CyberWire Daily - Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. Google announces new support for Ukraine. DDoSing the Vatican. Google supports Ukrainian startups in wartime.
Episode Date: December 2, 2022
Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. DDoSing the Vatican. Andrea Little Limbago from Interos on the implications of Albania cutting off diplomatic ties with Iran. Our space correspondent Maria Varmazis speaks with Brandon Bailey about the Space Attack Research and Tactic Analysis matrix. And how Google supports Ukrainian startups in wartime.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/230
Selected reading.
Alert (AA22-335A) #StopRansomware: Cuba Ransomware (CISA)
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (Palo Alto Networks Unit 42)
New ways we're supporting Ukraine (Google)
25 new startup recipients of the Ukraine Support Fund (Google)
Vatican shuts down its website amid hacking attempts (Cybernews)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cuba ransomware pulls in $60 million.
CISA releases three ICS advisories.
DDoSing the Vatican.
Andrea Little Limbago from Interos on the implications of Albania cutting off diplomatic ties with Iran.
Our space correspondent Maria Varmazis speaks with Brandon Bailey about the Space Attack Research and Tactic Analysis matrix.
And how Google supports Ukrainian startups in wartime.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Friday, December 2nd, 2022.
The FBI and CISA warned yesterday that the Cuba ransomware operations have taken in aggregate some $60
million from more than 100 victims. The gang, it's worth noting, has no connection with the
country, government, or island of Cuba. Anyway, the Cuba gang has recently been deploying the
RomCom malware. This is a custom remote access Trojan used for command and control. The gang also seems
to be leveraging, as CISA and the FBI put it, Industrial Spy ransomware against its victims.
An account of indicators of compromise and appropriate defensive measures organizations
and individuals might take appears in the alert. Much of the intelligence on which the joint agency advisory is based
derives from research by Palo Alto Networks, and CISA and the Bureau cite earlier research by the
company's Unit 42, which tracks Cuba's operators as the threat group Tropical Scorpius. Unit 42
wrote back in August, the Cuba ransomware family first surfaced in December 2019.
The threat actors behind this ransomware family have since changed their tactics and tooling
to become a more prevalent threat actor in 2022.
This ransomware has historically been distributed through Hancitor,
which is usually delivered through malicious attachments.
Tropical Scorpius has also been observed exploiting vulnerabilities in Microsoft Exchange Server,
including ProxyShell and ProxyLogon.
As is so often the case, the underworld is willing to learn from the best,
which in a moral sense usually means learning from the worst.
Unit 42 goes on to say, The ransomware group uses double extortion alongside a leak site
that exposes organizations that have allegedly been compromised.
That said, this group didn't have a leak site when first observed in 2019.
We suspect the inspiration for adding one came from other ransomware groups,
such as Maze and REvil.
The Cuba ransomware leak site also includes a paid section
where the threat actors share leaks that were sold to an interested party.
Tropical Scorpius and its Cuba ransomware remain an active and ongoing threat.
Check out the joint advisory on CISA's website and read and heed the whole thing.
And while you're checking out CISA's website, do note that they have released three ICS advisories covering BD
BodyGuard pumps, MELSEC iQ-R series, and Horner Automation Remote Compact Controllers. If you
use those, take the steps that are required to remediate the vulnerabilities that CISA has flagged.
There's been much discussion of assistance Western governments have rendered in Ukraine
and cyberspace, including hunt-forward operations by U.S. Cyber Command.
Kyiv also continues to receive support from the private sector.
Google yesterday announced further measures it was taking to support Ukraine during the Russian invasion.
Google and its employees are providing some direct financial support, some $45 million,
as well as contributions of services in kind.
Google's statement said,
We're continuing to provide critical cybersecurity and technical infrastructure support
by making a new donation of 50,000
Google Workspace licenses for the Ukrainian government. By providing these licenses and
giving a year of free access to our workspace solutions, including our cloud-first zero-trust
security model, we can help ensure Ukrainian public institutions have the security and
protection they need to deal with constant threats to their digital systems.
