CyberWire Daily - A warning of cyberespionage targeting US cleared defense contractors. Update on the hybrid war against Ukraine. China’s favorite RAT. QR codes. Addiction to alt-coin speculation.
Episode Date: February 16, 2022
US agencies warn of Russian cyberespionage against cleared defense contractors. Updates on the Russian pressure against Ukraine. ShadowPad as China’s RAT of choice. BlackCat claims to have leaked data stolen in a double-extortion ransomware attack. Follow the bouncing QR code. Dinah Davis from Arctic Wolf on Canada’s government ransomware playbook. Rick Howard chats with Bill Mann from Styra on DevSecOps. And if you’re addicted to cryptocurrency speculation, the first step in recovery is admitting you’ve got a problem. (The second step is to step away from the phone.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/32 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
U.S. agencies warn of Russian cyber espionage against cleared defense contractors.
Updates on the Russian pressure against Ukraine.
ShadowPad as China's RAT of choice.
BlackCat claims to have leaked data stolen in a double extortion ransomware attack.
Follow the bouncing QR code.
Dinah Davis from Arctic Wolf on Canada's government ransomware playbook.
Rick Howard chats with Bill Mann from Styra on DevSecOps,
and if you're addicted to cryptocurrency speculation,
the first step in recovery is admitting you've got a problem.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 16th, 2022.
Around noon today, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, and NSA issued a joint cybersecurity advisory. The advisory, AA22-047A, bears the descriptive title,
Russian state-sponsored cyber actors target cleared defense contractor networks to obtain sensitive U.S. defense information and technology.
The tactics the Russian operators are using are described as common but effective.
Those tactics include spear phishing, credential harvesting, brute force and password spray techniques,
and known vulnerability exploitation against accounts and networks with weak security.
The goal, unsurprisingly, is espionage.
The operators are after sensitive, unclassified information
and any company, proprietary, or export-controlled technology.
The advisory says, quote,
The acquired information provides significant insight into U.S. weapons platforms'
development and deployment timelines, vehicle specifications,
and plans for communications infrastructure and information technology. What are cleared
defense contractors? It's a term of art in the U.S. acquisition system. A cleared defense
contractor is defined as a private entity granted clearance by the Department of Defense to access,
receive, or store classified information
for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.
So, if you work for one of those cleared defense contractors, be on your toes.
The bears are snuffling at you.
If you buy the theory that markets are the best predictors
and that wisdom is to be found in crowds more often than is madness,
then you should feel a bit better about the prospects
of an intensified, fully kinetic Russian war against Ukraine.
U.S. stock indexes rose yesterday after three consecutive days of losses,
and the Wall Street Journal
attributes the gains to investors' optimism that the crisis is relaxing. An opinion piece in The
Telegraph argues that what the markets are actually bullish on is a Western sellout of Kiev,
but both military and diplomatic signals remain mixed in that troubled part of the world.
On a day of mixed military and diplomatic signals,
two major Ukrainian banks and the country's Ministry of Defense sustained denial-of-service attacks yesterday.
Forbes identifies the banks as PrivatBank and Oschadbank and quotes Ukrainian government sources as saying that public-facing websites of the Ministry of Defense were affected.
Those military sites are unlikely to be directly relevant to command and control.
The attacks appear to have been nuisance-level operations, disturbing but not crippling,
relatively unsophisticated and easy to remediate.
The Wall Street Journal reports that both the banks and the ministry have been quick to begin remediation.
Neither Ukrainian government nor security industry sources have so far offered official formal attribution of the incident,
although Ukrainian authorities are rounding up the usual suspects,
pointing out the a priori likelihood that Russia was behind the incident.
An AFP story in the Kiev Post quotes the country's
communications watchdog as saying, quote, it cannot be excluded that the aggressor is resorting to
dirty tricks, end quote. Moscow was quick to deny any involvement, but if you bet on form,
Moscow was probably involved. Following its recent practice of releasing intelligence
assessments that might otherwise be closely held, the U.S. intelligence community has said,
the Washington Post reports, that it's likely Russian cyber operators have penetrated and
established persistence inside Ukrainian critical infrastructure networks. Russia's pressure on its neighbor has brought
new urgency to space systems and commercial space companies' cybersecurity. Russia has jammed or
spoofed PNT, that's the Positioning, Navigation, and Timing signals, in the past. And given the
prominent role commercial satellite imagery has played in revealing Russian military deployments
over the
course of the crisis, there's speculation that Western space companies and the assets they run
will become early targets of cyberattack should Russia's hybrid war against Ukraine intensify.
