CyberWire Daily - Mirai’s new variant targets IoT devices. Volt Typhoon investigation continues. Hacktivism in Senegal. Lessons learned from Ukraine.
Episode Date: May 30, 2023
New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices. The latest on Volt Typhoon. DDoS hits government sites in Senegal. The Pentagon's cyber strategy incorporates lessons from Russia's war, while the EU draws lessons from Ukraine's performance against Russia. Joe Carrigan explains Mandiant research on URL obfuscation. Mr. Security Answer Person John Pescatore plays security whack-a-mole. And NoName disrupts a British airport. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/103
Selected reading.
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (Unit 42)
US officials believe Chinese hackers may still have access to key US computer networks (CNN)
Chinese state-sponsored hackers infiltrated U.S. naval infrastructure, secretary of the Navy says (CNBC)
US military intelligence also targeted by Chinese hackers behind critical infrastructure compromise (SC Magazine)
Senegalese government websites hit with cyber attack (Reuters)
DOD Transmits 2023 Cyber Strategy (US Department of Defense)
Fact Sheet: 2023 DOD Cyber Strategy (US Department of Defense)
Lessons from the war in Ukraine for the future of EU defence (European Union External Action)
Investigation Launched After London City Airport Website Hacked (Simple Flying)
Maryland high school listed on Zillow for $42K in ‘creative’ senior prank (New York Post)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices.
The latest on Volt Typhoon.
DDoS hits government sites in Senegal.
The Pentagon's cyber strategy incorporates lessons from Russia's war,
while the EU draws lessons from Ukraine's performance against Russia.
Joe Carrigan explains Mandiant's research on URL obfuscation.
Mr. Security Answer Person John Pescatore plays security whack-a-mole.
And NoName disrupts a British airport.
I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, May 30th, 2023.
Palo Alto's Unit 42 discovered a new variant of Mirai targeting IoT devices,
using several vulnerabilities to propagate itself and add machines to its botnet.
This variant exploits four vulnerabilities.
Researchers at Unit 42 explain that the infected machines then become a part of Mirai's botnet
and can be used to conduct such further actions as DDoS attacks.
The researchers note that this Mirai strain has been seen in several campaigns,
and they assess that these were all conducted by the same threat actor.
U.S. government officials are still determining the extent to which their systems were infiltrated by the recently disclosed Volt Typhoon cyber attack.
CNN writes that NSA's cybersecurity director Rob Joyce said,
U.S. officials are still trying to verify that Chinese hackers have been kicked out of networks they've broken into during the months-long campaign.
He added that NSA had been investigating this incident since
last year. Secretary of the Navy Carlos del Toro told CNBC that the Navy has been impacted
and wasn't surprised by the announcement of the cyber attack. Specific details about the motives
and ultimate goal of the attack are still undetermined, but SecureWorks researcher
Marc Burnard contends that the threat actors are aiming for strategic intelligence, writing that
they're ultimately trying to avoid a Chinese affiliation. He says that they're after that
strategic long-term access to organizations that are working very closely with the military
and have extremely valuable data that they may potentially be able to mine
for military intelligence value.
An array of Senegalese government websites were targeted by DDoS attacks
that took them offline on Friday, Reuters reports.
The hackers behind the DDoS attacks call themselves Mysterious Team
and claim to work on behalf of the Senegalese
people. The group claims its origins are in Bangladesh, but as Reuters observes, the connection
between Senegal and Bangladesh isn't clear. The hacktivists were seen using the hashtag
Free Senegal in tweets. Senegal is seeing heightened political tensions with protests abounding over what Reuters
simply calls a host of issues. As of Saturday, the presidential website was said to be back online
while some other government sites remained in a process of recovery.
The U.S. Department of Defense has sent its 2023 cyber strategy to Congress.
The department says the strategy represents an evolution of the 2018 Department of Defense cyber strategy
and provides direction for the implementation of the 2022 National Defense Strategy in cyberspace.
The strategy itself is classified,
but an unclassified fact sheet released by the department
emphasizes that the cyber aspects of the hybrid war between Russia and Ukraine have helped inform the strategy.
It identifies the principal threats in cyberspace as China, Russia, North Korea, Iran, violent extremist organizations, and transnational criminal organizations,
who are often aligned with the foreign policy objectives
of the governments that support and protect them. Josep Borrell, the EU's foreign policy lead,
reflected recently on the lessons Europe might learn from Ukraine's combat record,
which he finds generally impressive and worthy of emulation. He brackets cyber with electronic warfare and thinks Ukraine has shown
the importance of both. He says that electronic warfare capabilities, including but not limited
to cyber, are increasingly relevant. Russian hacktivist auxiliaries affiliated with the
NoName group claimed responsibility for a denial-of-service attack that briefly disrupted London City Airport's website Sunday morning,
Simple Flying reports.
Flight operations were unaffected.
And finally, if you were browsing Zillow,
one of the more widely consulted real estate sites,
you may have noticed that Meade Senior High School at Fort Meade, Maryland,
was listed for sale, and that at just
$42,069, it was a steal. The listing said the property boasted 12,458 square feet with 20
bedrooms, 15 baths, a spacious kitchen, and a private basketball court. Sorry, speculators and
flippers, but the New York Post says it was just a prank by graduating seniors.
The school's administration thought the asking price was way too low.
In any case, Zillow has now removed the listing, so you're out of luck if you're thinking of putting in a bid.
In any case, congratulations to all graduates of the class of 2023.
Go Mustangs.
Coming up after the break,
Joe Carrigan explains Mandiant's research on URL obfuscation.
Mr. Security Answer Person John Pescatore
plays security whack-a-mole.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
Hi, I'm John Pescatore, Mr. Security Answer Person.
Our question for today's episode,
Hey, Mr. Security Answer Person,
seems like we've been talking about transitioning cybersecurity away from whack-a-mole for decades now.
Has anyone actually made any progress doing that?
Well, to skew old, I think I can claim credit
for actually being the first to use that
analogy in 2006 or so. My actual statement said something like success would mean transitioning
from whack-a-mole to more chess-like strategies versus abandoning whack-a-mole because I never
felt that would happen. Here's why. Chess is a bounded problem. The board is a fixed size,
the pieces can only make certain moves, and the players take turns.
Cybersecurity is not bounded. None of those rules apply.
The board, think software and people vulnerabilities, is infinite.
The bad guys can move their pieces in all kinds of crazy directions,
and they don't have to wait for us to take our turn before they act.
By the way, this is exactly why artificial
intelligence and machine learning can beat experts at chess, but not so much at cybersecurity.
Cybersecurity is essentially an infinite game. Many CISOs are fans of Simon Sinek's 2019 book
Infinite Game Theory. To quote Mr. Sinek, changeable, and infinite games have no defined end point. There are no winners or losers,
only ahead and behind. Well, I'll quibble a bit with Mr. Sinek's last point. There are winners
and losers. If you lag behind the bad guys and they find you, you and your business will clearly
be losers. So I always explain, we really can't abandon whack-a-mole, but we can use strategies
to focus more on the most likely and or most damaging holes the evil little varmints will
pop out of.
If you want to be all fancy schmancy about it, call that a risk-based approach, but here's
what I mean.
First, throw some 90% rules at the problem, such as, 90% of business revenue comes from
10% of applications used.
Watch those holes more carefully. 90% of
successful attacks succeed by using phishing attack front ends to compromise reusable passwords.
Fill in those holes with two-factor authentication. 90% of the remaining attacks would be stopped by
essential security hygiene controls. Work with IT to pave over those holes.
Businesses that have applied just those three rules can focus on nine or ten critical holes versus having to spread equal attention
across 1,000 different places to look. You still need fast reactions, but the proactive steps mean
you no longer need superhero speed or strength to reduce, if not avoid, business damage.
Then you can apply the freed-up staff time towards some strategic moves and more lean-forward operation techniques
like threat hunting, purple teaming, data encryption, etc.
that will be the equivalent of turning pawns into additional queens on the board.
So I'll stick up for the whack-a-mole-chess hybrid goal.
A lot of the enterprises who have not shown up in the news for breaches
have been doing just that,
getting more effective and more efficient
in increasing the odds of successful mole whacking,
freeing up skilled analysts' time for taking advanced steps
to identify future new holes
and maybe even fill in some of the old ones.
Plus, with advanced whack-a-mole skills,
you'll be able to win gigantic stuffed animals for your kids or your significant other at the
local carnival. Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the Cyber Wire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com. And joining me once again is Joe Carrigan.
He is from Harbor Labs and the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
This is some interesting research from the folks over at Mandiant.
This is a report written up by Nick Simonian, and it's titled,
Don't At Me, URL Obfuscation Through Schema Abuse.
Can you unpack this here, Joe?
What are they describing here?
Okay, so we have to understand first how URLs work and what a URL is. Okay.
And it is the universal resource locator. Yep. So there was an RFC that was out in the early 90s,
1738. And if you remember the early 90s, Dave, we weren't really concerned about any of this security thing. Right. So I guess the way they're designed,
if you want to talk about a URL,
is you have a scheme or what's usually a protocol.
Then you have two slashes.
And then you have a field for a user,
followed by a colon,
followed by a password,
followed by an at sign,
followed by a host indication of some kind,
then another colon and a port, and then a slash, and then the URL path.
Now, where it gets tricky is the HTTP specification says,
we're going to follow the URL specification,
but we're not going to use username and password in HTTP.
Ah, okay. We're going to ignore anything before the at sign.
So, but I also think there's a distinction here because I think most of us, when we think about
a URL, probably the first thing that comes to mind is something, an HTTP request, right?
Going to a website. That's right. It's the same, it's the same, I don't want to say error, but it's the same thinking that when people think internet, they think of the web and only the web.
Right.
There's a lot of services on the internet and a lot of different protocols running.
Okay.
And the web is just the one that people use the most.
Yeah.
So they're familiar with HTTP and HTTPS.
Right.
And they know that some of them might even, a lot of them might even know the difference
between the two of them, right?
Right.
Which is important.
Hopefully our audience does.
Yeah, I would hope so.
So what's going on with this at sign issue here?
What happens is if I have an at sign in a web,
an HTTP or HTTPS URL,
everything before it gets ignored per the specification.
So I can say, hey, Dave, here's a link to google.com and put in
http://google.com at joesmaliciouswebsite.com.
Oh, I see.
And where you go is just joesmaliciouswebsite.com.
Okay.
And that's what happens.
But there's more obfuscation that's going on here as well, including some things, honestly, I didn't know about until I
read this article. Okay. Go on. So we have all these different domain names. We're familiar with
DNS and how that works, right? I type in google.com to go to Google services,
but my computer in the background goes,
well, I don't know what that is.
Let me go ask DNS what that is.
And DNS comes back with an IP address.
Right.
And historically with IPv4,
which is the one that we all are very familiar with,
when you see an IP address,
it comes back with like 1.2.3.4,
which is the pedantic example that's used in this article,
which is a perfect example. And I'm sure that as I say some number between 1 and 255 dot something,
dot something, dot something, everybody immediately envisions an IP address in their head. If they've
been working in this field long enough, that's what happens. Well, here's something you can do
that I had absolutely no idea you could do this.
You can represent that as just one long binary string.
Huh.
And web browsers will interpret it accordingly.
So you can take that long binary string
and turn it into an integer,
essentially a four-byte long integer.
In the case of 1.2.3.4,
it can be represented as 16909060.
Huh.
And you can put that in after HTTP colon slash slash.
And I did that.
I found out what Google's IP address is
by pinging google.com.
Yeah.
I found a service online
that will turn an IP address
into an integer. And I went to http://thatinteger. And it gave me a warning about the certificate
not being right because the certificate is for google.com and not whatever that integer is.
But I went through anyway. And sure enough, I wound up at google.com. It works just fine.
Huh. This is new to me.
I did not know this was possible.
You can also denote the IP address in hexadecimal or in octal.
And you can even mix octets if you want.
We call these numbers octets.
They're really just eight bits.
But you can define one octet
as a hexadecimal number. You can define one octet as a decimal number by putting no prefix in front
of it. And you can define another octet as an, as an octal number by putting a zero in front of it.
Right. And it will work. So really the idea is now I'm obfuscating where you're going, and that's the entire attack. And I'm making you think that you're going someplace not malicious by putting a non-malicious URL in front of the at sign.
But everything in front of the at sign is disregarded in HTTP.
of, I mean, is it fair to say a relic functionality or, you know, a functionality from that reveals the very early technical slash nerdy start for all this stuff?
Yeah, it does.
It does.
And maybe it's time for the HTTP protocol to change.
But if you do that, you start being non-standard.
Yeah.
Right?
Really, what's happening here is the HTTP, the protocol says we're not going to use anything, any username or password
here. There are other methodologies within HTTP to do that. So just disregard them.
The real danger is, of course, just the social engineering potentials here. Yeah. Right. Cause if I send you, Dave, check out this thing
I found on Instagram, instagram.com at some random number, random looking number slash
my malicious link. Yeah. It's not going to look like a, a malicious URL to you. It's going to
look very similar to, the only thing that's going to stand out is that at sign. And if you know to look for the at sign, okay, maybe you find it. But if you don't know to look for the at sign,
there's a good chance you're going to click on it. Well, this says Instagram.com.
Right. And if you hover over it, it's even going to say, hey, ghost Instagram.com.
Right. But, well, it will look like that, but it doesn't actually.
Yeah. Yeah. All right. Well, interesting stuff. I should also note that Mandiant has posted some YARA rules that you can use to detect this sort of thing.
So hats off to them for that.
Indeed.
Again, this is research from the folks over at Mandiant.
Nick Simonian is the one who published this on their blog.
It's titled Don't At Me, URL Obfuscation Through Schema Abuse.
Joe Carrigan, thanks for explaining it to us. It's my pleasure, Dave.
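A defender's way to see through the two tricks Joe describes in the segment above (the decoy domain before the at sign, which HTTP ignores, and an IPv4 host written as a single integer, in hex, in octal, or in a mix of bases) is to resolve a link to the host it really reaches before anyone clicks it. The parser below is an added example written for this page; it is not code from the episode, from Mandiant's write-up, or from their YARA rules. Function names such as analyze_url and ipv4_from_host are this example's own, and it goes a little beyond the conversation by implementing the general browser rule for numeric hosts (one to four dot-separated components, the last one absorbing the remaining bytes), of which 1.2.3.4 becoming 16909060 is one instance. The sample links at the bottom are constructed to match the shapes discussed, using the hypothetical joesmaliciouswebsite.com from the conversation.

```python
"""Resolve the effective destination of an http(s) URL and flag the
obfuscation tricks discussed above. Added example, not from the episode
or from Mandiant; names and sample links are this example's own."""
import re
from urllib.parse import urlsplit

# Something that looks like a registered domain name (used to spot decoys).
_HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def _parse_ipv4_part(part: str):
    """Value of one IPv4 component, honouring the 0x (hex) and leading-0
    (octal) prefixes browsers accept. Returns None for a non-numeric part."""
    if part.lower().startswith("0x"):
        digits, base = part[2:], 16
    elif len(part) > 1 and part.startswith("0"):
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    if digits == "":
        return 0 if base != 10 else None     # a bare "0x" counts as zero
    try:
        return int(digits, base)
    except ValueError:
        return None


def ipv4_from_host(host: str):
    """Interpret a host the way browsers interpret numeric IPv4 forms:
    1 to 4 components in decimal, hex or octal, with the last component
    absorbing whatever bytes remain, so '1.2.3.4', '0x1.2.3.4' and
    '16909060' all yield the same 32-bit integer. None if not numeric."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                          # a trailing dot is tolerated
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_ipv4_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    if any(v > 255 for v in values[:-1]):
        return None
    if values[-1] >= 256 ** (5 - len(values)):
        return None                          # last part overflows its bytes
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    return (addr << (8 * (5 - len(values)))) + values[-1]


def dotted_quad(addr: int) -> str:
    """Canonical a.b.c.d spelling of a 32-bit address."""
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyze_url(url: str) -> dict:
    """Report where an http(s) link really goes and which tricks it uses."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Everything before the last '@' is userinfo, which HTTP discards.
    decoy = netloc.rpartition("@")[0] if "@" in netloc else ""
    host = parts.hostname or ""
    flags = []
    if decoy:
        flags.append("userinfo_before_at")
        if _HOSTNAME_RE.match(decoy.split(":")[0]):
            flags.append("userinfo_looks_like_hostname")   # decoy domain
    effective_host = host
    addr = ipv4_from_host(host)
    if addr is not None:
        effective_host = dotted_quad(addr)
        if host != effective_host:
            flags.append("non_canonical_ipv4")   # integer / hex / octal / mixed
    return {"scheme": parts.scheme, "decoy": decoy, "host_as_written": host,
            "effective_host": effective_host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample links in the shapes discussed above (not real sites).
    for link in ("http://google.com@joesmaliciouswebsite.com/",
                 "http://instagram.com@16909060/my-link",
                 "http://0x7f.0.0.1/", "http://0177.0.0.1/",
                 "https://google.com/"):
        print(analyze_url(link))
```

Running the block prints one report per sample link; for the Instagram-shaped link the effective host comes out as 1.2.3.4 with all three flags set, which is the kind of signal a mail gateway or link-rewriting proxy can act on. The parser deliberately does not try to validate the decoy as a "real" site: the only thing that matters for the verdict is the host after the at sign.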
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Thank you. cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K
and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin
and senior producer Jennifer Ivan.
Our mixer is Trey Hester,
with original music by Elliot Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilby,
and I'm Dave Bittner.
Thanks for listening.
We'll be back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.