CyberWire Daily - Consensus on the Viasat hack: Russia did it. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies exploited, but to what end? Advisories from CISA and its partners.

Episode Date: May 11, 2022

There's international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia's future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research. And new advisories from CISA and its partners.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/91

Selected reading.
Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (Proofpoint)
NPM dependency confusion hacks target German firms (ReversingLabs)
npm Supply Chain Attack Targeting Germany-Based Companies (JFrog)
Adminer in Industrial Products (CISA)
Eaton Intelligent Power Protector (CISA)
Eaton Intelligent Power Manager Infrastructure (CISA)
Eaton Intelligent Power Manager (CISA)
AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (CISA)
Mitsubishi Electric MELSOFT GT OPC UA (CISA)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
Alert (AA22-131A) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA)
Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA)
Russia downed satellite internet in Ukraine -Western officials (Reuters)
US and its allies say Russia waged cyberattack that took out satellite network (Ars Technica)
Western powers blame Russia for Ukraine satellite hack (The Record by Recorded Future)
Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)
Attribution of Russia's Malicious Cyber Activity Against Ukraine - United States Department of State (United States Department of State)
U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors (CISA)
Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (GOV.UK)
Estonia joins the statement of attribution on cyberattacks against Ukraine (Ministry of Foreign Affairs, Republic of Estonia)
Statement on Russia's malicious cyber activity affecting Europe and Ukraine (Canada.ca)
Attribution to Russia for malicious cyber activity against European networks (Australian Government Department of Foreign Affairs and Trade)
Russia hacked an American satellite company one hour before the Ukraine invasion (MIT Technology Review)
NSA Probing Reach of Software From Russia's Kaspersky in US Systems (Bloomberg)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. There's international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end?
Starting point is 00:02:12 Caleb Barlow examines Russia's future on the Internet. Our guest is Deepen Desai from Zscaler with the latest phishing research and new advisories from CISA and its partners. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 11th, 2022. We saw yesterday that the European Union had formally attributed the cyberattack against Viasat's KA-SAT network, which took place an hour before combat operations began in Ukraine, to Russia. Other allied governments were quick to second that attribution. The U.S. Department of State said, after drawing attention to Russian use of wiper malware in its cyber prep,
Starting point is 00:03:16 today, in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries. The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens.
Starting point is 00:03:52 CISA updated their March 17 alert Strengthening Cybersecurity of SATCOM Network Providers and Customers to explain that the threat to SATCOM networks they warned about was indeed a Russian threat. The attribution offered by Britain's NCSC is more specific. It calls out Russian military intelligence, the GRU, as the organization responsible for the cyber attack. Estonia is equally specific. They say it can be stated with high certainty that the GRU was behind these attacks.
Starting point is 00:04:26 According to The Telegraph, the British government also sees the cyberattacks against the German wind turbine sector as collateral damage of the prep fire directed against Ukraine's Internet. Both the British foreign minister and the U.S. Secretary of State emphasized this indiscriminate aspect of the Russian cyberattack. NBC News quotes British Foreign Secretary Liz Truss as saying in a news release, This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine, which had significant consequences on ordinary people and businesses in Ukraine and across Europe. U.S. Secretary of State Antony Blinken made the same point. He said,
Starting point is 00:05:07 Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukraine command and control during the invasion, and those actions had spillover impacts into other European countries. Both Canada and Australia joined the other Five Eyes in the condemnation of Russia's disruption of Viasat's KA-SAT network. For governments that aren't parties to the conflict, their open hostility to Russia's special military operation and their support for Ukraine are striking and unambiguous. MIT Technology Review's coverage of the cyberattack on Viasat terminals concludes that further attacks are possible, perhaps probable. The Russians used the AcidRain wiper against the systems,
Starting point is 00:05:55 and AcidRain is striking in its general-purpose adaptability. Technology Review quotes SentinelOne researcher Juan Andrés Guerrero-Saade, who says, What's massively concerning about AcidRain is that they've taken all the safety checks off. With previous wipers, the Russians were careful to only execute on specific devices. Now those safety checks are gone and they are brute forcing. They have a capability they can reuse. The question is, what supply chain attack will we see next? Bloomberg covers the ongoing investigation of Kaspersky security software as a potential security threat, quoting Rob Joyce, head of NSA's Cybersecurity Directorate, on the risk he thinks
Starting point is 00:06:39 Kaspersky poses to U.S. companies. Joyce stated, I am still very worried about U.S. companies that are using Kaspersky. We think that it is ill-advised with this global situation. In one respect, this is a supply chain issue. Kaspersky software is white-labeled inside many widely used devices. Joyce said, so there are routers, for example, that come with a Kaspersky engine inside them, and it's not clear people understand that that's buried inside a product that looks U.S. or Western, so we're trying to understand where those risks are in the supply chain and where the biggest ones exist. Kaspersky, it's fair to note, has long denied that it's under Kremlin control.
