CyberWire Daily - A new loader variant for wiper campaigns. Sanctions, hacktivism, and disinformation. Conti’s toxic branding. Happy birthday, US Cyber Command.
Episode Date: May 23, 2022

There's a new loader identified in wiper campaigns. President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity. Coordinated inauthenticity at scale. Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation state levels. And happy birthday, US Cyber Command... but we're not necessarily wishing you a moonshot for your birthday present.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/99

Selected reading.
Sandworm uses a new version of ArguePatch to attack targets in Ukraine (WeLiveSecurity)
Putin complains about barrage of cyberattacks (Military Times)
Putin promises to bolster Russia's IT security in face of cyber attacks (Reuters)
Russia keeps getting hacked (Mashable)
Putin is bringing his disinformation war to Ukraine (Newsweek)
Russian government procured powerful botnet to shift social media trending topics (The Record by Recorded Future)
Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (The Hacker News)
Russian Hackers Claim Responsibility for Attacks on Italian Government Websites (Wall Street Journal)
Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet (Infosecurity Magazine)
DisCONTInued: The End of Conti's Brand Marks New Chapter For Cybercrime Landscape (AdvIntel)
Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there (The Record by Recorded Future)
Could a Cyber Attack Overthrow a Government? Conti Ransomware Group Now Threatening To Topple Costa Rican Government if Ransom Not Paid (CPO Magazine)
Fears grow after ransomware attack on Costa Rica escalates (TechCrunch)
US Cyber Command's birthday (US Cyber Command)
U.S. Needs New 'Manhattan Project' to Avoid Cyber Catastrophe | Opinion (Newsweek)
Cyber pros are fed up with talk about a cyber-Manhattan Project (Washington Post)
Transcript
You're listening to the CyberWire Network, powered by N2K.
There's a new loader identified in wiper campaigns. President Putin complains of sanctions and cyber attacks and vows to increase Russia's cyber security. Coordinated inauthenticity at scale. Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software-defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation-state levels, and happy birthday, U.S. Cyber Command. But we're not necessarily wishing you a moonshot for your birthday present.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 23, 2022.
The GRU's Sandworm group has deployed a new version of its ArguePatch loader, ESET reports. ArguePatch had seen previous use in both Industroyer and CaddyWiper attacks against Ukrainian targets. The new variant of ArguePatch, named so by the Computer Emergency Response Team of Ukraine, that's CERT-UA, and detected by ESET products as Win32/Agent.AEGY, now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.
Reuters reports that last Friday, President Putin complained to his Security Council that cyber attacks against Russia had increased. Mr. Putin also reprehended the way in which sanctions had affected the country's IT capabilities. Reuters says, "Restrictions on foreign IT, software and products have become one of the tools of sanctions pressure on Russia. A number of Western suppliers have unilaterally stopped technical support of their equipment in Russia." President Putin says Russia needs to shore up its cyber defenses. He put a bold face on the situation, as Mashable quotes him: "Already today, we can say that cyber aggression against us, as well as in general the sanctions attack on Russia, have failed."

Russian disinformation efforts against Ukraine have been both heavy and heavy-handed, in some cases using a playbook almost out of the 1930s. The New Yorker described them last week: Russian armored vehicles drove along Melitopol's central avenues with loudspeakers blaring, "The military-civilian administration of Melitopol, in order to prevent lawbreaking and to ensure public order, temporarily prohibits rallies and demonstrations." In general, Ukrainian messaging has been more effective and internationally successful. Russian messaging has found principally a domestic audience as Moscow's international isolation grows with the duration, brutality, and incompetence of its war.
Coordinated inauthentic behavior is a different matter. Many have seen the Fronton botnet as principally a tool for distributed denial-of-service attacks. While it certainly has that capability, it's more remarkable for its ability to create synthetic personas in social media and marshal them in campaigns that push specific lines of disinformation. The Russian FSB security service is believed to have purchased Fronton from a contractor, Zero Day Technologies. Researchers at Nisos have studied Fronton and found that its real novelty lies elsewhere, in its ability to push disinformation. The Fronton toolkit enables not merely an array of coordinated posts, but also likes, reposts, and comments. And it provides feedback on the effectiveness of its operations in achieving reach, currency, and amplification, all of which can be used for the further tuning of disinformation campaigns. As The Hacker News points out, it's unclear whether Fronton has been used in active campaigns or whether it remains under development or in reserve, but the botnet's capabilities are interesting.
The Wall Street Journal reports that even as Italian police sought to verify Killnet's claim of responsibility for attacks against various Italian websites, the Russian hacktivist group, or at least a nominal deniable hacktivist group, claimed in its Telegram channels to have "killed Italy like a mosquito." And Anonymous has taken official notice in its decentralized anarcho-syndicalist way. Infosecurity Magazine, for what it's worth, reports Anonymous claims that it's declared war on Killnet.

