CyberWire Daily - Tension in Eastern Europe. A Hong Kong watering hole. US, EU join the Paris Call. Cybermercenaries. CISA’s plans for countering disinformation, and for forming a white-hat hacker advisory group.
Episode Date: November 12, 2021

Notes on rising international tension in Eastern Europe. A watering-hole campaign in Hong Kong. The US and the EU have joined the Paris Call. NSO Group's prospective CEO resigns his position before formally assuming it. Void Balaur, a cybermercenary group, is active in the Russophone cyber underground. Johannes Ullrich on leaked vaccination cards and Covid tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory. CISA intends to increase its capacity to work against misinformation and disinformation. CISA also intends to recruit white hat hackers to an advisory board. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/218 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Notes on rising international tension in Eastern Europe, a watering hole campaign in Hong Kong. The U.S. and the EU have joined the Paris Call. NSO Group's prospective CEO resigns his position before formally assuming it. Void Balaur, a cybermercenary group, is active on the Russophone cyber underground. Johannes Ullrich on leaked vaccination cards and COVID tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 12, 2021.

Since international conflict inevitably brings cyber conflict in its wake, we begin with a brief account of rising tension in Eastern Europe.
Ukraine has expressed concern over Russian troop movements near its borders,
and other governments have seconded Kiev on the matter.
Bloomberg quotes U.S. Secretary of State Blinken
as saying the deployments resemble the run-up to the 2014 invasion of Crimea.
There are also problems between Belarus and its neighbors.
Minsk's push of migrants over the Polish, Latvian, and Lithuanian borders, which Foreign Policy calls exporting instability, and Belarusian President Lukashenko's threats to stop natural gas deliveries to the EU should the EU sanction Belarus, according to the Washington Post, are additional sources of friction. According to the BBC, in the view from Warsaw, the Russian and Belarusian actions represent a campaign coordinated by Moscow. Bloomberg writes that the U.S. has warned the EU of the possibility of a Russian attack against Ukraine, but Russia's ambassador to the UN, according to the Military Times, says there will be no invasion unless Russia is provoked, and then cites alleged instances of provocation, which would seem to undercut peaceful reassurances.
Expect cyber tensions to rise accordingly.
Google's Threat Analysis Group has outlined a watering hole campaign apparently designed by a well-resourced group, likely state-backed, exploiting a macOS zero-day to spy on Hong Kong democracy advocates. Google's researchers write, "The watering hole served an XNU privilege escalation vulnerability, CVE-2021-3869, unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor." Google disclosed its discovery to Apple, and Apple patched the vulnerability in the last week of September. Google doesn't say which state is the likely backer of this particular campaign, but the report is being widely received as calling out a Chinese intelligence operation.
The Chinese services have been taking a greater interest in Taiwan lately, too. That's the conclusion of Taiwan's National Defense Report for 2021, released Tuesday, which describes significant increases in Chinese collection against what Beijing regards as a breakaway province. Breaking Defense sees Taipei's report as echoing many of the conclusions of the U.S. Defense Department's China Military Power Report, which also sees Taiwan as one of China's principal targets.
The U.S. and the EU have announced that they'll join the Paris Call for Trust and Security in Cyberspace, agreeing to support the Call's nine principles. The U.S. adherence to the Call represents a change from the previous administration's policy.
So far, 80 states, 36 public authorities and local governments, 391 organizations and members of civil society, and 706 companies have joined.
The Paris Call's nine principles are worth reviewing.
First, protect individuals and infrastructure.
Second, protect the Internet.
Third, defend electoral processes.
Fourth, defend intellectual property.
Fifth, non-proliferation.
Six, lifecycle security.
Seven, cyber hygiene.
Eight, no private hackback.
And nine, international norms.
The CEO-designate of controversial intercept vendor NSO Group has stepped down before formally assuming leadership of the company, Reuters reports. Isaac Benbenisti explained in his letter to NSO Group's chairman that special circumstances arising from the company's placement on a U.S. blacklist render it impossible for him to carry out his vision for the firm's future.
NSO Group has been controversial in many countries, and its position as a prominent vendor of readily abused surveillance tools has become an embarrassment to the Israeli government. The Jerusalem Post reports that the Palestinian Authority said this week that several employees of its foreign ministry have had NSO's Pegasus tool installed on their phones. The Israeli Defense Ministry, the Post says, declined to comment, and NSO Group said that it's not the operator of the products it sells. Any abuse, in the company's view, is the responsibility of the operators.

