CyberWire Daily - An overview of Russian cyber operations. The IT Army of Ukraine says it’s doxed the Wagner Group. Lapsus$ blamed for Uber hack. A look at the risk of stolen single sign-on credentials.
Episode Date: September 20, 2022
An overview of Russian cyber operations. The IT Army of Ukraine claims to have doxed the Wagner Group. Who dunnit? Lapsus$ dunnit. Emily Mossburg from Deloitte and Shelley Zalis of the Female Quotient on why gender equality is essential to the success of the cyber industry. We’ve got a special preview of the International Spy Museum's SpyCast's latest episode with host Andrew Hammond interviewing Robert Gates on the 75th anniversary of the CIA. And a look at the risk of stolen single sign-on credentials. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/181
Selected reading.
Ukraine's IT Army hacks Russia's Wagner Group (Computing)
Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior (Atlantic Council)
Security update | Uber Newsroom (Uber Newsroom)
Tentative attribution in the Uber breach. (CyberWire)
Uber says Lapsus$-linked hacker responsible for breach (Reuters)
Uber blames security breach on Lapsus$, says it bought credentials on the dark web (ZDNET)
Uber's breach shows how hackers keep finding a way in (Protocol)
Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation (The Record by Recorded Future)
Uber data breach spotlights need for enterprises to ‘get the basics right’, say experts (ITP.net)
"Keys to the Kingdom" at Risk: Analyzing Exposed SSO Credentials of Public Companies (Bitsight)
Transcript
You're listening to the CyberWire Network, powered by N2K.
An overview of Russian cyber operations.
The IT Army of Ukraine claims to have doxed the Wagner Group.
Whodunit? Well, Lapsus$ done it.
Emily Mossburg from Deloitte and Shelley Zalis of The Female Quotient
on why gender equality is essential to the success of the cyber industry.
We got a special preview of Andrew Hammond from the Spy Museum
interviewing Robert Gates on the 75th anniversary of the CIA.
And a look at the risk of stolen single sign-on credentials.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, September 20th,
2022. Russia has long been known for the use it makes of criminal organizations,
hacktivists, agents of influence,
and front groups in cyber and information operations. The Atlantic Council has published
a study that draws attention to the complexity of these resources. While cyber and influence
operations have clearly fallen short of expectations during Russia's war against Ukraine,
they've nonetheless continued.
The threat actors used by the Russians are varied,
and the level of control they operate under ranges from toleration to inspiration to direct command.
The report says,
Contrary to popular belief, the Kremlin does not control every single cyber operation run out of Russia.
Instead, the regime of President Vladimir Putin has to some extent inherited and now actively cultivates
a complex web of Russian cyber actors.
The network includes cyber criminals who operate without state backing
and inject money into the Russian economy,
patriotic hackers and criminal groups recruited by the state on an ad hoc basis,
and proxy organizations and front companies created solely for the purpose of conducting
government operations, providing the Kremlin a veil of deniability. This web of cyber actors is
large, often opaque, and central to how the Russian government organizes and conducts cyber operations,
as well as how it develops cyber capabilities and recruits cyber personnel.
The paper argues that there is a tendency for analysts to blur this complexity. An effective response to Russian cyber activity,
particularly an active response like the forward and continuous engagement that U.S. doctrine envisions,
needs to take this complexity into account. The criminal gangs operate under limited control.
The intelligence and security organs are most closely directed. The Russian government has
many internal teams carrying out cyber operations, notably the familiar ones deployed by the intelligence services, the SVR,
FSB, and GRU. Ukraine has also been active in the cyber phases of the hybrid war. Mykhailo Fedorov,
Ukraine's Minister of Digital Transformation, has reposted a Telegram notice from the IT Army of
Ukraine in which the hacktivist militia claims to have obtained detailed information
about Wagner Group contract mercenaries.
The post says,
The website of the Wagner Group,
which collects Russian prisoners for the war in Ukraine,
was hacked by the IT Army.
We have all personal data of mercenaries.
Every executioner, murderer, and rapist
will be severely punished. Revenge
is inevitable. And they close with, glory to Ukraine, glory to the armed forces of Ukraine.
Ukrainska Pravda provides background. The Wagner Group has first increasingly served as a source
of frontline manpower for depleted Russian infantry, and second, has recently concentrated its recruiting efforts on Russian prisons,
offering convicts pardons in exchange for active service.
Reuters quotes U.S. estimates that put the private military company's
prison recruiting goals at 1,500.
The Wagner Group is said to have shown a preference for violent offenders
in its jailhouse recruiting.
Late yesterday morning, Uber published an update on the breach it discovered last week.
They've developed an idea of who was responsible, and they've concluded it was Lapsus$.
Uber thinks the hacker began by purchasing a password in a dark web C2C market,
stating an Uber EXT contractor had their account compromised by an attacker.
It is likely that the attacker purchased the contractor's Uber corporate password on the dark web
after the contractor's personal device had been infected with malware,
exposing those credentials.
The attacker then repeatedly tried to log in to the contractor's Uber account.
