CyberWire Daily - Copper smelter hit with malware. Notes from the hybrid war. Disinformation, not direct manipulation of results, the principal threat to US elections. Ransomware in Australia’s ForceNet. Threat trends.

Episode Date: October 31, 2022

Leading European metals producer is hit with malware. Cooperative defense in cyberspace. A Ukrainian ally describes its exposure to Russian cyberattacks. Former UK Prime Minister Truss's phone may have been compromised. CISA sees a complex threat environment, but no specific threat to US elections. The Australian Defence network sustains ransomware attack. The three finalists in the DataTribe Challenge share insights on the competition. Rick Howard previews the new season of CSO Perspectives. And a look at threat trends. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/209

Selected reading.
Aurubis says it was hit in wider cyberattack on metals industry (Reuters)
Copper Giant Aurubis Shuts Down Systems Due to Cyberattack (SecurityWeek)
Inside a US military cyber team's defence of Ukraine (BBC News)
Ukraine's cyber power shows value of public-private partnership (Nikkei Asia)
Latvian President: Only the West's Weakness Can Provoke Russia (Foreign Policy)
Latvia's cyberspace faces new challenges amid war in Ukraine (The Record by Recorded Future)
Worries build about winter cyber threats in Ukraine (POLITICO)
Liz Truss's personal phone hacked by Putin's spies (Mail Online)
Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)
Liz Truss phone hack claim prompts calls for investigation (BBC News)
Russian spies hacked Truss's personal phone (Computing)
Government urged to investigate report Liz Truss's phone was hacked (the Guardian)
Ministers creating 'wild west' conditions with use of personal phones (the Guardian)
'Complex threat environment' ahead of midterm elections, top cybersecurity official says (Reuters)
CISA chief sees no "specific or credible threats" to election infrastructure (CBS News)
For cyber experts, disinformation overshadows cyberthreats in midterms (Washington Post)
Australian Defence Department caught up in ransomware attack (ABC)
Cyber-attack on Australian defence contractor may have exposed private communications between ADF members (the Guardian)
Cyber Threat Reports (Deep Instinct)
Deep Instinct releases its 2022 Interim Cyber Threat Study. (CyberWire)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Starting point is 00:00:46 Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off
Starting point is 00:01:34 is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash n2k, code n2k. A leading European metals producer is hit with malware. Cooperative defense in cyberspace? A Ukrainian ally describes its exposure to Russian cyber attacks. Former UK Prime Minister Truss' phone may have been compromised. CISA sees a complex threat environment, but no specific threat to US elections.
Starting point is 00:02:21 The Australian Defense Network sustains a ransomware attack. The three finalists in the DataTribe Challenge share insights on the competition. Rick Howard previews the new season of CSO Perspectives and a look at threat trends. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 31st, 2022. Aurubis, Europe's largest copper smelting company, sustained a cyber attack last week, Reuters reports. SecurityWeek notes that the incident looks like a ransomware attack, although that hasn't yet been confirmed. The company believes it was targeted as part of a larger campaign against the metals sector. It responded by shutting down certain IT systems and isolating them from the Internet. Its core industrial processes have continued to function.
Starting point is 00:03:36 Aurubis said, The production and environmental protection facilities at the smelter sites are running, and incoming and outgoing goods are also being maintained manually. Transitional solutions are being implemented to make the company's full services available to business partners again starting next week. Customers and suppliers can still reach their Aurubis contacts by phone. Turning to Russia's hybrid war against Ukraine, it's well known that countries sympathetic to Ukraine have contributed weapons, ammunition, and other supplies to Kiev's defensive war. They've also contributed cyber-operational capability. The BBC was permitted a look inside U.S. Cyber Command's forward deployment to Ukraine and other countries threatened by Russian cyber operations.
