CyberWire Daily - CISA would like agencies to look to their management interfaces. Hacktivist auxiliaries and a role for OSINT in Russia’s hybrid war against Ukraine.
Episode Date: June 30, 2023

US Federal Government working to secure management interfaces. NoName057(16)'s DDoSia campaign grows, and targets Wagner, post-insurrection. Update: Unidentified hackers attack Russian satellite communications company, claiming to be Wagner. The role of OSINT in tracking Russia's war. Manoj Sharma of Symantec discusses trends he's hearing about generative AI. Becky Weiss from AWS talks with Rick Howard about the math behind their security. Cyber awareness over a holiday.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/125

Selected reading.
CISA Wants Exposed Government Devices Remediated In 14 Days (Dark Reading)
50 US Agencies Using Unsecured Devices, Violating Policy (Bank Info Security)
CISA working with agencies to pull exposed network tools from public internet (Record)
Following NoName057(16) DDoSia Project's Targets (Sekoia.io Blog)
Pro-Russia DDoSia hacktivist project sees 2,400% membership increase (BleepingComputer)
Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group (CyberScoop)
Hackers claim to take down Russian satellite communications provider (Record)
Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism (Flashpoint)
Preparing for cyber threats over the Fourth of July. (CyberWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The feds are working to secure management interfaces.
NoName's DDoS campaign grows and targets Wagner.
An update on the unidentified hackers attacking a Russian satellite communications company.
The role of OSINT in tracking Russia's war.
Rick Howard speaks with Becky Weiss from AWS about the hard math behind security.
Our guest is Manoj Sharma of Symantec to discuss the security implications of generative AI and cyber awareness over a holiday.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, June 30th, 2023.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 23-02,
mitigating the risk from Internet-exposed management interfaces.
Researchers at Censys have discovered hundreds of qualifying devices that will need to be secured in order to comply with the directive.
The company's report says,
Censys researchers conducted analysis of the attack surfaces of more than 50 federal civilian executive branch organizations and the systems associated with these entities. Examining the services running on these hosts,
Censys found hundreds of publicly exposed devices within the scope outlined in the directive.
The researchers add, in the course of our research, we discovered nearly 250 instances
of web interfaces for hosts exposing network appliances, many of which were running remote
protocols such as SSH and Telnet. Among
these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces,
enterprise Cradlepoint router interfaces exposing wireless network details,
and many popular firewall solutions such as Fortinet, FortiGuard, and SonicWall appliances.
So, as CISA's well aware,
there's a lot of work remaining to be done here. Turning to Russia and its war against Ukraine,
the Wagnerite mutiny is having an effect on conflict in cyberspace. Much of that conflict
is potentially self-defeating. Consider the DDoS network the Russian hacktivist auxiliary
NoName057(16) has built up to serve the state. We'll call them NoName for short. Since NoName's
distributed denial-of-service public recruiting campaign DDoSia began in early 2022, its
participants have grown significantly. Bleeping Computer reports a 2,400% growth in active users, 10,000 as of June 29th,
and its Telegram channel has swelled to over 45,000 people.
Sekoia released a detailed report regarding the paid DDoS service offered by NoName and writes,
We clearly identify that the pro-Kremlin hacktivist group NoName
primarily focuses on Ukraine and NATO countries,
including the eastern flank, Lithuania, Poland, Czech Republic, and Latvia.
It is highly likely that this stems from the fact that these countries
are the most vocal in public declarations against Russia and pro-Ukraine,
as well as providing military support and capabilities.
The group has been noted to reactively target countries as they express their support to Ukraine with arms
shipments and anti-Russian sentiments. These pro-Kremlin hacktivists, as Sekoia calls them,
began to attack Wagner sites on June 24, which coincided with the Wagner mutiny and subsequent march on Moscow.
Sekoia writes,
This is the first observed attack against one single victim,
as the NoName group usually targets an average of 15 different victims per day.
Another considerable difference can be noted.