Each time, the contractor received a two-factor login approval request, which initially blocked access.
Eventually, however, the contractor accepted one, and the attacker successfully logged in.
From there, the attacker pivoted around the network.
Uber is still working to determine whether there was any material impact from the
incident. Their updated report today offered a moderately optimistic interim conclusion.
So far, they haven't seen any signs that the attacker got into either production systems
or user databases.
And finally, BitSight released research yesterday analyzing exposed public company single sign-on credentials.
SSO is an authentication approach that enables users to use one set of credentials to authenticate with multiple applications.
BitSight's research found steady growth in the availability of public companies' SSO credentials on the dark web,
with more than 1,500 becoming available in June and July alone.
There has also been a steady increase in the number of companies with credentials on the dark
web. Industries found to be most impacted by compromised SSO credentials for sale include
technology, manufacturing, retail, finance, energy, and business services.
BitSight says that SSO credentials can be hard to protect and are easily stolen.
BitSight co-founder and CTO Stephen Boyer says,
credentials can be relatively trivial to steal from organizations, and many organizations are unaware of the critical threats that can arise specifically from stolen SSO credentials.
These findings should raise awareness and motivate prompt action to become better acquainted with these threats.
Additionally, it was also noted that organizations with stronger cybersecurity that BitSight has defined
were found to be less likely to have exposed SSO credentials.
To prevent the risk of credential theft,
BitSight recommends using adaptive multi-factor authentication,
which factors in geolocation, day and time, and suspicious activity, or universal two-factor authentication, which uses an origin-bound physical key.
Other recommendations include limiting access to critical systems to only
those who need it and managing risk from third-party vendors the organization uses.
Coming up after the break, Emily Mossburg from Deloitte and Shelley Zalis of the Female Quotient on why gender equality is essential to the success of the cyber industry.
A special preview of Andrew Hammond from the Spy Museum interviewing Robert Gates on the 75th anniversary of the CIA.
Stay with us.
Emily Mossburg is global cyber leader at Deloitte, and Shelley Zalis is CEO of Female Quotient, an equality services company.
I recently spoke with Emily and Shelley on why gender equality is essential to the success of the cyber industry, and they shared some of their success stories as well.
Shelley Zalis is up first.
The World Economic Forum just came out with the most recent gender equity report. And it says it'll take over 132 years to close the gender equity gap.
132 years.
So what does that have to say?
You know, 132 years, we'll all be gone.
Emily, what's your take there?
I mean, I don't, you're not a person who I would suspect would be fatalistic about this sort of thing and wants to get in and try to make some meaningful change.
Yeah, and Dave, if I think about this from the lens of cybersecurity and the security space, clearly we've made some progress. We've seen an increase in women
practitioners and professionals who are interested in the space. But the reality is we still have
work to do. If we look at the workforce, the workforce is roughly holistically just under half female. But if we look at the
cyberspace, it's more like 24, 25 percent of the cyber practitioners are female. So we've made
some strides, but we still have a ways to go. And I think that there's a number of things that we
need to think about around how we get more women
into the field and excited about the field. And I think it's not just about
looking for the right resumes and broadening our searches. I think that we need to think about the
ways in which we're defining the roles in the cyberspace.
I think we need to think about the ways in which we are exciting people about what the opportunity looks like and making sure that we're truly bringing forward a more interesting space to a broader set of individuals, and in this case, females.
Shelley, what about filling the pipeline? I mean, making it so that the young women who are coming
up feel as though these careers are within the realm of possibility for them.
You know, it was so remarkable because it is about this next generation as well. And it's such a pay it
forward moment because the women that we profiled, it was the most successful campaign that we
actually ever ran. The campaign was so well received. It was our most successful campaign,
the initiative in our social channels.
Women paid it forward.
The buzz was remarkable.
The women that we featured were so grateful.
Our audience was so inspired.
We're going to continue this series, but it also created such a buzz that so many other women in other categories wanted us to do the same thing. Imagine if you profile 25 women in cybersecurity, those 25 women want to then profile 25 women
in their networks who then want to profile 25 women in their networks, 25 times 25 times
25 times 25.
That grows to an amazing community of paying it forward. The next thing
you know, you have a vast community of generations that pay it forward. And that's just what happens.
And I think the inspiration of looking up to this cybersecurity network and what we saw at RSA, even, the initiative where we kicked it off, it was just, for me, such
a proud moment because I remember being an only and lonely in my field of market research
and going to CES where there was 150,000 people, less than 3% being women in tech.
I created the first, you know, Girls' Lounge at the time. Now there are equality lounges and, you know, inviting five women that
became, you know, 25 women that became now 750,000 women across a hundred countries, you know, that
pay it forward moment, that power of the pack. A woman alone has power; collectively, we have impact.
It was that wow moment. And then of course, here at RSA for the first time, it was that same feeling.
We popped up this equality lounge with Deloitte, and I will never be able to be so grateful for Deloitte for what they did.
