CyberWire Daily - A Fancy Bear sighting. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT discovered. ICEFALL ICS issues described. Europol collars 9. Say it ain’t so, Dmitry.

Episode Date: June 22, 2022

Fancy Bear sighted in Ukrainian in-boxes. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT is active in European and Asian networks. ICEFALL ICS vulnerabilities described. CISA issues ICS vulnerability advisories. Europol makes nine collars. Andrea Little Limbago from Interos on the global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the future of vulnerability management. We are shocked, shocked, to hear of corruption in the FSB.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/119

Selected reading.
Ukrainian cybersecurity officials disclose two new hacking campaigns (CyberScoop)
Ukraine Warns of New Malware Campaign Tied to Russian Hackers (Bloomberg Law)
Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware (BleepingComputer)
Opinion: How Russia's vaunted cyber capabilities were frustrated in Ukraine (Washington Post)
New ToddyCat APT Targets MS Exchange Servers in Europe and Asia (Infosecurity Magazine)
Microsoft Exchange servers hacked by new ToddyCat APT gang (BleepingComputer)
OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT (Forescout)
From Basecamp to Icefall: Secure by Design OT Makes Little Headway (SecurityWeek)
Dozens of vulnerabilities threaten major OT device makers (Cybersecurity Dive)
CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)
Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands (Europol)
Lieutenant colonel of the FSB directorate for the Samara region arrested for stealing cryptocurrency from a hacker (TASS, in Russian)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Fancy Bear is sighted in Ukrainian inboxes. Why Russian cyber attacks against Ukraine have fallen short of expectations. The ToddyCat APT is active in European and Asian networks. Icefall ICS vulnerabilities are described.
Starting point is 00:02:16 Europol makes nine collars. Andrea Little Limbago from Interos on the global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the future of vulnerability management. And we are shocked, shocked to hear of corruption in the FSB. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 22, 2022. Let's start today with a question.
Starting point is 00:03:06 What are you scared of? Dentists? The dark? Starting conversations with people you find attractive? Or how about nuclear terrorism and the tax man? Social engineers play on fear, hope, sympathy, vanity, greed, and so forth. Especially fear, a human emotion the GRU knows like the back of its paw. CERT-UA has warned that APT28, the GRU operators familiarly known as Fancy Bear, have opened a renewed campaign of exploitation against systems still vulnerable to Follina,
Starting point is 00:03:40 the Microsoft diagnostic tool vulnerability tracked as CVE-2022-3190. Fancy Bear is running two distinct campaigns, Ukraine's SSS-CIP warns, both of which use phishing as their modes of access. The phish bait appeals to two very different sets of fears. The first campaign, which Malwarebytes has also described, counts on an email recipient's fear of nuclear war, which is topical given the ongoing Russian nuclear saber-rattling described by the telegram. The malicious document, Nuclear Terrorism, a Very Real Threat, carries CredoMap malware as its payload, CERT-UA says. as its payload, CERT-UA says. The other campaign uses a more approximate, if less existential, dread to induce the recipient to click, fear of the taxman. Anyone in wartime might be forgiven an understandable lapse of memory where paying taxes is concerned. The fish bait sample CERT-UA shares is sternly entitled Imposition of Penalties, and the malicious document carries a
Starting point is 00:04:46 cobalt strike beacon as its payload. The email's subject is Notice of Non-Payment of Tax. The goal of both campaigns appears to be espionage, although it's worth noting that CERT-UA sees the tax-themed campaign as directed against critical infrastructure. An op-ed in the Washington Post summarizes what's becoming consensus opinion about Russia's failure to deliver the devastating cyber attacks that were generally expected during the run-up to war. Ukrainian resilience, with appropriate and well-applied assistance from the private sector, was able to fend the Russian operators off. According to the Post, the close partnerships that have emerged between U.S. technology companies and Western cybersecurity agencies
Starting point is 00:05:31 is one of the unheralded stories of the war. The public-private rift in the tech world that followed Edward Snowden's revelations in 2013 appears largely to be over because of the backlash against Russia's attacks on the 2016 and 2020 U.S. presidential elections and now its unprovoked invasion of Ukraine. Kaspersky describes Toddycat, a hitherto unremarked APT active against high-profile European and Asian targets. The threat actor works against vulnerable Microsoft Exchange instances, has been active since late 2020, and deploys at least two distinctive tools,
Starting point is 00:06:11 the Samurai backdoor and the Ninja trojan. It's not clear whom ToddyCat is working for, and its disparate target list offers few obvious suggestions. The group is said to have been active against Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, Kyrgyzstan, Uzbekistan, and Indonesia. Researchers at Forescout describe OT:ICEFALL, which they characterize as a set of 56 vulnerabilities affecting devices from 10 OT vendors. Forescout calls the affected systems insecure by design and divides the vulnerabilities
Starting point is 00:06:54 into five categories. First, remote code execution. This allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors or in different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved by insecure firmware or logic update functions that allow the attacker to supply arbitrary code. Next is denial of service. This allows an attacker to either take a device completely offline or to prevent access to some function. Then there's file, firmware, or configuration manipulation. This allows an attacker to change important aspects of a device, such as files stored within it, the firmware running on it, or its specific configurations. This is usually
Starting point is 00:07:43 achieved via critical functions lacking the proper authentication, authorization, or integrity checking that would prevent attackers from tampering with the device. They next list compromise of credentials. This allows an attacker to obtain credentials to device functions, usually because they are stored or transmitted insecurely. And finally, authentication bypass. This allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device. Completely mitigating the ICEFALL vulnerabilities will require vendor-delivered patches.