Cyberattack is an attractive alternative to kinetic anti-satellite operations.
Cyberattacks are more ambiguous, more deniable, less easily attributable,
and less likely to draw retaliation in kind. Commercial ISR is also a useful source of
tactical and operational intelligence for Ukraine, and denying Kiev easy access to such combat
information would be an obvious move should the conflict become more intense.
NATO says it hasn't seen signs that Russian troops are moving from exercise and assembly areas back to their home stations, the AP reports, whatever Moscow may be saying.
NATO Secretary General Jens Stoltenberg said, quote,
At the moment, we have not seen any withdrawal of Russian forces.
If they really start to withdraw forces, that's something we will welcome, but that remains to be seen, end quote.
Nor have Ukraine's leaders.
The BBC reports that President Zelensky isn't seeing a drawdown yet either.
President Zelensky told the BBC, quote,
When the troops do pull back, everyone will see that, but for now, it's just statements, end quote.
The Economist wonders whether the Russian troop deployments may be more bluff than realistic military threat.
150,000 troops are a lot, to be sure,
but Ukraine wouldn't, at this stage of its post-Crimea rearmament, be a pushover either.
And the paper also isn't seeing the level of domestic propaganda it would expect to see on the eve of an invasion.
Given the factitious atrocity stories circulated by Russian media,
The Economist has high expectations indeed for what wartime propaganda would look like.
It may be the year of the tiger and not of the rat, but Beijing seems to have a favored RAT. SecureWorks describes ShadowPad, an advanced
remote-access Trojan that's been used since 2017 by threat groups affiliated with the Chinese
Ministry of State Security Civilian Intelligence Agency and the People's Liberation Army.
CSO calls ShadowPad the RAT of choice for both the MSS and the PLA.
There's a bit more on the BlackCat ransomware gang.
Swissport is investigating claims by BlackCat that they've leaked data stolen from the aviation services provider
during its recent ransomware
attack, Security Week reports. The Coinbase Super Bowl commercial drew a great deal of attention.
The ad presented a minute's worth of empty screen with a QR code ricocheting across the screen with
an implicit invitation to scan it and go to the company's website, where you can speculate your way to
wealth. If judged by viewer response, the commercial was a hit. Security Magazine says
that the landing page where the QR code sent those who responded received more than 20 million hits
in a minute. This quickly amounted to a kind of auto-DDoSing, since Coinbase's site crashed
under the traffic, but the company was
pleased with the results. The commercial also prompted some discussion of the ways in which
QR codes lend themselves to abuse by malicious actors. HelpNet Security writes that the codes don't
lend themselves to easy user inspection. Even the minimalist cues a URL or an email address might
contain are absent, and it's wise to treat them by default with suspicion.
So let's say you were one of those who couldn't help themselves.
There you were, minding your own business, watching the Super Bowl,
and while you couldn't define the difference between pass interference and illegal contact,
you were right there with your phone to follow that bouncing QR code
toward the pot of altcoin you were sure you could see at the end of that rainbow.
Or maybe you've got a mining rig in your basement that's using so much juice it's prompted the local power utility to ask you if you're refining aluminum.
The first step is admitting you have a problem.
Therapists have noticed that cryptocurrency traders are getting obsessive,
that they're exhibiting some of the behaviors and preoccupations that accompany other addictions.
Quartz writes that one therapist is noticing that many of those who consult her,
and a lot of them are from the San Francisco area, are troubled by thoughts like these.
Should I have sold it at a higher price? Should I have done it two months ago? All these questions, said therapist Patti Fiore, were cropping up along with regret, depression, and anxiety.
She's not the only one seeing people present with these symptoms. The U.S. National Institutes of
Health has published a study on the psychology of cryptocurrency trading, risk and protective factors.
The authors conclude that more research is necessary.
Quote,
The paper suggests the need for more specific research
into the psychological effects of regular trading,
individual differences and the nature of decision-making
that protects people from harm,
while allowing them to benefit from developments
in blockchain technology and cryptocurrency.
End quote.
Until such time as the paper is completed,
perhaps we might consider the advice of philosopher Kierkegaard's pastor,
travel, divert yourself, take a laxative.
Well, on second thought, all of those, even the third one,
wouldn't necessarily get you away from your device.
