
of persistence in the network. The Australians shared their discovery with their American
counterparts, who then detected a similar attempt against a U.S. network.
The incidents had not been formally disclosed, but they provide a clear motivation for the strong suspicion of Huawei that's marked both U.S. and Australian policy over the past decade,
especially with respect to allowing that company a place in 5G infrastructure.
Tropic Trooper is back, and as security firms Trend Micro and Kaspersky write,
the threat group has a new name and a new target set.
It's now also being called Earth Centaur,
and it's resurfaced to go after targets in the transportation sector.
MITRE assesses Tropic Trooper as an unaffiliated threat group that is probably a hired gun, but notes that its favorite targets have been in
Taiwan, Hong Kong, and the Philippines. It's been associated with Pirate Panda,
which suggests that its customers are probably in Beijing.
Facebook parent Meta has banned six commercial surveillance firms and one unidentified entity,
all of whom it characterizes as cyber mercenaries, from its platforms.
The companies affected include Cobwebs Technologies, Black Cube, Cognyte, and Bluehawk CI, all based in Israel,
India's BellTroX, Cytrox of North Macedonia, and one unidentified entity
operating from China. Up to 50,000 users may have been affected by the banned companies' products.
The University of Toronto's Citizen Lab has called out Cytrox and its Predator tool
as worthy of special attention. Predator was installed, they find, on the phones of at least two Egyptian dissidents.
Kaspersky has identified a mass spyware campaign
they're calling PseudoManuscrypt
because of the features it shares
with the Lazarus Group's Manuscrypt malware.
But attribution is unclear.
PseudoManuscrypt is indiscriminate
in un-Lazarus-like ways,
and it's been seen to use a data exfiltration mechanism hitherto associated with China's APT41,
known both for cyber espionage and a financially motivated APT side hustle.
It's also been distributed in some cases by the Glupteba botnet, a Russian tool.
About 35,000 systems have been attacked, with most targets being either governments or industrial control systems.
Security firm Avast reports finding a targeted attack by an unknown threat actor using a back
door in what the security firm identifies only as a small, lesser-known U.S. federal government
commission associated with international rights. Ars Technica says the victim is the U.S. Commission
on International Religious Freedom. The commission hasn't, Avast says, responded to its disclosures
or attempts to engage it, and so little is known about how effective the attack was. But the researchers think it's
reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all
local network traffic in the organization. It looks like an espionage operation. An intelligence
service might find the commission interesting in its own right if that service should be serving
a regime that regarded religious
freedom as a burr under its saddle. But compromising a small commission might be useful for other
reasons, connections to non-governmental organizations, the possibility of being able
to pivot from the commission to other more inherently interesting or U.S.-allied agencies,
and so on. And finally, operators of industrial control
systems get an early stocking stuffer from the U.S. Cybersecurity and Infrastructure Security
Agency. CISA yesterday released 27 more industrial control system security advisories,
which is seriously useful and a lot better than a lump of coal.
There is a continuing push at the federal level to bring government agencies up to speed with their cybersecurity
and rare bipartisan agreement that it is indeed a national priority.
One of the issues to overcome is inequity between government agencies,
leveling the playing field government-wide.
Terry Halvorsen is general manager of IBM Federal and previously was chief information officer for the U.S.
Department of Defense. I think you will find some organizations in the federal government that are
very advanced in their cybersecurity practices and some that are still working their way to get up to the
standard that they want to. And so how do we go about getting them all up to the level where they
need to be? What needs to be done here? I don't know that I know everything that needs to be done,
but I would make a couple suggestions. And I think some of these suggestions apply as well to the commercial sector. I think
one of the first ones is you have to take a look at the size of your agency or your organization
and determine, am I large enough and can I afford on my own to say, do all of the things that you
have to do to have a very good cybersecurity program.
And I think one of the things that maybe the government might want to look at,
and I think commercial agencies might want to also look at that,
is sharing some of those response abilities.