While they usually do so for other victims,
the attackers did not communicate about the attack on their Telegram channel.
It's noteworthy that the NoName group was quick and responsive. They were sharper on the uptake
than Killmilk, probably leader of Killnet, who was observed partying it up in Rostov during the
Wagner Group's brief occupation of that city. Mr. Killmilk has been largely quiet since things fell apart for the Wagnerites
Saturday evening. Maybe he backed the wrong horse. Unidentified hackers claiming to be the Wagner
PMC group targeted the Russian satellite communications company Dozor and have defaced
several websites with the Wagner logo. Cyberscoop writes, the group posted a link to a zip file containing 674 files,
including PDFs, images, and documents. On Thursday morning, the group also posted three files that
appear to show connections between the FSB and Dozor, and the passwords Dozor employees were
to use to verify that they were dealing with actual FSB representatives,
with one password valid for every two months in 2023, according to a Google translation.
Dozor Teleport was confirmed to be disconnected from the internet on June 29th by Doug Madory,
director of internet analysis for Kentik. The Record reports, the hackers claim that they damaged some of the satellite terminals
and leaked and destroyed confidential information stored on the company's servers. The group posted
700 files, including documents and images, to a leak site, as well as some to their newly created
Telegram channel. One of the documents reveals a purported agreement that grants Russian security services access to
subscriber information from Amtel-Svyaz. Recorded Future News was unable to verify the authenticity
of these documents. InformNapalm, a hacktivist intelligence organization working in the interest
of Ukraine, has also reported on the attack on their Telegram page, but they have refrained from naming Wagner as the group responsible.
It should be noted that at the time of writing,
no Wagner social media have claimed credit for this attack.
A Ukrainian false flag operation remains very much a possibility.
One of the lessons taught by Russia's war against Ukraine
has been the utility and prominence of open source intelligence in following the action.
Observers have learned not to confuse cost with value, and a multitude of new sources, networked and equipped with smartphones,
has altered the way in which journalists and even intelligence services follow developments.
Sometimes the information posted by a rando taking selfies in front of a rail car with
tanks on it can be more valuable than what you're getting from a billion-dollar hyperspectral
sensing platform in low earth orbit. Flashpoint has an overview of how OSINT has enabled the
formation of a tolerably accurate picture of even so murky an event as the Wagner Group's mutiny.
They draw a lesson from how understanding of recent events has unfolded, stating,
In today's dynamic geopolitical climate,
staying ahead of the curve necessitates more than just monitoring mainstream media.
Open-source intelligence collections have emerged as a game-changing tool
for keeping abreast of the latest events in Ukraine and Russia,
which can
help various organizations and sectors sift through the vast amounts of information, quickly filter
out the noise, and deliver the most salient insights in real time. The recent events in
Russia showcase the value of this intelligence resource in offering a multifaceted perspective
on ground realities. And, we'd add, it's striking to see the extent to which even mainstream legacy journalism
has come to incorporate information gained from the social media crowd in its reporting.
Social media, and especially Telegram, have been a principal source of information
about the march on Moscow and its consequences.
They've also provided a useful check on official statements.
Anyone who's spent any time with social media
knows the vast quantity of nonsense in circulation,
but in some respects,
they do function as a kind of marketplace of ideas
and a market that can function efficiently.
Here's a suggestion for students of the field.
When do social media form a self-correcting source of information,
and when do they wander into popular delusion?
Some systematic understanding would be welcome.
Holidays are traditionally times of heightened cyber threat.
This weekend begins the U.S. Independence Day celebrations, and attacks are to be expected.
See our website for some
advice from industry experts. And remember, threats aren't really born on the 4th of July,
but they get itchy around the holidays. So enjoy the fireworks, have fun at the parade,
attend the barbecue, but stay safe online. We'll be enjoying the 4th, and we'll be taking Monday
and Tuesday off. We'll be back as usual on Wednesday.
In the meantime, enjoy the holiday
if you observe it. A British
friend of the show does, only
he celebrates it as Good Riddance Day.
