CyberWire Daily - PLA spyware keeps Tibetans under surveillance. Cyber conflict between Ukraine and Russia, some conventionally criminal, other state-directed. US Executive Order addresses supply chain resilience.
Episode Date: February 25, 2021
FriarFox is a bad browser extension, and it’s interested in Tibet. Ukraine accuses Russia of a software supply chain compromise (maybe Moscow hired Gamaredon to do the work). Egregor hoods who escaped recent Franco-Ukrainian sweeps are thought responsible for DDoS against Kiev security agencies over the weekend. A look at Babuk, a new ransomware-as-a-service entry. VMware servers are patched. Verizon’s Chris Novak looks at the 2021 threat landscape. Our guest is Andrew Hammond from the International Spy Museum. And a US Executive Order on supply chain security. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/37
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
FriarFox is a bad browser extension, and it's interested in Tibet. Ukraine accuses Russia of a software supply chain compromise. Maybe Moscow hired Gamaredon to do the work. Egregor hoods, who escaped recent Franco-Ukrainian sweeps, are thought responsible for DDoS against Kiev security agencies over the weekend. A look at Babuk, a new ransomware-as-a-service entry. VMware servers are patched. Verizon's Chris Novak looks at the 2021 threat landscape. Our guest is Andrew Hammond from the International Spy Museum. And a U.S. executive order on supply chain security.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 25th, 2021.
Security firm Proofpoint this morning released a study of a Chinese People's Liberation Army threat actor, TA413, that's deployed a malicious Firefox browser extension, FriarFox, in a surveillance campaign directed against Tibetans. TA413 has also used ScanBox and Sepulcher malware in its operations so far this year. The unit's targets include Tibetan groups, both domestic and in the Tibetan diaspora. Proofpoint assesses TA413's toolset as technically limited, but quite effective against dissident communities, which, after all, have what Proofpoint aptly calls a low barrier to compromise. The campaign also suggests a shift to more open-source tools on the part of the PLA.
Ukraine's National Security and Defense Council has accused Moscow of compromising a Ukrainian government file-sharing system, the System of Electronic Interaction of Executive Bodies. ZDNet thinks the group responsible is Gamaredon, a group widely regarded as a proxy for Russian intelligence services. Gamaredon has certainly been active against Ukrainian targets in the past, but it's an odd duck. While often thought of as an advanced persistent threat, that is, a government-run operation, in some respects it doesn't really act like a government agency, or even a straight-up contractor like Iran's Mabna Group. For one thing, Gamaredon doesn't restrict its targeting the way a government operation normally would, nor is it entirely indiscriminate in the way the lower-end cybercriminal gangs tend to be. For all that, Gamaredon is both noisy and aggressive. Research by Cisco's Talos Group suggests that Gamaredon is also a mercenary player in the criminal-to-criminal market. Talos wrote in its recent report on Gamaredon, "We should consider the possibility of this not being an APT at all, rather being a group that provides services for other APTs while doing its own attacks on other regions." So, a kind of contractor, perhaps, a criminal organization that hires its services out to intelligence services, but that also does business with other criminals while its principal state sponsor, by general agreement Russia, turns a blind eye. So, Gamaredon is one of the most active and undeterred actors in the threat landscape. It does the work of an APT, but it uses a cybercriminal style.
It's worth noting that the operation the NSDC describes seems to be a software supply chain compromise. As NSDC tweeted, "the attack belongs to the so-called supply chain attacks. Methods and means of carrying out this cyber attack allow to connect it with one of Russia's hacker spy groups." This is therefore a different matter entirely from the distributed denial of service attacks Ukraine complained of at the beginning of the week. The DDoS attack targeted both the National Security and Defense Council and the SBU Security Service, Bleeping Computer reports. And Ukrainian authorities did claim that the attack had its origins in Russia, in, as they put it, Russian traffic networks. The NSDC describes the DDoS thusly: "Vulnerable government web servers are infected with a virus that covertly makes them part of a botnet used for DDoS attacks on other resources. At the same time, security systems of Internet providers identify compromised web servers as a source of attacks and begin to block their work by automatically blacklisting them. Thus, even after the end of the DDoS phase, the attacked websites remain inaccessible to users."
But it seems that this denial-of-service harassment was probably the work of the Egregor criminal gang, thought to be retaliating for the arrest of three of its members by the Ukrainian participants in a big bilateral Franco-Ukrainian law enforcement sweep. Alleged members of Egregor, we should of course say, allegedly engaged in criminal activity. These particular alleged hoods seem to have belonged to Egregor's ransomware-as-a-service sub-gang. French authorities in particular had blood in their eyes because, as France Inter reports, Egregor was, allegedly, implicated in ransomware attacks against hospitals. So, Paris and Kiev, good hunting, go get them, they're, allegedly, bad guys.

