CyberWire Daily - No crackdown on ransomware from Moscow (at least so far). Cyber Partisans in Belarus. A long-running Chinese cyber campaign. Phishing and other cybercrime. Mercenaries.
Episode Date: September 15, 2021
That Russian crackdown on ransomware gangs people thought they were seeing? Hasn't happened, at least according to the FBI. The Cyber Partisans take a virtual whack at President Lukashenka's government in Belarus. Operation Harvest is complicated and long-running. Phishing with a promise of infrastructure funding. The criminal market for bogus vaccine cards. Johannes Ullrich from SANS on dealing with image uploads - vulnerabilities in conversion libraries. Our UK correspondent Carole Theriault on Deepfakes - what you need to know now. And a deferred prosecution agreement in a "cyber mercenary" case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/178 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
That Russian crackdown on ransomware gangs people thought they were seeing hasn't happened, at least according to the FBI. The Cyber Partisans take a virtual whack at President Lukashenko's government in Belarus. Operation Harvest is complicated and long-running. Phishing with the promise of infrastructure funding. The criminal market for bogus vaccine cards. Johannes Ullrich from SANS on dealing with image uploads: vulnerabilities in conversion libraries. Our UK correspondent Carole Theriault on deepfakes: what you need to know now. And a deferred prosecution agreement in a cyber mercenary case.
From the CyberWire studios at DataTribe, I'm Elliot Peltzman, filling in for Dave Bittner, with your CyberWire summary for Wednesday, September 15th, 2021.
Hope that Russian authorities were cracking down on ransomware gangs has proved to be a false dawn. FBI Deputy Director Paul Abbate yesterday told the Intelligence and National Security Summit what o'clock it was, and dawn is still a long way off. The Bureau has seen no evidence of Russian cooperation or unilateral action against the cyber gangs. The Record quotes Abbate as saying, quote, based on what we've seen, I would say there is no indication that the Russian government has taken action to crack down on some ransomware actors that are operating in the permissive environment that they've created there, end quote. The U.S. has requested action and cooperation, but these haven't been forthcoming. Quote, I would say that nothing's changed in that regard, the deputy director added. The temporary occultation of the REvil gang, after some high-profile ransomware attacks were followed by some direct talk from Washington to Moscow, had raised hopes in some quarters that the U.S. had succeeded in altering Russia's toleration and encouragement of privateering in cyberspace. But that appears not to have been the case. REvil is back, and if you take the gang at its word, they were more or less just out for a smoke, and now break time is over.
The U.S. is thus mulling what to do about ransomware in particular, as a matter of national policy. The Director, NSA, General Paul Nakasone, told the AP that, quote, even six months ago, we probably would have said, ransomware, that's criminal activity. But if it has an impact on a nation like we've seen, then it becomes a national security issue. If it's a national security issue, then certainly we're going to surge toward it, end quote. The surge would involve, at the very least, increased attention to the problem and more of the familiar imposition of costs on the bad actors. While you can't shoot your way out of the problem entirely, there may be a role for more aggressive action. Bloomberg quotes the U.S. National Cyber Director Chris Inglis, also speaking at the Intelligence and National Security Summit, to the effect that, quote, there is a sense that we can perhaps fire some cyber bullets of a kind and shoot our way out of this. That will be useful in certain circumstances. If you had a clear shot at a cyber aggressor and I can take them offline, I would advise that we should do that so long as the collateral effects are acceptable, end quote. But of course, attacks against specific adversary assets in cyberspace, and with respect to ransomware we're talking mostly about Russian assets, are unlikely to be sufficient to deter Russian leadership.
Chris Inglis says, quote, […]
It does, however, seem to be the case that NSA and U.S. Cyber Command are indeed contemplating a surge against ransomware in cyberspace.
The Washington Post this morning reported on the fortunes of Cyber Partisans, a dissident hacktivist group in Belarus. The group, thought to be composed of about 15 Belarusian expatriates and believed to have the support of some dissidents within Belarus's security apparatus, has been an inveterate critic of President Lukashenko's government. The Cyber Partisans now claim to have obtained access to recordings of more than 5 million calls outlining repressive measures the government instituted after last year's disputed presidential election, widely believed to have been fraudulent. Evidently, the regime not only taps its own operators, but is also sufficiently leaky to have lost control of the recordings to the Cyber Partisans.