Other assistance includes a range of cooperative cybersecurity services and help combating disinformation.
The aid being rendered in information operations includes both action against Russian disinformation
and measures taken to surface accurate information about the war.
Euronews reports that the Vatican sustained a DDoS attack against its sites shortly after Pope Francis made public
remarks interpreted as critical of Russia's war. The Pope has singled out some Russian conscript
formations as exhibiting significant cruelty in their operations. The DDoS attacks began Wednesday evening and were described as abnormal access attempts.
The Vatican offered no attribution, but Ukraine's ambassador wasn't shy about fingering Moscow's operators,
saying that the incident was a Russian cyber attack and entirely of a piece with other Russian actions during the war.
The ambassador described the DDoS as the work of terrorists,
which for a DDoS seems a bit overheated.
Finally, to return to Google and its support for Ukraine,
an unusual aspect of that support has been direct investment in Ukrainian startups.
As Mountain View wrote,
we also remain committed to supporting the Ukrainian startup ecosystem
and its vibrant IT and software sector.
Today, we have announced the last batch of recipients
of the $5 million Google for Startups Ukraine Support Fund.
Through this fund, we're allocating equity-free cash awards
to support a total of 58 Ukrainian-founded tech
companies, and we've been proud to lend our support to economic investment campaigns like
Advantage Ukraine. The most recent round of awards announced yesterday went to a wide range of
businesses, some providing educational services, others software, still others e-commerce and related solutions.
The goal would appear to be long-term economic development, not short-term capacity building.
Indeed, none of the recent 25 looks like a cybersecurity company.
The funding, Google stresses, is non-dilutive,
and so would leave the businesses under the control of their founders or other investors.
Heartfelt good luck to them.
Coming up after the break, Andrea Little Limbago from Interos
on the implications of Albania cutting off diplomatic ties with Iran.
Our space correspondent Maria Varmazis speaks with Brandon Bailey
about the Space Attack Research and Tactic Analysis Matrix.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Thank you. for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Our CyberWire space correspondent Maria Varmazis recently spoke with Brandon Bailey about the Space Attack Research and Tactic Analysis Matrix, or SPARTA.
Maria files this report.
In cybersecurity, we're no strangers to frameworks, matrices, and guidelines to help organizations better identify threats, share information, and harden defenses.
And for the booming space industry, there's now a new cybersecurity matrix specifically for them, called SPARTA, which stands for Space Attack Research and Tactic Analysis.
To learn more about SPARTA, I spoke with Brandon Bailey, cybersecurity expert with the Aerospace
Corporation. Brandon led in the creation of the SPARTA matrix and modeled it after MITRE ATT&CK.
He mapped out and categorized the tactics, techniques, and procedures
that could potentially be used by threat actors
to target spacecraft and space systems.
We felt like there's been a gap in the way people understand
the way threat actors could potentially attack a spacecraft.
So in my work over the past eight years or more,
talking to various entities about the way threat actors could essentially attack a spacecraft.
No one really knows how.
Like, how would they do it?
Some people don't believe that it's possible.
And so we figured out, okay, there's an inherent communication gap here where people aren't understanding how tactics, techniques, and procedures could
be implemented for a space system from a cyber perspective.
So we looked at kind of what industry standard has been as it relates to communicating tactics,
techniques, and procedures.
So MITRE put out a great framework, the MITRE ATT&CK framework in 2013, and it's been improved
vastly over this nine-year span.
If you go back and look at what was first published in 2013 to today, it's quite different.
So our subdivision, the Cybersecurity Advanced Platform subdivision within aerospace,
we've been publishing data basically since 2019 in the open side,
in the unclassified internet around cybersecurity for space systems.
So typically what we see is there's been a lot of information about
cybersecurity behind kind of closed doors and not really talked about for
space.
'Cause typically what we've done is publish PDF documents that, you know,
can't get updated regularly.
Can't be responsive to new threats and new TTPs and that type of thing.