Starting point is 00:08:21 In the meantime, network isolation, restricting network connections to specifically selected engineering workstations, and of course, focusing on consequence reduction are all encouraged. CISA continues its program of alerting operators to industrial control system issues. The agency yesterday released six ICS security advisories. Bravo, Europol. The international police agency, working with its Dutch and Belgian colleagues, yesterday bagged nine miscreants involved in a phishing operation that had winkled its victims out of millions of euros. The arrests, all in the Netherlands but under a Belgian warrant, were made in the course of 24 house searches that also netted a lot of ill-gotten swag, including firearms, ammunition, jewelry, electronic devices,
Starting point is 00:09:13 cash, and cryptocurrency, which seem to be the usual desires of cybercriminals nowadays. All that's missing is the snazzy and ostentatious sports car. But perhaps cybercriminals in the low countries are more given to riding bicycles than their Russian, Nigerian, or for that matter, American counterparts are. What's with all the jewelry? Is the typical cybercriminal a fashionista? The world wonders. If you are a cybercriminal, why not call Europol and let them know what it is about jewelry that draws you so?
Starting point is 00:09:47 We're sure they'd love to talk to you. And finally, TASS is authorized to disclose that they just aren't making siloviki the way they used to, and it's a shame. An FSB officer has been arrested for stealing cryptocurrency from some hoods he was supposed to be arresting. We note, parenthetically, that this would never happen in the Netherlands. TASS quotes its official sources as saying, "The 235th Garrison Military Court a month ago arrested Dmitry Demin, Lieutenant Colonel of the Federal Security Service for the Samara region, on charges of especially large-scale fraud. And on June 21st,
Starting point is 00:10:28 his detention was extended until early August." Lieutenant Colonel Demin apparently shook the goon, one A.O. Makalov, down for his crypto during the course of an investigation. And when Mr. Makalov was later arrested by others, he apparently asked the cops what happened to that crypto the lieutenant colonel took from him. Time to lawyer up, comrade lieutenant colonel. Anywho, Russia is particularly troubled by corruption. And while it's less common over here than over there, it happens to you too, Yankee. Back in 2015, the FBI bagged a Secret Service and a DEA special agent in Baltimore on charges of ripping off the Silk Road crooks they were supposed to be investigating.
Starting point is 00:11:13 It was a poor career move for the duo, who should have known better. By the time the Justice Department issued its press release on the indictments, the two were already described as former federal agents. We imagine Lieutenant Colonel Demin will soon be described as a former FSB officer. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:11:57 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:38 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:13:23 Learn more at blackcloak.io. The Cyber Wire's own Rick Howard recently sat down with Michelangelo Sedagni. He's Chief Technology Officer at Knopsec. Their discussion centered on the future of vulnerability management. I'm joined by Michelangelo Sedani, the CTO and co-founder of Knopsec. Michelangelo, thanks for coming on the show. Thanks, Rick. Glad to be here and, you know, hope to come back many times. Absolutely. We will put you on the rotating roster. We're talking about vulnerability management today, and I've been doing vulnerability management in the various places I've worked since the internet was young, you know, for the last 30
Starting point is 00:14:09 years or so. And on the surface, to me, it doesn't appear that the community is getting any better at this never-ending task. But that can't be true, right? I mean, I'm sure there's been advances over the years. Can you give us a sketch of how the industry does vulnerability management today? over the years. Can you give us a sketch of how the industry does vulnerability management today? It's really like, you know, what the industry does these days is not like big organization, it's not what it's supposed to be. First of all, the industry identify vulnerability management, do it only a part of it, which is vulnerability assessment, which is the art or the science of finding vulnerability using an infrastructure network scanner or a web application scanner. So basically, you point these tools, this software, to your web application,
Starting point is 00:14:53 and soon enough, a bunch of vulnerabilities come back. But that's only part of the story. The most important parts are having a comprehensive asset inventory. Part of vulnerability management is called vulnerability assessment. The third part is very, very important, prioritization. I mean, after I found hundreds of thousands of vulnerabilities which are high and critical, what am I supposed to do? Am I like fix all the critical and leave alone the medium or low? Well, it's not as clear cut because not all the vulnerabilities are created equal.
