Technology has unintended consequences, and this reality is getting much of the security world’s focus as events play out this year.
There was news at the Black Hat 2022 cybersecurity conference this week about creating an open standard for analyzing enterprise data, innovative new security tools and a declaration by the former head of government cybersecurity that things will likely get worse.
Yet much of the discussion from the annual gathering in Las Vegas revolved around three examples of how technology can have unintended consequences: the cyberwar in Ukraine, continued problems from the Log4j logging tool vulnerability and rising concerns around security threats in Web3. On Black Hat’s 25th anniversary, the issues have become much more significant than the carefree days of 1997 when the first DVD players made a debut.
“Much like everything else in security, we figured it out along the way,” Black Hat founder Jeff Moss said in his conference keynote remarks that recalled 25 years of cybersecurity. “Now we need a lot more people in the room trying to explain what’s going on, what the unintended consequences of technology are.”
Attention on cyberwar
The security community is closely monitoring the use of cyber weapons in Ukraine because the tools being used by Russian attackers form a preview of future nation-state and criminal-underground threats.
Security researchers from ESET provided Black Hat attendees with an update on cyberattacks against Ukraine on Wednesday. They were joined by Victor Zhora, chief digital transformation officer at the State Service of Special Communications and Information Protection in Ukraine, who made a surprise appearance at the conference session.
The Ukraine conflict has demonstrated how technology-driven attacks can be used to bring down government and communications services, along with utility infrastructure. Zhora noted that the number of cyber incidents in his country has tripled this year, and that Russia exhibited a pattern of launching a series of malware wiper attacks on Ukrainian networks before deploying its biggest gun to date – Industroyer2.
The Industroyer2 malware is believed to be the latest iteration of the malware behind a powerful, fully automated attack on the Ukrainian electrical grid in 2016 that shut down power in parts of the country. However, Russia inexplicably preconfigured its Industroyer2 attack in April to launch on a Friday afternoon at 6 pm, when many power plant workstations had been shut down, according to Zhora. With the help of ESET and Microsoft Corp., Ukraine was able to thwart the Industroyer2 incursion.
“It was a well-planned and technically sophisticated operation, with a lot of tools that we later discovered,” Zhora said. “This was an act of aggression against civilian infrastructure.”
Perhaps more alarmingly, security researchers have uncovered another malware tool – CaddyWiper – that Russia used in tandem with Industroyer2. This wiper lets attackers hinder recovery from the damage caused by Industroyer2 by erasing key data and files, according to an analysis of Russian attacks presented by security researchers from SentinelOne Inc. in another Black Hat session on Wednesday.
“Remember, this is the tip of the iceberg,” said Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne. “I assure you there is much more activity beneath the surface that we’re not even aware of.”
Log4j issues continue
Tech’s unintended consequences have become an issue in the open-source community this year as well, as organizations continue to address vulnerabilities in the Apache Log4j tool.
Log4j is a popular Java-based logging utility used in many software packages. When a vulnerability in it was first disclosed last year, the National Vulnerability Database assigned it the maximum severity score of 10 out of 10.
Not long after the Log4j disclosure, Microsoft began to see cybercriminal attackers probing systems for Log4j flaws. The threat posed by the open-source tool raised alarm bells all the way to the upper reaches of the federal government, where the White House-mandated Cyber Safety Review Board set aside its plan to focus first on the SolarWinds breach and instead examined Log4j.
The chairman of the CSRB, which issued its report on the vulnerability in July, appeared at Black Hat on Wednesday and delivered a blunt message: Issues caused by the Log4j flaw are nowhere close to being fixed.
“Log4j is not over,” said Robert Silvers, under secretary for policy at the Department of Homeland Security. “This was not a ‘look back and now we’re in the clear.’ It is most likely that organizations are going to deal with Log4j issues for at least a decade and maybe longer.”
Part of the issue has been a lack of knowledge around precisely where Log4j has been installed so that fixes can be rapidly applied. In an effort to support remediation, the Cybersecurity and Infrastructure Security Agency has compiled several lists on GitHub, including an “Affected Vendor and Software” catalog.
Several cybersecurity firms have been working to apply fixes for Log4j. At the start of Black Hat, CyCognito Inc. released a report that found that 70% of surveyed firms that had applied fixes were still struggling to patch vulnerable assets and prevent new Log4j-related instances.
Log4j is widely used within the tech community, and software engineers can deploy it for multiple purposes, according to one CyCognito executive. “It makes the visibility and risk detection process one thousand times more difficult,” Rob Gurzeev, co-founder and chief executive of CyCognito, said in an exclusive interview with SiliconANGLE. “Most of the Log4j vulnerabilities we’re seeing are on assets never properly tested by these companies.”
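The visibility gap described above, knowing where Log4j actually sits on a host, including copies bundled inside application archives, is what an asset scan has to close before patching can be tracked. The following Python script is an added example written for this page; it is not CyCognito's, CISA's or the Apache project's tooling. It walks a directory tree, opens every .jar/.war/.ear/.zip, recurses into nested archives, reports each copy of log4j-core it finds (identified by the JndiLookup class that ships only in that artifact) together with the version read from the jar's Maven pom.properties, and flags any copy whose version is not on an operator-supplied allowlist. The sample archives it builds, the version strings in them and the allowlist used in demo() are constructed for the demonstration; which versions count as remediated is for the operator to take from vendor advisories, not from this script.

```python
"""Inventory log4j-core jars on disk, including jars nested inside other archives (added example)."""
import io
import os
import tempfile
import zipfile

# Entry that only log4j-core ships; its presence identifies the artifact regardless of file name.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; it records the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf):
    """Return the version= value from log4j-core's pom.properties, or None if absent."""
    try:
        data = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.partition("=")[2].strip()
    return None


def inspect_archive(blob, location, depth=0, max_depth=5):
    """Scan one archive held in memory; recurse into nested archives up to max_depth."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            findings.append({"location": location, "version": _version_from_pom(zf)})
        if depth < max_depth:
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    nested = f"{location}!{name}"  # jar-URL style path into the container
                    findings.extend(inspect_archive(zf.read(name), nested, depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk a directory tree and return every log4j-core occurrence found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        blob = fh.read()  # whole archive in memory; fine for jars, adjust for huge ears
                except OSError:
                    continue
                findings.extend(inspect_archive(blob, path))
    return findings


def triage(findings, approved_versions):
    """Return the findings whose version is missing or not on the operator's allowlist."""
    return [f for f in findings if f["version"] not in approved_versions]


def _make_jar(entries):
    """Build an in-memory jar from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Write a constructed directory layout: a war with a nested log4j-core plus two loose jars."""
    pom = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n"
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder bytes
    core_a = _make_jar({JNDI_LOOKUP_CLASS: fake_class, POM_PROPERTIES: pom % b"2.14.1"})
    core_b = _make_jar({JNDI_LOOKUP_CLASS: fake_class, POM_PROPERTIES: pom % b"2.17.1"})
    api_only = _make_jar({"org/apache/logging/log4j/Logger.class": fake_class})  # decoy, no core class
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(_make_jar({"WEB-INF/web.xml": b"<web-app/>",
                            "WEB-INF/lib/log4j-core-2.14.1.jar": core_a}))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(core_b)
    with open(os.path.join(root, "lib", "log4j-api-2.17.1.jar"), "wb") as fh:
        fh.write(api_only)


def demo(approved_versions=frozenset({"2.17.1"})):
    """Build the constructed tree in a temp dir, scan it, and return root-relative results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for f in findings:
            f["location"] = f["location"][len(root) + 1:]  # strip the temp-dir prefix
        return {"findings": findings, "needs_attention": triage(findings, approved_versions)}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f['location']}: log4j-core {f['version']}")
    print(f"{len(result['needs_attention'])} occurrence(s) outside the allowlist")
```

Identifying the artifact by its class entry rather than by file name matters in practice: a renamed or shaded jar inside a war still carries the class, while a file-name grep would miss it. The allowlist is deliberately an input rather than a hard-coded set so the same scan output can be re-triaged as advisories change.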
The role of China in the Log4j issue provides an interesting subplot. The flaw was first reported to the Apache Software Foundation in late November when a security engineer within Alibaba Cloud’s organization discovered the vulnerability in Log4j.
The CSRB’s report, which included discussions with representatives of the Chinese government who agreed to participate, did not find evidence that China attempted to exploit the vulnerability before it became public knowledge in December. However, the board also noted that the Chinese government would not comment on reports that Alibaba had been punished for revealing the flaw to the Apache Foundation first, and expressed concern around the potential for China to exploit flaws in the future.
“We did not find evidence of exploitation before the vulnerability broke into the open,” said Silvers, during his Black Hat appearance. “The regulatory regime that China has in place surrounds vulnerability disclosure. The board expressed concern that this could give China early access to very serious vulnerabilities.”
Web3 proves vulnerable
As Web3 gains traction in the tech ecosystem, the consequences of developing emerging digital financial instruments, such as blockchains, cryptocurrencies and smart contracts, in full public view are beginning to have an impact on security. The reality is that most blockchain and cryptocurrency projects have been operating with low security maturity, and that is beginning to raise alarm bells as investment pours in and use cases grow.
“If people collect cryptocurrencies and NFTs they really want people to know they collect them, so they are becoming their own targets,” Nathan Hamiel, senior director of research at Kudelski Security, said during a Black Hat presentation on Thursday. “We have high-value targets with public exposure and an unexplored attack surface. The time to exploit this stuff is incredibly fast and we’re not used to what we’re seeing.”
What security researchers are seeing is a rapidly escalating series of attacks resulting in the theft of hundreds of millions of dollars. One of the most significant to date was a breach of the Ronin Network, provider of the “Axie Infinity” blockchain game, which netted hackers at least $620 million in March.
Validator nodes on the Ronin Network were apparently compromised, according to a statement released by the provider, Sky Mavis. Hamiel also cited hacks such as Beanstalk, in which attackers used a flash loan to gain supermajority power over protocol governance and manipulate it.
The Web3 world has built a following based on precepts of decentralized autonomous organizations or DAOs and community ownership. Yet that’s proving to be a vulnerability that threat actors have been more than happy to exploit.
“Decentralization is a feature and also a drawback; nobody owns the issues,” Hamiel noted. “You cannot solve tactical problems with a DAO; it should not be up to a community whether to patch a piece of software. We haven’t even found all of the security issues yet.”