CyberWire Daily - An update on the hybrid war in Ukraine. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. An extradition in the NetWalker case.
Episode Date: March 11, 2022

An update on the hybrid war in Ukraine. Allegations of war crimes and Russian disinformation. Chemical, biological, and radiological weapons disinformation. Preparing for cyberattacks. Cyber operations against Russia. GPS interference reported along Finland's border. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. Malek Ben Salem from Accenture on deception systems. Our guest is Joe Payne from Code42 on data exposure. An extradition in the NetWalker case.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/48

Selected reading.
Russia 'did not attack Ukraine' says Lavrov after meeting Kuleba (euronews)
Read the latest cybersecurity analysis (Accenture)
Where conflict is reported in Ukraine right now (The Telegraph)
How U.S. Bioweapons in Ukraine Became Russia's New Big Lie (Foreign Policy)
Russian embassy demands Meta stop 'extremist activities' (NASDAQ:FB) (SeekingAlpha)
Transparency Org Releases Alleged Leak of Russian Censorship Agency (Vice)
SecurityScorecard Discovers new botnet, 'Zhadnost,' responsible for… (SecurityScorecard)
Inside the Russian cyber war on Ukraine that never was (Task & Purpose)
Report: Recent 10x Increase in Cyberattacks on Ukraine (KrebsOnSecurity)
Russian defense firm Rostec shuts down website after DDoS attack (BleepingComputer)
The Spectacular Collapse of Putin's Disinformation Machinery (Wired)
Will Russians Choose Truth or Lies? Ukraine's Fate Depends on Them (Bloomberg)
Finnish govt agency warns of unusual aircraft GPS interference (BleepingComputer)
Corporate website contact forms used to spread BazarBackdoor malware (BleepingComputer)
U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout (SecurityWeek)
Ex Canadian government worker extradited to U.S. to face more ransomware charges (CBC)
Former Canadian Government Employee Extradited to the United States to Face Charges for Dozens of Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms (US Department of Justice)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Allegations of war crimes and Russian disinformation
involving chemical, biological, and radiological weapons.
Cyber operations against Russia.
GPS interference reported along Finland's border.
Conti and its users are still up and active.
CISA releases 24 ICS security advisories.
Malek Ben Salem from Accenture on deception systems.
Our guest is Joe Payne from Code42 on data exposure, and an extradition in the NetWalker case.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 11th, 2022.
Ministerial-level talks between Russia and Ukraine this week have made little progress.
Russia's talking to Ukraine,
something it had said it wouldn't do until Ukraine laid down its arms, but it hasn't backed off from
what amounts to a demand for surrender. Euronews quotes Russian Foreign Minister Lavrov in a way
that suggests how far the Russian view of the situation diverges from what most of the rest
of the world regards as reality.
Quote, we do not plan to attack other countries. We did not attack Ukraine either. However,
we just explained to Ukraine repeatedly that a situation posed direct security threats to
the Russian Federation. End quote. The incident that's attracted considerable attention is the
destruction of a maternity hospital in Mariupol,
apparently by Russian airstrikes.
An op-ed in CNN asks,
If bombing a children's hospital isn't crossing a red line, what is?
And the sentiment it expressed well represents international revulsion the attack has provoked.
Russia's response to the general outrage has been instructive.
The Kremlin has claimed, first, that the attack never happened, second, that the hospital wasn't actually a
hospital but rather a Nazi headquarters, and third, that the attack was committed by Ukrainian
forces in an attempt to embarrass Russia, which is running a clean military operation.
It's not a war, and it's not, as Foreign Minister Lavrov insisted during talks in Turkey,
an invasion either, and complaints of atrocities are just pathetic shrieks from Russia's enemies.
Russian disinformation now seems to be playing to a largely domestic audience.
It remains to be seen whether it will continue to enjoy success even there.
Panelists on a recent Russian talk show had to be brought to heel by the host,
The Telegraph reports, for calling the situation in Ukraine worse than Afghanistan,
that is, worse for the Russian soldiers. Wired's take on the failure of Russian influence
operations abroad is that the invasion of Ukraine was simply too obvious to be obfuscated, and the positive lies told to justify it were too implausible to find any takers beyond a hard core of the already convinced.
Facebook has invoked an ongoing conflict exception to its ban on violent speech, The Verge reports.
Meta spokesperson Andy Stone told The Verge,
quote,
As a result of the Russian invasion of Ukraine,
we have temporarily made allowances for forms of political expression that would normally violate our rules,
like violent speech such as death to the Russian invaders.
We still won't allow credible calls for violence against Russian civilians.
End quote. Russia has denounced Facebook's corporate parent Meta for extremism.
Russian sources continue to push the story that Ukraine had prepared stockpiles of chemical and biological weapons,
or at least that it was working on acquiring them.
The U.S. has called such claims preposterous, as indeed they are, and has taken China to task for amplifying them.