Starting point is 00:04:24 In their hunt-forward operations, Cyber Command's teams concentrate on detecting threat activity and reporting it to their partners so the partners can themselves eject the threat actors from their networks. The combined operations the BBC described were conducted before Russia's February invasion, but they continued in-country up until the eve of the invasion, at which point the team was relocated from Ukraine. While it was there, however, it contributed both to mitigation of SolarWinds exploitation and Ukraine's preparation to withstand wiper attacks. The BBC points out that hunt-forward missions are classed as defensive, but General Paul Nakasone, who leads both the military's Cyber Command and the National Security Agency, confirmed offensive missions have also been undertaken against Russia in the wake of the invasion of Ukraine. But he and others declined to provide further detail. Varis Teivāns, deputy manager of Latvia's computer emergency readiness team, described his country's experience of Russian
Starting point is 00:05:34 cyber operations since the war against Ukraine began. In a conversation with The Record by Recorded Future, he said that the rate of cyberattacks against Latvia had increased by 30% since the war began in February. The Baltic country's experience has been a familiar one. Nuisance-level state-inspired nominal hacktivism, much of it by Killnet, has dominated the threatscape. These attacks have often shown poor intelligence preparation and often amount to nothing more than what Teivāns characterized as PR, as in the publication of publicly available information with the claim that it had been obtained through hacking. The state organizations proper, the APTs run directly by Russian intelligence services, are of more concern,
Starting point is 00:06:24 but while their aim and their planning are better than the hacktivist militias, they too seem to have concentrated more on DDoS as a means of disruption. That could change as the war situation changes. Teivāns said, We are still at a stage where kinetic warfare is a priority for the attacking nation, while cyber is only a tool for threat actors to gain some economic and political advantage, or a means to support kinetic operations.
Starting point is 00:07:02 Despite a lack of results so far, Ukraine, NATO, and the EU remain on alert for Russian cyber attacks on the power grid. Russian intelligence services are believed to have successfully compromised former British Prime Minister Liz Truss' personal smartphone. The Mail on Sunday reported in an exclusive this weekend. The compromise is thought to have occurred while Ms. Truss was serving as foreign minister and continued through the summer's Conservative Party leadership campaign, according to Reuters. The BBC says that Labour and Liberal Democrat members of Parliament have called for a government investigation. This would presumably extend to how any compromise was accomplished, what information would have been compromised, and the extent to which officials use personal devices to communicate about official business.
Starting point is 00:07:47 CISA Director Easterly urged election authorities to secure their systems and take steps to protect their operations from violence in what she characterized as a very complex threat environment. But she also said, CBS News reports, that we have no information about specific or credible threats to disrupt or compromise election infrastructure. The Washington Post has spoken with a range of cybersecurity experts, and they are in general agreement that disinformation and not compromise or manipulation of the vote itself is the principal challenge the U.S. faces during the midterms. So beware of seditious and bogus narratives and their amplification by the credulous, the ill-intentioned,
Starting point is 00:08:32 and those just addicted to chatter. ForceNet, which The Guardian describes as a kind of internal social media platform for Australia's military, has sustained a ransomware attack. ForceNet is maintained by an external contractor, ABC reports, and that vendor initially said that no personal information had been exposed. Since that initial disclosure, however, the Australian government has begun to suspect that some private details, such as dates of birth and dates of enlisting, may have been stolen. And finally, Deep Instinct has published its 2022 Interim Cyber Threat Report,
Starting point is 00:09:13 outlining some of the top malware strains and exploited vulnerabilities they've been tracking. The majority, 44%, of ransomware campaigns were launched by affiliates of the LockBit ransomware-as-a-service offering, while 23% were carried out by the now-defunct Conti gang. Emotet is still by far the dominant banking trojan in the threat landscape, followed by NJRAT at a distant second. The researchers also note that data theft extortion attacks are growing more efficient, stating, ransomware attacks remain a serious threat to organizations, causing business disruption and reputational damage.
Starting point is 00:09:53 While it is not a new threat, ransomware has become easier to detect in the encryption phase. Threat groups are moving toward exfiltrating data earlier in their attack flows to demand a ransom for the leaked data instead of a key to decrypt. In the case of sensitive data exfiltration, there are far fewer remediation options. Several threat actors went even further, demanding a ransom from third-party companies if the leaked data has their sensitive information as well. Threat groups operating ransomware campaigns are financially motivated and have begun to develop their own markets
Starting point is 00:10:29 with easy-to-use query engines to find relevant data from the leaks and purchase it. We saw this play out in July 2022 by a rising star in ransom operators, ALPHV/BlackCat, who introduced their new leak database. So, the C2C market continues to mature. Keep your virtual eyes out for the crooks.
Starting point is 00:11:00 Coming up after the break, the three finalists in the Data Tribe Challenge share insights on the competition, and our own Rick Howard previews the new season of CSO Perspectives. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:43 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:34 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:18 It has become an annual tradition that the folks at startup incubator DataTribe hold their live DataTribe Challenge competition, pitting three finalists against each other in front of a live audience and a distinguished panel of judges. Up for grabs are $20,000 in prize money, and for the winner, up to $2 million in seed capital. The CyberWire is a media sponsor of the event and has received seed funding from DataTribe. The three finalists this year are Webified, Northstar, and Balance Theory. I spoke with the CEOs of each of these hopefuls to find out what attracted them to this kind of competition.
