CyberWire Daily - Albania reports more Iranian cyberattacks. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet.
Episode Date: September 12, 2022
Albania reports additional cyberattacks from Iran over the weekend. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet. Kinetic strikes hit Ukraine's ...infrastructure. Rick Howard calculates risk with classic mathematical theorems. Tim Eades from Cyber Mentor Fund on the dynamic nature of the attack surface. And a look into the cyber phase of the hybrid war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/175
Selected reading.
Albania blames Iran for second cyberattack since July (CNN)
Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities (US Department of the Treasury)
Iran strongly condemns US sanctions over Albania hacking (Al Arabiya)
Six months into Breached: The legacy of RaidForums? (KELA)
2022 State of the Internet Report (Censys)
Ukraine hails snowballing offensive, blames Russia for blackouts (Reuters)
Ukraine says Russia is retaliating by hitting critical infrastructure, causing blackouts. (New York Times)
Last reactor at Ukraine's Zaporizhzhia nuclear plant stopped (Associated Press)
Ukraine Warns Russian Cyber Onslaught Is Coming (Voice of America)
Montenegro wrestles with massive cyberattack, Russia blamed (ABC News)
CyberCube: Russia's Sovereign Internet Creates Security Risks With Implications for Cyber (Re)Insurance While War in Ukraine Develops (Associated Press)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Albania reports additional cyber attacks from Iran over the weekend.
RaidForums has a new successor.
A look at threat actor reconnaissance in the contemporary Internet.
Kinetic strikes hit Ukraine's infrastructure.
Rick Howard calculates risk with classic mathematical theorems.
Tim Eades from the Cyber Mentor Fund on the dynamic nature of the attack surface.
And a look into the cyber phase of the hybrid war.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 12, 2022.
Albania reports that it sustained additional cyber attacks from Iran over the weekend, evidently in response to Tirana's severing of relations with Tehran over earlier cyber incidents.
In the most recent attacks, CNN reports that the total information management system
used for border control was taken offline.
As the outlines of Iranian attacks against Albania's government networks become clearer,
the U.S. Treasury Department announced sanctions against Iran's Ministry of Intelligence and Security
and its Minister of Intelligence in response to their involvement in cyberattacks on the NATO country.
The Minister of Intelligence is singled out for his role in directing several networks of cyber threat actors involved in cyber
espionage and ransomware attacks in support of Iran's political goals. Iran condemned the U.S.
action, Al-Arabiya reports, with the foreign ministry saying, America's immediate support
for the false accusation of the Albanian government shows that the designer of this scenario is not the latter,
but the American government. Microsoft described Iran's campaign against Albania in a report
published last Thursday, stating, Microsoft assessed with high confidence that on July 15,
2022, actors sponsored by the Iranian government conducted a destructive cyber attack against the
Albanian government,
disrupting government websites and public services. At the same time, and in addition to the destructive cyber attack, MSTIC assesses that a separate Iranian state-sponsored actor
leaked sensitive information that had been exfiltrated months earlier.
Various websites and social media outlets were used to leak this information.
Security firm Kela released a report today describing Breach Forums, also known as Breached,
a cybercrime forum that's risen in response to the closure and seizure of RaidForums.
The site, launched by the threat actor whose hacker name is pompompurin,
offers database leaks, login credentials, adult content, and hacking tools.
Breached launched only a few weeks after RaidForums was closed
and has quickly risen to become the new platform for database exchange,
with 82,000 registered users, which continues to increase.
Besides that, the forum is active with monthly posts
and with participation by known actors from RaidForums.
Kella states,
Breached is not only the successor of RaidForums,
but in a very short time frame has become a promising data leak marketplace.
The increasing number of users, monthly posts on the forum,
and the fact that known actors from RaidForums have chosen to
join the platform shows pompompurin's popularity and influence. It also seems that ransomware
operators are allowed to post, which expands the possibilities for a wide range of cybercriminals.
Kela believes that the forum will continue gaining popularity in the next months
and could become bigger and even more sophisticated than RaidForums.
Security firm Censys has published a report on the state of the Internet,
finding that 88% of Internet-connected risks are caused by misconfigurations or accidental exposures.