That hurts,
but still, the guy's got a point.
Coming up after the break, Rick Howard speaks with Becky Weiss from AWS about the hard math behind security. Our guest is Manoj Sharma of Symantec to discuss the security implications of generative AI.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives
are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Manoj Sharma is Global Head of Security Strategy at Symantec in their enterprise division.
Like many of us, he and his colleagues watched with great interest the release of ChatGPT and other generative AI based on large language models with an eye on its potential for good
or harm.
We looked at this from multiple angles, if you will.
I mean, can this tool be used?
Is it mature enough to produce something meaningful
that can be used in a malicious kind of an attempt?
And as we were contemplating, I just see this one call
from one of our account managers who works with one of our largest customers.
It's like, Manoj, we need to talk. I'm like, sure. And the opening statement the
customer made was, Manoj, we have an existential crisis.
Like, coach me. Tell me more. And
their answer was, well, I'm really afraid that this tool
is going to create a lot of problems for us. And we are
a bunch of experts that serve larger, smaller, all kind of communities.
And I'm afraid that our experts would use this tool to find answers
that they should be looking for in the researchers that we subscribe to
and so on and so forth, real attributable research knowledge.
And they would go to this tool, find an answer to a question, get it wrong,
and then use that in knowledge in making business decisions, if you will. And if that gets wrong,
then I am opening myself to a lot of potential financial penalties in terms of lawsuits,
if you will.
So I'm like, so what are you expecting me to do?
They're like, I need guardrails.
I need guardrails for people when they're going to these tools.
Now, I can give you more examples on this front.
Imagine a company that processes the mortgages, if you will.
A part of mortgage processing is letter writing.
You write letters, right?
I mean, imagine this for a minute.
If somebody, you know, I'm not saying it's going to happen,
it's a possibility.
And I'll give you two more examples on that front.
There's a fact that if somebody who's processing that loan application
took that loan
application and
wrote a letter for it,
didn't like the way it came out, and
took all of that copy and all that text and gave it to ChatGPT to rewrite it for it.
It's going to work. It's going to work great.
But the problem is that that text may have some PII
and very personal information about the individual or the entity you're doing business with.
And you don't know how that information will be used by that language, large language learning models, if you will, and where it will show up.
So this vector has become a primary concern for our customers for losing important data, either by intent or by a mistake.
When you talk about guardrails,
are we talking about something along the lines of security training that we do for our employees?
Are we talking about technical solutions or a blend of both?
It has to be a blend of both. Let me put that in perspective.
What do you think about it?
Even Broadcom, the company I work for,
we have a policy that came out as soon as we discovered these tools
and how few other companies, and Samsung got in trouble
by using the code and sharing the code, if you will, on these tools.
Our engineers are not supposed to upload or download code from these
tools, if you will, right? Attribution and privacy and so on and so forth. And this is the reason why
most of the larger banks in America have actually blocked access to this tool already from their
environment. And so when you build a policy and you train your users on don't do this,
and you have the certification programs, and I agree, but then how do you enforce it? And how
do you report on it that it's not happening? So when we talk about guardrails, there, of course,
is a coaching and training of the employees that is happening. But in addition to it,
the technology controls and measures need to be
put in place that people don't do these things even accidentally. So what we do at Symantec,
and this is a very small change in our intelligence that we generated and enabled
our customers actually to clearly identify who are the users and which users are going to which ones of these tools.
There's so many tools out there, Dave.
It's not just ChatGPT.
It's not just Bard.
It's so many others.
Salesforce has one.
AWS has one.
I mean, name it.
There's so many tools there.
So what we have done is clearly identify the traffic going to these tools
and who's going there, so you
as an administrator
or information governance program
owner can sit down,
analyze, so why is engineering going
there? They shouldn't be going there.
I understand that human resources
and recruiting and marketing wouldn't go there
because they do a lot of creative work.
So I will let them go, but not let engineering
and other functions go use these tools.