Starting point is 00:13:58 Vinu Thomas is founder and CEO of Webified, a company focusing on changing user identification and digital asset certification, verification, and validation using the decentralized system of blockchain and Ethereum smart contracts. I think validation of an idea, right? The validation essentially has come with the fact that we've even reached the finals, which is great. But the opportunity to present to the judges who are very well-respected individuals in the cybersecurity space, other investors as well. So it gives me a true opportunity to get some sense on, hey, is this idea really going to take off? That's number one. Number two, I think the execution. So Data Tribe is not just telling, hey, yes, the price money is great,
Starting point is 00:14:46 but they're also coaching me. They're also educating me. They're also opening new doors and helping me in the overall execution of moving it from it's no longer an idea. It's now a minimally viable product. It's an MVP.
Starting point is 00:15:01 How do we take that MVP and essentially make it to something that can be, you know, widely adopted and widely loved by, you know, customers and partners and everyone alike. Alex Moss is CEO at Northstar.io, a risk-based vulnerability management company. Refinement and messaging. And I would say that's number one. We're a very technical organization and we like what we've built and we like what we're doing and we like to talk about it. A lot of times that doesn't translate to good marketing and good messaging. So we've worked very hard over the last year in refining our messaging and how we talk to
Starting point is 00:15:39 people and kind of walking them down a path to understand how we can solve their problem quickly and get them to near-term ROI, but also share with them the longer vision of how we can mature the solution to continue to extract value over time. And we're already seeing the results of working with the team at Datatribe and helping us further refine and craft that messaging so that we're able to help communicate the value, not smooth over the complexity, but not highlight it when it's unnecessary. Greg Baker is co-founder and CEO at Balance Theory, a company focused on helping organizations deal with emergent threats using technology and collaboration. What our core mission is, is really uniting the world of cybersecurity in a way to operationalize that knowledge and allow
Starting point is 00:16:37 people to take advantage of it for better defense that they can take to their enterprises, that is a type of model and a type of mission that really requires everybody to look at it and buy in. And whether or not you're somebody that's an enterprise CISO looking at securing their internal organization better than it is today, or you're a service provider looking to build more intimate relationships with your clients to help them solve problems more rapidly, or you're an analyst group that is putting out thought leadership around new frameworks like Zero Trust that want to see the adoption level and help clients understand how to adopt it, higher education, the list goes on. Really giving them a place to come in and build this community is key. So for us, as much as investment is fueled
Starting point is 00:17:26 to help a product develop faster and help strengthen the capability and add to that, it's really about spreading awareness and really getting additional eyes on the mission and getting additional eyes on the approach to really help build and formulate this thing that's not just for us as a product company or builder, but really for the community at large.
Starting point is 00:17:48 And we value everybody's opinion. We want the outcome of what we're working on to be something that really drives lasting generational change for those that really have made the opportunity to make cybersecurity their career and their self-mission, and give them a home that allows them to learn, to share their insights, to share their knowledge, and collaborate at scale and take that institutional knowledge with them throughout their career and throughout their journey. Our thanks to Vinu Thomas from Webified, Alex Moss from Northstar.io, and Greg Baker from Balance Theory for joining us. The DataTribe Challenge is coming up November 3rd.
Starting point is 00:18:41 And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, great to have you back. Hey, Dave. So it is Halloween as we air this. Yes, it is. Which means a couple of things. First of all, you've crawled out of your crypt.
Starting point is 00:18:59 You've crept out of your cave to join me today on I know what is one of your favorite holidays. It absolutely is. It totally is. It is the Howard event of the year. Right, right. You're that guy in your neighborhood who goes all out, right? Yes, I am, yeah. Do you have your 12-foot tall skeleton from Home Depot? My wife forbade me from going near that aisle, so I do not have that one yet. Okay, I see. You're fully subscribed. All right, well, fair enough. But welcoming you back also means that it must be time for another season of CSO Perspectives, which, of course, is over on the pro side of the Cyber Wire. What do you have in store for us this season, Rick?