Foreign Policy reviews this particular disinformation campaign,
which many observers view as setting the stage for Russian use of prohibited weapons.
Russian use of chemical weapons is regarded as more likely than either nuclear or biological strikes.
In a grisly story that should be received with caution, the Telegraph reports that Russian
forces are stockpiling the dead bodies of Ukrainian soldiers killed in action to use
in staging some sort of provocation at Chernobyl.
SecurityScorecard has an account of the distributed denial-of-service attacks
various Ukrainian assets have sustained. They identify three distinct DDoS attacks,
but say that the attacks appeared to have had a minimal temporary impact on their targets.
Government websites and banking services were quickly restored, and customers' balances were
not affected.
KrebsOnSecurity reports a significant increase in attacks against Ukrainian citizens,
mostly phishing attempts, but these are still falling short of the widely anticipated destructive or disruptive attacks Russia had shown itself capable of.
Anonymous claims to have successfully gained access to internal files of Roskomnadzor
and has leaked 820 gigabytes of data taken from Russia's Information Governance Agency.
The files pertain, for the most part, to disinformation and censorship operations.
The International Business Times says that the leaks deal primarily with Roskomnadzor's efforts
to keep people from calling Russia's invasion of Ukraine an invasion.
Russian defense firm Rostec has, according to Bleeping Computer,
shut down its website after sustaining a distributed denial-of-service attack.
Finland's transport and communications agency Traficom
reports observing unusual interference with GPS signals near the country's eastern border, Bleeping Computer writes.
The source of the interference is unknown, but Russia has a record of GPS interference and shares a border with Finland.
The Conti ransomware gang hasn't, it appears, been significantly impeded by the recent doxing it received at the hands of a Ukrainian
researcher who infiltrated its chats. The U.S. government updated its Conti alert on Wednesday,
and researchers at Abnormal Security have reported finding Conti's gangland parent Wizard Spider
using website contact forms to distribute BazarLoader to their targets.
Contact forms represent an
alternative to the more customary emails. The U.S. Cybersecurity and Infrastructure
Security Agency released 24 industrial control system advisories yesterday.
See our daily news briefing on our website for details of the affected systems.
CBC reports that Sébastien Vachon-Desjardins,
formerly a Canadian civil servant,
has been extradited to the U.S.
to face charges in connection with NetWalker ransomware.
The U.S. Justice Department says the indictment
charges him with conspiracy to commit computer fraud
and wire fraud, intentional damage to a protected computer,
and transmitting a demand in relation to damaging a protected computer
arising from his alleged participation
in a sophisticated form of ransomware known as NetWalker.
NetWalker ransomware has targeted dozens of victims all over the world,
including companies, municipalities, hospitals, law enforcement,
emergency services, school districts, colleges, and universities.
Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic,
taking advantage of the global crisis to extort victims.
The alleged perpetrator is of course presumed innocent of the U.S. charges until such time as he may be convicted at trial,
not so up north of the border,
where he already copped a plea to mischief in relation to computer data,
extortion, and participating in a criminal organization.
He was granted a seven-year sabbatical in a Canadian correctional institution.
Now the Yankees get their crack at it.
Insider risk security firm Code42 recently released the latest edition of their annual data exposure report, highlighting risks organizations face with cloud technologies
and insider risks. Joe Payne is president and CEO at Code42.
In our survey, 98% of those surveyed are concerned with the increased levels of turnover,
and rightly so, because the data also shows that when an employee quits, there's a one in three
chance, or a 37% chance to be specific, that the company loses important intellectual property.
Now, 60% of employees admit that they took data from their last job
to help them in their current job. And our survey, that 37% number, shows that that data is actually
really important information for a company. So while employees are taking data and emitting data,
the other thing that our survey shows is that 71% of respondents said they don't know what and or how much sensitive data departing employees take with them to other companies.
So you've got this huge migration of people leaving companies.
They tend to stay in the same industry.
They take critical information, and our cybersecurity industry really hasn't responded yet with the tools and the technology to protect companies from that.
So what are organizations to do to have better control over this?
Well, there's a category of software that's emerging called insider risk management, and it's really more than software.
It's a category around how do we build a program to help our employees think about data differently.
And it starts with what we call the three Ts.
So the first is transparency.
The first thing is the cybersecurity team needs to actually inform the organization,
hey, these are things we care about.
We are watching the store.
We are looking for people that are exfiltrating data, particularly as they leave an organization.
So being transparent is super important. And that sounds kind of obvious, except it's not for cybersecurity people.
Cybersecurity people are used to not letting their adversaries know their methods and practices. And in this case, it's the one area in cyber where you really want to let your quote-unquote adversary,
because your adversaries are actually your teammates and your employees, know exactly what you're doing.
The second T is training.
Training means explaining to the organization and to employees, both up front and then in real time when they make mistakes,
what they're allowed to do with data and how they're allowed to take it.
