CyberWire Daily - A new member of the Winnti Cluster is described. Cobalt Strike used against unpatched VMware Horizon servers. Ukraine blames Russia for what seems to be a destructive supply chain attack.
Episode Date: January 18, 2022

A new Chinese cyberespionage group is described. Cobalt Strike implants are observed hitting unpatched VMware Horizon servers. Ukraine attributes last week’s cyberattacks to Russia (with some possibility of Belarusian involvement as well). Microsoft doesn’t offer attribution, but it suggests that the incidents were more destructive than ransomware or simple defacements. The US warns of possible provocations. Ben Yelin looks at a bipartisan TLDR bill. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on the ongoing threat of phishing. And the REvil arrests in Russia may have been for “leverage.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/11
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A new Chinese cyber espionage group is described. Cobalt Strike implants are observed hitting unpatched VMware Horizon servers. Ukraine attributes last week's cyber attacks to Russia. Microsoft doesn't offer attribution, but it suggests that incidents were more destructive than ransomware or simple defacements. The U.S. warns of possible provocations. Ben Yelin looks at a bipartisan TLDR bill. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on the ongoing threat of phishing. And the REvil arrests in Russia may have been for leverage.

From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 18th, 2022.
Trend Micro yesterday reported on an elusive threat actor it calls Earth Lusca and that it's been tracking since the middle of last year. Earth Lusca is assessed as a Chinese group, part of the Winnti cluster, although it represents a distinct operation. Its interests include government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media. All predictable espionage targets, but Earth Lusca's activities are mixed. They also extend to some apparently financially motivated operations against gambling and cryptocurrency outfits. Whether that's a central purpose of the group or whether it represents an APT side hustle is unknown. Trend Micro's technical analysis of the group's activity describes its infrastructure, a distinctive strain of malware, and its extensive social engineering.
Researchers at Huntress, following up on warnings from the UK's NHS, have confirmed that unpatched VMware Horizon servers are now being actively attacked with Cobalt Strike implants. This activity amounts to exploitation of Horizon itself and not the abuse of web shells that were observed earlier.

Ukraine has now attributed last week's cyber attacks to Russian operators, and Kiev has found some support for its conclusion among other governments. Microsoft on Saturday released a report on the malware used in the attacks. It was a wiper that represented itself as ransomware. NATO considers its options for defense, deterrence, and response.

Kiev has accused Russian services of carrying out last week's cyberattacks with some possible assistance from Belarus. Ukraine's Ministry of Digital Transformation said this weekend, quote, Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace. Kiev's view is that the operation is a continuation of a hybrid war Russia has waged against Ukraine since its 2014 invasion of Crimea. Ukraine's State Service for Special Communications described the attacks as hitting 70 government sites or resources, 10 of which were subjected to unauthorized interference. But the service claimed that no personal data was leaked and that most affected sites were quickly restored to normal. The state service added some details about how the attackers obtained access to the sites. It was a supply chain attack. Quote, the attackers hacked the infrastructure of a commercial company that had administrative access to the web resources affected by the attack. Which commercial vendor was hit remains unspecified. It's worth noting that a supply chain attack through M.E.Doc tax preparation software was used in 2017's NotPetya attack, which has been generally attributed to Russian intelligence services.
The cyber operations, coming as they do as Russian troops are reported to have marshaled in assembly areas near the Ukrainian border, have been received by NATO as battlespace preparation. The U.S. has said that the cyber attacks have the hallmarks of a disinformation operation intended to afford Russia a pretext for military action. White House Press Secretary Jen Psaki went on the record concerning the possibility of false flags during Friday's daily media brief. Here are her remarks as recorded by C-SPAN.