That same feeling, all of a sudden, women in cybersecurity coming to cybersecurity RSA five to six years in a row, and all of a sudden,
having this equality lounge pop up and women coming saying, we have been showing up at RSA
year after year. And all of a sudden, seeing this network of women in cybersecurity showing up at
this space, it gave me shivers. They started to cry saying, we never met other women in one
location. And they said, this made us feel so proud and so inspired and we don't feel alone anymore.
And I said, oh my God, that is how I felt the first time I had a lounge at CES. And these women
started telling all the other women about it.
And all of a sudden, five women, 25 women.
And by the end of three days, it was the standing room only.
And that's what it takes, just that consciousness.
And it was, this is the inspiration.
It takes being a first and taking that step out there. And you never know what
happens. And that's what happened. And all these women in RSA, women in cybersecurity said, thank
you. And we're so grateful. And it was that moment, just one moment creates remarkable things.
This space continues to expand rapidly. You know, as technology evolves, cybersecurity evolves. And, you know, we've talked for years about the fact
that it's not just a technology risk, it's a business risk. But we're really seeing that become real with the executives and organizations, which
changes the stakeholders that we need to be able to communicate with. We need to be able to talk
about cyber, not just with the technologists, not just with the CIO, not just with the CTO,
but in many cases, it's now reaching the CFO and the CEO. That breadth of stakeholders,
I think, really brings an opportunity for women in terms of playing a different role
in the cyberspace than maybe traditional cyber roles, like different than what traditional
cyber roles have been. This gives them a new opportunity to broaden,
to engage with a more vast set of stakeholders, and in some cases, raise the visibility and raise
their profile in the process because of the fact that we've really got to get the message
to a more senior level and at a more executive level. The other element that I would bring into
this as we talk about the opportunity is the fact that we all know there's a significant talent gap
in cyber. We need to be exciting more women to join the field in order to address that talent gap. And that talent gap is not just
in numbers. It's in the breadth of skill set. We've got to start to find that connective tissue
between what somebody has done in their past career or their past role and how that adds something to an organization's cyber
program and the way in which they're managing their cyber risks.
I think those are two really important elements to how we bring more women into the space
and excite them.
Our thanks to Emily Mossburg from Deloitte and Shelley Zalis
from Female Quotient
for joining us.
Andrew Hammond
is host of the SpyCast podcast
right here on the CyberWire podcast network.
In celebration of the 75th anniversary of the CIA, Andrew's special guest is former CIA director and former Secretary of Defense Robert Gates.
Here's a special preview of that interview.
I'm just thinking about your career.
You take over as DCI when the Soviet Union dissolves. You take over as Secretary of Defense when Iraq is unraveling and Afghanistan's not really going anywhere.
some very challenging moments. So for any leaders out there that are listening,
how did you deal with both of those tremendously complex and almost bewildering experiences?
Well, the most important thing is to surround yourself with really good people. And not only people who are exceptional managers and leaders, but people who are intellectually honest,
people who will tell you exactly what they think.
I've always believed having an inclusive and transparent decision-making process is really
critically important, not only in terms of informing yourself about the different points
of view and the different challenges and different ways to deal with the challenges, but in terms of
bringing people along, in terms of having them support whatever decision that you ultimately
make. And I think the other thing that's critical is holding people accountable. I fired a lot of
people when I was Secretary of Defense, and I don't think I ever fired somebody for not knowing
about a problem. Mostly, I fired people because once they
were informed of the problem didn't take it seriously enough, whether it's wounded warrior
treatment at Walter Reed or handling of nuclear weapons in the Air Force and things like that.
I think an inclusive and transparent decision-making process and keeping people
informed of where you're headed, but also just people who will
tell you what they actually think. Most bosses say they want that. Most people are gun-shy because
they've heard bosses say that. Then they try it and they discover, actually, he really didn't
want to hear what I had to say. Maybe 95. And just looking into the future, so 75 years, the CIA has came a long way. Where do you see it going in the next 75 years? time in its history and will become even more important. For the first time since World War II,
the United States faces powerful, revanchist states that are hostile to the United States.
We face a global threat from two authoritarian, huge states, a number of other emerging threats. I think that the world in some
respects has returned to pre-1914 of conflicting great powers seeking power and territory and
influence and markets. And the United States faces a big challenge. And I think CIA will be a critical
element in how the current and all future presidents deal with those threats in terms of
real world estimates of their military power, of their economic strengths and weaknesses,
of their politics, of their intentions and those things.
One of the reasons CIA has survived is because presidents ultimately have recognized
the importance and the value of independent intelligence unaffected by politics. Every
director has been accused of slanting intelligence to support the presidents. The interesting thing
is I couldn't find a single president who would agree with that. They would all argue CIA went to extraordinary lengths to
poke them in the eye and say your policies aren't working. That's the mythology that it's slanted
and so on. But the truth is one of the huge advantages we always had over the Soviet system was that our intelligence operations, our CIA,
was independent of political control and could tell presidents when things weren't going well.
That's former CIA director and former Secretary of Defense Robert Gates speaking with SpyCast
podcast host Andrew Hammond. You can find more of that interview right here on the Cyber Wire podcast network.
Thank you. generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.