Researchers at McAfee this morning released their study of Babuk ransomware, a new strain detected earlier this year. It's another entry into the ransomware-as-a-service market, whose operators hawk it in both Russophone and Anglophone criminal-to-criminal markets. It uses the familiar attack vectors common in the ransomware space: phishing emails, of course, but also exploitation of compromised accounts and access gained through unpatched systems with known vulnerabilities. Babuk's criminal customers seem so far to be most interested in hitting victims in the transportation, healthcare, plastics, electronics, and agriculture sectors. Their activity has extended to a number of geographical regions, and the malware doesn't use the sorts of local language checks often employed to keep the operators out of hot water in countries whose legal systems tend to be vigilant and unforgiving. McAfee's notes on Babuk see an interesting division of labor across its two principal linguistic communities. The operators will use an English-language forum for announcements, but a Russian-language forum for affiliate recruitment and ransomware updates.
ZDNet reports that more than 6,700 VMware servers were exposed to a remote code execution vulnerability, now patched. Proof-of-concept exploit code was posted online yesterday, and researchers at Bad Packets report seeing mass sweeps in progress looking for vulnerable servers. Positive Technologies, which has been working with VMware to address the vulnerability, has published a technical analysis of what's up and what's at stake. Patches are available from VMware.

And finally, U.S. President Biden yesterday signed an executive order directing a comprehensive review of the resilience of American supply chains. The order includes, but isn't limited to, software supply chains. Other areas specifically addressed include biomedical supply chains, an obvious nod in the direction of COVID-19 vaccine development and delivery, and IT hardware. Several cabinet departments are directed to look at the chains they have a particular responsibility for or interest in, and the tasking runs through most of the departments, from agriculture to transportation. The order's comments about securing the U.S. supply of chips, the semiconducting kind, drew good reviews from a surprising source, Huawei. The Washington Post reports, with some show of surprise, that the Shenzhen tech giant likes what it sees. Huawei's U.S. CSO Andy Purdy told the Post, "It seemed like Huawei was a distraction while the U.S. wasn't doing enough to address real cybersecurity supply chain risk, and not doing enough to make sure America can build the competitive lead that America has over China and technology innovation." So, in Shenzhen's view, disaggregating security from economics is a move in the right direction. There will have to be a number of other steps before the security-based barriers to Huawei's participation in U.S. markets will fall, but Huawei is hopeful.
If you find yourself in Washington, D.C., you may consider a trip to the International Spy Museum, a place that houses many things that are surely of interest to listeners of this program. I recently caught up with Dr. Andrew Hammond. He's historian and curator at the International Spy Museum.

I think the way that I would describe it would be an Aladdin's cave of thousands of really cool objects from the world of international espionage and intelligence. And those include things from the real world that were used by agencies like the CIA and MI6, but also stuff from the fictional world. So we have one of James Bond's cars in our entry foyer. So for me, it's like an Aladdin's cave of really cool stuff. We've got a bunch of exhibits on a variety of different topics that guide the uninitiated through the world of intelligence and espionage, but also give people that are more in the know lots of really good food for thought. So I think that's probably the way that I would approach that.

As the Spy Museum's historian and curator, how do you approach your job? How do you select the things that you are going to bring into the organization to then share their story with the public?

I mean, for me personally, I just look for a really interesting story behind the artifact. So with espionage and intelligence, some people are more into the tech stuff. Some people are more into the gadgets. For me, I'm more into the story. So there can be a really cool story behind the object.

For our audience of cybersecurity specialists, are there any artifacts that you have there that you think would be particularly interesting to them?

Yeah, there's one that I absolutely love and I get really excited about. And some people think that maybe I have some kind of mental illness because of it. And it's a shard from the Aurora test, and I think it was 2007. So why does that matter? So some of your listeners will know this, but the Aurora test in 2007, they were basically using cyber zeros and ones to affect the physical world. And they essentially just threw an electrical current out of balance until this generator exploded. So we have a piece of metal from that test. So you look at it, and you're thinking, it's a piece of metal. A piece of metal is a piece of metal is a piece of metal. But it's the story that's behind it. And the whole history of the world, we've been going down a certain path. And I think with that generator test, I think we turned a corner. I think we turned a corner in terms of the cyber world and in terms of moving forward into a new era. So we can even think about things like, say, nuclear weapons or other missile delivery systems. Now, with everything being plugged into the grid, we can use zeros and ones. We can use zero days to get into some of this stuff and to do stuff that's going to interact and interfere with the physical world.