Starting point is 00:15:34 For example, there are critical vulnerabilities, and that's where the prioritization comes in, that basically like they're critical and the CVS is core scale, but they've never been exploited. There's no indication of exploit available in the wild. They've never been used and never tried to be exploited because they're so hard, basically, for a motivated attacker to build a stable exploit. And there are others that are like medium or low that they are used all the time as jumping around to actually find mounting like a more sophisticated attack. So basically exploiting one vulnerability and then chain it to another. If you prioritize correctly vulnerability, you don't have to patch 100%. You only patch vulnerabilities that are critical for your system, for your network. Let's unpack some of that, right? So first of all, you're talking about just discovery of
Starting point is 00:16:31 unknown software that's running out there. Like you were talking about somebody throws up a web server in AWS that you didn't know about. So you have to discover those things. The other one, though, and it's become more prominent here this last year, is just keeping track of the software components that we're all running, you know, and that is the software that we develop ourselves, plus the commercial software that we use, like Microsoft or whatever it is. But the thing that's come into the front this year is supply chain software, all the components that everybody's using from open source software. We talked about Log4J that came out last December.
Starting point is 00:17:07 Everybody was scrambling to see if we were running that component in our software. So that's a huge job. Have we gotten better at being able to keep track of all that stuff? It depends, obviously, on the security maturity of an organization. Basically, attackers are getting smarter, and they take the path of least resistance. It's really hard, for example, to hack a government up front. But if you take the supply chain route, it might actually be easier to compromise and obtain the same result.
Starting point is 00:17:37 You mentioned prioritizing the work here, and you refer to it in some of the things you've written as risk-based vulnerability management. So can you elaborate on what that means exactly? Risk is basically going to be split into really two areas. One is threat-based risk prioritization. So that means that, again, not all vulnerabilities are created equal. Some have never been exploited. Some are hard to exploit.
Starting point is 00:18:05 Some are currently used, as we know from threat intelligence information. I agree that the criticality of the vulnerability feeds into the risk equation, but I'm not sure that's the most important part. If I was going to base decisions on what work to do over other kinds of work, I would base it on data or systems that are material to my business. So if I know what those are, and then there's a critical vulnerability that pops up,
Starting point is 00:18:32 then clearly we need to work on that one first. But if it's worrying about the menu from the cafeteria down in the basement, maybe we don't worry about that one so much. The second part is what I call contextual risk. So basically, it's based on your organization's existing controls. That means it's very important to perform threat modeling
Starting point is 00:18:55 on the vulnerability. So calculate and visualize the attack path on vulnerable systems, but also on systems that are actually reachable by the attacker. This is all good stuff, Michelangelo, but we're going to have to leave it there. That's Michelangelo Sidagni, the CTO and co-founder of NopSec. Thanks for coming on the show. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:19:51 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Andrea Little Limbago. She is the Senior Vice President of Research and Analysis at Interos. Andrea, it's always great to welcome you back to the show. I want to start off today just by sort of checking in with you. If we could do a broad check-in on the state of the world, and I know that's a lot, but maybe let's start big and then go a little smaller. When it comes to, you know, democracies, authoritarianism, and how that's affecting our ability to connect with each other online,
Starting point is 00:20:51 where are we right now? Yeah, I think we're continuing to see a lot of the trends that have been accelerating over the last few years. So it's a great question. I look at really the broad geopolitical fault lines are starting to become more embedded. And then along those, you see the technological fault lines basically are starting to follow suit with the geopolitical. And that's why they're so intertwined.
Starting point is 00:21:15 And when you think about the role of emerging technologies, both in society and in modern warfare, they're just so crucial and foundational to both components that when you do start seeing some of the geopolitical fault lines start to emerge, natural almost, to see that those are also going to lead to divides along technology, along approaches to data, and that's where we're seeing a big aspect of it, and approaches to what's viewed as a trusted network. And at a very high level, we are still seeing China really leading the way on more of the digital authoritarian model. And that does still continue to gain traction. We still see, you know, additional laws starting to pop up from Cambodia and Thailand and really across the globe that are putting more restrictions and censorship on data.