So we wanted to make something that kind of could live,
be a living and breathing capability that we can update over time.
And that's basically how we got to where we are,
was years of research into just space and cyber and defensive mechanisms
and getting it into a digestible format,
which we leverage what we consider the industry best standard
with what was set forth by the ATT&CK framework back in 2013.
Yeah, excellent.
Yeah.
And you mentioned years of work.
And in that time, the landscape seems to have changed, or at least awareness seems to have
changed when things were sort of more theoretical, maybe when you began this project and now
they've become a lot more real.
Is that sort of aligning with what you've seen or do you feel like this is just sort
of catching up to where
things have always been?
So we don't have this
in the IT,
traditional IT world,
we definitely have
this large database
of just past intrusions
and past cyber events, right?
We have just this huge database
and the ATT&CK framework
actually documents
a lot of that stuff
and references.
So we have just tons of data.
We don't have
a huge database of those things on the space side.
So we're kind of in this middle ground area
where some things are theoretical.
What's the art of the possible?
And then some things are, hey, this has been proven by threat actors
or this has been proven in a lab environment
in like the Hack-A-Sat event at DEF CON
or this has been proven through some sort of cyber experimentation that we're aware of in our circles.
So it's kind of a mix of, you know, we've got evidence of these things happening in the wild,
or we've proven it in a lab environment.
And then there's a little bit of like, well, we feel like this is possible based on our research.
It just hasn't been proven necessarily yet.
But it's a large percentage of what's in SPARTA has been proven in labs or
in experiments, but not necessarily in the wild by threat actors yet.
And that's kind of where, and so what we're trying to really get ahead of is getting that
information out there of things that we think are possible or know are possible and what are the
defensive. So that's the big, I think, benefit of
the SPARTA stuff is more in the countermeasures and the defenses that we've placed in there.
It's not, hey, here's a problem.
This is how someone could potentially attack you.
It's here.
Yes, that's true.
But here are the ways to defend against it.
And that's where we put a lot of the research and work into the defensive side.
That makes sense to be proactive on that case.
I mean, certainly there's been a lot more attention paid
to different threat actors and escalating threats.
So it's good to get ahead of that.
Could you talk a little bit about how it has been received
in the time that you've been developing it
and now that it's come out to the world?
So it's just been overwhelming success
from a feedback perspective
because it just hasn't been brought together like that.
And what I say in a lot of the briefings and presentations that I talk about is
cyber and space systems traditionally has really been considered this black box.
It's the boogeyman that can get you as it relates to affecting your mission in a space context.
And it's not really decomposed into the nuts and bolts like we typically manage cyber for IT systems.
So this really helps with that.
Decompose that problem into something tangible.
It helps people understand in kind of layman's terms as much as possible how these can affect
you and that front.
It's all about making something available and usable for the space cyber community because
I think it's a gap that needed filled and we're going to continue to fill it soon.
That's excellent.
And Brandon, thank you so much for sharing about this.
And I look forward to speaking with you in the future about how SPARTA continues to develop
and be used in the industry.
Yep.
Thank you for your time.
Looking forward to continued collaboration.
If you'd like to take a look at the new SPARTA matrix or contribute or provide feedback,
you can go to sparta.aerospace.org.
For the CyberWire, I'm Maria Varmazis.
And I'm pleased to be joined once again by Andrea Little Limbago.
She is Senior Vice President for Research and Analysis at Interos.
Andrea, it is always great to welcome you back.
We are seeing some interesting movements around the world when it comes to, I don't know, the trickling down of cyber effects. I'm thinking specifically, we see Albania cutting off their diplomatic ties with Iran.
What are you making of this?
Yeah, so one, I think it's a very important area to keep an eye on
as far as whether other countries start following suit.
And really, for the context, Albania has declared that Iranian-linked groups attacked Albania.
And in response, they cut off the blank ties.
And then in response to that, more recently, the same group allegedly also attacked their national police system, Albanian national police system.
And we're talking cyber attacks here.
Cyber attacks, yep.