As part of its plans, Russia is laying the groundwork to have the option of fabricating a pretext for invasion. And we've seen this before. We saw this before leading up to 2014, just to note, including through sabotage activities and information operations, by accusing Ukraine of preparing an imminent attack against Russian forces in eastern Ukraine, and the Russian military plans to begin these activities several weeks before a military invasion, which could begin between mid-January and mid-February. Again, we saw this playbook before, including the widespread effort to push out misinformation, not just in Eastern Europe, but around the global community.
Ukraine's Ministry of Digital Transformation agrees that the cyber attacks represented, at one level, disinformation in the service of influence operations. Quote, Its goal is not just to intimidate society, but to destabilize the situation in Ukraine by stopping the public sector's work and undermining Ukrainians' confidence in their government. End quote.
False flags and disinformation are a longer game, but Friday's cyber incidents may have had some more immediate effects.
The cyber attacks may have been intended to provide cover for other more destructive operations.
Microsoft said on Saturday that it hadn't been able to draw connections between Friday's cyber attacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper, that is, malware whose intent was the destruction of data, not their temporary denial, as in a conventional ransomware attack, or their theft. The operation is being called WhisperGate, and Microsoft has given the threat actor behind it the temporary tracking identifier DEV-0586. The attack is, Microsoft says, a two-stage operation. Stage 1 overwrites the master boot record to display a faked ransom note. Stage 2 of the attack installs a file corrupter malware. That malware is still undergoing analysis. Microsoft has provided a set of indicators of compromise organizations can use to assess their risk. To return again to NotPetya, that earlier incident also involved the use of a wiper dressed up as ransomware, so this too would be out of a familiar playbook.
Website Ukrinform reports that NATO, having condemned last week's cyberattacks, is working with closer cooperation on cyberdefense with Ukraine. According to Reuters, the U.S. has offered Ukraine whatever it needs to recover from those attacks, and Interfax Ukraine says that Franco-American talks have addressed common preparations to render such aid to Kiev.
Russia denies any involvement in the cyberattacks and disclaims any intention to invade Ukraine. Kremlin spokesman Dmitry Peskov said in a CNN interview, We have nothing to do with it. Russia has nothing to do with these cyberattacks. Ukrainians are blaming everything on Russia, even their bad weather in their country. End quote.
That said, Russian President Vladimir Putin has given the U.S., and by implication, NATO, a soft deadline for meeting Russia's demands. It's set to expire, roughly, on January 20th. He's outlined three demands, Russia Matters reports. Demand number one, no more NATO expansion eastward, especially to Ukraine and Georgia. Demand number two, NATO withdraws military infrastructure placed in eastern European states after 1997. And demand number three, U.S. and NATO deploy no strike systems in Europe, such as intermediate and short-range missiles that would be capable of striking targets in Russia. Should the U.S. refuse, and it would be expected to formally accede to or reject the demands, Russia Matters describes the Kremlin's probable next move. Quote, This written refusal to honor Russia's demands could then be used in a rhetorical battle on the international stage over which side is to be blamed when Russia subsequently claims it has been compelled to act vis-à-vis Ukraine and the West. Be this via the deployment of nuclear attack systems along Russia's western frontiers, including Kaliningrad as well as Belarus, the deployment of systems in Cuba and Venezuela, and or another intervention in Ukraine. End quote. The Cyber Wire's continuing coverage of the crisis in Ukraine can be found on our website.

In response to an increase of governments requiring people to obtain, and under some circumstances present, evidence of vaccination against COVID-19, criminals are selling fraudulent PCR and test certificates. Check Point says the bogus certificates are for the most part being distributed by the Telegram messaging app, and that some regions have seen increases in such fraud of up to 600%.
And finally, U.S. officials have said, according to The Record, that one of the members of REvil arrested last week by Russian authorities may have been responsible for the ransomware attack on Colonial Pipeline last spring. Trustwave back in November reported that Eastern European cybercriminal circles were beginning to wonder whether the safe haven they'd so long enjoyed was about to be closed to them. Those worries are probably as premature as hopes for a new age in Russo-American cooperation, a false sunset to go with a false dawn. The Kremlin's withdrawal of what amounts to a letter of marque is likely, Cybereason told ITPro, to be purely tactical, designed to darken counsel while Russia pursues its interests in Ukraine. Impunity can be restored as easily as it's withdrawn. And besides, there's no real risk of extradition to the U.S., so a sabbatical in Club Fed seems unlikely in the extreme.
The National Cybersecurity Alliance is a non-profit public-private partnership promoting cybersecurity and privacy education and awareness. The organization dates back to 2001 and focuses on bridging the gaps between private industry, government, and the public at large. Lisa Plaggemier is interim executive director of the National Cybersecurity Alliance, and I caught up with her recently for insights on the state of phishing.
I think there's definitely greater awareness. We did a lot of speaking events. We get invited by corporations and organizations of all sizes to speak during Cybersecurity Awareness Month in October. And just anecdotally from the companies that I was speaking to, we also surveyed a lot of their employees during one of the talks that I gave. There was a chance for audience participation and a couple of poll questions. And I see a big difference between people, I'll say people of working age and their awareness of phishing. And most of these people, especially if you're at a large American company or even a smaller medium-sized company these days, you're being sent simulated phish by your employer. And so that does a lot to raise awareness.

I have a 20-something who's in her first job out of college, and she is so pumped when she recognizes all of those simulated phish that her employer sends her. And they have a contest. They have a leaderboard. You get a gift card to their company store so you can get yourself some swag. She tracks that. I mean, she's excited by that. And she also likes the way I think that it makes her feel. It makes her feel smarter than a bad guy because she can spot these things. And I would hazard a guess that a couple of years ago when she was in college, she could have cared less. And it just wasn't top of mind for her.

