CyberWire Daily - Section 230 survives court tests. Pre-infected devices. IRS cyber attachés. DraftKings hack indictment. Notes on the hybrid war.
Episode Date: May 19, 2023

Section 230 survives SCOTUS. Lemon Group's pre-infected devices. The IRS is sending cyber attachés to four countries in a new pilot program. A Wisconsin man is charged with stealing DraftKings credentials. Russian hacktivists conduct DDoS attacks against Polish news outlets. An update on RedStinger. Grayson Milbourne from OpenText Cybersecurity discusses IoT and the price we pay for convenience. Our guest is Matthew Keeley with info on an open source domain spoofing tool, Spoofy. And war principles and hacktivist auxiliaries.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/97

Selected reading.
“Honey, I’m Hacked”: Ethical Questions Raised by Ukrainian Cyber Deception of Russian Military Wives (Just Security)
A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks (Wired)
CloudWizard APT: the bad magic story goes on (SecureList)
Ukraine at D+441: Skirmishing along the line of contact, and in cyberspace. (The CyberWire)
Russian dissident gets three years in prison colony for DDoS attacks on military website (Cybernews)
Europe: The DDoS battlefield (Help Net Security)
Russian hackers hit Polish news sites in DDoS attack (Cybernews)
18-year-old charged with hacking 60,000 DraftKings betting accounts (Bleeping Computer)
Garrison Complaint (Department of Justice)
IRS-CI deploys 4 cyber attachés to locations abroad to combat cybercrime (IRS)
IRS deploys cyber attachés to fight cybercrime abroad (The Hill)
Cybercrime gang pre-infects millions of Android devices with malware (Bleeping Computer)
This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide (The Hacker News)
Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices (Trend Micro)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K.
Section 230 survives SCOTUS, Lemon Group's pre-infected devices.
The IRS is sending cyber-attachés to four countries in a new pilot program.
A Wisconsin man is charged with stealing DraftKings credentials.
Russian hacktivists conduct DDoS attacks against Polish news outlets.
An update on Red Stinger.
Grayson Milbourne from Open Text Cybersecurity discusses IoT and the price we pay for convenience.
Our guest is Matthew Keeley with information on an open source domain spoofing tool, Spoofy.
And war principles and hacktivist auxiliaries.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, May 19th, 2023. The Supreme Court made decisions on two cases concerning the liability of social media platforms
that contain terroristic content.
Both cases, Twitter versus Taamneh and Gonzalez versus Google,
were initiated by the families of ISIS victims in Paris and Istanbul.
The case against Twitter raised the question of whether the platform can be accused
of aiding in terrorism for hosting tweets from ISIS.
The case against Google asks if their recommendation system is protected
under Section 230 of the Communications Decency Act, which Article 19 explains,
grants legal immunity to online platforms for content posted by third parties
and allows platforms to remove objectionable content without exposing themselves to liability.
The Supreme Court unanimously ruled in favor of Twitter and dismissed the case against Google.
A cyber criminal gang called Lemon Group has been leveraging pre-infected Android devices for malicious activity, Trend Micro reports. No
fewer than 8.9 million devices, primarily budget phones, have been affected. According to the
Hacker News, the gang has also been seen branching out to Android-based IoT devices.
Bleeping Computer reports that the pre-installed malware, Gorilla,
allows the hackers to load additional payloads, intercept texts, and hijack WhatsApp.
The infected devices were reportedly reflashed with new ROMs,
although it was not determined how the devices were initially infected.
As the researchers explain, reflashing is reprogramming and/or replacing the existing firmware of a device with a new one. The highest rates of infestation have been found in the U.S.,
Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
The IRS announced yesterday that it would begin a cyber attaché pilot program extending to four countries. The Hill reported that attachés will be sent to Australia, Colombia, Germany,
and Singapore. This is not the first instance of IRS criminal investigation agents being sent abroad, and the IRS has a permanent cyber attaché at The Hague in the Netherlands.
In a statement announcing the program, IRS CI Chief Jim Lee said,
In order to effectively combat cybercrime, we need to ensure that our foreign counterparts have access to the same tools and expertise we have in the United States.
Joseph Garrison, an 18-year-old from Wisconsin,
was charged yesterday for hacking into approximately 60,000 DraftKings sports betting accounts in November of 2022.
The complaint filed by the FBI explained that Mr. Garrison was able to purchase credentials from a third-party site and sell around 1,600 of the hacked accounts, causing about $600,000 to be withdrawn from the victims.
Bleeping Computer explains that Mr. Garrison is also accused of running a dark web trafficking site that sells hacked accounts.
The complaint alleges that law enforcement had located an undated picture showing that Goat Shop had sold over 225,000 products
for a total sales revenue of over $2 million. Polish news agencies were taken offline yesterday
by distributed denial-of-service attacks, Cyber News reports.
The Polish government attributes the actions to Russian hacktivists.
Such groups are well known to function as auxiliary cyber forces.
DDoS campaigns have become a characteristic feature of Russia's hybrid war.
HelpNet Security, citing a study by Aurelian,
reviews the ways in which DDoS attacks attend geopolitical conflict.
TASS is authorized to disclose that Yevgeny Kotikov has been convicted of crimes
intended to disrupt the Russian Federation's IT infrastructure.
Kotikov was reportedly involved in a computer DDoS attack
organized by the Ukrainian side on the information systems
of subjects of the critical information infrastructure of the Russian Federation.
He will serve three years in a penal colony.
CyberNews has a description of the conditions that accompany such a sentence.
Suffice it to say, they are not good.
Malwarebytes has recently reported on a cyber espionage group of
uncertain provenance, Red Stinger, which appears to have selected targets on both sides of Russia's
war against Ukraine. Kaspersky researchers this morning released a report on a group they call
Cloud Wizard, and which they explicitly identify not only with Red Stinger, but also with the groups responsible for earlier operations in the region going back as far as 2008.
Kaspersky, as a matter of policy, doesn't attribute cyber operations to nation-states.
Who's behind Red Stinger remains an open question.
Whoever it turns out to be, Wired points out,
the ability to quietly mount offensive cyber campaigns over a
15-year period is remarkable. And finally, in war, even a just cause doesn't always equate to
just conduct. Ukrainian-aligned hacktivists have conducted deception operations designed to unmask
the identities of Russian officers and cause other
mischief in the lives of enemy leaders. Some of those actions have involved deceiving the
officers' family members, specifically their wives, into unwitting participation.
Just Security has a thoughtful overview of the ways in which this and other activity in cyberspace
have served to erode respect for the customary principles
on which the norms of armed conflict are founded.
Specifically, the principle of discrimination
between combatant and non-combatant
seems to be flouted by much hacktivist activity.
While it might seem that deceiving a family is trivial
in comparison with ordering the bombing of a hospital,
which one of the Russian officers caught up in the deception is alleged to have done,
any coarsening of moral sensibilities is dangerous.
Governments need to exercise control over their auxiliaries as much as they do over their regulars.
Coming up after the break,
Grayson Milbourne from OpenText Cybersecurity discusses IoT and the price we pay for convenience.
Our guest is Matthew Keeley
with information on an open-source domain spoofing tool,
Spoofy.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Matthew Keeley is Senior Application Security Engineer at SeatGeek and was previously Senior Security Consultant at Bishop Fox,
where he developed an open-source tool called Spoofy,
which checks domains against SPF and DMARC records.
With most common cybercrime being phishing,
it only makes sense to have a tool that can sort of tell if domains can be spoofed.
And so what I mean by that is when somebody sends an email to you,
a lot of times what can happen is when you receive the email,
what an attacker can do is they can actually change the name of where the email came from
or the location of where it came from or anything like that.
And in doing so, you can spoof the email so that it lands perfectly in the victim's inbox and looks legitimate.
So what attackers are doing is they're sending these spoofed emails into victims' inboxes.
And a lot of times it's for phishing.
Sometimes it's for sending wires to different locations.
Sometimes it's to get credentials.
Sometimes it's to download malware.
But ultimately, the reason the Spoofy tool was built
was to be able to determine and identify
why domains were accepting these malicious emails
and how to prevent them.
Well, if we can dig into a little more of the background here, where do we stand with
existing tools that are trying to help with this sort of thing?
Things like DMARC.
Right.
So there are some existing tools, but not a lot of them are completely accurate in terms
of domain spoofing.
So domain spoofing is quite complex and it goes rather deep into the SPF and DMARC records.
So what those are is basically with the role of SPF, which is the sender policy framework,
what it does is it acts as a text record on the DNS settings for a given domain.
And so what it will do is it'll act like a guest list for a party, for example.
And so it'll specify what email servers are allowed to send
emails on behalf of that domain. So a good example that I give in one of the blog posts that I've
written about it is that if you have a domain and you want your HR system greenhouse to be able to
send emails on your behalf, what you can do is you can actually set that up in the SPF record.
And so those emails will be able to send as your domain,
cyberwire.com, for example, and send through like that.
And so what we sort of run into is that attackers can abuse the way
that these SPF and DMARC records are set up
to be able to land these domains in the inboxes.
And there are tools to be able to monitor and track the records.
However, they're quite ambiguous and not always one-to-one with the RFC for SPF or DMARC.
So what we find is that there's a ton of domains out there that are still misconfigured,
and a lot of people just don't know it. So Spoofy is an open source tool here.
Walk us through it. What exactly does it do?
Yeah, so Spoofy is a Python 3 tool.
It's an open source tool.
And basically what it will do
is it will take in a list of domains
and it will validate the SPF and DMARC records
of those domains.
So there's a huge chart
that a very great researcher named Alex Royce created.
And it's all the logic of every single edge case
that could possibly happen
when you have a SPF and a DMARC record.
And so what he did is he took a list of about,
I'd say about 50,000 domains,
and he went through them all one by one
to figure out every single edge case that could happen
when you send an email to some sort
of inbox. And so what we ended up finding and what we created Spoofy to do was to catch all those
edge cases. So you could have a perfect SPF record that works just as you would expect it to,
but some weird syntax there or something weird that you set up in the DMARC record,
and everything can go wrong and then the domain can still be spoofed.
So what Spoofy does is it's a tool that handles the scalability of that.
So it will take in a huge list of domains.
It's multi-threaded, so it can go anywhere from 100 domains
to a couple hundred thousand domains.
And it will validate those SPF and DMARC records
and tell you if the domain is spoofable or not.
And so who is this for? What's the ideal use case here?
Yeah, so a lot of the feedback we've been getting is mostly people that are in IT on the blue teaming side.
Originally, I wrote it as a red team tool, and it's actually a tool that's listed in the Red Team Ops course by RastaMouse.
But it can be used by both.
So red teamers are using it to find domains that they can send spoofed emails on behalf of
and then go and trick set for their organization.
And Blue Teamers are taking their list of domains.
So they may take it out of GoDaddy or Route 53.
They're pumping in their listed domains and validating
that their SPF and DMARC records are correct. So sort of one of those tools that we intentionally
wrote for red teamers, and then it started actually being more popular in the blue team space.
Why was it important for you and your colleagues to make this an open source project?
So the thing with open source tools is it's supposed to help everybody, right?
So if we wanted it just to be a red team tool,
more on the malicious side,
it wouldn't really make sense in that aspect.
There are tools out there that do
some of the stuff that Spoofy does.
However, we took a lot of what the other tools were doing
and then combined it all into one tool
that basically will check your
SPF includes.
It'll check everything.
Being open source, we get a lot more
community feedback. It's useful
for anybody that wants to use this
sort of thing.
We're not gatekeeping this technology.
It should be able to be used by
anybody to protect their domains.
And people can get it on GitHub, yes?
Yep, absolutely.
So it's on GitHub.
I think it's github.com/MattKeeley/Spoofy.
And we just released version 1.01, which allows for multi-threading.
So now we can go through about 1,000 domains in roughly 15 seconds.
So a lot more scalability in that aspect.
That's Matthew Keeley from SeatGeek.
You can learn more about Spoofy
on the Bishop Fox website.
Be sure to check out the extended version
of this interview.
It's part of CyberWire Pro.
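As an added, simplified illustration of the SPF and DMARC logic Keeley describes (an offline check of the "guest list" record and the DMARC policy, not Spoofy's own code; the domain names, TXT records and verdict rules here are constructed assumptions, and Spoofy's real edge-case table is far larger):

```python
# Added example, not Spoofy's own code: offline SPF/DMARC spoofability check.
# Sample records are constructed; a real check fetches TXT records from DNS
# and follows include:/redirect= lookups, which this example does not do.
import re
from dataclasses import dataclass

@dataclass
class Verdict:
    domain: str
    spoofable: bool
    reason: str

def spf_all_qualifier(txt_records):
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'. None when no
    SPF record exists; 'permerror' when more than one v=spf1 record is
    published (RFC 7208 treats that as a permanent error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    if len(spf) > 1:
        return "permerror"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    # No 'all' mechanism: RFC 7208 default result is neutral, same as '?all'.
    return "?"

def dmarc_tags(txt_records):
    """Parse a single v=DMARC1 record into a tag dict; None if absent or duplicated."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    tags.setdefault("pct", "100")  # DMARC default: policy applies to all mail
    return tags

def classify(domain, spf_txt, dmarc_txt):
    """Combine both records the way a receiver would for unsigned forged mail."""
    q = spf_all_qualifier(spf_txt)
    d = dmarc_tags(dmarc_txt)
    policy = d.get("p", "none") if d else None
    if q == "+":
        # Every sender passes SPF, so an aligned forgery satisfies even p=reject.
        return Verdict(domain, True, "SPF '+all' passes any sender")
    if policy in ("reject", "quarantine"):
        if int(d["pct"]) < 100:
            return Verdict(domain, True, f"p={policy} applied to only {d['pct']}% of mail")
        return Verdict(domain, False, f"DMARC p={policy} enforced on 100% of mail")
    # No DMARC record or p=none: only SPF stands between a forgery and the inbox.
    if q is None:
        return Verdict(domain, True, "no SPF record and no DMARC enforcement")
    if q == "permerror":
        return Verdict(domain, True, "multiple SPF records (permerror), no DMARC enforcement")
    if q == "-":
        # Hard fail; rejecting on SPF alone is receiver-dependent, so still flag it.
        return Verdict(domain, True, "SPF '-all' but DMARC not enforced (receiver-dependent)")
    return Verdict(domain, True, f"SPF '{q}all' (soft/neutral) and DMARC not enforced")

# Constructed sample zone data: domain -> (SPF TXT records, _dmarc TXT records)
SAMPLE_ZONES = {
    "good.example": (["v=spf1 include:_spf.example.net -all"],
                     ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"]),
    "soft.example": (["v=spf1 ip4:192.0.2.10 ~all"], ["v=DMARC1; p=none"]),
    "plusall.example": (["v=spf1 +all"], ["v=DMARC1; p=reject"]),
    "dup.example": (["v=spf1 -all", "v=spf1 ip4:192.0.2.20 -all"], []),
    "partial.example": (["v=spf1 -all"], ["v=DMARC1; p=reject; pct=50"]),
}

def scan(zones=SAMPLE_ZONES):
    """Batch mode, like feeding Spoofy a domain list: returns {domain: Verdict}."""
    return {dom: classify(dom, spf, dm) for dom, (spf, dm) in zones.items()}

if __name__ == "__main__":
    for v in scan().values():
        print(f"{v.domain:16} spoofable={str(v.spoofable):5} {v.reason}")
```

The blue-team use Keeley describes is the batch path: feed your own registrar export through scan() and fix every domain that comes back spoofable.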
And joining me once again is Grayson Milbourne.
He is Security Intelligence Director at OpenText Security Solutions.
Grayson, it's always a pleasure to welcome you back to the show.
I think like a lot of folks over the holiday, my home was populated with some additional IoT devices.
It seems inevitable these days, but you make the point that IoT in general is something that we need to keep an eye on.
Yeah, you know, it's one of these great new conveniences that technology has added to our lives. And while it's great that we can connect things and have little robots that keep our house nice and tidy,
a lot of people really don't think about the security element of this.
And some unfortunate data has come to light recently that shows that the vendors of these convenience
applications and robots and smart appliances, they're collecting a lot more information than
I think people realize. And as one example, there was a story a couple weeks ago about data coming
on to the internet from Roomba vacuums and people in the bathroom. Right, right. You know, wait a second.
I thought I was just getting a clean floor.
And now my pictures are on the internet.
Wait a second.
And so that's just one example.
But the reality is, is when we really look at IoT devices across the board,
security is very frequently not even part of the thought process, right?
They want to make something, bring it to market,
and learn about as much as they can
about you in that process. And protecting your information, you know, as we've seen, if you look
at the Roomba box, it doesn't say that it has a camera, right? It doesn't, you know, they're not
advertising these additional functionalities. And I think that's a really serious security and
privacy breach. What about for folks who are in charge of protecting organizations? What sort of
IoT vigilance should they have? Yeah, well, so I think that that's really where businesses need to
pay attention because you can have a smart water heater or toaster or a lot of other, like, kitchen
appliances are often becoming smarter and smarter today, and a lot of offices have overlap there.
And I think the challenge is that these devices can have vulnerabilities that can leak the network authentication data. And so
I think it's mostly important to segment them on your networks properly. And you can actually do
this at home. And so the advice I give also to my friends and family is that IoT is really
convenient. And also having a separate network for your IoT
isn't that difficult to set up. I personally got a mesh network system for my house so that I have
like a mesh network that gives me better Wi-Fi signal throughout the house.
And I just put my IoT on the mesh network and it sits behind my router that has my regular
internet and then that broadcasts my Wi-Fi to my phone and to my PCs.
But basically everything else that's not a personal device like that sits on the mesh network.
Businesses can easily do something similar in which these devices only have limited access.
What about inventorying the devices themselves?
I mean, I often hear people say that it's hard enough just keeping track of everything
that's been hooked up to their network or their Wi-Fi. Right. And so, you know, technology has
done somewhat of an improvement here. So I can speak at least for Comcast. I have them in my
house and they have an app that lets me tag devices by their MAC address when they join the network.
You can set it up so you get an alert. And so I've gone through and I've named the things that are on my network so that instead of it
being, because a lot of them aren't as transparent as you would hope they would be. And so that's
one way, right? And then just becoming more familiar with your router and modem and not
looking at it like a black box that spits internet out. But instead, you know, they've really, I
think, made it user-friendly, at least in the ones I've experienced, to be able to just block internet access to certain devices based on the MAC.
So you kind of have some firewall functionality within these routers today that's easily controlled through the mobile app.
And so I think that's one thing that helps.
But another question I often get is, how do I vet and choose and know which is the safest IoT device to get?
Right.
And I think that that's actually still a big challenge that I would like to see industry solve through something sort of similar to Energy Star.
But there could be Security Star IoT that is a set of standards that ensures that just data transmission is done using proper secure channels
and that data storage is done properly,
abiding to GDPR or something of a similar regulatory framework
that ensures your data is protected.
Unfortunately, that doesn't yet exist.
And so I think one of the things that I always look for
is understanding where is my data stored. And most of the time, they're pretty transparent about, you know,
is it local to the device? Is it something that's up in the cloud? And for me personally,
when I shop for IoT devices, I really look for things that, you know, don't send a lot of
information to the cloud or that keep everything on my local network because it worries me, right?
For example, like I have a doorbell, a smart doorbell, which I think is a really nice security feature, but I don't trust everybody who comes to my house.
That's not public knowledge, right? So I shopped around to find a doorbell that doesn't send the
data to the cloud that keeps it all local, but I can still access it. So I think it depends on
your own personal privacy boundaries,
but there are definitely competitive advantages
to considering security as part of the device.
In fact, some of the ones that, the example I mentioned,
that brand advertises based on that kind of security mindset.
So you can look for that in the meantime.
Yeah.
And just be mindful to not be shopping strictly on price, too.
Yeah.
I mean, I think that's a very good point.
There's a saying that when something is free, you're the product.
Right.
And so we look at social media like that and Facebook and these platforms that harvest your data for their data mining,
you know, IoT is an extension of that in many ways. And if you think about just like the smart
vacuum or like a Roomba, Amazon bought Roomba. Roomba has a good idea of what's in your house
and where it is and if it's been moved and, you know, like what are they doing with all this
information? And obviously, you know, they're going to argue that they're trying to be convenient and
offer smarter, more intelligent suggestions based on improved understanding of you. But is that all
they do with the data? How is it protected? To me, those types of things make me nervous. And so
I try to limit my exposure in that regard. Yeah. All right. Well, good advice as always.
Grayson Milbourne,
thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Willie Vasquez from the University of Texas at Austin. We're discussing his research, the most dangerous codec in the world,
finding and exploiting vulnerabilities
in H.264 decoders.
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law
enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest
investment, your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by Rachel Gelfand.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.