That's Dr. Andrew Hammond, historian and curator at the International Spy Museum. He's also the host of the International Spy Museum's podcast. It's titled SpyCast. Check it out.
And I am pleased to be joined once again by Chris Novak. He is the Global Director of Verizon's Threat Research Advisory Center. Chris, it's always great to have you back.
You know, it's hard to believe that we're already a couple months into 2021 here. I want to check in with you and see what sort of things are on your horizon for the rest of the year. Any predictions for what we might see?

So I wish I could say that I have really positive news, but unfortunately my predictions, if I were to look into my crystal ball, unfortunately, I'd say that they're quite negative. And normally, anybody who knows me would tell you that I'm a pretty optimistic kind of guy. But I think when it comes to this, I look at, you know, for example, you look at the typical time it takes to discover the fact that a breach has occurred. And most often we see that it's, you know, eight months or sometimes more. And, you know, through no fault of anybody, I think the reality of it is we've all been highly distracted by what's been going on with the pandemic. And for good reason, right? Life and safety typically takes priority for everybody. But the challenge I see is if you look at the fact that most breaches take eight months or more to discover, look at where we are. And it's actually kind of interesting the timing of this conversation that you and I are having, because had we had this conversation just before some of the recent big breaches that are now just starting to make the news, my prediction, man, I would have, I should have played the lottery on what I'm saying here, because it's all coming true starting now, right? And honestly, I think that's going to unfortunately continue because so much of what happened during COVID is only now being discovered.

Yeah, that's a really interesting aspect is that lead time before discovery or revelation of, you know, bad guys could have been taking advantage of all of the chaos that happened in the COVID transitions. I'm wondering though, I mean, is there the reality that we'll be sort of settling in through 2021 that we've, you know, organizations will have their new normal, they're going to be able to spend more. They're not so much in a sort of a frantic transitional mode to say, okay, this is the way it's going to be for a little while. Let's get our house in order. Let's settle in and, you know, sort of secure things, knowing that this is how we're going to be operating here for the, at least for the short term.

Yeah. And I think there's, there's something to be said for that because I think you're right that 2021, I think will, whatever the new normal will be, I think we will be settling into it, right? People will be starting to go back to offices in some way, shape, or form. And I think the biggest challenge we faced with 2020 and the pandemic was there was so much change and it happened so incredibly fast. And, you know, people don't like change. A lot of people want to be able to say, look, I know what I'm doing today, this afternoon, tomorrow. People generally like to have a plan and like predictability. And I think that was something that we really just didn't have for most of 2020 that made it very difficult. I think some of the predictability will start to come back with 2021. I'm not saying that we'll be like we were pre-COVID. I think there's going to be a lot of things different about how we operate for the next several years, but I think predictability will start to come back in a new way. But I think the challenge that will still exist on the cybersecurity front, unfortunately, I think is that so much, I mean, think about it. If you were to look at the normal breach landscape and say that it's typically events are discovered about eight months after they've started, that's in a pre-COVID time period when our SOC was all in the building, sharing information, looking at the big giant screens, and everyone was plugged in 24-7 to what everybody else was doing. For a good chunk of 2020, we were far from operating in ideal conditions, right? Many people were trying to figure out how to move their gear to home, how to connect to the different systems or tools, how to do their conference calls with their dogs barking in the background, you know, whatever it is, right? And there's lots of distractions. Kids are learning at home and tugging on their parents while their parents are probably trying to watch their SOC screens to try and figure out if something's going on in the environment. So I think if you even just assume that that adds somewhat of an additional delay to our detection period, that means we're probably not looking at average detection of eight months. We're probably looking at average detection of nine to 10 months, right? So if you think of where we are with, you know, COVID really kind of hitting in March for a lot of, you know, the world, you know, we're really just kind of getting into the beginning of what would have been ideal detection. But I think to your point, I hope we'll be settling in and be in a better position to do the incident response and actually tackling the problems in 2021.

Well, there's always 2022, right, Chris? We can be optimistic towards that, right?

Tell me, I'll tell you, I really want to, that's for sure. I'm hoping 2021 is great, but yeah, the data makes me question it.

All right, fair enough. Well, Chris Novak, thanks for joining us.

You bet, Dave. Take care.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.