CyberWire Daily - Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. And data-tampering attacks are regarded as a growing risk.

Episode Date: August 22, 2022

Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. Rick Howard on the RSA Security Breach of 2011 and the Equifax breach of 2017. Caleb Barlow on what a recession means for cyber security venture capital and what the impact of this is on the industry. And data-tampering attacks are regarded as a growing risk.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/161

Selected reading.
WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware (BleepingComputer)
Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads (Sucuri Blog)
Car blast kills daughter of Russian known as 'Putin's brain' (AP NEWS)
Russia blames Kyiv for killing daughter of 'Putin's Rasputin', but the truth may be closer to home (The Telegraph)
Alexander Dugin's daughter killed by anti-war Russians: Former state deputy (Newsweek)
Estonia Repels Biggest Cyber-Attack Since 2007 (Infosecurity Magazine)
Estonia's Battle Against a Deluge of DDoS Attacks (Infosecurity Magazine)
Latvia Starts Removing Soviet Monument in Challenge to Russia (Bloomberg)
Data-tampering attacks are a 'nightmare' threat that's hard to detect (Protocol)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's internet panopticon. Rick Howard on the RSA security breach of 2011 and the Equifax breach of 2017. Caleb Barlow on what does a recession mean for cybersecurity venture capital and what
Starting point is 00:02:19 is the impact of this on the industry. And data tampering attacks are regarded as a growing risk. From the CyberWire studios at DataTribe, I'm Trey Hester filling in for Dave Bittner with your CyberWire summary for August 22, 2022. Researchers at Sucuri warn that fake DDoS protection pages, the sort that ask visitors to perform a browser check before proceeding, are distributing malware in drive-by attacks. Sucuri writes, quote, Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites, which results in a fake Cloudflare DDoS protection pop-up, end quote.
Starting point is 00:03:22 Since these types of browser checks are so common on the web, many users wouldn't think twice before clicking this prompt to access the websites they're trying to visit. However, the prompt actually downloads a malicious .iso file onto the victim's computer, end quote. The file is a remote-access Trojan. The malicious site is an imposter, and there's no compromise of Cloudflare itself. Infosecurity Magazine speaks with Estonian officials concerned to mitigate the effects of distributed denial-of-service attacks the country has sustained this month. Tõnu Tammer, head of the Incident Response Department of the Estonian Information System Authority, said that the campaign peaked last week, on the 16th and 17th.
Starting point is 00:04:05 The attack against the website of emta.ee, which is the homepage of Estonian Tax and Customs Board, on August 17th had the most visible effect, with the website being unavailable from 12.30pm to 1.40pm. After changing the settings and implementing additional defense mechanisms, it was possible to use the website again. Still, all the services were functional and only the webpage itself was affected. End quote. Tammer credits defensive preparations and adequate resourcing with having given Estonia the means of mitigating the effects of the attack. The campaign was claimed by Killnet.
Starting point is 00:04:42 The proximate cause of recent attacks has been, as it was seen in 2007, Estonia's removal of Soviet-era Second World War memorials. There may be more pretexts for follow-on attacks. Russia's FSB has claimed that the assassin who killed Russian ultra-nationalist media personality Daria Aleksandrovna Dugina has taken refuge in Estonia, from where Russia has demanded her extradition. The identification of the assassin is unconfirmed, and there's no reason beyond the FSB's word to think that the assassin has taken refuge in Estonia. Latvia's government, undeterred by recent cyber operations against Estonian online resources, has begun dismantling a very large Second World War memorial in Riga.
Starting point is 00:05:24 This one was erected in 1985, Bloomberg reports, near the end of Soviet power. It's come to be regarded as a symbol of nationalism, which is why the Latvian government is taking it down. Citing Kommersant, Bleeping Computer reports that Roskomnadzor, the Russian internet watchdog, has contracted for the development of a tool that will automate internet scanning to identify objectionable material. The projected tool, known as Oculus,
Starting point is 00:05:51 is described as a neural network that will use artificial intelligence to scan websites for prohibited information. The automatic scanner will analyze URLs, images, videos, and chats on websites, forums, social media, and even chat and messenger channels to locate material that should be redacted or taken down. Roskomnadzor wants Oculus to be ready on December 12th of this year. The agency has lowballed the contract at 57.7 million rubles, or about $965,000, which observers think is grossly inadequate to fund such an ambitious project. And finally, Protocol discusses data tampering attacks with security experts.
