The Gately Report: Trellix Threat Intelligence Leader Expects Cybercriminals to Pounce in Hurricane Ian Aftermath
Russia is planning massive cyberattacks on Ukraine and its allies.
![Hurricane Ian](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt02e0c5dfb82404bd/652415ae35cbee67428d738e/Hurricane-Ian-1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Channel Futures: Trellix Advanced Research Center recently discovered a vulnerability in Python’s tarfile module. Hundreds of thousands of repositories were vulnerable to this vulnerability. What’s the significance of this discovery?
John Fokker: That’s a 15-year-old vulnerability in Tarfile in the Python library. And it was actually shocking to see that that specific library in 2007 was identified, somewhat addressed, but it continued to linger on and it’s actually implemented in thousands of other projects and from Docker systems to even the European Space Agency uses some of these vulnerable systems. So we basically built a brick house on top of a foundation which is really weak. So that was the thing that really stood out to me. And that seems like we need to solve this as an industry. We can build the next-level generation solutions and all that stuff. But if we’re building stuff on vulnerable code base, that’s going to be a real problem.
CF: When you have these types of findings, is there a message in there for partners? Does it point to opportunities and/or challenges for them?
JF: So the Tarfile Python vulnerability was one which we identified, but at the same time it’s like, OK, we don’t want to shout off the rooftops saying like, oh, this is so bad. It’s 15 years old. We look at what can we do about it instead of just writing a blog. So one of the things that we did was we launched a scanning tool that anyone can download and you can find out if you’re vulnerable because … we saw that it was already very tough to establish if you have systems that are actually vulnerable. So we’ve written a special script for this and everybody can run that on demand. But we took it even a step further. We’re working together with GitHub and we’re actually having an automated way of identifying vulnerable repositories that have that vulnerability. And we’re going out to be sending out pull requests to get it patched automatically. That is a clear example of we don’t only find fault, but we try to find remedy as well.
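The interview does not spell out the mechanism behind the tarfile finding, so for readers who want the defensive check, here it is: tarfile’s extract() and extractall() historically wrote each member to whatever path its archive name pointed at, including names containing “..”, so an untrusted archive could drop files outside the chosen destination directory. The example below is added here and is not Trellix’s scanning script, not code from GitHub’s automated pull requests and not from the page; every function name and the in-memory sample archive are constructed for illustration. It shows the pre-extraction audit a project should run before trusting an archive, next to the unguarded call it replaces.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(escape: bool) -> bytes:
    """Constructed in-memory archive (not from the page). With escape=True it
    adds a member whose name climbs out of the extraction directory."""
    members = [("docs/readme.txt", b"hello")]
    if escape:
        members.append(("../escaped.txt", b"outside"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to a path below it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(data: bytes, dest: str) -> list[str]:
    """Names of members that would be written, or would link, outside dest.
    This is the property a pre-extraction audit (or a repository scanner
    looking for unguarded extractall() calls) needs to establish."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if not is_within(dest, target):
                flagged.append(m.name)
                continue
            if m.issym() or m.islnk():
                # A symlink target is relative to the link's own directory;
                # a hardlink target is relative to the archive root.
                anchor = os.path.dirname(target) if m.issym() else dest
                if not is_within(dest, os.path.join(anchor, m.linkname)):
                    flagged.append(m.name)
    return flagged


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member is unsafe; otherwise extract and
    return the member names. The unguarded form this replaces is simply
    tarfile.open(...).extractall(dest) with no check on member names."""
    flagged = unsafe_members(data, dest)
    if flagged:
        raise ValueError(f"refusing to extract, unsafe members: {flagged}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run both archives against a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        flagged = unsafe_members(build_sample_archive(escape=True), dest)
        try:
            safe_extract(build_sample_archive(escape=True), dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extract(build_sample_archive(escape=False), dest)
        landed = os.path.exists(os.path.join(dest, "docs", "readme.txt"))
    return {"flagged": flagged, "refused": refused,
            "extracted": extracted, "landed": landed}


if __name__ == "__main__":
    print(demo())
```

The audit resolves every member’s destination with realpath before comparing it to the destination directory, so “..” segments and symlinked parents are both accounted for, and it rejects the whole archive rather than skipping individual members, which keeps a partially extracted tree from masking the problem. Python 3.12 added an extraction filter argument (tar.extractall(dest, filter="data")) that performs this kind of rejection upstream; on the older interpreters the interview is concerned with, an explicit check like the one above is what a project has to supply itself.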
CF: That also sounds like that could be really good for organizations because we hear that a lot of them are slow to patch and they’re not paying attention when updates are available, so they’re sitting there vulnerable.
JF: Sitting there vulnerable is totally right. The mean time to using a vulnerability that has dropped has dramatically decreased. So years back, it was maybe some days or weeks, and now it’s literally one or two days. There’s a proof of concept and the threat actors are very eager to implement this and to launch it as well. So that’s why I think it’s cool that my team, which is mostly intelligence focused, is working very closely with the vulnerability team as well because we leverage their knowledge saying, OK, for instance, the vulnerabilities that can drop by Microsoft every other week, what are the ones that will keep our customers up at night? What do they need to worry about? And are these the ones that they need to prioritize in their patching? And the same thing we do is look at the threat landscape, and we use our own sources and third-party sources to establish that a vulnerability that got dropped last week is now actively being exploited by this threat group. So if a customer is running our program or has our intelligence … they can say OK, this is higher on my patch priority list because it’s what’s actually actively being exploited in the wild. And furthermore, let’s say you have an organization and your biggest threat is ransomware, and a ransomware actor is using this vulnerability. We try to give that guidance to our customers and say you need to work on this and you need to patch this.
CF: What do you find most disturbing and dangerous about the current threat landscape?
JF: There’s a lot that’s been going on in recent years. We had a publication that we did just prior to RSA where we looked at the Russian-Ukrainian war and everything that happened. I think from a threat actor perspective, that is something that is very worrisome to me. The conflict is ongoing and what we see with the increase of sanctions, basically on the Russian side there used to be a unity or some kind of an understanding between cybercriminals and there’s now a clear divide. And a lot of the Russian-speaking, Russian-based cybercriminals, which are some of the most capable ones in the world, are being pushed in the same corner as state-sponsored actors. The lines between nation-state activity and cybercriminal activity are going to blur. So nation-states are going after private entities, and it could actually be for monetary gain or it could be for espionage. Or furthermore, because we have one regime that’s under restrictions and being sanctioned, and they’re working together, we will see cybercriminals actually leveraging their skillset, but on behalf of a nation-state actor. And that is what keeps me up at night … and it’s making it more difficult because is this group now going after monetary gain or are they actively trying to disrupt the network from my customer or from a victim for a political reason?
Blurring of these lines and the escalation, and what the usage of these tools and these types of malware by certain groups can cause, that is stuff that worries me and the team quite a bit. So we try to give a lot of guidance to our customers. But at the same time, we have a lot of industry partners and our public-sector partners. We work a lot with law enforcement, intelligence agencies, national service, and that’s something that we’re really proud of. We don’t really speak about it a lot, but from the first day of the (Russia-Ukraine) conflict, we’ve been sending information back and forth about everything that we see. I think we had some offerings as well to provide threat intelligence to customers at no cost or reduce cost. And there’s been multiple efforts on helping out with the initiatives.
CF: You mentioned the war in Ukraine, and also there’s economic uncertainty. There’s even natural disasters, like what’s going on with Hurricane Ian right now. What kind of impact are those types of things having on the threat landscape and the actions of cybercriminals?
JF: There’s kind of an energy crisis, which is obviously inflicted through the war in Russia. And if there’s one thing that I’ve learned from all the work that we do is that cybercriminals never cease to amaze me on how quickly they can adapt and they can do something, even if it’s just a phishing scam, to take advantage of something. And they’re so quick to do that. We saw that with COVID-19. Johns Hopkins University launched that phenomenal map (of COVID-19 cases) … and within a day there was somebody saying hey, guys, I got a version that actually has an exploit kit. So if somebody goes to my website, we can install malware and we can take advantage of it. I’m always amazed at how fast they can adapt to these things.
CF: So we could end up seeing cybercriminals trying to take advantage of the need for help in the aftermath of Hurricane Ian?
JF: That for the fraudsters is a clear thing. Like the relief funds. There’s a lot of covert fraud as well. Luckily, the American government is taking some really, really strict actions against fraud with this, and they’re taking it very seriously. And you see people being charged with those fraud cases. But, yes, there’s a lot that’s going on where they would really try to lure people in because it’s on the top of everybody’s minds. Let’s see what we can get.
CF: Do you find that there’s still a lot of that sentiment out there of it won’t happen to me?
JF: We often see that a lot of the top organizations and the top customers, they have a pretty solid cybersecurity strategy. But in the middle of the bell curve, there are those who have a very decent budget, but either are not aware enough of what is going on or think it’s not going to happen to me, or what are the chances or whatever. And guess what? Those end up being headline news or on those blogs from ransomware actors extorting them with their data. And that’s what we read in all the breach reports.
I had a case a couple of weeks ago where one of our researchers uncovered a Lazarus campaign. So North Korea targeting a renewable energy company in Portugal. He found this out and we were doing our research, and we have our backend system in which we encode campaigns, which feeds into Trellix Insights. And literally he was putting his indicators and everything he saw in there from multiple sources and the correlation engine. There were multiple correlations to multiple other events and this was already pushed to Insights. This customer was entitled to it, but they didn’t use it. It’s like, by the way, please turn on Insights because you could have seen this at the beginning. You’re in luck that we caught it, but you could have seen this. And that shows me that there is a real need for intelligence among all customers, everybody who could be impacted. They can benefit from it because there’s so much you can do before they actually come to your doorstep. And if you can understand the adversary, you can take countermeasures to arm yourself against them. It’s better to do that before the breach because during the breach, you’re in a time constraint.
In other cybersecurity news …
Russia is reportedly planning massive cyberattacks on the critical infrastructure of Ukraine and its allies, focused on disrupting and taking down energy industry facilities and institutions.
According to Bleeping Computer, the warning comes from the Ukrainian military intelligence service. The attacks are likely aimed at slowing down the Ukrainian Army’s ongoing offensive and at increasing the destructive effect of missile strikes against Ukrainian energy supply facilities in the eastern and southern regions.
Toby Lewis is Darktrace’s head of threat analysis.
“With effective counterattacks by Ukrainian defenders pushing Russian troops further back, and with increasing political and public unrest over the recent mobilization proclamation, Russia is increasingly looking at the remaining cards it can play, and cyberattacks have the potential to provide quick wins with no human cost for Russia,” he said. “In the run up to the invasion, many commentators were concerned about a Russian cyberattack of international proportions with sweeping collateral damage as we saw with NotPetya in 2017. In reality, Russia was able to deploy its wiper malware directly into target networks, likely as a result of a pre-existing network compromise. But as the war has progressed, those pre-existing compromises will have been gradually burnt by each cycle of incident response by the Ukrainian authorities. And there will come a point where Russia may have to resort to more indiscriminate attempts to deploy their capabilities. It is at this point that the potential threat for those outside of Ukraine escalates, as those cyber operations become more haphazard and less targeted.”
Tom Kellermann is senior vice president of cyber strategy at Contrast Security.
“Geopolitical tension has reached a tipping point,” he said. “Just hours after the Ukrainian warning about attacks against critical infrastructure, Russia sabotaged the gas pipeline to Europe last night. Much like we saw a wave of destructive cyberattacks in January, a dramatic escalation is occurring as Russia’s gloves are off. We should expect a wave of destructive cyberattacks against western critical infrastructure. Cybersecurity teams must test their backups, expand threat hunting for groups like Sandworm, APT 28, Gamaredon and APT 29, apply microsegmentation and apply runtime protection across their applications.”
Federal legislation seeking to address open source software risks in government has been introduced by U.S. Sens. Gary Peters, D-Michigan, and Rob Portman, R-Ohio.
The legislation comes after a hearing convened by Peters and Portman on the Log4j vulnerability earlier this year. The bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure and others.
Tim Mackey is principal security strategist at Synopsys Cybersecurity Research Center.
“Managing open source software is fundamentally different from managing commercial software – whether that software is off the shelf or created based on a contract,” he said. “Properly securing open source software requires an understanding of this and other realities for how open source enters organizations like the U.S. government. The Open Source Software Act of 2022 recommends many activities that are traditionally the responsibility of an open source program office (OSPO). For example, it is the responsibility of an OSPO to determine what open source risks are acceptable for an application and the context in which it’s deployed.”
While there is much to like in the bill, the fact that there’s no mention of how open source software was tested is concerning, Mackey said.
“There are many software development practices that can create weaknesses in software, and some are programming language dependent,” he said. “The capabilities of the various testing tools, both commercial and open source, also vary considerably. How well software is tested and what the security targets used during testing are as important in open source as in commercial software.”
Check Point Research (CPR) has discovered multiple hacker groups using Telegram, Signal and the dark web to help anti-government protestors in Iran bypass regime restrictions.
Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations. CPR sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides.
Specifically, hacker groups are allowing people in Iran to communicate with each other, share news and what is going on in different places, which is what the government is trying to avoid, to lower the flames.
In addition, there are some hacking groups that are trying to make profit from the situation and to sell information from Iran and the regime.
Michael DeBolt is chief intelligence officer at Intel 471.
“One notable trend was uploading videos of protests and trying to collectively reveal the identity of soldiers and officers who were taking part in violent crackdowns against protesters,” he said. “We observed the actor 3ackd0or and others posting such information. Many of the notable hacker group chats changed their name to OpIran and were used to share information on the protests. The most common cyberattacks observed were denial of service attacks.”
What’s also interesting is how the more “traditional” or older hacker groups in Iran, such as Bax 026 and Ashiyane, were always taking the regime’s side and aligned with the regime’s agenda “while we see more and more groups that are actively targeting the regime and helping opposition and anti-regime protestors,” DeBolt said.
Trellix threat intelligence leader John Fokker expects cybercriminals to take advantage of Hurricane Ian’s devastation in Florida and other states much the same way they did during the COVID-19 pandemic.
Fokker, Trellix’s head of threat intelligence and principal engineer, spoke during this week’s Trellix Xpand Live 2022 conference. He and Doug McKee, principal engineer and director of vulnerability research, detailed how the company helped law enforcement take down the notorious REvil ransomware gang. REvil was responsible for last year’s attack on Kaseya.
“We help catch bad people,” he said. “That’s what gets me going every day.”
During his career, Fokker has supervised numerous large-scale cybercrime investigations and takedowns. In addition, he’s one of the co-founders of the NoMoreRansom Project. The No More Ransom website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee. It helps victims of ransomware retrieve their encrypted data without having to pay the criminals.
Trellix Threat Intelligence Leads to Better Protection
We spoke with Fokker during Trellix Xpand Live to find out how threat intelligence is helping to protect organizations from cybercrime.
Channel Futures: Tell me about your work with Trellix’s Threat Intelligence Group and how it leads to better cybersecurity for partners and customers.
John Fokker: I have the privilege to run a team with different types of analysts where we have commercial papers, and we have analysts that go out and hunt, collect and do research on threats out there in the world. So they use our telemetry, they use our products, but they also look at scanning the internet or disseminating third-party product blogs. We also have other vendors that come out with phenomenal research. We’ll look at it and we’ll validate it, and we’ll send it out to our customers. So that’s integrated in our work stream and that goes immediately to all the products. And we like to say we collect stuff that will really help the customer tackle the threat.
Now, there are these threat actors. They move through a network. There’s multiple ways of doing so, and they use multiple tools. So our team identifies how the threat actor operates and we’ll try to find out ways of how they do it. This is what we can give. We can connect with the respective product teams and they’re like OK, can we build protection for this? And at the same time, we give intelligence to our customers. And this is product innovation. It was tied into the product. And at the same time, we also have an option where we have commercial opportunities. So if we have a customer that really wants to go in depth on threat intelligence or the other way around, they want threat intelligence, but they don’t have a whole team, we can help them out. We can support them with their assets.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.