AdvIntel on Friday described what they're observing with the Conti ransomware operation as the retirement of a brand, but not necessarily the dissolution of a gang, and almost certainly not the retirement of the gang's members. The admin panel of its shame blog, Conti News, has shut down. The blog itself persists as a shadow of its former self, but its posts are now merely poorly written anti-American screeds. There are no significant signs of Conti News' former role as a site that pressured victims to pay. AdvIntel sees the gang's dismantling itself into smaller affiliates as a business move. Conti's brand was under pressure from law enforcement, and its public adherence to the Russian cause in the war against Ukraine seems to have made it more difficult to receive ransom payments. Its high-profile attack against the Costa Rican government, then, seems to have been misdirection for spin-out and rebranding as opposed to a serious attempt to foment insurrection. Breaking into smaller groups has both business and security advantages, as The Record observes, but AdvIntel sees the root cause of Conti's decision in the toxicity the brand has developed. They say, "This situation presents the first and foremost reason for Conti's timely end: toxic branding. Indeed, the first two months of 2022 left a major mark on the Conti name. While there is no tangible evidence to suggest that the well-known Conti leaks had any impact on the group's operations, the event which provoked the leak, Conti's claim to support the Russian government, seems to have been the fatal blow for the group, despite being revoked almost immediately." Conti alumni will no doubt, however, continue to enjoy the toleration and enablement that the Russian government has long extended to privateers operating from its territory. As long as they hit enemies of the regime and stay deniable, the gangs will be permitted to profit.

Why did Conti choose Costa Rica for its last hurrah? The country was a target of opportunity, TechCrunch explains. Its online services were wreckable, and there was money to be made from wrecking them, and so Conti wrecked them.
Cyber Command dates its founding to May 21, 2010, when two task forces merged under U.S. Strategic Command. Since then, it's grown into a full-spectrum combatant command, so happy 12th birthday to U.S. Cyber Command.

