Attivo Networks Blogs

CISA’s plans for countering disinformation, and for forming a white-hat hacker advisory group.

Carolyn Crandall, Chief Security Advocate, Attivo Network, joined Dave Bittner, Host of The CyberWire Daily Podcast.

Dave Bittner: Notes on rising international tension in Eastern Europe. A watering hole campaign in Hong Kong. The U.S. and the EU have joined the Paris Call. NSO Group’s prospective CEO resigns his position before formally assuming it. Void Balaur, a cyber mercenary group, is active on the Russophone Cyber Underground. Johannes Ullrich on leaked vaccination cards and COVID tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory. CISA intends to increase its capacity to work against misinformation and disinformation, and they also intend to recruit white hat hackers to an advisory board.

Dave Bittner: From the CyberWire Studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, November 12, 2021. 

Dave Bittner: Since international conflict inevitably brings cyber-conflict in its wake, we begin with a brief account of rising tension in Eastern Europe. Ukraine has expressed concern over Russian troop movements near its borders, and other governments have seconded Kyiv on the matter. Bloomberg quotes U.S. Secretary of State Blinken as saying the deployments resembled the run-up to the 2014 invasion of Crimea. There are also problems between Belarus and its neighbors. Minsk’s push of migrants over the Polish, Latvian and Lithuanian borders – which Foreign Policy calls exporting instability – and Belorussian President Lukashenko’s threats to stop natural gas deliveries to the EU should the EU sanction Belarus, according to The Washington Post, are additional sources of friction. 

Dave Bittner: According to the BBC and the view from Warsaw, the Russian and Belorussian actions represent a campaign coordinated by Moscow. Bloomberg writes that the U.S. has warned the EU of the possibility of a Russian attack against Ukraine. But Russia’s ambassador to the U.N., according to the Military Times, says there will be no invasion unless Russia is provoked and then cites alleged instances of provocation, which would seem to undercut peaceful reassurances. Expect cyber-tensions to rise accordingly. 

Dave Bittner: Google’s Threat Analysis Group has outlined a watering hole campaign apparently designed by a well-resourced group, likely state-backed, exploiting a macOS zero-day to spy on Hong Kong democracy advocates. Google’s researchers write, quote, “the watering hole served an XNU privilege escalation vulnerability, CVE-2021-30869, unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor,” end quote. 

Dave Bittner: Google disclosed its discovery to Apple, and Apple patched the vulnerability in the last week of September. Google doesn’t say which state is the likely backer of this particular campaign, but the report is being widely received as calling out a Chinese intelligence operation. 

Dave Bittner: The Chinese services have been taking a greater interest in Taiwan lately, too. That’s the conclusion of Taiwan’s National Defense Report for 2021, released Tuesday, which describes significant increases in Chinese collection against what Beijing regards as a breakaway province. Breaking Defense sees Taipei’s report as echoing many of the conclusions of the U.S. Defense Department’s China Military Power Report, which also sees Taiwan as one of China’s principal targets.

Dave Bittner: The U.S. and the EU have announced that they’ll join the Paris Call for Trust and Security in Cyberspace, agreeing to support the Call’s nine principles. The U.S. adherence to the Call represents a change from the previous administration’s policy. So far, 80 states, 36 public authorities and local governments, 391 organizations and members of civil society and 706 companies have joined. 

Dave Bittner: The Paris Call’s nine principles are worth reviewing – first, protect individuals and infrastructure; second, protect the internet; third, defend electoral processes; fourth, defend intellectual property; fifth, non-proliferation; six, life cycle security; seven, cyber hygiene; eight, no private hack back; and nine, international norms. 

Dave Bittner: The CEO-designate of controversial intercept vendor NSO Group has stepped down before formally assuming leadership of the company, Reuters reports. Isaac Benbenisti explained in his letter to NSO Group’s chairman that special circumstances arising from the company’s placement on a U.S. blacklist render it impossible for him to carry out his vision for the firm’s future. NSO Group has been controversial in many countries, and its position as a prominent vendor of readily abused surveillance tools has become an embarrassment to the Israeli government. 

Dave Bittner: The Jerusalem Post reports that the Palestinian Authority said this week that several employees of its foreign ministry have had NSO’s Pegasus tool installed on their phones. The Israeli Defense Ministry, the Post says, declined to comment, and NSO Group said that it’s not the operator of the products it sells. Any abuse, in the company’s view, is the responsibility of the operators. 

Dave Bittner: Trend Micro has published an extensive report on a cyber mercenary operation it’s calling “Void Balaur,” and whose activities the researchers say at first appeared to be associated with the GRU’s APT28, or Pawn Storm. On further review, however, they think it likelier to be linked to the mercenary group also known as RocketHack, which was itself described earlier this year. 

Dave Bittner: Void Balaur has been advertising in underground C2C markets since 2017 at least. As far as Trend Micro can tell, the group has an exclusively Russophone clientele. Quote, “to our knowledge, Void Balaur has never advertised in underground forums that were not Russian language-oriented. However, there used to be a website on that was registered on February 21, 2018 and was available on its bare IP address until at least December 2020. On the website, Void Balaur listed services such as hacking into mailboxes or flooding them with spam, distributed denial-of-service attacks and flooding phone numbers in Commonwealth of Independent States or CIS countries only,” end quote. 

Dave Bittner: For what it’s worth, the criminal word-of-mouth about Void Balaur is pretty favorable. Quote, “the feedback that Void Balaur receives on underground forums is unanimously positive. Posters mention that the hacking service delivers the requested information on time, while others commented positively on the quality of the delivered information from mailboxes. Yet others posted about passport details they had requested,” end quote. 

Dave Bittner: Void Balaur’s offerings would be equally attractive to criminal gangs and espionage services. The latter, Trend Micro points out, would regard the cyber mercenaries as strategic assets. 

Dave Bittner: Some developments at the U.S. Cybersecurity and Infrastructure Security Agency are worth mentioning. First, the agency continues to issue advisories on ICS security. CISA yesterday released 18 industrial control system advisories. 

Dave Bittner: Second, Director Easterly said that her agency intends to increase its capacity to work against disinformation and misinformation. The Hill reports that the move to expand that capacity is motivated by the experience of the 2020 U.S. election. 

Dave Bittner: And third, CISA intends to bring a set of white hat hackers into a cybersecurity advisory board, which, according to the account in Roll Call, would not only serve as a source of advice, but would also help preclude the growth of an underground market for zero-days. 

Dave Bittner: And finally, some sad news for the cybersecurity industry. Alan Paller, founder of the SANS Institute and for many years a leader in the sector, passed away Tuesday at the age of 76. He’s being especially remembered for his contributions to education in the field. Our condolences to his family, friends and colleagues. His was a life well-lived, and he will be missed. 

Dave Bittner: Attivo Networks recently released research highlighting the gaps in security for Active Directory and that many organizations are struggling to identify the best tools and techniques to do so. Carolyn Crandall is chief security advocate and CMO at Attivo Networks. 

Carolyn Crandall: Active Directory – it’s remarkable for it being the main directory services of most organizations. However, it’s not often thought about. It’s more relegated to kind of a plumbing maintenance. But what’s been seen in so many major attacks today is that attackers are getting in and they’re exploiting Active Directory. And because it really is the keys to the kingdom, they’re then able to conduct these massive attacks and demand very large ransomware payments. 

Carolyn Crandall: And so what is happening is organizations are needing to rethink how they protect their Active Directory and try to find ways to kind of build that castle and moat around Active Directory, especially in today’s distributed world. It’s just now there’s no longer a perimeter border, so now you’ve got to think about it as far as identities and how they’ll access this resource and how to better protect it, given that that’s how they’ll be trying to exploit it and get in.

Dave Bittner: So what are you and your colleagues there at Attivo tracking in terms of how folks are coming at Active Directory? 

Carolyn Crandall: So we track it on many fronts. We like to follow the attacker. And if you start at the endpoint, you look at the exposed credentials and how the attacker is able to find the attack paths and the access into Active Directory. And they’re looking for everything from the credentials that may be left there so that they get privileged access, and then they’re looking for other exposures and vulnerabilities to be able to get in so that they can take control. 

Carolyn Crandall: And once they are able to get control, then they’re able to do things like download mass amounts of malware. They can reset security policies. They can do things to hide their tracks. They can delete backups. They can do all kinds of damaging things. 

Carolyn Crandall: And so once you hit that Active Directory level, you’re looking at the visibility to those exposures. Plus, you’re also looking at the live attack activity in order to see when those things, such as a mass account change is being made or mass password changes or things like DCShadow or DCSync type of attacks or those favorite golden ticket type of attacks that can be quite deadly. And so you’re really looking for that activity to be able to detect it before any real damages can be done. 

Dave Bittner: And how do users get insights onto that? I mean, what are your recommendations in terms of detection methods? 

Carolyn Crandall: Yeah, a lot has changed. I mean, before, a lot of people would be using, you know, logs and other things to look for unusual behavior. But unfortunately, there’s just not enough AD administrators and time, quite honestly, to do this in the manual way that’s been done before. And so what you’ve seen in the last year is a lot of automation coming around automated Active Directory security assessments. And you can use tools for that. So there, you can see visibility to vulnerabilities and also the exposures. So not just, you know, are you patched, but also where those misconfigurations are there. 

Carolyn Crandall: And then there’s also some really cool – two levels of technology. One is to see if an attacker is trying to enumerate Active Directory. And then there’s also cool concealment technology that’s out today that actually hides the Active Directory objects from the attacker and then will misdirect them. And they do this by feeding it disinformation. 

Carolyn Crandall: And it’s amazing because if the attacker’s using their typical tools like, say, Bloodhound or Mimikatz, they’re going to do their query. They’re going to get the information back that they think they’re supposed to get. And so they’re going to take action, but it’s really disinformation that can just steer them into a decoy. 

Carolyn Crandall: And here, they kind of spill their beans, right? Now they get all the information collected on their TTPs, and they get information so they can shut down that attack, but also get counterintelligence on how that attacker is attacking them. So it’s super efficient. It throws off real attackers. We see it all the time with pen testers and the red teams come back and say, hey, I got into your Active Directory. And now, fortunately, the defender is like, well, no, not really. Here’s every step you took, you know… 

Dave Bittner: (Laughter) Right. 

Carolyn Crandall: …From 20 command sets in about what you’re doing. So it’s really fascinating technology. 

Carolyn Crandall: You want to know if somebody is in, tampering with your Active Directory. And it’s a really no-excuse situation anymore, right? You know, if it is your crown jewels and it can change and cause such damaging harm to your organization that whether it’s driven by compliance or insurance policies, things are going to get tighter. And not protecting your Active Directory could be seen as negligent behavior.

Carolyn Crandall: And so we know it’s coming in 2022, a lot of changes around it. So I definitely encourage businesses to get ready for it and to change their security architecture. It’s not hard to do – not expensive to do either. But get ready for the things that are going to be expected around Active Directory protection because it’s just not acceptable not to protect that valuable of a resource anymore. 

Dave Bittner: That’s Carolyn Crandall from Attivo Networks. There’s a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you’ll get access to this and many more extended interviews. 
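Two of the Active Directory attack patterns Crandall names in the interview, DCSync-style replication requests and mass password changes, leave a recognisable footprint in a domain controller’s Security log. The script below is an added example (not code from the podcast, Attivo Networks or any product) that runs two simple detections over constructed, simplified log records. It assumes a flattened dictionary per event; the Windows event IDs (4662 for directory-object access, 4724 for password-reset attempts) and the two replication extended-right GUIDs are real, well-known values, while the sample records, the five-minute window and the threshold of five targets are illustrative choices.

```python
"""Heuristic AD detections over constructed Windows Security log records.

Two footprints worth watching on a domain controller:
  * DCSync-style replication: Event 4662 granting a replication extended
    right to a principal that is not a machine (domain controller) account.
  * Mass password resets: a burst of Event 4724 records from one subject
    against many distinct target accounts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known extended-right GUIDs that directory replication requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed, simplified records (assumption: real 4662/4724 events carry many
# more fields; here only the ones the detections use are kept).
SAMPLE_EVENTS = [
    # A domain controller replicating with another DC: normal.
    {"time": "2021-11-12T09:00:01", "EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising the replication right: DCSync-like.
    {"time": "2021-11-12T09:05:17", "EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user reading an unrelated property: not flagged.
    {"time": "2021-11-12T09:05:20", "EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
    # Helpdesk resets one password: normal.
    {"time": "2021-11-12T09:30:00", "EventID": 4724,
     "SubjectUserName": "helpdesk1", "TargetUserName": "alice"},
    # One account resets six different passwords within a minute: suspicious.
    *[{"time": f"2021-11-12T10:00:{s:02d}", "EventID": 4724,
       "SubjectUserName": "svc_backup", "TargetUserName": f"user{s}"}
      for s in range(0, 60, 10)],
]


def _guids_in(properties: str) -> set:
    """Extract the braced GUID tokens of a 4662 Properties field, lower-cased."""
    return {tok.strip("{}").lower() for tok in properties.split()}


def detect_replication_by_non_dc(events, allowlist=frozenset()):
    """Return [(subject, time)] for 4662 events in which a non-machine account
    was granted a replication extended right.  Machine accounts (names ending
    in '$') replicate legitimately; allowlist holds known user accounts that
    also do, e.g. a directory-synchronisation service account."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        subject = e["SubjectUserName"]
        if subject.endswith("$") or subject in allowlist:
            continue
        if _guids_in(e["Properties"]) & REPLICATION_RIGHTS:
            hits.append((subject, e["time"]))
    return hits


def detect_mass_password_resets(events, window=timedelta(minutes=5), threshold=5):
    """Return {subject: max_distinct_targets} for subjects whose 4724 events
    touch at least `threshold` distinct accounts inside any sliding window."""
    resets = defaultdict(list)
    for e in events:
        if e["EventID"] == 4724:
            resets[e["SubjectUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    flagged = {}
    for subject, items in resets.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {target for _, target in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[subject] = max(flagged.get(subject, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print("replication by non-DC:", detect_replication_by_non_dc(SAMPLE_EVENTS))
    print("mass password resets:", detect_mass_password_resets(SAMPLE_EVENTS))
```

Both checks are deliberately narrow: the replication rule keys on the extended-right GUIDs rather than on tool names, so it does not depend on which client made the request, and the reset rule counts distinct targets per subject so that a helpdesk retrying one user's password does not trip it. Neither replaces the assessment and live-activity monitoring Crandall describes; they illustrate what a baseline log-based control for these two behaviours looks like.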

Listen to the podcast on The CyberWire.
