CyberWire Daily - War crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). A backdoor for Roblox. Darkweb C2C trader sentenced. eBay newsletter conspirator pleads guilty. CIA gets a CISO.
Episode Date: May 13, 2022
Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google's new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/93
Selected reading.
Ukraine to put first Russian soldier on trial for war crimes | DW | 12.05.2022 (Deutsche Welle)
Russian soldier on trial in first Ukraine war-crimes case (AP NEWS)
First Russian soldier goes on trial in Ukraine for war crimes (the Guardian)
The Case for War Crimes Charges Against Russia's Sandworm Hackers (Wired)
Iranian hackers exposed in a highly targeted espionage campaign (BleepingComputer)
Iranian APT Cobalt Mirage launching ransomware attacks (SearchSecurity)
Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (The Hacker News)
Iranian Cyberspy Group Launching Ransomware Attacks Against US (SecurityWeek)
Please Confirm You Received Our APT | FortiGuard Labs (Fortinet Blog)
Roblox Exploited with Trojans from Scripting Engine (Avanan)
Ukrainian cybercriminal sentenced to 4 years in U.S. prison for credential theft scheme (CyberScoop)
Ukrainian sentenced to 4 years for selling hacked passwords (The Record by Recorded Future)
Ex-eBay exec charged with harassing newsletter publishers pleads guilty (Reuters)
CIA selects new CISO with deep private sector experience (The Record by Recorded Future)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Ukraine holds its first war crimes trial.
Are there war crimes in cyberspace? Iranian cyber espionage. Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google's new approach to cookies in Europe.
Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security.
And CIA gets a CISO.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 13, 2022. A captured Russian soldier has been placed on trial by Ukrainian authorities for the shooting of a civilian in the early days of the war.
He's described variously in the press as a commander, even a tank division commander.
But he's a 21-year-old sergeant, a tank commander, which makes him a vehicle operator, barely a leader at all.
And note that a sergeant in the Russian army does not have the authority or discretion that sergeants, even young ones, are commonly entrusted with in Western armies.
According to Deutsche Welle, the accused soldier's unit was fleeing Ukrainian forces east of Kyiv.
His tank disabled, the soldier is said to have fired at, stopped, and stolen a
civilian car. As they were driving away seeking safety, the soldier is said to have shot and
killed a 62-year-old man to prevent him from revealing their position. The soldier is said
to have acknowledged the killing but has yet to enter a plea. He's quoted as saying,
I was ordered to shoot. I shot one round at him. He
falls and we kept on going. It's not known who ordered him to shoot or how the order was received.
We open with this discussion because it establishes a context for a movement to
hold Russian operators accountable as war criminals for their actions in cyberspace.
The casual murder of civilians is obviously a war crime, and waging aggressive war is a recognized crime against peace. But what about cyber attacks?
Under what conditions might a cyber operation constitute a war crime? Wired reports that the
Human Rights Center at UC Berkeley's School of Law has formally requested that the Office of the Prosecutor for the International Criminal Court in The Hague
consider prosecuting the GRU's Sandworm Group for war crimes.
Those crimes weren't committed during the present war, however.
The alleged crimes were the December 2015 targeting of electric utilities in western Ukraine and the 2016 takedown of portions of the grid around Kyiv,
affecting hundreds of thousands of civilians.
The Human Rights Center is interested in bringing cyberspace under the scope of international law
and in securing recognition of cyberspace as a fifth domain of warfare.
The GRU's two cyberattacks are attractive cases for such purposes
because they're well-attested and unambiguously attributed.
They also had a clear kinetic effect.
They disrupted power distribution in portions of Ukraine.
And finally, and this is the most important for the laws of armed conflict,
the attacks were indiscriminate, not directed against a military target,
but instead directed against an essentially civilian population.
The extension of international law to cyberspace
and the deterrent effect this might have on other state actors
are the goals of the Human Rights Center's request.
Given that the sandworm hackers have already been indicted under domestic law,
including U.S. law, and have a price on their heads, as far as the individual operators are
concerned, an ICC action would amount to making the legal rubble bounce, but the Human Rights
Center is seeking to establish a principle. Fortinet describes a spear phishing effort against Jordanian diplomatic
targets that was evidently conducted by Iran. The lure is a familiar "please acknowledge receipt of this document" come-on, but the payload is more sophisticated than the usual run of criminal phishing. The Excel macro in the phish hook may have been accompanied by anti-analysis features. The malware itself slept for six to eight hours, and the attackers used DNS tunneling for command and control.