So I think the more companies that run simulated phishing programs that do it in a way that encourages your employees, that makes them feel good about what they've learned, that makes them feel smarter than a bad guy, I think that's all really positive, as opposed to running a program that's more punitive. So if you treat it like training, not like human penetration testing, I think it can do a lot to raise awareness.

I've also noticed that people seem less inconvenienced by security than they have in the past. I think with this increasing awareness of things like phishing has also come an increased awareness that, hey, you know, sometimes security is a little bit inconvenient, or it might take me a few extra seconds to check an email or use multi-factor authentication, but I'm okay with that because it's all about being more secure. I think a couple of years ago, I just, you know, because I work in security, I'll have, you know, friends that will always like to gripe to me about, you know, oh, my company turned on MFA or this e-commerce site turned on MFA and I have to use it or a financial institution and they like to complain about it. I don't hear that so much anymore. And I know that's completely anecdotal, but it's just the general feeling that I get.
Yeah, you know, it strikes me like I sometimes use the analogy that, you know, you can do all the right things.
You can wash your hands.
You can, you know, wipe down surfaces with antibacterial things.
But every now and then you're still going to get a cold.
And that's just sort of the way it is.
But you can't be fatalistic about this.
You still have to do those basics and you're going to be better off for it.
You don't stop doing those things because what you're doing is mitigating your risk.
You're reducing your risk.
If you did none of those things, then your risk would be much higher of getting sick.
So it's really about risk management.
That's Lisa Plaggemier from the National Cybersecurity Alliance.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, but also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story from the folks over at the Washington Post. This is written by Cristiano Lima, and it's titled, No One Reads the Terms of Service. Lawmakers Want to Fix That with a New TLDR Bill. Ben, what's going on here?

So we've talked many times on this podcast and on Caveat about how nobody reads the EULAs. They're too long. They're 300 pages. It's written in legalese. Nobody understands them. Members of Congress want to do something about that, and this is a bipartisan effort.
So there was a bill introduced in the House called the TLDR Act.
You and I were very curious as to how they would make this TLDR, which of course is too
long, didn't read, into a legislative acronym.
And they did not disappoint.
The act may be cited as the Terms of Service Labeling Design and Readability Act.
Nice.
Which, frankly, is brilliant.
I would like to give a Nobel Prize, a Pulitzer Prize to the legislative staffer who came up with that.
Well done.
Absolutely fantastic.
So the purpose of the bill would be to require companies to have terms of service that are readable sensitive personal data they are allowed to collect. So this is the House bill. The Senate counterpart, this is a Senate bill proposed by Democrat Ben Ray Luján of New Mexico and Republican Bill Cassidy of Louisiana. It's largely identical, but they didn't come up with a brilliant acronym for their piece of legislation. So if I'm a member of Congress, I'm advocating that we adopt the House version, because how much better could it be than having a TLDR Act?
Let me ask you this.
So as a lawyer yourself, isn't the whole notion of legal jargon in direct tension
with the idea of having a version of that that is easy to read and understand?
Yes. I think there's parts of EULAs, terms of service, that need to be written out in 300 pages because at some point the lawyers are going to be poring over them.
The problem is it's not the lawyers.
We don't call our attorney and have them read the terms of service
before we press the I agree button.
At least most people don't do that.
And I think the purpose of this legislation is to decouple
the actual legalese, the very complicated terms
that dictate whether the company is liable,
when they're liable, what liability they're disclaiming.
Decouple that with something that's just very easy
for the average consumer to understand.
I certainly think it is in the interest of consumers and therefore in the interest of
members of Congress to make these more readable for people so they know exactly what they are
agreeing to. That doesn't mean you completely displace the 300 pages of legal jargon.
It just means the company has to summarize that in a way that's readable,
understandable for the average consumer. Do you think that is ultimately achievable?
I do. I do. You know, this might be a part of a larger piece of legislation. If there is ever
data privacy legislation, you know, some sort of breach notification law, maybe they would tuck this in as a rider to that bill.
But I could certainly see this as something that Congress would have the fortitude to do,
given that it has bipartisan support. They've held a lot of hearings over the past couple of years
about some of the abusive practices of these tech companies. So it's certainly an area ripe for regulation.
So I would not be surprised at all to see a version of this get enacted.
And I think it would make life a little bit easier for most of us who don't take the time to actually read through those terms and conditions and give us some sort of meaningful consent
when we agree to the EULA when we download that new application.
So yeah, I think the chances are decent that this could actually turn into a law.
And fingers crossed, because I think it's a really good idea.
All right. Well, time will tell.
Ben Yelin, thanks for joining us.

And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Elliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.