The report states,
Identification of misconfigurations and exposures can be among the first observations a threat actor makes
when performing initial reconnaissance on an organization.
Good security hygiene that addresses misconfigurations and exposures may not be as exciting as a zero-day,
but it's a critical piece of defense in depth for any security program.
One of the questions the report asks is how are
organizations responding to vulnerability disclosures? It suggests that there have in
general been three kinds of responses. First, near-immediate upgrading. Systems vulnerable
to Log4J, for example, acted quickly based on the widespread coverage of the vulnerability. By March 2022, Censys observed only 36% of potentially vulnerable services were left unpatched.
Second, upgrading only after the vulnerability is being actively and widely exploited.
While the GitLab vulnerability was being exploited,
the remediation process acted slower than others until researchers discovered a botnet composed of thousands of compromised GitLab servers participating in DDoS campaigns.
And last, near-immediate response by taking the vulnerable instance off the Internet entirely.
Rather than upgrading, users chose to remove assets entirely from the Internet
after Confluence's vulnerability became public between
June 2021 and March 2022. As Russian forces retreat from the vicinity of Kharkiv, Reuters
reports they have retaliated with attacks against Ukrainian electrical and water utilities in the
area. Those attacks were kinetic, conducted by repurposed air defense and anti-shipping missiles,
as the Russian army runs short on cannon artillery, and they're not the long-feared Russian cyber attacks.
Ukrainian authorities denounced the attacks, the New York Times says, as deliberate and cynical.
Elsewhere in critical infrastructure, external power having been restored to the Zaporizhzhia nuclear plant,
the Ukrainian operators are performing a cold shutdown on the last operating reactor in the
complex, according to the AP. That doesn't entirely remove the danger of a nuclear incident,
but it does reduce the possible effects of any damage, whether accidental or deliberate.
While cyber operations in Russia's
war have been eclipsed by kinetic operations, Ukrainian authorities warn that they expect an
increase in the tempo of Russian cyber attacks. The Voice of America quotes Deputy Minister of
Digital Transformation Georgii Dubynskyi, who told reporters at the Billington Cybersecurity Summit
last Friday,
we saw this scenario before. They are trying to find a way how to undermine,
how to defeat our energy system, and how to make circumstances even more severe for Ukrainians.
We are preparing. An increase in cyber operations may represent a form of escalation intended to compensate for widespread battlefield failure.
Dubynskyi said, we cannot compare it with nuclear weapons, but the effectiveness of that is enough.
That is, of course, correct. Cyber weapons aren't to be compared with nuclear weapons in terms of
their effects. Ukraine also faces an insider threat, and this threat is a familiar one.
Dubynskyi said, the Russians are developing
classical operations using not only cyber, not only software, also using some human resources,
using some traitors. The effects of Russian cyber attacks continue to be felt in NATO countries that
have supported Ukraine. ABC News reports that Macedonia is still recovering from a large cyber campaign Russia mounted as a punitive action for that country's pro-Ukrainian sympathies.
A report this morning by CyberCube sees one possible enduring effect of the hybrid war. privateers, coupled with the growing isolation of an increasingly independent Russian internet,
may give the gangs a long-term safe harbor from which they operate with even greater impunity
than that already afforded to them by Russian toleration. This expectation is already beginning
to appear in the calculations insurers are applying to cyber risk. The report states,
Russia is using ransomware gangs to
undermine the U.S. economy while avoiding direct war with the U.S. European energy companies are
being targeted for strategic value. Russian actors are targeting governments outside of Ukraine.
This is intended to gather intelligence on Western allies assisting Ukraine's war effort.
Ransomware threat actors are today focusing their efforts
more on Russia than on other parts of the world.
And forward-looking reinsurers are starting to adopt
a threat modeling approach to portfolio risk management.
Reinsurers should look across their portfolios
for indications that certain companies
may be susceptible to different threat actors.
After the break, Rick Howard calculates risk with classic mathematical theorems.
Tim Eades from the CyberMentor Fund on the dynamic nature of the attack surface.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for
security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show, Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, welcome back.
Hey, Dave.
So, on our CyberWire Slack channel this week, you were talking about, and by talking about, I mean going on and on, about this math theorem.
And I have to admit, I'm not particularly a math guy.