Starting point is 00:07:26 Proofpoint issued a report this morning which describes a new OS-agnostic RAT written in the increasingly popular Go language. The researchers call it Nerbian and say that it leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries. ReversingLabs blogged yesterday about an NPM dependency confusion that's been exploited recently in attacks against large German firms.
Starting point is 00:07:55 ReversingLabs said, New NPM packages discovered last week by ReversingLabs appear to target a major German media conglomerate as well as a major rail and logistics operator. The packages are similar to those discovered by researchers at the firm Snyk and disclosed in late April. It's unclear who was behind the attacks, what their objectives were, or even how successful they were, but it seems clear that NPM attacks are more widespread than previously believed. JFrog, which has also been tracking the incidents, sees similar ambiguity and thinks the attacks could be the work of either a sophisticated threat actor
Starting point is 00:08:35 or an unusually aggressive penetration tester. CISA yesterday released six industrial control system security advisories. CISA also added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, the Microsoft Windows LSA spoofing vulnerability, and F5's BIG-IP missing authentication vulnerability. Fixes are available for both of them. And finally, concerned about a growing threat to managed service providers, the Five Eyes have issued a joint alert with advice to MSPs and their customers
Starting point is 00:09:12 on preventing and responding to cyberattacks staged against and through MSPs. The advice is a familiar set of best practices, but no less valuable for that. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
Starting point is 00:10:22 vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:11:09 Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. Zscaler recently released the latest edition of their annual phishing report, documenting the trends they track using a combination of their own internal telemetry and outside sources. It's no surprise that phishing continues to be an attractive and effective technique for threat actors. Deepen Desai is Chief Information Security Officer at Zscaler. So what we noticed was retail and wholesale industries were among the most targeted ones, experiencing over 400% increase in phishing attacks
Starting point is 00:11:58 over the last 12 months. The team also saw, you know, dissected the data based on the regions that were being targeted by the attackers. We noticed the United States being at the top, accounting for more than 60% of all the phishing attacks that were seen, followed by Singapore, Germany, Netherlands, and the UK. The third key finding that I'll call out is new phishing delivery vectors, such as SMS phishing.
Starting point is 00:12:33 It's also called smishing. This is where the threat actors are using SMS to deliver the phishing link to the end user. And this is because more and more users are becoming wary of suspicious emails, looking at different telltale signs on their computer. But they're often more lenient when they're clicking on links that they see from a user on their cell phone. And these are SMS arriving from banks,
Starting point is 00:13:06 retail vendors, and so on and so forth. So we saw 700% increase in the first half of 2021 in smishing attacks as well. You know, one of the things that you highlight here is this notion of phishing as a service, where, you know, folks can go and basically buy these prepackaged kits. Can you take me through this? I mean, suppose I'm someone who's looking to, I don't know, branch out on my own and do this sort of thing. How would I go about it? Yeah, it's very easy.
Starting point is 00:13:37 And I hope you're not going to do that. But it's really easy with this phishing as a service offering. So what essentially it provides the cyber criminal is an easy way to deploy phishing sites at scale. And I'm not talking about you deploying a phishing page on one website, but hundreds of sites at a given time. There are pre-cooked templates based on the brand that you're trying to target.
Starting point is 00:14:10 No spelling mistakes. They've taken care of all the fields that make those pages look really authentic. So making it more professional, making it easier to deploy at scale, and honestly creating a greater chance for making those phishing campaigns successful as far as the end user clicking on the link and entering the information is concerned. What are your recommendations for folks to best protect themselves against this?
Starting point is 00:14:41 Yeah, so, I mean, just like any attack campaigns, phishing involves, I mean, it starts with your end user, right? So they're targeting, end users are often referred to as weakest link, right? They target the social engineering aspect where they're trying to convince a user into believing that the link or the page that they're visiting is indeed the service for which they're trying to harvest credentials
Starting point is 00:15:12 or at times they're trying to plant a malware payload. So number one thing I would recommend is continue to make your security awareness training course as dynamic as possible. You need to update the training content to make the user aware of all the newer techniques. The one that I mentioned, smishing, for instance. There should be some level of training on that part as well. The second most important thing is test it.
Starting point is 00:15:41 All the security controls that you have in place, all the training that you do for your end users, you need to have simulated phishing attacks. Or you could call it red teaming. You need to have those simulations done to see whether your users are still making those mistakes, whether your security controls are doing the job of blocking those attacks. And training the user at the time of incident is critical, right? You could do all the training beforehand or after an incident. But when the incident is happening, if your security stack is able to train the user, notify the user, assess the user in not making mistakes. I think that's the third piece that I would mention. That's Deepen Desai from Zscaler.