McAfee this morning published a study of Operation Harvest, a cyberespionage campaign the researchers believe to be operated by a Chinese threat group, either APT27, aka Emissary Panda, or APT41, Wicked Panda or Winnti. Perhaps both. It's a complex and long-running effort marked by multiple privilege escalation and persistence techniques and presence in the network.
The security firm INKY reports finding a new phishing campaign prompted by the recent U.S. infrastructure bill. The hoods send a bogus email purporting to be from the U.S. Department of Transportation. The phishbait says, essentially, that since a trillion bucks and change is about to flow from the government to those savvy enough to position themselves for it, you too, recipient, should ring the bell on that gravy train. Basically, the crooks are after Microsoft credentials, and their approach is direct, simple-minded, and, alas, all too likely to persuade the unwary. The email simply says, "U.S. DOT," that is, the U.S. Department of Transportation, "invites your business to submit bids for the department's projects," followed by a big blue click-here button. It continues, "Quotes will be submitted online in the bid system after signing in." Experienced textual critics of U.S. government requests for proposals will be moved to skepticism, but those unused to government work might bite on that phishbait.
As vaccine mandates are planned and brought into effect, the criminal market for bogus vaccine passports has surged with the new policy-driven demand, security firm Check Point reports. The key conclusions they reached in their study are that the criminal market for fake vaccine certificates has expanded globally to 28 countries. The most recent additions are Austria, Brazil, Latvia, Lithuania, Malta, […],000 vendors of phony certificates operating on Telegram. That number has now swollen by an order of magnitude, with more than 10,000 hoods now hawking bogus vaccine passports. Demand is driving up prices. They currently range from about 85 to 200 USD per document. Since President Biden began talking about a vaccine mandate, the value of a U.S. card has doubled from 100 to 200 USD. As a general rule, Check Point thinks everyone should be aware that genuine vaccination certificates aren't sold over the internet. As their report puts it, quote, as a general statement, genuine health-related certificates are not sold over the internet. Anybody who is offering to sell such documents over the internet is clearly doing so illegally. We recommend people not engage with sellers publishing on such groups or marketplaces anywhere across the web, end quote. And insofar as it makes sense to talk about price gouging in a criminal market, dog bites man: crooks are greedy.
And finally, the U.S. Department of Justice has reached a deferred prosecution agreement with three former intelligence and military personnel who provided services to the UAE that violated export and computer abuse laws in the course of work they undertook on behalf of the UAE. Quote, […] 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. intelligence community or the U.S. military, entered into a deferred prosecution agreement that restricts their future activities and employment and requires the payment of $1,685,000 USD in penalties to resolve a Department of Justice investigation regarding violations of U […] ways of doing business abroad, with not only the permission, but with the positive encouragement of U.S. law. But providing unlicensed export-controlled defense services in support of computer network exploitation, in a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, […] The Emirati company that hired them was identified by the New York Times as DarkMatter. The three gentlemen who reached the agreement must pay almost $7 million USD and forgo the opportunity to ever receive a security clearance. They also agreed to keep their noses clean and cooperate with investigators for the next three years.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
In Nina Schick's book on deepfakes, she writes that the rapid rate of change has made our information ecosystem ripe for exploitation. Increasingly, bad actors ranging from nation states to lone influencers are using this new set of circumstances to spread disinformation, or information that is meant to mislead. And she says compounding this issue is the fact that we're still in the foothills of the AI revolution. It's going to lead to a further evolution of our information ecosystem. And that's where the idea of deepfakes comes in. Where are we at with them? They became a thing a few years ago, but they keep bobbing in and out of the press as though there's something nebulous about them. I asked Javvad Malik, he's a security guru at KnowBe4, what his view on deepfakes is. Here's what he had to say.
I think from a deepfakes point of view, there's two use cases that I think we're going to see more of, which is quite frightening. One is where they're using a layered attack. And by that, I mean where you might get a text message, and to reinforce that you'll get an email, and then to reinforce it you'll see a deepfake video. I might send you a WhatsApp message saying, hey Carole, check out this video, and then I'll email you and say, did you check your phone? Check that out. And then I might text you to get your notice, right? And then because you're receiving the same message on multiple platforms, it becomes far more believable and you're more likely to get sucked into it, because you're like, well, if these people believe it, then it must be true. In a layered attack, we're going to see more use of that.