I also think that becomes a much more efficient way of doing business.
Everybody trying to do every part of cybersecurity might not be the
best way to do that. This would allow agencies, if they share, to maybe form what I'll call a
cybersecurity coalition, share the expense, and probably be able to do a better overall job
of executing on their cybersecurity mission.
The other thing I'll add is I also think there is a role for industry to play here.
I'm very excited about the current administration really calling for industry to play a bigger
role.
Got CISA really working to reach out to industry to help solve the problems.
Because I think if we're going to really get a nation cybersecurity position and really improve
that, that it will take cooperation between the government and industry so that we have both a
secure government and a secure commercial sector. Let's dig into that some. I mean, can you give us your insights on some of the things that
we've seen coming out of the White House when it comes to cybersecurity?
I think the first thing most people look at is you have is the executive order.
You've got, you know, coming from the White House, coming from the president,
an executive order that says we're going to do some things, we're going to measure them within cybersecurity, and I think that's very good.
Some of the things apply just to the government, but some areas, like supply chain,
apply more broadly to both the commercial and the government sector, and I think that's a great start.
I think this administration will look at it as a start and we'll see some continued emphasis in some new areas where it will apply both to the commercial and the government sector.
Are you optimistic that we're on the right path here, that we're up to this task to be able to take on these challenges?
I'm optimistic that we're up to the task.
I think we still have more work to do. Like
I said, when we started this, I'm very happy that you, in this case, we've got, you know,
an administration at up to the president's level that seems to be very interested in making
cybersecurity a top priority. From what I have seen, this is an area where they're in one of
the two where we have really good bipartisan support in Congress to make cybersecurity better.
And I think within the last couple of years, what we have seen is both industry and government recognizing that, yeah, we're going to have to work together to solve this.
So I think the environment has come together and I think we have the right timing and the right capabilities to make it work, and we'll have to see if we'll follow through on all that.
That's Terry Halvorsen from IBM Federal.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
You know, I know there's some research that you are working on.
You've been kind of poking around the edges of the infamous great Chinese firewall to
see if you can maybe leverage some of its capabilities there.
What have you been up to lately?
Yeah, so one thing I observed my home systems, I'm still one of the few people who runs their
own mail servers because I don't trust the cloud.
And I do see a lot of inbound spam connections from China.
I don't have normal email from China.
I don't like these geo blocks because they're hard to maintain.
So I figured, hey, let's make the Great Chinese Firewall work for me here.
And I added some keywords to my mail service banner that are commonly blocked by the Great Chinese Firewall.
And what happened?
Well, the sad part is not much.
So my view of the firewall
was definitely a little bit too simplistic here.
And over the two weeks,
I did two weeks without the keywords, two weeks with the keywords, I didn't really see a significant
change in the traffic. I still saw the same number of connections, the same number of IP addresses.
So it didn't even... One thing I was kind of hoping for was that maybe some of those IP addresses that scanned me would get blocked by the Great Chinese Firewall, or maybe my home IP would get blocked, but neither has happened yet.
And why do you suppose that is? I mean, are the spammers coming out of China using their own workarounds to get around the firewall?
That could be one option.
I'm also thinking that maybe the firewall is a little bit more specific,
that it doesn't look at these banners,
which are usually not used to convey content
to an end user,
but maybe they're more looking at the email itself.
So that's one possible option here.
I may have picked the wrong keywords,
but I picked keywords that are commonly associated
with the firewall.
So there are some more or less accurate published lists of these keywords,
and I put a bunch of them in, so I probably hit a couple that should be blocked.
But that's something I'm still working on,
so there's still a little bit of research in progress here.
All right, well, looking forward to checking in with you
as you continue that research.
Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Sagi Tzadik and Nir Ohfeld from Wiz. We're discussing their recent Black Hat Europe talk about
the need for a cloud vulnerability database. That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Tre Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.