This is one I had never heard about before.
It's called Bayes' theorem.
You seem to be very excited about it, something that was going to solve all the world's problems. So fill us in.
What's going on here, my friend? Well, maybe not all the world's problems, but one specific pet peeve
of mine, maybe, you know. So, you know, Dave, for years, I've been trying to get my head around
how to calculate cyber risk for my organization, but with enough precision to make some decisions
with. And last week on our last show at CSO Perspectives Pro,
we talked about how security professionals like me
could use super forecasting techniques
from Dr. Tetlock's book of the same name,
and specifically Fermi estimations,
these back-of-the-envelope calculations
made by the famous Enrico Fermi,
one of our greatest physicists.
Now, we can use those techniques
to forecast cyber risk for the business.
But it turns out that super forecasting and Fermi estimates are just two legs of the risk forecasting stool.
The third leg is this theorem, Thomas Bayes' theorem.
And I know you're going to love this.
You're going to start rolling your eyes.
But he published this thing, or it was published after his death in 1763.
So he was a computer guy.
Yeah, you know, he was way up there on social media.
Right, right. Okay.
So, but it's essentially the mathematical foundation of why super forecasting and Fermi estimates work.
Now, you don't have to know the math behind this to use the theory, but you should understand how and why it works. So, in this episode for CSO
Perspectives Pro, we talk about Bayes' theorem and its fight for legitimacy for the past 200 years.
And mainly what you should listen to this for is we cap it off with how Alan Turing, I've told you
before, Dave, he's my all-time computer science hero. He used Bayes' theorem to crack the Enigma
codes during World War II. How about that?
Oh, all right.
That sounds cool.
So that is on the pro side.
What is going on over at CSO Perspectives Public?
Yeah, and last week's show, I ran the idea of compliance requirements,
in other words, official law, through a cybersecurity first principle lens.
In this week's show, I talked to one of the cybersecurity giants in the field
and a regular here at the CyberWire hash table, Tom Quinn, the CISO for T. Rowe Price.
You've talked to him, right, Dave?
Yeah, sure.
Yeah, so I asked him to check me on my first principle assertions,
and let's just say it was a lively discussion.
All right.
Well, before I let you go, what is the phrase of the week over
on your WordNotes podcast? Yeah, this is a good one. The phrase this week is a relatively new one
in the alphabet soup of cybersecurity. It's called Apple Lockdown Mode, and it's a new feature in a
near-future release of Apple operating systems and is intended for a small number of users who believe
they are more at risk than the general purpose internet user for being targeted by cyber
adversary groups.
And examples might include dissidents, company executives, senior government officials, and
journalists like Jamal Khashoggi, the Washington Post journalist who was allegedly tracked
using the NSO group's Pegasus software by unknown
parties and assassinated by them on October 2nd, 2018. So, Apple lockdown mode is a response by
Apple to protect users like Mr. Khashoggi. All right. Well, we will have to check all of that out. You
can find out more about CSO Perspectives Pro. It is over on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
And I'm pleased to be joined once again by Tim Eades.
He is the CEO at vArmour and co-founder of the Cyber Mentor Fund.
Tim, it's always great to welcome you back.
Dave, absolute pleasure.
I want to touch with you today on attack surfaces.
And I know some things that you're tracking here in terms of the nature of attack surfaces,
how that seems to be fleshing out to be something that's pretty dynamic these days.
What can you share with us?
Yeah, so let's talk about it.
So attack surface management, Gartner are now going to start to position as exposure management.
So exposure management is kind of divided into two.
External attack surface management, that's been around for a while.
There's great companies like CyCognito in that space.
Rob does an amazing job running that company.
That's the external attack surface management.
And then you have the internal attack surface management.
And the internal attack surface is incredibly dynamic now and very, very diverse.
I mean, you have customers all the way to one side that have legacy mainframes.
And then those communications, those applications, they talk sometimes all the way out to the public cloud with a container or serverless.
So you've got public cloud after the digital transformation.
That's people going through that still.
But you've got the legacy.
And it's incredibly complicated.
There's a customer I know, a very large European bank.
They have AWS. They have Azure. They have Cisco ACI. They have VMware NSX as a platform.