Trend Micro has published an extensive report on a cybermercenary operation it's calling Void Balaur, and whose activities the researchers say at first appeared to be associated with the GRU's APT28, or Pawn Storm. On further review, however, they think it likelier to be linked to the mercenary group also known as Rocket Hack, which was itself described earlier this year. Void Balaur has been advertised in underground C2C markets since 2017, at least. As far as Trend Micro can tell, the group has an exclusively Russophone clientele.
"To our knowledge, Void Balaur has never advertised in underground forums that were not Russian-language oriented. However, there used to be a website on rockethack.me that was registered on February 21, 2018, and that was available on its bare IP address until at least December 2020. On the website, Void Balaur listed services such as hacking into mailboxes or flooding them with spam, distributed denial-of-service attacks, and flooding phone numbers in Commonwealth of Independent States or CIS countries only."

For what it's worth, the criminal word of mouth about Void Balaur is pretty favorable. "The feedback that Void Balaur receives on underground forums is unanimously positive. Posters mention that the hacking service delivers the requested information on time, while others commented positively on the quality of the delivered information from mailboxes. Yet others posted about passport details they had requested."

Void Balaur's offerings would be equally attractive to criminal gangs and espionage services. The latter, Trend Micro points out, would regard the cybermercenaries as strategic assets.
Some developments at the U.S. Cybersecurity and Infrastructure Security Agency
are worth mentioning.
First, the agency continues to issue advisories on ICS security.
CISA yesterday released 18 industrial control system advisories.
Second, Director Easterly said that her agency intends to increase its capacity to work against disinformation and misinformation. The Hill reports that the move to expand that capacity is motivated by the experience of the 2020 U.S. election. And third, CISA intends to bring a set of white-hat hackers into a cybersecurity advisory board, which, according to the account in Roll Call, would not only serve as a source of advice, but would also help preclude the growth of an underground market for zero-days.
And finally, some sad news for the cybersecurity industry. Alan Paller, founder of the SANS Institute and for many years a leader in the sector, passed away Tuesday at the age of 76. He's being especially remembered for his contributions to education in the field. Our condolences to his family, friends, and colleagues. His was a life well lived, and he will be missed.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Attivo Networks recently released research highlighting the gaps in securing Active Directory, and that many organizations are struggling to identify the best tools and techniques to do so. Carolyn Crandall is Chief Security Advocate and CMO at Attivo Networks.
Active Directory, it's remarkable for it being the main directory service of most organizations. However, it's not often thought about. It's more relegated to kind of a plumbing maintenance. But what's been seen in so many major attacks today is that attackers are getting in and they're exploiting Active Directory. And because it really is the keys to the kingdom, they're then able to conduct these massive attacks and demand very large ransomware payments. And so what is happening is organizations are needing to rethink how they protect their Active Directory and try to find ways to kind of build that castle and moat around Active Directory, especially in today's distributed world. It's just now there's no longer a perimeter border. So now you've got to think about it as far as identities and how they'll access this resource and how to better protect it, given that that's how they'll be trying to exploit it and get in.
So what are you and your colleagues there at Attivo tracking in terms of how folks are coming at Active Directory?
So we track it on many fronts. We like to follow the attacker. And if you start at the endpoint, you look at the exposed credentials and how the attacker is able to find the attack paths and the access into Active Directory. And they're looking for everything from the credentials that may be left there so that they get privileged access. And then they're looking for other exposures and vulnerabilities to be able to get in so that they can take control. And once they are able to get control, then they're able to do things like download mass amounts of malware. They can reset security policies. They can do things to hide their tracks. They can delete backups. They can do all kinds of damaging things. And so once you hit that Active Directory level, you're looking at the visibility to those exposures. Plus, you're also looking at the live attack activity in order to see when those things such as a mass account change is being made, or mass password changes, or things like DCShadow or DCSync type of attacks, or those favorite golden ticket type of attacks that can be quite deadly. And so you're really looking for that activity to be able to detect it before any real damages can be done.
And how do users get insights onto that?
I mean, what are your recommendations in terms of detection methods?
Yeah, a lot has changed. I mean, before, a lot of people would be using logs and other things to look for unusual behavior. But unfortunately, there's just not enough AD administrators and time, quite honestly, to do this in the manual way that's been done before. And so what you've seen in the last year is a lot of automation coming around automated Active Directory security assessments. And you can use tools for that. So there you can see visibility to vulnerabilities and also the exposure. So not just, you know, are you patched, but also where those misconfigurations are.
And then there's also some really cool two levels of technology. One is to see if an attacker is trying to enumerate Active Directory. And then there's also cool concealment technology that's out today that actually hides the Active Directory objects from the attacker and then will misdirect them. And they do this by feeding it disinformation. And it's amazing because if the attacker's using their typical tools, like say BloodHound or Mimikatz, they're going to do their query. They're going to get the information back that they think they're supposed to get. And so they're going to take action, but it's really disinformation that can just steer them into a decoy. And here they kind of spill their beans, right? Now they get all the information collected on their TTPs and they get information so they can shut down that attack, but also get counterintelligence on how that attacker is attacking them. So it's super efficient. It throws off the real attackers. We see it all the time with pen testers and the red teams come back and say, hey, I got into your Active Directory. And now fortunately the defenders are like, well, no, not really. Here's every step you took, you know, from 20 command sets in about what you're doing. So it's really fascinating technology.
You want to know if somebody is in, tampering with your Active Directory. And it's a really no-excuse situation anymore, right? You know, if it is your crown jewels and it can change and cause such damaging harm to your organization, then whether it's driven by compliance or insurance policies, things are going to get tighter. And not protecting your Active Directory could be seen as negligent behavior. And so we know it's coming in 2022, a lot of changes around it. So I definitely encourage businesses to get ready for it and to change their security architectures. It's not hard to do, not expensive to do either, but get ready for the things that are going to be expected around Active Directory protection, because it's just not acceptable not to protect that valuable of a resource anymore.