Starting point is 00:22:00 But at the same time, we still see the reverse trend of over 100 different data privacy laws popping up across the globe. And those are interesting in that some are under the auspices of national security. And so actually, they sound very similar to something like the GDPR, which is intended for having protecting individual data rights. But you actually do see aspects of the GDPR in China's data privacy law. And so there are some similarities along that line as far as data minimization and what kind of data different companies can have access to and its flow across borders. But where you see differences are, it's almost like the devil's in the details. Like for China's law, for instance, there is governmental access allowed pretty much
Starting point is 00:22:42 without any kind of digital review or oversight or accountability. And so that's where you start seeing some very big differences. But there is, you know, really across the globe, still a push towards greater data protection, data privacy, which is a nice movement. How is this affecting the big global companies, you know, the apples of the world who are doing business across the world, but of course, China, a hugely important market for them. Yeah, you know, it's really making companies across the globe really rethink their global
Starting point is 00:23:10 footprint. And on the one hand, you know, it's much easier said than done, you know, for companies like Apple who have invested decades in their manufacturing plants, for instance, in China. You can't just pick up and move a manufacturing plant and find that labor, you know, anywhere else. That actually takes a decent amount of time to rebuild that elsewhere. But at the same time, Apple is starting to rethink some of that. And it's not just Apple.
Starting point is 00:23:32 We've seen other companies either starting to minimize their footprint. And I would say it's not a full-out, complete withdrawal, but there's a decoupling going on where companies are rethinking what data they have, some of the core components of their cross-supply chain, and trying to lessen that dependency on China for those very reasons. And so we'll see what happens. There has been a big increase in reshoring and decoupling over the last few years from China. And that really started, it kicked off really during the start of the trade wars, around 2016. So it's, you know, the pandemic accelerated when everyone started to realize just how big their concentration risks were when there was a lockdown. And I would say
Starting point is 00:24:15 for a lot of those companies, there is a geopolitical component to it, but it's also the aspect of not having all your eggs in one basket from a supply chain perspective. So even if they're not necessarily bought into the shifting geopolitical dynamics, companies are bought into the notion that they realize that they had a single source of failure and are trying to diversify from that. Yeah. Where do you see the trend lines headed? What do you think we're going here?
Starting point is 00:24:40 Yeah, you know, I do think that we're entering this new normal. And that's, you know, whatever we want to call it. You know, I think it's the post-pandemic new normal, whatever this era ends up getting named. But it is, you know, it's a different global order than what we've seen in the past. You know, I think there's sort of an easy trend to thinking that, oh, maybe it's just going to be like the Cold War. We'll call it, you know, China and the U.S., Cold War, and make it easy. Because that's fairly familiar for people who have been around or have studied the history of that. But it's not the Cold War. And that's one
Starting point is 00:25:11 of the things that I try and reinforce over and over again because you're really under a very different system. You have one technology just changes everything. The internet and various forms of emerging technology, artificial intelligence, all of that really makes it a game changer just on the aspect of what warfare and technology will – how that will contribute to any kind of geopolitical tensions. And then also, you know, it's much more of a multipolar system. There's much more entanglement of the economies. And so if you think about during the Cold War, the economies were fairly distinct. Now there's just so much, you know, it used to be called, you know, mutually assured, you know, economic destruction because the Chinese and U.S. economies were so tightly controlled,
Starting point is 00:25:53 no one ever thought that there could be a war, and so it will be interesting to see what happens with some of this decoupling, but I would argue that the decoupling, you know, if done well, should be prioritized in areas of national security interests and aspects of social security as far as health security and so forth, like we saw during the pandemic, and focus on those areas. But there are still areas where there could be mutual gains. And so hopefully there are some, though those still remain, a component that keeps some links between the different countries. But there is a decoupling. It's going to take a long time. I really don't think it'll be an entire decoupling,
Starting point is 00:26:26 but it is, you know, where the U.S. and China go, it really does spill over into the rest of the world. And then what you see with Russia's invasion of Ukraine, you see Europe really coming together much faster. And that actually, you know, really decreased a lot of the tensions across U.S. and Europe as well and brought the EU and U.S. really a lot more
Starting point is 00:26:45 tightly coordinated than they ever had been for recent history. So we are seeing some push factors that also are pushing a lot of the democracies closer together in ways that they hadn't been before. There was just an Indo-Pacific economic agreement introduced probably a few weeks ago in the May timeframe. And that also is getting just additional economic ties. And that kind of overlays with the Quad Alliance that also has supply chain and technological ties. And we're seeing just a really restructuring. And I think a lot of that will be along technology
Starting point is 00:27:18 and rules and regulations of the internet will really be some of the driving forces that are binding different groups together. All right. Well, Andrea Little Limbago, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Ervin, Rachel Gelfand, Elliot Peltzman, Trey Hester,
Starting point is 00:28:41 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