Starting point is 00:16:42 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is our CyberWire contributor, Caleb Barlow. Caleb, always great to welcome you back to the show. You know, we're all tracking the situation going on here with the Russian invasion of Ukraine, and some of the fallout from that is as more and more services seem to be decoupling themselves from interacting with the Russian economy.
Starting point is 00:17:55 I want to check in with you on this. Where do you think we're headed here? Well, for years, we've all talked about what does a cyber war look like? And, you know, I remember once even on CNN being asked, hey, is there a future cyber Armageddon coming? And I think people often thought about the crossover from the cyber realm into the kinetic realm. Letting loose the water to dams,
Starting point is 00:18:18 shutting off a city's electricity. I mean, anyone in the cybersecurity space has had this conversation and been asked the question of, is this in the art of the possible? And, you know, we've even seen the Russians try that historically in Ukraine, turning the power off and things like that. And I don't want to belittle that that is not a possibility. I mean, critical infrastructure attacks are certainly a real possibility. But I don't think what we ever thought about was the impact of private services just getting turned off during wartime, where either government action or private sector companies saying, hey, I'm not going to do work with this entity anymore. And, you know, this kind of cancel culture of these things being turned off.
Starting point is 00:19:06 And where Russia is fighting a kinetic war, you know, tanks and soldiers on the ground, the U.S. and Western allies are clearly fighting an economic war, right? Sanctions and, you know, things that are very devastating to the Russian economy in the long term. But cyber is unfolding in a very intriguing way, which is kind of this cancel culture. Imagine the impact long term of not being able to get access to silicon, not being able to get access to new computers, routers, all these things that can't be sold in Russia anymore, either because of government sanctions or just simply because private sector companies are saying, hey, I'm pulling out. I'm not doing business there anymore. This is a part of the playbook I don't think anybody really thought through. And where this could get more interesting is up to this point, most of the dialogue has been about the
Starting point is 00:19:56 purchase of physical devices, you know, a router, a computer, computer chips, things like that. You know, the telcos, for example, have said, hey, we're not going to do new business in Russia, but they're not shutting off existing business to date. If, you know, if you take AT&T, Verizon, Lumen, I mean, they move a very large percentage of global internet traffic. If we ever got to the point,
Starting point is 00:20:22 either through a large-scale cyber attack, an action from government, or some other factor, where one of these companies said, hey, we're just not going to route this traffic anymore. We're going to stop the peering relationships. That's going to force the Russian economy back to the days of a 1200 baud modem. I mean, it wouldn't disconnect them from the internet, I don't think, but it would degrade services to a point that would be mind-numbing. I mean, I was looking around this morning. The number one used app in Russia, the number one visited website is YouTube. What happens if you can't get to that anymore?
Starting point is 00:20:57 91 million Russians are using YouTube. Does Russia have a future that looks like North Korea's where, you know, the rest of the world community makes it so that they have to be self-contained? I don't know. I mean, I think, but I think these are the kinds of questions we have to start asking ourselves, both government and private sector, because there's a new tool here we really never thought about. We never thought about how do we use it? When do we use it? Where do we use it? Is it even a good idea to use it? I mean, the better access Russians have to the internet, the better our ability to, you know, push past Russian propaganda for a whole variety of reasons, right? So there's a lot of reasons to say, hey, you want to keep these activities moving
Starting point is 00:21:46 as much as you can. But in many cases, the decision of to do or not to do business is going to actually be held with the CEOs of private sector companies. And that's a part of this kind of new genre of warfare that I don't think anybody ever thought through.
Starting point is 00:22:06 if you will, into the equation that I don't think we've ever thought about. I mean, when we think about coercion relative to an attack, whether it be a cyber attack or a kinetic attack, the normal ways we thought about that is, you know, someone, you know, person A launches a missile into person B's territory and person B fights back with another missile or maybe economic sanctions or maybe something else. We never thought about the idea of, oh yeah, you just, you can't get to YouTube. You can't get to Amazon. You can't get to Microsoft. Like that's a whole new realm of discussion as the world now operates largely remotely, thanks to the pandemic in a, in a cyber realm. And we've got to really start thinking about what that means. Right.
Starting point is 00:22:49 So perhaps a global conversation here. You know, these are the, as we talk about things like the norms of war and so on and so forth, does this need to be part of future conversations? Absolutely. You know, much like economic sanctions have a huge impact, so do these, and I don't even know what you call it, but cyber sanctions, right? Like a lack of ability to get to cloud environments or network at speed will definitely have an impact on any economy. All right. Well, Caleb Barlow, thanks for joining us. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:23:45 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Starting point is 00:24:10 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:25:03 Learn more at ai.domo.com. That's ai.domo.com.