Starting point is 00:06:31 While the risk remains more potential than actual, such attacks have occurred, and they're regarded as particularly disturbing. They're difficult to detect and can be highly consequential. The risk is the integrity of an organization's own data. It's not simple data theft, as in doxing or cyber espionage, or denial of access to data, as in traditional ransomware,
Starting point is 00:06:55 but it represents a quiet threat to the data themselves. Information an organization relies on for decision-making could be manipulated, corrupting the decision-making itself, and medical imagery could be altered with damaging, potentially lethal, consequences. Or adversarial machine learning could alter the data used to train artificial intelligence with the eventual consequences for the AI's operation. It's a disturbing possibility and another thing for CISOs to worry about. If you can't trust your data, whom can you trust? Do you know the status of your compliance controls right now?
Starting point is 00:07:36 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:08:15 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already
Starting point is 00:09:06 been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And it is always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer, also our chief analyst. Rick, welcome back. Hey, Dave. So on this week's CSO Perspectives Pro podcast, you are covering two infamous cybersecurity espionage attacks conducted by the Chinese government.
Starting point is 00:09:50 You've got the RSA security breach of 2011 and the Equifax breach of 2017. First of all, what made you pick those two to highlight? Well, because they are on opposite ends of the spectrum when it comes to crisis communications planning. On the one end, we have RSA security, where the Chinese government stole the seed values of the RSA SecurID token product. That's the, I don't know if you remember this day, but that was the two-factor authentication device, and back then used by tens of millions of users in government and the military agencies, defense contractors, banks, and countless corporations around the world. This event, it should have scuttled their company, and it didn't. And it's largely due to how their CEO, Art Coviello, managed the communications plan.
Starting point is 00:10:33 Because within a quarter of the breach, RSA security made record profits again. All right, so that's an interesting case. And then contrast that with Equifax, where another Chinese government hacker group stole the PII of some 143 million U.S. consumers. That's 60% of the U.S. population. And in the end of that exercise, four executives lost their jobs, including the CEO and the CISO. The U.S. House Digital Commerce and Consumer Protection Subcommittee hauled the CEO in to explain himself, and the total cost to recover was north of $1.4 billion plus any legal fees. And that was largely due to how the CEO bungled the communications plan.
Starting point is 00:11:18 So, in this episode of CSO Perspectives Pro, we're going to talk about why, in terms of crisis planning, did RSA security do so well and why Equifax didn't. All right. So that is on the pro side. That's our subscription side. How about on the public side, the ad-supported side this week? Yeah, well, if you remember from last week's show, I was talking about the concept of adversary playbooks, and they're kind of the next step in thinking once you get your head around the Lockheed Martin intrusion kill chain model, the U.S. Department of Defense's diamond model, and the MITRE ATT&CK framework. Adversary playbooks are an attempt to pull all that
Starting point is 00:11:54 together into one bag. Well, as you might know, Dave, I didn't come up with that idea myself. I'm not smart enough. My partner in crime for that paper that we eventually published on the subject was Ryan Olson, currently the VP of Threat Intelligence at Palo Alto Network. So I brought him onto the show to discuss the current state of adversary playbooks and what needs to be done now to take the next step. Well, before I let you go, what is the phrase of the week on your Word Notes podcast? This week's word is micro-segmentation. And we've come a long way from those early Internet days back in the 1990s
Starting point is 00:12:32 when we thought to segment sensitive information from normal day-to-day network traffic by running separate physical cables and fibers. Today, especially in cloud environments, we can do it all in software. And micro-segmentation is the latest tactic that we might use to implement this zero-trust concept. All right. Lots of interesting stuff this week. You can find out more about all of that by visiting our website, thecyberwire.com. Rick Howard, thanks for joining us. Thank you. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
Starting point is 00:13:31 sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And it is my pleasure to welcome back to the Cyber Wire, Caleb Barlow. He is the CEO of Silete. Caleb, it's always great to welcome you back. I want to touch base with you today on where we stand in terms of venture capital. And we have this looming possibility, specter, I would say, of a recession. What sort of things are you hearing about how that might affect venture capital and cyber? Well, you know, first of all, everybody's debating, are we in a recession or not? But I do think there's a few things we can acknowledge, right?