But if they have to
coach them, coach
them in a way that the user gets to these
tools, a little coaching page
would show up and say, hey,
I see you're going to this page.
Please do so. Please go to this
app. Do what you need to do. Please ensure
that you read the term of use, how the information will be used. We recommend,
we heavily suggest, and the policy states, whatever
housing you're awarded, so coach the user on the way.
The problem, Dave, is that all the businesses, it doesn't matter where you work,
our users are way too smart and way too savvy
with internet technologies.
If you block them from going to this tool, and everybody's very curious about it,
if you block them from going to these tools from their network, from your corporate devices,
they'll find another way to get there.
Right.
Well, and that was going to be my next question, which is, like, I can imagine this being an irresistible temptation when it comes to folks making their own shadow IT.
Well, you bet. It's a classic use case for shadow IT.
So the idea here is the best way that we found working with our customers is guardrails.
Coach the users, let them go there, but coach them on the possibility of your data that you're uploading will show up somewhere and that may cause legal liabilities. Don't download
code that may be copyrighted code. So coach the users, tell them, and then put additional controls
that when the user is uploading something or asking a question, you're monitoring what are
they uploading? What does the query look like? So our technology allows you to capture that data.
And then if we find in that conversation that this is PII, this is sensitive data that shouldn't be
going, we'll block it before it gets there in real time.
That's Manoj Sharma from Symantec. Thank you.
In another episode of our continuing series of interviews
that our CyberWire colleague Rick Howard gathered
at the recent AWS re:Inforce conference,
today Rick speaks with Becky Weiss from AWS
about the hard math behind security.
The CyberWire is an Amazon Web Services media partner,
and in June 2023, Jen Iben, the CyberWire's senior producer and I,
traveled to the magic world of Disneyland in Anaheim, California,
to attend their AWS re:Inforce conference
and talk with senior leaders about the latest developments
in securing the
Amazon cloud. I got to sit down with Becky Weiss, a senior principal engineer at AWS,
and one of the keynote speakers at the conference. And we got to talking about the different ways
people can learn the craft of cybersecurity. And she had some excellent advice.
In my opinion, someone's trying to learn the cloud. It is the best vantage point from which to approach that learning journey
is to actually start with security.
Actually, concretely, I tell people to start with the identity
and access management service in AWS
because that's at the center of everything.
If you understand what's going on there,
you're going to have a much easier path to learning anything,
how anything works in AWS.
I love that as advice, right?
Because that's not what most people,
most veterans would not say that,
but that's a perfect way to get in, right?
Because if you, like you said,
it is the key to the whole security posture, right?
And especially if you're trying to adopt
some kind of zero trust strategy, right?
So what a great recommendation that is.
That's fabulous.
Yeah.
One of the things you said in your keynote was you were talking about being able to mathematically prove things.
And that went right over my head, right?
And so I would love you to explain what that means to me, right?
Well, you have to cover so much material so fast.
So we've made a very large investment in AWS into what we call automated.
Automated. You can edit that one. No, no, we're leaving that in,
totally. Okay. Automated reasoning. Automated reasoning. Okay. So this made its, as far as I
know, this made its first appearance on the AWS stage. I'm going to say, I might have my facts a
little bit wrong, but I'm close, 2018. We launched this feature for S3 called Block Public Access.
So the problem we were working backwards from was this.
You know, S3 is the focal point for where a lot of customers store their data in AWS.
Most of it is in the S3 service.
And, you know, of course, S3 buckets are secure by default.
They're local to your account by default.
They're not accessible from outside the account until you take some configuration step to affirmatively say so.
And we had a lot of customers who were worried
about somebody making a configuration mistake
on that policy that allows outside access.
Because that seems like, I mean, in the early days of S3 buckets,
that seemed like the news headline, you know,
someone forgot to configure the S3 bucket to do something. Right.