The second part is really in misinformation and disinformation campaigns. The truth is kind of like on one end and complete falsehood is on the other end. It's the grey area in between that a lot of people are always on the fence about. They can be shifted one way or another. And the deepfakes, they're very good when they're used sparingly, in small amounts, just to mix in the right amount of doubt into something to cause you to question the validity of something.
So, um, they're sneaky.
Exactly. Just the right amount.
They're just sneaky.
Exactly. That's the perfect term. And what it does is it's just enough to sow those seeds of doubt into it, just to get you thinking, well, you know, maybe the government is doing this. Maybe the DVLA is after us like this. Maybe, you know, there's all these kinds of little things that you can do. And by that, what you create is dissent, because you divide people's opinions. The small changes or small differences of opinion can have really big impacts very quickly. And that's where deepfakes will probably be really impactful.
I think he's right. I think it is the people that are in the middle, that aren't strongly attached to one view or another, that are probably most vulnerable in this situation. So those of us that consider ourselves in the grey area, maybe continue to exercise extra vigilance out there. This was Carole Theriault for the CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it's always great to have you back.
You know, I can't help but think about images as being benign. And I know I should have shed that assumption long ago, but it's still hard for me to think of something like a good old JPEG or a GIF image as being anything but just what it is, just an image. But that's not the case anymore. And you wanted to share some work that you and your colleagues have been doing when it comes to vulnerabilities in conversion libraries. What's going on here?
Yeah, Dave. Thanks for having me again. And this is really sort of one of those oft-overlooked things. It's actually not really new by any means. But images can be code in some cases. The main problem with images is that, first of all, there are so many formats and subformats. So you typically have to deal with dozens or so of different formats and the respective conversion libraries. And then images are most of the time compressed. And it turns out that whenever you deal with compressed data, it becomes a little bit difficult to allocate the correct amount of memory. And that's how you end up with your classic buffer overflow then. And that's what often happens with these libraries.
Now, where this really comes into play is if you are accepting image uploads, for example. So a lot of web applications allow customers, for example, to upload images, or you have web applications where you allow, for example, PDFs to be uploaded, which have similar issues, maybe even more so than your plain images. And you have to then display them back, either to an administrator that vets these images or to other users, for example, as part of a product review or whatever feature you have on your site that does allow users to upload images.
And so what's the potential problem here?
Probably the most obvious problem is what if you have a malicious file like a PDF? That's probably what people are most familiar with. And now an unsuspecting user is looking at the PDF and is getting exploited.
Well, there's a way to prevent this. And one common technique that developers have used in the past in order to prevent exposing their users to malicious content is they convert those images or files. So, for example, for a PDF, you can convert them to PostScript, and then back to PDF. There's a special version of PDF, PDF/A, that avoids a lot of the problems. But what you're doing then, and many people are not really aware of this, you're really sort of moving the problem from the user to your server. Basically, who would you rather have hit by malicious code? Is it your user browsing your website or is it your server? As a developer, well, let's go for the user.
Right, right. Depending on who you're talking to and what day of the week it is, you might get a different answer on that, right?
Correct, yes.
And so that's also, like, if you want to, for example, change the resolution, change the size of an image, there is a very popular open source library called ImageMagick to do this with. And it had a number of issues, and just recently again, that allowed an attacker to trigger code execution on the server as the image is reformatted.
So what are your recommendations here then? I mean, is this a situation where, you know, the software package you were just talking about, has that been updated? Has it been patched? Is this a matter of trusting your third-party code?
It is a little bit a matter of third-party code and trusting basically those libraries. The latest vulnerability here, which was a Ghostscript vulnerability here in ImageMagick, I'm not 100% sure if it has been fixed yet, but it was not fixed when the vulnerability was first announced. And it's also a relatively easy to exploit vulnerability. So you always have this window and how fast can you patch all of this stuff? That's also another problem here.
A very common mitigation technique here is really just assuming that stuff will go wrong. Stuff happens so often in IT. And isolate the process. Run the conversion in something like a Docker container, a virtual machine, whatever works for you. Something that you can easily reset after the conversion happens. So whatever exploit may have happened there is not going to leak any confidential data, it's not going to be persistent. And with that, you at least sort of limit the impact of any vulnerability like that.
All right. Well, interesting stuff. Johannes Ullrich, thanks for joining us.
Thank you.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Brandon Karpf, Tré Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner, and I'm Elliot Peltzman.
Thanks for listening.
Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.