So when an employee moves something to their Gmail account and emails it to themselves,
or they move it to their Gmail account to email to a colleague because maybe they couldn't
get into the mail system on the weekend and so they just sent it from their Gmail, we
need to immediately educate them and train them that we don't use Gmail for corporate
data, because, you know, once a file gets into a Gmail, you know, that user has that forever.
Likewise, we don't use Dropbox. We might use OneDrive or Box or G Drive for corporate purposes,
but we're not going to use Dropbox. So that training is super critical. It even includes
new employees: when you join our organization, we do not want you to bring data from your prior job.
So it starts literally when people come into your organization.
And then the last T of the three Ts is technology.
You really need technology that watches sort of the modern way that employees exfiltrate data.
And that technology looks for things that are moving through cloud,
things that move through airdrop. But it watches that employee data movement
through the lens of allowing it to happen.
And the reason this modern technology takes this approach is
security teams cannot get in the way of collaboration.
And we are using all these cloud-based collaboration tools to work remotely, to work more efficiently, to be better at our jobs.
And the security team cannot get in the way of that.
The new way of doing this in technology is to watch it, to score behavior, and then to course correct employees as necessary.
But it's not to block all the use of cloud or block the use of collaboration tools.
So those are the three Ts, transparency, training, and technology that you need for an insider risk program.
That's Joe Payne from Code42.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
And I'm pleased to be joined once again by Malek Ben Salem. She is the Technology Research Director for Security at Accenture. Malek, it's always great to have you back. You and I spoke
recently about this notion of deception systems, and I wanted to dig in and get a few more details
about that. Yeah, so I think there are some considerations to think about when deploying
these deception systems to gather more information about how attackers behave.
First, these systems have to be designed with three principles in mind. The first one is
believability, or if you will, fidelity to a real world system. These systems are much more believable if they are very similar, if they look similar to a real production environment.
So that notion of fidelity or believability is important.
The second principle is isolation.
You want these systems to some extent isolated from real world systems.
And I can explain why I'm saying to some extent and not fully isolated.
But I think that that's an important distinction.
And then the third principle is cost.
Obviously, you don't want to mimic your full or to double your infrastructure.
You want to deploy infrastructure that is realistic, but you don't want to double your costs.
So I think cost is also another aspect when designing these deception systems.
Well, let's dig into some of the details of that.
I mean, you mentioned you're not having
it completely separated from the real system. Why is that? So, defining the isolation boundaries
is very important. To some extent, obviously, you don't want this boundary to be permeable between
your real system and this deception system.
But you want these systems to be discoverable.
You want to tie them to some extent to your company
or to your organization so that they're discoverable,
so that the adversary coming after you can discover them.
But you don't want to put them out there on the internet
without any connection to you,
without any connection to anything else. You don't want to deploy them inside your environment
totally so that you only detect the attack when the attacker is within your environment.
You want to deploy them, juxtapose them, if you will, deploy them adjacently to your environment
and have them be discovered.
And one way to have them be discovered
is to direct some of the real traffic
coming to your real world system
to this deception system.
So that's one way of reducing your costs, right? You don't have to generate, you know,
you make them discoverable, you have them have some real world traffic while they're isolated
from your environment, but not fully isolated. So there's that connection where you can direct
some of the traffic to them. And actually one clever way of doing this in a secure manner is through something called honey patching, right?
Where you patch, you make sure that all the patches are deployed within your real environment, right, for known vulnerabilities.
But that, you know, the patches are not deployed within the deception environment.
And then the traffic that's coming to your patch environment can be redirected to that deception environment.
And the attacker can take advantage of that vulnerability,
exploit that vulnerability in the deception environment,
and you can start collecting information
about how the attacker is behaving within that environment.
How do you go about funneling the attackers to the appropriate environment?
So that's where those techniques we talked about in the previous segment we had,
like software-defined networking, would help.
You can direct that traffic to the new environment through those techniques,
through the proper network segmentation.
So you're relying on the fact that you can detect that they are someone who is up to no good and send them where you want them to go.
No, you're not necessarily detecting that upfront.
You're just deciding that perhaps some of the traffic should go here.
I mean, you can make some assumptions.
If traffic is coming from certain IP addresses, for instance, that are more suspicious, then you may want to do that.
But it's not 100% valid assumption.
I see.
How do you balance the risk reward here? I mean, I could imagine some
people, you know, hearing this and saying, you know, that sounds risky to me, Malek,
you know, cross-pollinating this traffic. What's your response to that?
This is assuming that your real deployment is secure, right? That you have the right defenses or defense layers deployed in your real environment.
So that is secure.
But this other environment that is not secure is only there for the purpose of gathering more information about the attacker and how they are behaving.
All right. Well, Malek Ben Salem, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's edition of Research Saturday and my conversation with Jon DiMaggio from Analyst1.
We're discussing their research report that chronicles the rise and fall of REvil.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
next week.