Kierkegaard would have understood, friends.
Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Our own Rick Howard has been pondering the utility of DevSecOps, and he recently chatted with Bill Mann from Styra on that very topic. Rick Howard files this report.
I'm joined by Bill Mann, the CEO of Styra. It's a company that helps its customers on their infrastructure-as-code journey.
And the minds behind the most excellent open source project called OPA, which stands for Open Policy Agent.
It's kind of a policy as code project that helps with zero trust initiatives.
Thanks for coming on the show, Bill.
Now, I've been a fan of the DevSecOps movement since Gene Kim published his cybersecurity Canon Hall of Fame book, The Phoenix Project. But it's been at least
seven years since he did that. Can you give us a sense on the current state of
the DevSecOps deployment in 2021? Sure.
I think I agree with you wholeheartedly. It's not moving as fast as we all anticipated
it was going to move at. I know. I'm very disappointed. I thought we'd be all over this
by now, but apparently we are not. Well, we're heading in the right direction, right? And I think
it's worthwhile. When you think about DevSecOps, it's three things. It's development, it's security,
it's operations. And that's different from what we had before, which was development and operations.
To get it working within any organization, it's a combination of culture, changing everybody's
perspective on how they've been doing business, which is very hard, obviously. It's automation.
And lastly, it's the way we think about platform designs and how we think about software engineering
and so forth. So that's kind of one part of the context, right, about why it's moving slower.
But the other context is we're changing everything around how we deliver software.
Every organization is going through a kind of a platform rethink, which predominantly is open source software like Kubernetes and service meshes and so forth.
Everybody now realizes it doesn't matter if you're a car company or a health company, right?
Everybody realizes that software
is the leading edge capability.
So there's a need to innovate really, really fast.
So you've got a new stack.
Now you've got an urgency to innovate.
And then lastly, no surprise,
because we're talking about security,
everybody wants more privacy as well.
That combination, it's what's slowing it down.
My observation is that, yeah, that's all hard,
but mostly the biggest problem, I think, is cultural.
Like you mentioned, right,
the security people and the IT people are still siloed.
So it makes the whole idea of a DevSecOps movement
more difficult because those two sides
still do not communicate
with each other on a regular basis. Is that your observation or am I wrong about that?
No, you're right. And look, we can't expect those two organizations to be best of friends because
there's a yin and yang here, right? Developers want to get code out the door as fast as possible.
Security historically has wanted to stop things from going out the door.
Tooling is required to make those organizations work better together.
Let me give you a simple example.
You mentioned earlier on, you know, we're the creators of the open source project, Open Policy Agent.
One of the use cases of Open Policy Agent is to provide guardrails, a pipeline, essentially.
So when an application configuration,
which is defined in code,
gets to a certain point in the pipeline,
it needs to be checked to make sure that it's meeting certain security requirements.
We call them guardrails, right?
So for instance, a very simple guardrail could be,
you don't want this application
to ever talk to a certain S3 bucket.
The job of OPA is to enforce that policy.
But who writes that policy?
Typically, the person who's going to write that policy is definitely going to be in security.
But the ramifications of that policy failing, it then goes back to the developers. So how can we have these two organizations work
together for the greater good of the application going out into production? And the way we try and
solve that is by providing better tooling. So I like the idea here that there's kind of a natural
bifurcation where the DevOps people continue to do their thing, but we make them go through like
an OPA engine where the security
people can set the policy. So the DevOps people don't have to be experts in security and the
security people don't have to be expert coders, right? And therefore those two things can merge
and have a better outcome in the future. You're spot on. And the reason why OPA was created was
it was a common approach to defining policy across different elements of
the stack. Because one of the other things that is happening with this new application stack is
there's many, many, many new tools being introduced. And the point I'm making is,
if there's hundreds of projects, and all of these projects will need some sort of policy
and configuration, but you can't expect a developer or a security organization to know how to configure policy for hundreds of
tools that they may be using. So that's why OPA was designed as a general purpose policy system
that can work across the stack. We're going to have to leave it there. That's Bill Mann,
the CEO of Styra. Bill,
thanks for coming on the show and explaining this to us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D Operations at Arctic Wolf, also the founder of Code Like a Girl.
Dinah, always great to have you back.
Thanks, Dave.
You know, ransomware stays at the top of the news stories on everyone's mind.