Starting point is 00:14:30 Labor markets are still red hot, even though some companies are starting to slow down as, you know, supply chain issues start to get worked out. But just as, you know, cybersecurity was becoming a mainstream industry in the last recession, kind of back in 2008 or so, we don't really have a good baseline on what the likely impact is of recessionary trends in cybersecurity. Now, one of the things, as I was looking at this, Dave, that I think is really important to underscore is nearly every CEO and a security vendor has growth-focused skills, right? Because that's all we've been dealing with over the last 10 years or so is growth in this industry. And as we switch back to profitability-focused skills, this could be a real challenge for some leaders to be able to kind of pivot and shift gears. And we're already seeing examples of where
Starting point is 00:15:25 our venture capital is slowing down or pausing a bit. Valuation and funding rounds will probably be a bit lower. So, you know, I do think there's a bit of a cautionary tale here of maybe pumping the brakes a bit. But at the same time, you know, we ought to talk a little bit about, you know, what's likely to happen in labor markets and what's likely to happen, you know, in terms of funding rounds. Yeah. I mean, how do we reconcile the two sides of the stories still come out about how there aren't enough people to hire, there are all these empty jobs. And on the other hand, I'm starting to hear stories of some cybersecurity companies doing rounds and layoffs. Well, I mean, I think one of the things we have to recognize is that, you know, we still have over 700,000 open unfilled jobs just in the United States in this field.
Starting point is 00:16:13 So, you know, we're probably likely to see slowdowns in people filling jobs. You know, think outside of kind of the vendor market, but in, you know, more traditional critical infrastructure companies where maybe those businesses are slowing down in general, there's certainly a good chance you may see hiring freezes, potentially even layoffs or hiring holds. But I do think what's, you know, that doesn't necessarily mean if you're a cybersecurity professional, you're going to be
Starting point is 00:16:40 unemployed. What it might mean is you change jobs or that 700,000 open jobs start to maybe reduce down a few hundred thousand jobs as people start to fill the gap that's been open for so long. What about on the venture capital side? Is there pumping of the brakes happening there? Well, you know, I mean, we're in a world where lots of people were taking down $100 million plus rounds if you look at the cybersecurity vendors. The big thing you're going to see a shift in is a movement from growth-focused metrics to profitability and EBITDA-focused metrics.
Starting point is 00:17:14 This is going to be the case in any kind of recessionary trend. What investors are going to look to see is, can you turn this company into a profitable one? And of course, there's a couple of strategies there. One is bring down enough money to weather the storm, figure three to four years at a minimum. But the problem there is, you know, if you don't pump the brakes a bit on your spending, you don't want to come out of a recessionary trend, still not profitable when all of your peers focused on profitability and have a really high burn rate. You know, on the other hand, if you're a company that can maybe pump the brakes a bit,
Starting point is 00:17:53 switch your leadership and thinking to free cash flow and profitability versus rapid growth, you know, you might be in a position where not only can you weather the storm longer with the capital you have, but you're going to look much better coming out the other side when everybody's focused on those types of metrics. What's your advice then? I mean, for that CEO, that board of directors who's looking to maybe weather this storm, any words of wisdom there? Well, I mean, I think the first thing is recognize the skills you have and the skills you don't, right? I mean, the folks in leadership positions that really weathered the last storm, you know, 2008 was mostly an impact on, for example, the auto industry and banking. It really didn't have an impact on the cybersecurity or technology industries even.
Starting point is 00:18:37 You have to go all the way back really to 2000. So you're talking about leaders that – the last leaders that weathered this are probably in their 50s now, which, you know, is not the demographic that makes up a lot of CEOs and cybersecurity companies. So the first thing is, you know, have those mentoring relationships, have those peers, and understand the metrics on which you're going to be measured are probably totally different than the metrics on which you've been measured for the last five or 10 years. You know, in addition to that, really watch your term sheets when you're going forward for another round. What's in those term sheets? You know, preferred stock, antedilution provisions. I mean, now is the time to pay attention to what are you signing up for, and the best deal might not be just the biggest deal, which is what I think everybody always used to get enamored with. But also, watch what's happening.
Starting point is 00:19:25 We already see public security software companies are down in the first half, along with the rest of the market. But this is going to be a proxy for valuations, Dave, which are already showing signs of impact and people slowing down. All right. Interesting times. Caleb Barlow, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
Starting point is 00:20:08 the next generation of cybersecurity teams and technology. Our amazing Cyber Wire team is Elliot Peltzman, Brandon Karpf, Eliana White, Rupakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Goral Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Trey Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:21:23 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