Their three command and control servers were also used unusually intelligently.
Two of them were tightly controlled and were brought up only at specific times.
The third server was apparently used for misdirection to make attribution more
difficult. Fortinet thinks the campaign was run by APT34, also known as Helix Kitten,
an Iranian government-directed threat group. Another Iranian threat group, APT35, or Charming
Kitten, has been, according to Hacker News, actively conducting ransomware attacks. The activity cluster is tracked by SecureWorks as Cobalt Mirage.
Two series of attacks are reported.
One uses BitLocker and DiskCryptor for financial gain.
The other, while it also deployed ransomware opportunistically,
is directed principally toward gaining access to and collecting intelligence from espionage targets.
Avanan reports that a Trojan file hidden within a legitimate scripting engine
that's used for cheat code is affecting users of the popular gaming platform Roblox.
The tool SynapseX installs an executable file that installs library files into the Windows system folder,
giving the program the potential to break applications, corrupt or remove data,
or send information back to the hacker.
SynapseX has legitimate uses, but in this case it's serving as a dropper,
and one of the files it's dropping is a backdoor.
The evident goal is to use Roblox as a way into networks of interest.
It's not simply a hack designed to annoy gamers.
CISA yesterday released an unusually large number of industrial control system advisories.
The U.S. Attorney for the Middle District of Florida has announced the sentencing
of Gleb Alexander Ivanov Tolpinsev,
a resident of Chernovosti, Ukraine, to four years in federal prison
for conspiring to traffic in unauthorized access devices and computer passwords.
He's also been ordered to forfeit the $82,000 he earned through his crimes.
Polish authorities arrested the suspect on October 3, 2020
and subsequently extradited him to the United States.
He copped a guilty plea on February 22 of this year.
It's a small but noteworthy blow against the C2C dark web markets.
Most of his criminal customers were interested in ransomware attacks and tax fraud.
They'll now need to shop
elsewhere. Reuters reports that David Harville, formerly eBay's director of global resiliency,
has taken a guilty plea to five counts of conspiracy and stalking. He is the last of
seven former eBay personnel to admit wrongdoing in the very strange case of stalking.
The victims were a mom-and-pop e-commerce newsletter,
EcommerceBytes, run from Natick, Massachusetts,
whose observations about eBay,
nothing particularly harsh or out of the ordinary for online reviews,
for some reason became a burr under the online auction giant's saddle.
The entire affair is very difficult to understand. Were the perpetrators so caught up in the little theater of their imagination that they lost the self-awareness
that would have led them to see that what they were doing was criminal? And finally, to turn
from crime and end on a high note, congratulations to Rick Bache, CISO at AIG, who has agreed to return to government service.
He'll be assuming duties as the Central Intelligence Agency's Chief Information Security Officer and Director of the Office of Cybersecurity.
Our best wishes for a successful tour of duty.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
It's fair to say that for many of us, our mobile devices are taking an ever-increasing percentage of the time we spend online,
and even tending to day-to-day business tasks.
With that being the reality, the security of those devices is of paramount importance.
Mary Writz is Vice President of Product Strategy for Consumer Identity at authentication technology provider ForgeRock.
21% of millennials open one of their mobile apps 50 times a day.
The rest of us open them up about 11 times a day.
But our lives are just moving online,
and organizations are more susceptible to cyber attacks as they shift their operations to adjust to that digital world.
So where do we stand in terms of what's
available to us in terms of authentication on those mobile devices? So you basically have
two options if you want to make it more secure than just a username and password. So you can go
with MFA or you can go with true passwordless authentication. Both of those will reduce your risk about 99.9% of the attacks.
The big attacks are account takeover attempts, phishing, man-in-the-middle attacks, that type of thing. MFA and passwordless.
And there's some pros and cons with those.
Well, let's dig into each of those.
Can you give us a little bit of a rundown?
Yeah, MFA is the most understood.
You know, MFA is a countermeasure.
It doesn't reduce the likelihood of an attack,
but it lowers the impact of phishing, brute force, credential stuffing.
And so when you think about MFA,
think about one-time passcodes to your cell phone or your email
or like a push notification that comes into your phone.
So these are things
that validate that you really are who you say you are. And then in terms of biometric
verifications, I think most of us are familiar with things like Face ID or Touch ID and the
equivalents on the various platforms. Yeah, biometrics are becoming much more popular
and they're great because the form factor is so easy to use.