So we're seeing a range of tit-for-tat, but this is one of the first times where we've seen a government cut off diplomatic ties to another government for various kinds of adverse cyber behavior.
And as we've seen, I mean, we've seen so many different times.
We've seen the U.S. government say Russia or Iran or North Korea,
whoever is responsible. And getting to that point, if you remember, if you remember a long time ago,
like five years ago, there was a, you know, for quite some time, governments didn't want to actually formally declare that another country was behind a cyber attack. It was something that
just wasn't talked about openly. And really over the last decade, we have done a now enormous 180,
where in several years, the attribution was never done.
It's a sole trickle of attribution, but still kind of keeping it somewhat vague
so there wouldn't have to be any kind of diplomatic response.
Albania is one of the first that at least I'm aware of that has very bluntly declared attribution
and had a consequence of that being a diplomatic action.
And I think that's a pretty big deal.
It'll be interesting to see how that then,
whether that escalates.
And we're still seeing it.
It hasn't, for sure,
lessened the adverse cyber behavior going on,
but we have not yet seen it extend beyond the cyber domain. And I think
that's the area to look at, because it is very often, you know, what's going on in cyberspace
really is a reflection of broader, you know, of the physical world. And so we'll have to see
if it does then translate it over. And I mean, it has with the diplomatic effects,
but will there be even more in that regard? It's interesting that, you know, nations now have this new lever that they can pull
in addition to, you know, economic or even military. I mean, does it provide them one more
level of influence, you know, before you have to start, you know, slinging missiles over the
border or sending troops or cutting off supplies,
those sorts of things?
I think it could.
And I think we'll be interesting because we're also in an era where trade barriers and sanctions
are also increasingly a lever as leading up into, or hopefully, ideally, offsetting
in kind of military behavior.
And so it could very well be that we see cyber attacks, response with diplomatic.
If they continue, I would imagine one of the next components
could be other kinds of sanctions and trade barriers as well,
especially on the technologies as a future
or as a further escalation of that.
And that's what's really interesting,
and that's what we've seen for military conflict
and heightening of tensions.
Very often we see the starting more in a diplomatic area, see some have an economic impact and then into military.
And ideally those ones before are to prevent the military.
And this could just be now part of the normal progression of severing of ties where before it really wasn't.
Before there really weren't major diplomatic repercussions for groups linked to one government attacking another government.
And I think other governments are paying attention to see what happens with this, to see whether it's something they want to do as well.
Right. Well, and how interesting, because I suppose, I mean, is it fair to say that we're still in the mode where we're trying to establish what the norms might be?
Oh, we absolutely are.
I mean, there was some progress on that leading up to about maybe around 2016,
and then it really has almost flatlined since then as far as seeing progress on that.
And we're seeing very different norms emerge.
And that's something you and I have discussed in the past,
but really are seeing the bifurcation of the norms amongst those that really want to put some low-hanging fruit
for what agreed-upon norms for cyber behavior,
such as not attacking critical infrastructure,
not having various kinds of civilian infrastructure
attacked during wartime,
like those kind of things that generally have
a good analogy to the physical world.
And then there are others that really want to focus
more so on norms as far as everything that goes on within their own country is within their own
control. And then that actually tends to expand to other interests. And so there is definitely
not agreed-upon norms and behavior at the global level. I will say we just had a U.S. ambassador
to cyber go through nomination.
And so we now officially have that for the first time.
And so that's Nate Fick, who is former Endgame CEO.
And so we'll see.
He's got a tough job for him,
especially in this area of norms,
to really help almost corral those like-minded countries towards the area of solid cyber norms
and understand that may exclude some parts of the world
that don't want to adhere to some of those low-hanging fruit
that many like-minded countries agree upon.
So it'll be interesting to see what happens with that new role.
Yeah.
All right.
Well, Andrea Little Limbago,
Thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Jeremy Kennelly and Sulian Lebegue from Mandiant.
We're discussing their research, From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind.
That's Research Saturday. Check it out.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.