And I thought it'd be interesting to check in with you
being up north in Canada as you are,
what you're seeing from the Canadian government
when it comes to recommendations for ransomware.
Yeah, in December,
they actually put out a really great guide
and it was a guide for ransomware for companies
and how companies should handle ransomware. And they even, well,
they sort of answered it, but there's always this question, should you pay, right?
Yeah.
So they don't give you an answer because no government agency actually would give you an
answer there, but they do give you some good information about it, right? So first,
report it to your local police. Paying doesn't guarantee access. We all know that. But you may
not know that if it's your first time around seeing this, right? Or it's happening to you.
You know, heard it happen to other people, but now it's happening to you. It's a little more scary.
Payment might be used to fund other illicit
activities. So you have to remember that, right? Do you want to fund further illicit activities?
Even if you pay the threat actor, they may still demand more money, retarget your organization with
a new attack, or copy, leak, or sell your data. So I mean, I think the Canadian government is
saying don't pay here. It's like a subtle, there's a subtle undertone without actually saying the words. But yeah,
that's where they're standing on that. Yeah. It seems to me like we're in this,
we're sort of in this era of being practical about it where, you know, government organizations,
the FBI and so on and so forth would say don't pay under any circumstances. But now I think there's a realization that you have to be practical, and there are occasions when the path of least resistance may be paying the ransom.
But you're right.
It's hard for them to say that because then the bad guys win, right?
What about prevention itself?
Any recommendations in terms of backups and all that sort of good stuff?
Yeah, they have two major recommendations, right?
One, make sure you have a backup plan.
And two, make sure you have an incident response and recovery plan.
They actually go through the benefits of the different types of backup plans you can have, whether it's like full backups on a regular basis or differential, which is just going to copy the differences each time, or incremental, where it's like, you know, it does it, but then it's saving it as a whole. So each one has its benefits, right?
Full backups on a regular basis, you can restore real quick, right?
But it takes up a lot more
space and data. Whereas a differential, it's a lighter weight system, but to get a full backup,
you have to go to the last time you did a full backup and then add all of those things in a row.
So it can make it pretty long. And then incremental basically saves a copy of the data since your last differential.
So it pulls it together each time. There's choices and reasons why an organization may
want to choose one or the other. And then they also talk about the differences between online,
offline, cloud, and the benefits of each one of those, right? Offline being probably the most secure
because if your system is hit, then your offline backup shouldn't be connected to anything,
meaning it should be more safe. And then the second step after you have a good backup plan is develop your incident response plan, right?
You need to do all the things that regularly you need to do, right?
So you need to do a risk assessment and you need to make sure you have policies and procedures in place.
Big ones for me are like, make sure you have a response team in place and you actually do example runs of this stuff so that people know what to do when it
happens, right? You want to have good training, training on how to restore from backup, making
sure you know who's going to handle communications to your customers if something like this happens,
making sure you know who all of your stakeholders are, right? And then one really
big thing that I think often gets forgotten is to make sure you're managing your user and
administration accounts, right? Always be applying the principle of least privilege, right? Only give
people enough access to things that they can get their job done. But make sure you're also auditing that.
And if somebody leaves or moves department, this is the bigger one inside companies,
moves department. How many times do people move a department, keep all the access from their
previous department, but now they're doing a new job. They forget they have it, but they're a really
good target for attackers because they have all this access that they don't really need and don't really think about using very often, right?
And the one interesting thing I saw that they put in there was to use a separate system
to do any administrative work. So, for example, like, you know, I've got my work computer, but if I was an admin for a
system, I should have a separate, either a separate computer, a separate VM, a separate like system
where the administrative work gets done that is not the same system that you just do your regular
everyday work on. So that reduces the chance of, you know, a malicious attack coming in via email or
something because the system you do administration on should not have an email account on it at all.
Right, right. Yeah. The other thing that I think of too, which I think is good advice is
as you're doing your practicing, you know, your playbook response, think about what happens if
many, if not most of your computers are not working, are not available. How's your team
going to communicate if none of their computers are accessible? People often don't think about
that. Well, interestingly, that's also something you should do even not in an attack because
right before Christmas, Amazon had some major outages that
took out companies like Slack. And because that's an outage, right, you might actually have some of
your systems running on that Amazon cloud. Now you've got to manage your internal operations
and you've lost Slack. Have a default secondary communication tool that you're going to use if one goes down.
All right.
Well, good advice as always.
Dinah Davis, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious ... impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.