And there was understandably a lot of concern about that. And if you even go back to the,
you know, to the birth of S3, like I once went and looked it up and S3 storage for the internet,
right? And one of those use cases in those early days before the
rest of AWS existed, because S3 was either the first or one of the first, depending on how you
look at it, was, well, let's host a website on this. This is a great place to host website assets
so that the world can get to my website. But if you zoom forward a decade and a half or more,
that's not really what... Even if you wanted to put a website on S3,
which is a great use case for S3,
you would use our CloudFront service
and you'd get all kinds of other, you know,
you'd get better latency and, you know,
and caching behaviors and global distribution
and all these things that the CloudFront service
is exactly designed to do.
Well, can I give you a for instance?
I joined the CyberWire about three years ago, right? And I kept talking about a web server that we, you know, where we distribute all
of our content. And I'm thinking in my head, because I'm an old guy, right? That there's a
server somewhere, either hardware or software sitting in Amazon, acting like a web server.
And it took me a year and a half to realize that. It was just data in S3 bucket with Lambda calls.
That's how our website, there's no server, right?
And it's like, it completely went, my head blew.
And I've actually seen, particularly in the earlier days of AWS,
I actually saw exactly that reaction from customers.
You're like, wait, what's, you know,
how do I put a firewall in front of my DynamoDB table?
Like that's not what's going on here, right?
Like it's an API, right? That's right. So, you know, so we saw a lot of understandable
concern over these, over these misconfigurations and we had been investing in this team that
specialized in automated reasoning techniques. So these are mathematically provable techniques
that are based on, you know, you model a system and it's able to, it's able to
use all those things you learned about in that theoretical computer science class that they made
you take. I really liked that class, by the way. It was a cool class. But, but all of those techniques
are used to prove, very specifically to prove that like one policy is or isn't more permissive than
another policy. And from that, they can deduce provably
whether the bucket has a policy on it
that's allowing public access.
And from there, they could block that
when they see that happening.
And that was a very large step forward that we took
or that our customers were able to take
in just having confidence that the configurations are,
that the configurations are what they want them to be.
And if somebody ever misconfigured a resource with what they didn't want it to be,
this thing would step in, block it, and so they could be a lot more confident.
What's the takeaway from your view from this conference?
What should, as I'm leaving, going home tonight, what should I be thinking about?
I talked a little bit in the keynote about data perimeters.
This is very meaningful, probably both to me and to all of our AWS customers,
because like I said at the beginning,
the very first thing that you think about
if you're going to move a workload to the cloud
is not how do I build it,
but how do I make sure that it's secure?
Just at a coarse-grained level, how do I keep the... I have my part of the cloud. I need to keep the outsiders out.
I need to keep the data inside it, right? That's, you know, that's step zero, right? We got to
figure out how to solve that before we can really do anything else. And our data perimeters efforts
work backward directly from that. And, you know, and we've made quite a few steps along this journey,
meaningful progress for the last couple of years,
even before we were using the term data perimeters.
This is something that we are very, very attuned to.
And we have a great white paper on it
that if these ideas resonate with,
if you're listening to this,
if these ideas resonate with you,
look up AWS data perimeter,
you're going to find a really actionable white paper
with good guidance.
Excellent.
And, you know, and we're not done there.
Like we're doing a lot more there.
And I'm really excited about that
because it's just so meaningful to anybody,
you know, anybody who's, you know, trusting us
and giving us the privilege of holding their data.
I like the way they wrapped that up
because Zero Trust has given us concrete things we
can do right away.
It's no longer a theory.
We can actually do some things.
And then a little bit of homework.
Go read the data perimeter paper and see what you can do.
You'll definitely pick up something you want to do from there.
Excellent.
Well, thanks, Becky.
Thanks for coming on the show.
Thank you so much for having me.
That's the Cyber Wire's Rick Howard speaking with Becky Weiss from AWS.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Daniel Dos Santos,
Head of Security Research at Forescout.
We're discussing their insights from a recent exercise his team conducted on AI-assisted attacks for OT and unmanaged devices.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies. Thank you. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester, with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.