CyberWire Daily - Notes from six months of hybrid war. Oktapus criminal campaign. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. US DHS shutters its Disinformation Governance Board.
Episode Date: August 25, 2022
Ukrainian and Russian cyber operations at six months. Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. Chris Novak from Verizon on DHS Cyber Safety Review Board's report on the Log4j investigation that Verizon conducted. Dave Bittner sits down with our guest Dr. Scott Crowder, CTO and VP, Quantum Computing, Technical Strategy and Transformation for IBM Systems to discuss the increasingly urgent need for industries to prepare for security threats that quantum could unleash. And the US Department of Homeland Security shutters its Disinformation Governance Board. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/164
Selected reading.
How Ukraine used Russia’s digital playbook against the Kremlin (POLITICO)
Ukraine's volunteer 'IT army' responds to Russian hackers, minister says (ABC News)
Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave)
How Russia-Ukraine cyberwar is impacting orgs: Two-thirds say they have been targeted (VentureBeat)
Twilio hackers breached over 130 organizations during months-long hacking spree (TechCrunch)
Roasting 0ktapus: The phishing campaign going after Okta identity credentials (Group-IB)
Bumblebee Malware Loader: Deep Instinct Prevents Attack Pre-Execution (Deep Instinct)
Akamai’s Insights on DNS in Q2 2022 (Akamai)
Following HSAC Recommendation, DHS terminates Disinformation Governance Board (US Department of Homeland Security)
Homeland Security Scraps Disinformation Board Attacked by GOP (Bloomberg)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ukrainian and Russian cyber operations at six months. 0ktapus criminal campaign compromises 9,931 accounts in more than 130 organizations. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. Chris Novak from Verizon on DHS's Cyber Safety Review Board's report on the Log4j investigation. Dave Bittner sits down with our guest, Dr. Scott Crowder, CTO and VP, Quantum Computing, Technical Strategy, and Transformation for IBM Systems, to discuss the increasingly urgent need for industries to prepare for security threats that quantum could unleash. And the U.S. Department of Homeland Security shutters its Disinformation Governance Board.
From the CyberWire studios at DataTribe, I'm Trey Hester, filling in for Dave Bittner with your CyberWire summary for Thursday, August 25th, 2022.
Politico reviews Ukraine's offensive cyber operations during the hybrid war Russia launched in February, and it concludes, loosely, that Kyiv has successfully executed portions of a playbook hitherto associated with Moscow. The article outlines four areas where it regards Ukraine as having been particularly successful. The first has come to be generally recognized: Ukraine has been far more successful than Russia at influence operations, controlling the narrative. It's done so without widespread use of coordinated inauthenticity, and it's operated in a highly distributed way that contrasts sharply with Russia's centralized, top-down approach to propaganda. It's also relied heavily on truth-telling. Moscow's approach has found some limited traction in Africa and Latin America; Ukraine has been far more successful in shaping international opinion. The second success is related, insofar as it also involves an influence campaign. Ukraine has succeeded in persuading Western tech companies to abandon Russia, effectively inducing an undesirable form of the internet autarky Russia has long sought. Third, Ukraine has succeeded in attracting international hacktivist support. Their work has largely been at a nuisance level, but it's been embarrassing to its Russian targets. Russia also made extensive use of hacktivists, but these have for the most part been at best privateers and often fronts for units of intelligence and security services. Ukraine has succeeded in crowdsourcing some of its cyber operations. Volunteers, many of them domestic, have also provided defensive resiliency to Ukrainian networks, ABC News reports. And finally, Ukraine has been able to use data against Russian interests, including both analytic tools from firms including Palantir and facial recognition tools from Clearview AI. In a look at the Russian phases of the cyber conflict, Trustwave researchers described the distinctive and characteristic tool of Russian operations, wipers. Those tools saw some success in the early days of the invasion, but have grown less prominent as the war has progressed.
Group-IB reports that phishing attacks against employees of Twilio and Cloudflare that impersonated Okta's identity and access management services formed part of a campaign that compromised 9,931 accounts in more than 130 organizations. Most of the victims were in the United States and were Okta users. Group-IB explains, quote, the initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication codes from users of the targeted organizations. With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to, end quote. The attackers showed a mixture of sophistication and inexperience, making use of simple commodity tools in a convincing way, but with static pages and a phishing kit ill-configured for mobile devices. The researchers developed some information on the threat actor behind what appears to be a criminally motivated operation. Subject X, as Group-IB calls him, is thought to be a 22-year-old software developer working from the U.S. state of North Carolina. Group-IB has shared what it knows with law enforcement.
Deep Instinct has released a report describing the Bumblebee loader. The threat actor used a phishing email to gain trust and then sent malicious files to the victim under the guise that the files were for a file-sharing platform. The files execute a script that drops the Bumblebee payload. This has been found by researchers to be consistent with activity from the threat actor Exotic Lily. Google's TAG says, quote, Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors, end quote. Exotic Lily has been described by Google's Threat Analysis Group as a financially motivated initial access broker that works closely with elements of the Russian underworld, particularly the gang tracked as FIN12 or Wizard Spider. Thus, Exotic Lily is a player in the C2C market.
Akamai this morning released a report detailing insights into DNS traffic in quarter two of this year. Researchers found that just over 12% of devices monitored by Akamai interacted at least once with domains associated with malware and ransomware. Malware and ransomware had the highest level of interaction, with 63% of potentially compromised devices interacting with those types of domains, whereas 32% of interactions were with phishing domains and 5% were with C2. High-tech and financial services were the most impersonated industries, with consumer attacks making up over 80% of phishing attacks. Kr3pto was also found to be the most used phishing toolkit, found in over 500 domains.
And finally, U.S. Secretary of Homeland Security Alejandro Mayorkas yesterday announced that his department was canceling plans to establish a Disinformation Governance Board. Quote, in accordance with the Homeland Security Advisory Council's prior recommendation, Secretary of Homeland Security Alejandro Mayorkas has terminated the Disinformation Governance Board and rescinded its charter effective today, August 24, 2022. With the HSAC recommendations as a guide, the department will continue to address threat streams that undermine the security of our country consistent with the law while upholding the privacy, civil rights, and civil liberties of the American people and promoting transparency in our work, end quote. The Disinformation Governance Board had drawn criticism as a step toward erosion of freedom of speech, which, of course, the department was at pains to dispute, but which nonetheless induced a pause in the board's formation and a request for advice, which the department has now received and accepted.
NIST, the U.S. National Institute of Standards and Technology, recently selected four new industry-wide cryptographic standards to help protect against the coming threat of quantum computers. It's complicated stuff, and so to help explain it all, I reached out to Dr. Scott Crowder. He's CTO and VP for Quantum Computing, Technical Strategy and Transformation for IBM Systems.
So quantum computers in general are really good at three kinds of math. So far, that's been proven. And one kind of math is solving, simulating nature. So the math around chemistry, materials development, all those kinds of problems. The second type of math that's really relevant for this conversation is around finding patterns in complex data. And factoring and discrete log kind of fall into that category. So the good news for society is also really good stuff that, you know, it can do as well, you know, in machine learning and other places. But for this conversation, the reason why we really are interested is because quantum computers, when they get big enough, will be good at that kind of math. And the third kind of math is kind of search, which has implications for portfolio optimization, risk, all that kind of stuff. It also can be applied for some of the symmetric as well. But the good news from a crypto point of view or a decryption point of view is that that speed-up is only polynomial. So you can just increase the number of bits in your symmetric system and you probably will be quantum resistant for quite some time. But for asymmetric, it's a little bit more serious because the fundamentals of factoring and discrete log and elliptic curve, et cetera, et cetera, really do need to get changed. Quantum computing, when they get large enough and low enough errors, will be able to do that math very efficiently.
You know, I think my perception certainly has been for a number of years that I guess in my mind, I kind of lumped quantum computing in with nuclear fusion.
Whereas, you know, there's that old joke about how it's always 20 years away, no matter when you ask.
But it seems as though we're getting closer with this technology. Where do we stand today?
What do folks in the business estimate a realistic timeline might be?
Yeah, I mean, so I'm not going to give you a date for the decryption part because I never want to underestimate human ingenuity. But from just basic making quantum computers practical, when I started getting involved in this six years ago now, we had a five-qubit system that we had just put on the cloud and let people play with. And the error rates on the fidelities on those things were like 99%. And to make them practical, we need to get the scale of them up to in the hundreds to thousands, and the fidelities for the basic operations into 99.99% or 99.999% fidelity, because then you can start using error mitigation to trade off. And over the last six years, we've gone from five qubits to 127. We'll be at 433 this year, over 1,000 next year. So from a scale point of view, we're rapidly improving. And then from a gate error improvement, we've gone over an order of magnitude improvement in the last five years, and we demonstrated in the last year 99.9% two-qubit gate fidelities. So at IBM, we've kind of published a year by year, very detailed roadmap, you know, going out to the middle of this decade to 2026 with what we're going to deliver every year to kind of cut through the hype and say, okay, today these systems are not big enough or low enough error rates in order for them to be practical, better than classical computers. But if we keep marching along, by the middle of this decade, they will. And that's probably when you're going to see the first practical use for other applications, not decryption, but for other applications like machine learning, like simulating nature, et cetera, et cetera. It's going to take a little while beyond that to get the systems large enough to really do the kinds of things that we're all worried about from a decryption point of view.
Well, let's go through the things that NIST has put out here. What strikes you as really deserving our attention here in the stuff that they've put out?
One standard for methodology for PKE, which is CRYSTALS-Kyber. And they put out three standards for digital signature, CRYSTALS-Dilithium, Falcon, and SPHINCS+. The first three that I mentioned are all based on some methodology of lattice cryptography. And then the last one uses a stateless hash methodology. Our team, not me personally, but our team in IBM Research has been working on this for many, many years. And in fact, the first three came out of IBM Zurich, working with their collaborators. So, you know, we feel fairly confident. Well, we felt fairly confident that NIST was going to select them because we had done a lot of work beating on them and making sure that we felt that those were going to be quantum resistant. And then the fourth one, you know, we actually hired the guy who contributed to that one as well. So we feel, we feel, personally, we feel like, I feel like, you know, NIST has done a good job of due diligence on these, you know, kicking the tires and have selected good standards here for the first round of these. And I think it's now at the point where we need to start working with, you know, government agencies and industrial clients, you know, in key areas where we need to protect the infrastructure to understand how we're going to leverage this, these algorithms, these schemes to implement, you know, starting with the areas that are the largest risk and then working from there.
Is it at all possible that we could have something along the lines of a Sputnik moment where one of our adversaries suddenly comes out and says we're farther ahead of this than we had expected them to be?
I would be surprised, but I'm not sure I would give too many people, you know, I wouldn... leverage error mitigation or some other technique to be able to use more noisy quantum computers to do, you know, effectively, you know, a variation of Shor's algorithm or something like that. That would surprise me a little bit less than, you know, an adversary all of a sudden having, you know, a quantum system that's like four years ahead of the state of the art in IBM or one of the other large players that are putting a lot of investment in. That being said, I wouldn't bet the national security on it. I think that's why it was important for NIST to do what NIST has done and the Biden administration and the U.S. government over multiple administrations really taking this seriously and asking the agencies across the board to get their acts together and put plans in place to become quantum safe.
That's Dr. Scott Crowder from IBM Systems.
And joining me once again is Chris Novak.
He is Managing Director for Security Professional Services at Verizon.
Chris, always great to have you back. I want to touch today on some work I know you and your colleagues have been doing when it comes to investigating Log4j.
What can you share with us today?
Sure. Yeah. Thanks, Dave. Always a pleasure to be here. So, yeah, the thing you're referring to there is the Cyber Safety Review Board. So for folks who may not be familiar, this was actually created by President Biden's Executive Order 14028 for all the GovGeeks out there. And we really kicked off in earnest February of this year, and the first investigation was into Log4j, as you noted. And it's interesting. It's a combination of government employees as well as private sector citizens essentially kind of looking at it through the lens of like an NTSB, but for cyber. And the first report was just released a couple of weeks ago now, and really gave some interesting insights into, you know, what it is that us as a cyber safety review board saw kind of manifesting in that Log4j situation. It was, you know, arguably one of the most serious software vulnerabilities that we've seen. And I think, you know, one of the things that really jumped out at everybody throughout the course of that investigation, and you'll see it noted in the report, is just the sheer challenge that every organization, large and small, had with just simply understanding where Log4j existed in their environment. For folks who are not keeping track on this one, it's a library that exists in lots of software, other open source software, other commercial software. Log4j itself is part of an open source software foundation managed by Apache. So that in and of itself created a lot of challenges for organizations, like I said, and just understanding where it exists to then be able to follow that up and say, how do we remediate it, right?
Yeah. I mean, is that revelation, would you consider that to be an aha moment of the investigation?
I would say it would be an aha moment for a lot of folks who were looking at the problem because I think historically everybody looked at vulnerability management in a lot of ways through the lens of, well, my vendor, my provider, my someone will give me a patch when something pops up. And what I think became very clear to a lot of individuals and a lot of organizations, especially if you're using things that are open source, is there may not be a specific cadence that the open source software community will work towards in terms of applying patches or releasing patches. Obviously, a lot of the work that we see that comes out of the open source software community is fantastic work. Some of the smartest minds in the world are contributing their talents to that work effort, but a lot of that is volunteer-based. And so things happen on a kind of as-available type of basis. There's not necessarily the same manner of operations as you might see, for example, for a commercial off-the-shelf piece of software where you're paying for that licensed software, you're paying for support. You may even have contractual terms that dictate, hey, if there is an issue or a bug, there is a timeline for a fix or a patch or some way to address it. When you're looking at open source, you don't necessarily have that. And I think to your point, I think everybody deep down recognizes that, but I think they started to see with Log4j the prevalence of it within a lot of other applications.
And so what are the recommendations going forward?
Yeah, so obviously one of the big things that comes out of it is this is, you know, we've kind of referred to it as kind of almost an endemic kind of problem in the sense that Log4j itself is going to be here for a while. There's still a lot of organizations still trying to wrap their arms around it. So a big piece of it is going to be monitoring and maturing vulnerability management practices within and across organizations so that they can at least try to get caught up on what this one looks like. And then also one of the big recommendations coming out of it is improving things like software bill of materials tooling and adoptability. Because a key component of being able to identify that it even exists in your environment is knowing what the ingredients are. You know, I say it's kind of almost like if you have an allergy to a specific type of food, knowing that it is part of your meal would be important. If you don't know kind of what that makeup is, you're going to struggle in understanding that there may be something underlying there that is a concern. So that software bill of materials, or SBOM, is very important. Another thing that was also a big recommendation coming out of it was evaluating the efficacy of something like a cyber safety reporting system. So kind of akin to, and one of the things that we really looked closely at is what the aviation sector did in terms of how employees and anybody involved in that sector could report things that might be of concern as it relates to security or safety. And there was a manner in which that could be filtered out, reviewed, investigated, and then determined what might ultimately happen from a mitigation or an improvement standpoint. Might there be an opportunity to do something like that for cyber as well?
Yeah, that's fascinating. All right. Well, Chris Novak, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliot Peltzman, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard. And I'm Trey Hester, filling in for Dave Bittner. Thanks for listening.
See you back here tomorrow.
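The Log4j segment of this episode turns on one practical question the CSRB report raised: can you tell, from a software bill of materials, which shipped artifacts still carry a vulnerable log4j-core? The Python below is an added example for this page, not code from the CSRB report, Verizon, IBM or the Apache project. It parses a small CycloneDX SBOM constructed here for illustration, walks nested components, and compares each log4j-core version against the final fix releases for the Log4Shell CVE family (2.17.1 on the mainline, 2.12.4 and 2.3.2 on the Java 7 and Java 6 maintenance lines, the point that trips up a naive "less than 2.17.1" check). It goes slightly beyond the conversation by also flagging end-of-life log4j 1.x jars, which are outside that fix line. The helper names, the fixed-version table layout and the sample component list are this example's own assumptions.

```python
"""Added example (not from the CSRB report, Verizon, IBM or Apache): scan a
CycloneDX SBOM for log4j-core versions still exposed to the Log4Shell
CVE family (CVE-2021-44228, -45046, -45105, -44832).

Assumptions: the SBOM below is constructed for illustration; helper names
are this example's own. Fixed versions follow Apache's advisories."""
import json

# Final fix release for each maintained line. 2.3.x and 2.12.x were kept
# alive only for Java 6 and Java 7; everything else must reach 2.17.1.
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)

# (group, artifact) pairs that identify the logging core we care about.
LOG4J_ARTIFACTS = {
    ("org.apache.logging.log4j", "log4j-core"),  # log4j 2.x
    ("log4j", "log4j"),                          # log4j 1.x (end of life)
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Keeps only leading numeric fields, so
    '2.0-beta9' -> (2, 0, 0) and '2.17.1-SNAPSHOT' -> (2, 17, 1)."""
    fields = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        fields.append(int(digits))
    return tuple((fields + [0, 0, 0])[:3])


def component_coords(comp):
    """Return (group, name, version), preferring the package URL because
    SBOM generators are more consistent about purl than about 'group'."""
    purl = comp.get("purl", "")
    if purl.startswith("pkg:maven/"):
        body = purl[len("pkg:maven/"):].split("?", 1)[0].split("#", 1)[0]
        path, _, version = body.partition("@")
        group, _, name = path.rpartition("/")
        return group, name, version or comp.get("version", "")
    return comp.get("group", ""), comp.get("name", ""), comp.get("version", "")


def walk(components):
    """Yield every component, descending into nested component lists
    (an 'application' component may bundle its own libraries)."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def assess_log4j(version_text):
    """Verdict for a single log4j version string."""
    if not version_text:
        return "version unknown: inspect the artifact"
    v = parse_version(version_text)
    if v[0] < 2:
        return "log4j 1.x: end of life, not on the Log4Shell fix line"
    fixed = FIXED_BY_LINE.get((v[0], v[1]), FIXED_DEFAULT)
    if v < fixed:
        return "vulnerable: upgrade to %d.%d.%d or later" % fixed
    return "fixed"


def find_log4j(sbom):
    """Return [(artifact, version, verdict)] for every log4j hit in the SBOM."""
    hits = []
    for comp in walk(sbom.get("components")):
        group, name, version = component_coords(comp)
        if (group, name) in LOG4J_ARTIFACTS:
            hits.append((name, version, assess_log4j(version)))
    return hits


# Constructed sample SBOM: a direct log4j-core, one nested inside a bundled
# application, and an end-of-life log4j 1.x jar. Not a real project's inventory.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "application", "name": "legacy-service", "version": "1.0",
     "components": [
       {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.4"}
     ]},
    {"type": "library", "purl": "pkg:maven/log4j/log4j@1.2.17"}
  ]
}""")

if __name__ == "__main__":
    for name, version, verdict in find_log4j(SAMPLE_SBOM):
        print("%s %s: %s" % (name, version, verdict))
```

Two design points matter in practice. The verdict keys off the (major, minor) line before comparing, because 2.12.4 and 2.3.2 are fixed releases even though both sort below 2.17.1. And the walk descends into nested components, since a bundled application that embeds its own log4j-core is exactly the kind of transitive inclusion that made the "where does it exist in our environment" question so hard during the Log4j response.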