They have Tanium. They have Microsoft over Windows Defender. They have mainframes. This thing is
very hard to protect. That attack surface is incredibly complicated, highly regulated
across the world. And yet, it all starts with understanding, discovering it, actually
understanding what is actually communicating. Here's an example. Let's say you're a member
of a golf club. And if all you're doing is saying, there's 400 members of a golf club.
Yeah, well, that's interesting, but who do you play
golf with, and who do you know in the golf club? So let's give you an example. I'm a member of a
golf club. There's 400 members, but I probably only communicate to eight. So okay, so if you're
trying to understand me and how to protect me, you need to understand who I have relationships with,
who I communicate with, not the whole 400, but the who I am communicating with,
and how do I restrict and control the communications I only communicate to those eight or so people that I do? So if you think of the attack surface is very broad, just eight,
just that 400, then you have to look at the applications. In this case, in this scenario,
in this analogy, it's Tim. Tim talks to eight people. How do I understand that he's only
communicating to eight, not the 400? And how does he make sure that he only communicates to eight, not to the 400?
Well, I mean, to stretch the analogy perhaps to the breaking point, I mean, how do you
deal with the fact that, you know, Bob might be the guy who doesn't replace his divots?
And how does word get around about that to let Bob know that's not acceptable?
Yeah, exactly.
Then you have, it's a great analogy.
Yeah, then you have bad behaviors.
Then you have attempted communications that fail.
Then you have, you know, people sneaking onto the side of the golf course and breaking in
and playing golf who are not members.
But you do have to understand your surface.
If you like the grounds and the members and what they are doing and what they should do.
And then controlling at a granular level what you really want to have happen so that the rules are obeyed to.
But it's a complicated thing, right?
You do have masses of regulations.
The attack surface is crazy open.
And as you start to move into these macroeconomic headwinds, what happens?
Budgets are tight.
People are looking at these budgets and going, what can I not do?
Well, the people who are successful, what are they doing?
How are they getting a handle on all of this?
That's a great question. I think the people that are successful are really looking at how to make more value of the things that they've already bought. If you think about it over the last, you know, certainly 18 years of security,
you've just got an enormous range of security products. But over the last five years in
particular, you know, APIs have really come up.
You can make more leverage of the APIs from your infrastructure and make more use of the
things that you've already bought and get some visibility, get some discovery going
on.
Mapping it to policy is difficult because it's so fragmented.
But you can do it.
But the people that are leaders in this world are making more use of the things that they've got
by leveraging the APIs of the tools
that they've already bought,
and then building that into things like graph databases
so that you can actually see how things are connected.
See, five years ago, maybe eight years ago,
graph databases were only used by high-end banking
and people predicting the weather and things like that.
But if you can suck all this knowledge out via APIs,
and now graph databases, CrowdStrike does a bunch of this,
you can actually start to understand
what is actually happening.
That's a very efficient way of doing it,
and it's great to make more use of the stuff
that you've already bought.
Is this a bit of a, I don't know,
a philosophical shift for some folks?
Are we saying that heading towards simplicity rather than complexity
is the direction to go?
For sure, head towards simplicity where possible
and avoid complexity.
Complexity brings, obviously, insecurity.
What's interesting is you start to march towards a cloud, right?
You know, clouds don't generally create markets,
they consolidate them.
You know, and if you look at people like Wiz
and some of the Orcas of the world, as they start to
combine cloud-native security products and capabilities with your application performance
management tools, a bit like Datadog and others, yeah, you start to consolidate some of the
capabilities.
You start to make it more simple, more intuitive to use.
But the challenge remains that I've still got this legacy technology,
these legacy data centers,
and I still have to protect them
because the applications on the public cloud
will talk towards them.
Because the applications talk horizontally,
not vertically.
So what's interesting is, yeah,
absolutely drive to simplicity when you can.
Suck the knowledge out of the infrastructure
that you've already bought.
Build maps.
Build dependency and resiliency maps.
As you get to more simple,
you can combine
some capabilities,
but know that, you know,
it's not going to be
a short road
to get rid of your data center
and your legacy applications.
That's for sure.
Yeah.
All right.
Well, interesting insights
as always.
Tim Eades,
thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan,
Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.