A Newsweek op-ed last week called for a Manhattan Project for cybersecurity. The gist of their argument is, "Much like the World War II-era Manhattan Project, which ensured the U.S. won the race to nuclear weapons, we should confront our current dangerous moment by launching a Cyber Manhattan Project to make revolutionary leaps ahead in cyberspace, understanding that complete technical overmatch against our adversaries is the surest path to deterring bad actors." The metaphor has been used before, along with the similar moonshot or Project Apollo metaphors. The op-ed, while it offers a thoughtful account of cyber threats that pose considerable risk to national well-being, has come under criticism from, among others, the Washington Post's Cyber 202, which finds the central metaphor wayward and unhelpful. The Post doesn't put it quite this way, emphasizing instead that spending on cybersecurity probably already outstrips General Groves's budget and that ordinary human error plays a prominent, perhaps dominant, role in cyber risk. But consider: both the Manhattan Project, which developed the first nuclear weapon during World War II, and the Apollo program, which put a human being on the moon in the 1960s, were directed at the solution of large, difficult, complex, but fundamentally unified problems. One knew with no ambiguity whether Fat Man worked when it was detonated. One knew beyond any reasonable doubt that Apollo 11 had reached the moon and that Armstrong and Aldrin had walked there. Cybersecurity is also a complex problem, but it, like, say, the problems of crime or war or perhaps cancer, is not fundamentally unified in this way. The Greek poet Archilochus is said to have written, "A fox knows many things, but a hedgehog knows one big thing." Moonshots and Manhattan Projects are hedgehogs' problems. Cybersecurity is for foxes.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, it's always great to have you back.
Hey, Dave.
You know, there's a trend that I have been tracking in the news these past couple of years.
And this is where both marketing people and tech leaders alike have started to add this one little tech phrase to everything.
And it's software-defined.
Yeah.
Software-defined.
So we've got software-defined networking, software-defined storage, software-defined data centers.
And it kind of takes me back to the old days when Apple started putting the letter I in front of everything.
I do remember.
iPod, iMac, iPad, and then other Silicon Valley companies started doing the same thing.
I mean, in fact, you actually worked for one of those companies.
I did.
iDefense right back in the day, right?
Yes, I did.
So I say all of that to bring us to this,
which is that you are talking about one of these specifically
on this week's CSO Perspectives podcast,
which of course is over on the pro side of the CyberWire.
And this is software-defined perimeter.
Now, what does that mean, all of these software defined things? Do they all work
the same? Well, you know, in general, yes. Okay. Because as the cloud has become the place where
we all do the bulk of our work these days, you know, as opposed to the way we used to do it,
say, before 2010, when we all had big iron tucked away in data centers that we had to manage ourselves with network managers
and IT managers running around.
You know, they had to manually configure everything.
Like animals.
Like the beast that they are.
Right, right.
And I used to be one, so I appreciate that.
Yeah.
So, but when we hear the phrase software-defined,
that generally is marketing speak for services running out of the cloud somewhere and being controlled by software.
But it does cause some confusion, especially for what we're talking about this week.
Software-defined perimeter, because this architecture is not about perimeter defense at all in the classic sense.
In fact, I would say that the architecture completely demolishes the
perimeter defense model altogether. And it's probably the most innovative and important
zero trust and identity management tactic that most of us have never heard of, right? So,
for this CSO Perspectives episode, we're going to break out the Rick the Toolman toolbox,
explain how everything works, and discuss why it's superior to anything we have seen so far since the early 1990s. All right, I look forward to that.
Before I let you go, what is the word of the week on your Word Notes podcast? Yeah, for this week,
we're talking about identity orchestration, which is kind of a subset of the notion of security
orchestration, which is all those things we have to do to manage
and maintain all that stuff we have in the security stack.
And I know that's a mouthful,
but it turns, you know,
that's just the way it is
with the cybersecurity dudes around here.
So it turns out though,
if you're serious about deploying a zero trust strategy,
then identity and access management
is the key and essential piece to get it right.
So in this episode,
we discuss the current state of managing all of that identity and access infrastructure in the most efficient way.
All right.
Well, Rick Howard, he is the chief security officer and chief analyst here at the CyberWire.
But more importantly, he is the host of CSO Perspectives, part of CyberWire Pro.
You can learn all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And I'm pleased to be joined once again by Dinah Davis.
She is the VP of R&D Operations at Arctic Wolf.
Dinah, it's always great to welcome you back to the show.
You know, we've been tracking ransomware groups, of course,
and one of the things that strikes me about them is the ever-increasing amount of sophistication with which they operate.
I mean, it seems to me like, you know, they are really many.
Some of them, it's fair to say that they're on par with some of the nation state actors out there.
What's your take on this?
Yeah, for sure.
This year, I really got into learning more about zero-day vulnerabilities. I read the book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, by Nicole Perlroth. And it's really good, really, really good.
about zero days and who would buy them, it was all nation states, right? And just to take a step back, you know, a zero day vulnerability is a software vulnerability discovered by attackers
before the vendor has any idea, okay? So it's very popular for a nation state to use this to spy.
So they want to assume, you know, people are all, countries are all using very common software, Microsoft or iPhones, Google Cloud, whatever.
And if they can find a vulnerability in one of those things and spy with it, then that's really good for them, right?
Right.
But we've seen this huge uptick on ransomware, right?
And these ransomware gangs are starting to make some serious amount of money.
And they want more and more ways so that they can deploy their ransomware into different systems.
And what we're finding is that they are now becoming as big of a buyer of these zero-day vendor. They actually sell zero-day bugs or vulnerabilities.
They have a standing offer to pay $2.5 million for any zero-day that gives hackers control
of an Android device.
So that's for one hack if you have that.
And then here's the thing.
They have to make a profit on that.
So they're going to buy that from some hacker
and then sell that at a higher price, right? So it gives you an idea of how much a lot
of these zero days can cost. And then it always is going to come back to ROI, right? What's your
return on investment? And sadly, it seems like the ransomware gangs are getting pretty high ROIs here if they're spending that much money on it.
Yeah.
Yeah, I mean, it's not the kids in the basement anymore just banging away on their keyboards.
I mean, these are sophisticated groups with sophisticated tools.
Yep, yep, exactly.
And so, you know, you want to look to prevent yourself from being attacked from these.
It's going to be, you know, the same thing over and over. Patch, patch, patch, patch.
And multi-factor authentication and train your people. It's the same mantra always.
Yeah. Yeah, absolutely. All right. Well, Dinah Davis, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Kirill Terrio, Ben Yelin, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you all back here tomorrow.