Starting point is 00:19:43 Yeah, we are back. CSO Perspectives is starting its 11th season, if you can believe that. And the interns in the bowels of the CyberWire sanctum sanctorum, you know, they've been working on some fantastic stories. One is the current state of identity. I have an interview with the CEO of Ping, Andre Durand. And I don't know if you know this, Dave, but he's been in the industry since the early 2000s. So he's seen a thing or two. And his vision of where identity is going is fascinating. Is there anything in particular that you're hoping to glean from that interview? It's just that I wasn't paying attention to it. And where he
Starting point is 00:20:21 thinks it's going to go, it's going to be much more personalized, where he would like it to go, where we all own our own identity and we don't have to be captured by the big Silicon Valley giants. So I hope his vision comes to fruition. We'll see. Yeah. What else are you working on? So the interns are also working on a Rick the Toolman episode about how to apply MITRE ATT&CK in cloud environments.
Starting point is 00:20:46 And this is one of my pet peeves because as an industry, we just aren't very good at it. And we should be. You know, if the bad guys are going to attack us using the MITRE ATT&CK sequences, why aren't they doing it in the cloud? We just don't see that much evidence of it. So we're going to talk about how we can get better at that. Is it cloud specifically, or is it coming up short with the MITRE ATT&CK sequence in general? We just haven't seen a lot of reporting of, you know, known adversary groups like the,
Starting point is 00:21:20 you know, like the bears, you know, going after the cloud environments. Now they'd have to use different techniques, clearly, right? Because it's a cloud environment and not your data center. But there hasn't been a lot of reporting on that. But I think that's starting to change, and that's good news. Yeah, interesting. What else? So, we also did an all-hands call to our subject matter experts that regularly come to the CyberWire's Hash Table. We wanted them to discuss strategies for how security newbies could become CISOs sometime in their careers. And this was actually a topic suggested by one of our listeners, and we were only too happy to oblige this guy.
Starting point is 00:21:53 Yeah, that's fascinating to me. How many people, when they're starting out, do you think have that CISO position? How many people do you think set their sights on that? Do you think it's common? I don't know. You know, when I was starting, I always thought that that's the pinnacle. You know, if you get to be a CISO somewhere, that's probably the highest you're going to go unless you change careers. I'm not so sure that's the case anymore. And it's a really hard job. So it's not for everybody. So in that episode, we'll try to figure out, we'll try to lay out what's good
Starting point is 00:22:25 and what's bad about it. And you can decide for yourself if that's what you want to be. It strikes me that with the short tenure we see from CISOs these days and the high turnover, be careful what you ask for. Yeah, no kidding. Yeah, no kidding. Yeah, absolutely true. Speaking of CISOs, something that you and I talked about back at RSA were virtual CISOs. And I know you're going to talk about that as well. Yeah, we both noticed this kind of thing gaining ground at the RSA conference. And so we're going to talk a little bit about it. And I think it signifies a major shift in what a CISO's job is, right?
Starting point is 00:23:01 It's not there yet. You know, they're still typical CISOs that we've seen before, but this virtual CISO job, you know, basically a contractor comes in and fixes some things and then heads out the door. That's a different role, and we're going to talk about that. Yeah, interesting. You've got some good interviews coming up as well.
Starting point is 00:23:20 I know books are one of your favorite things in the world, and you've got a good author you're going to talk to. Yeah, we got an interview with Andy Greenberg about his new book called Tracers in the Dark, and I just finished reading this thing. It is the best cybercrime book I've read in the past 10 years, and it's about how law enforcement has cracked the blockchain in general, and Bitcoin specifically, with something called chain analysis. And if you thought you were anonymous using those tools, well, guess what, Dave? You're not. Okay. They figured out how to do all that. Okay. And so Andy covers many of the big cases that law enforcement have solved the last five years or so. So it's just fascinating. Yeah. Andy is always a good
Starting point is 00:24:02 interview and of course, needless to say, a great author. I look forward to hearing that one. Yeah. And so finally for this week's show, we finally got to this week's agenda. We're doing a special for Veterans Day. That's Veterans Day, not Veteran's Day, no apostrophe. Because according to the Department of Defense, this annual holiday is not owned by the nation's veterans. Everybody owns it. It's a day for honoring all veterans and the family and friends that support them. And our friend, Dave, Elliott Peltzman, he's our senior sound engineer here at the CyberWire. He really made this one special. We're both very proud of it, and I hope everybody will give it a listen. Yeah, well, definitely have to check that out. It is CSO Perspectives. It is part of CyberWire Pro, which you can learn all about on our website, thecyberwire.com.
Starting point is 00:24:50 Rick Howard, always a pleasure. Thanks for joining us, my friend. Thank you, sir. Thank you. Be safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
Starting point is 00:26:17 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios
Starting point is 00:26:30 of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester,
Starting point is 00:26:40 Brandon Karp, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin. Thanks for listening. We'll see you back here tomorrow.