That's Carolyn Crandall from Attivo Networks. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast, which I must admit is my second favorite daily cybersecurity podcast for obvious reasons. Johannes, it's always great to have you back. I wanted to touch base today about vaccination cards and COVID tests. You know, I recently went in and got my booster shot, and I felt really good about that. But one of the things that struck me is that there's nothing particularly secure about these cards that they're handing out these days.
Yeah, and that's part of the problem. So, you know, fake cards. But in order to get a fake card, a great fake card, you need some information that looks legitimate. Like, for example, the lot number of the vaccine should be one that actually has been used in a particular area. That can sort of be used to identify fake cards. What happens, sadly, more and more is these cards leaking. Now, initially, we have seen people posting them on social media, but with some of the regulations, for example, around travel, your airline or even a travel agent or someone that arranges travel for you, a hotel, may ask you to provide them with a copy of the card, and what easier to do than just send it to them in an email. And what we are seeing is these vaccination cards, but also COVID test results, leaking more and more. And essentially all it takes is a decent Google query in order to find them. So that's one problem, that people just overshare a little bit. And I don't really want to just point to social media. It's also sending them as an email. For example, what we found is there are a bunch of these cards and vaccination results and test results on VirusTotal. VirusTotal, what a lot of people don't realize, makes essentially all the documents that you upload public. Now, you need paid access for the data to search it, but still, it's public. It's, after all, owned by Google. So Google is in the business of making data like this public and searchable.
You know, I think that's a really interesting point. I mean, do you have any insights into to what degree are things that we send around in email, attachments that go out via email, are bad actors scanning for that stuff actively?

Yeah, what often happens is, in particular with email attachments like PDFs, and often in this case it is a PDF, that some organizations are essentially using scripts to upload these files to VirusTotal. It saves them buying all of these virus scanners themselves, and then trusting VirusTotal's results whether or not a file is malicious, which is on the surface not a bad idea. But inadvertently, in sending these documents to VirusTotal, they make them public. And yes, actually, COVID test results are probably one of the lesser issues here as far as confidential documents that are being uploaded.

So are you saying that really all it takes is a paid membership to VirusTotal and you have access to all of these scanned documents?

Correct. You have to find the right keyword to search for, and then it's essentially kind of like a Google search, but just against the database of documents uploaded to VirusTotal. So you definitely should be a little bit careful, and I don't want to take away from the value of VirusTotal. They provide a very valuable service. As an alternative, instead of uploading the document, you can also just query a hash of the document with VirusTotal to see if it was already uploaded and either found to be malicious or not malicious. So that's another option. Not quite as good as uploading the actual document if you're trying to find malware, but probably a better compromise.
I mean, is this a situation where perhaps folks should be using different services or, dare I say, paying for services to scan their email?

Yeah, it's not that terribly hard to build your own little virus portal, and not that terribly expensive necessarily, given that all you have to buy is a couple licenses for different virus scanners and maybe create a script, and probably you can even find one that already exists that does these scans for you on-premise on your systems. But that's old-fashioned, David. Nobody's doing anything on-premise anymore. We all send our data to the cloud and cross our fingers and hope for the best.

Yes, I stand corrected, of course. All right. Well, Johannes Ullrich, thanks for joining us.

Thank you.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. If you find yourself with some free time this weekend, be sure to check out Research Saturday and my conversation with Tara Gould from Anomali. We're discussing their research, Inside TeamTNT's Impressive Arsenal: A Look Into a TeamTNT Server. That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and ... Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.