What's interesting is the security under the hood when you use them can vary from mobile application to mobile application.
So the premier gold standard is FIDO WebAuthn, which is where you can remove passwords altogether.
And in terms of that being available to people, where do we stand?
It's ubiquitous in its support in both the device and the browser. And again, it's the strongest
form of authentication. And it's a really nice form factor. It's just your face or your finger.
The adoption is coming along. It's increasing. But I will say when it comes to adding authentication that's both
safe and simple, different demographics have different preferences. So I think what we see
enterprises doing right now is kind of defaulting to MFA and starting to move closer and closer to
passwordless over time by first introducing it as an option. Yeah, that's fascinating. And so for those folks
who are out there who are app developers who are looking to include these sorts of things
in the programs that they're working on, how should they go about doing that? I mean,
what are your recommendations? It's a great question because authentication is something
that's really important to get right.
And it's hard to make sure all of your app developers understand the intricacies and nuance of how authentication works.
So the easiest way is to use a vendor like ForgeRock who can provide an SDK to embed those options into your application really easily. So then you could embed your MFA options
or a passwordless option right into your app,
just being assured that it's installed
and configured the right way.
You know, there's a lot of talk about supply chain issues.
And so, I mean, I suppose there's give and take there, right?
I mean, on the one hand, you can trust a third party to provide that service for you.
But on the other hand, now you need to be concerned about what they're doing behind the scenes themselves.
Yeah, the supply chain right now is currently the weakest link.
And when we look at a lot of these attacks, MFA was not in place and MFA would have dramatically improved.
So that's a first place to look.
And, you know, it needs to be a part
of the requirement. When you look at your supply chain, you need to require that they use MFA in
order to authenticate into your systems at very minimum. That's Mary Writz from ForgeRock.
There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for
Interview Selects, where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant. You may have noticed that after the GDPR went into effect,
we all started seeing more pop-ups regarding website cookie policies.
Whether or not that's a direct effect of GDPR is arguable,
but there's no doubt cookies play an important role in online privacy.
So when Google announced they were updating their approach to handling cookies in the EU,
that caught the attention of our own Carole Theriault.
Last month, Google announced changes on how it makes use of cookies in Europe.
You listeners outside Europe might not know this,
but for more than a decade, if you visited a website from Europe,
you would typically see a cookie consent banner.
Now, cookies, as we know, help sites remember information about your previous visits.
So they can do things like display text in your preferred language,
deliver stuff appropriate to your geography, remember previous actions.
They grease the wheels during a service request.
The problem is that it caused a bit of a privacy fracas.
What if you as a user don't want a website to grab this info without your consent?
And over a decade ago, Europe agreed and the European cookie consent banner was born
and mandated, meaning that when a European-based user opened a website, they had to be presented
with a choice to allow or deny the cookies from tracking them. And Google complied. Well, kinda.
Google allowed users to accept all tracking cookies with a single click, but it forced people to click through various menus to reject them all.
Basically, they had greased the wheels for acceptance and made it complicated and annoying for those that wanted to block the cookies.
This asymmetry was unlawful, said CNIL, France's data protection agency, steering users into accepting cookies to the ultimate benefit of Google's advertising business. It was so awful that CNIL
fined Google 150 million euros or 170 million dollars for deploying confusing language in cookie banners. $170 million may sound like a steep fine, but it is really a
teeny tiny drop in Google's financial ocean. Yet, they decided to play ball. To remedy this,
writes Google on its blog, Google's new cookie banner gives clear balanced choices, reject all,
accept all, or more options. This new menu will appear on Google
Search and YouTube if users are not signed into an account. We've kicked off the launch in France
and we will be extending this experience across the rest of the European economic area, the UK
and Switzerland, wrote Google in a blog post announcing the changes. Now between you and me, Google is a pretty big fish,
but there are quite a few other sizable fish out there that have followed in Google's data
snarling shoes and are currently massaging their cookie banners to obfuscate the reject all options.
To you, I say take heed. It is only a matter of time before you are in the EU's data protection headlights.
And the fine may not seem like chump change to you.
This was Carole Theriault for The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't miss this weekend's Research Saturday and my conversation with Dr. Mei Wang from Palo Alto Networks.
We're discussing their research,
Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization.
That's Research Saturday. Do check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing Cyber Wire team is Rachel Gelfand, Liz Irvin,
Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Thank you.