CyberWire Daily - Cyber incidents and lessons from Russia's hybrid war. Zimbra vulnerabilities exploited. New Lazarus Group activity reported. ICS security advisories .Insider trading charges from 2017 Equifax breach.
Episode Date: August 17, 2022

A DDoS attack against a Ukrainian nuclear power provider. The US Army draws some lessons from the cyber phases of Russia's hybrid war. Vulnerabilities in Zimbra are undergoing widespread exploitation. Reports of new Lazarus Group activity. CISA releases eight ICS security advisories. Carole Theriault looks at scammers and cryptocurrencies. Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security. And the SEC charges three with insider trading during the 2017 Equifax breach.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/158

Selected reading.
Ukrainian Nuclear Operator Accuses Russians Hackers Of Attacking Its Website (RadioFreeEurope/RadioLiberty)
Ukraine nuclear power company says Russia attacked website (Al Jazeera)
Ukraine Nuclear Operator Reports Cyberattack on Its Website (The Defense Post)
How electronic warfare is reshaping the war between Russia and Ukraine (The Record by Recorded Future)
Army lesson from Ukraine war: cyber, EW capabilities not decisive on their own (FedScoop)
Learning from Ukraine, Army cyber schoolhouse focuses on electromagnetic spectrum (Breaking Defense)
Cyber and full-spectrum operations push the Great Power conflict left of boom (Breaking Defense)
Microsoft Exchange alternative Zimbra is getting widely exploited, 1000s hit (The Stack)
CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suit (CyberWire)
Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA)
A signed Mac executable… (ESET)
Yokogawa CENTUM Controller FCS (CISA)
LS ELECTRIC PLC and XG5000 (CISA)
Delta Industrial Automation DRAS (CISA)
Softing Secure Integration Server (CISA)
B&R Industrial Automation Automation Studio 4 (CISA)
Emerson Proficy Machine Edition (CISA)
Sequi PortBloque S (CISA)
Siemens Industrial Products with OPC UA (CISA)
U.S. SEC charges 3 people with insider trading tied to Equifax hack (Reuters)
SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement (US Securities and Exchange Commission)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A DDoS attack against a Ukrainian nuclear power provider.
The U.S. Army draws some lessons from the cyber phases of Russia's hybrid war.
Vulnerabilities in Zimbra are undergoing widespread exploitation.
Reports of new Lazarus Group activity.
CISA releases eight ICS security advisories.
Carole Theriault looks at scammers and cryptocurrencies.
Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security.
And the SEC charges three with insider trading
during the 2017 Equifax breach.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 17th, 2022.
Russian nuisance-level attacks continue against Ukrainian targets,
most recently taking the form of a distributed denial-of-service action
against the website of Energoatom,
the Ukrainian state corporation that operates the country's four nuclear power plants.
Energoatom described the incident, which took place Monday,
as the most powerful hacker attack since the beginning of the full-scale invasion of the Russian Federation.
The corporation said the attack was mounted from the territory of the Russian Federation and carried out by the Russian group the Popular Cyber Army, a hacktivist front organization.
Energoatom said the attack used 7.25 million bots and lasted for about three hours.
The corporation said it had a negligible effect on visitors to the website.
Energoatom's plants include the presently occupied and besieged Zaporizhia nuclear facility.
The DDoS had no discernible effect on operations at this or any other plant.
The immediate risk to Zaporizhia is shellfire, not DDoS.
Some familiar and unsurprising lessons are among those the U.S. Army is drawing from its observations of Russia's special military operation.
First, non-kinetic attack techniques, including both cyber and electronic attack, are more prominent in the gray zone at the lower intensity portion of the spectrum of conflict.
When conflict moves to actual shooting, they remain useful, but they no longer have the centrality they did in the deniable gray zone. FedScoop quotes Lieutenant General Maria Gervais, Deputy Commanding General of U.S. Army Training and Doctrine Command,
as telling TechNet Augusta yesterday that the conflict also reveals an important aspect of both EW and cyber.
Neither is dominant on its own, and they work best when converged with other multi-domain effects.
She offered as an example of this observation that the ability to use electronic warfare to detect an adversary is most formidable when matched with long-range precision fires.
Second, Russian information troops, which had been thought of as roughly equivalent to U.S. Cyber Command, have turned out in fact to be optimized more for propaganda and counter-propaganda than for cyber operations, whether offensive or defensive.
Third, traditional electronic warfare, mostly jamming and radio direction finding,
has increasingly come into its own as the conflict moved into conventional warfare.
And while there's been a convergence of cyber operations with electronic warfare,
both are valuable insofar as they're integrated into combined arms operations.
General Gervais said, network will face in conflict with a peer or near-peer adversary. The unified network will need to operate in an environment where it will face significant challenges from EW and cyber.
It must be resilient enough to handle these threats while providing the army and the joint
force the speed and relevancy to converge multi-domain effects against an adversary.
Ukraine serves as a stark reminder of this challenge.
And fourth, cyber and electronic warfare capabilities require constant adjustment in combat.
Cyberspace, the fifth domain of conflict, is an artificial domain shaped by human activity in ways that the other four domains, land, sea, air, and space, are not.
Cyber capabilities in particular, a piece in Breaking Defense argues, are unlike a weapon that can be tested, validated, and put on a shelf in the knowledge that it will work when needed: deployed information warfare and cyber capabilities have to be continually tuned and optimized in order to be relevant to the warfighter.
The widely used Zimbra Collaboration Suite, which The Stack and others describe as a lower-cost alternative to Microsoft Exchange, is being widely attacked.
Small and medium-sized enterprises and schools are Zimbra's primary users, but it's also used by some banks and multinational corporations.
In all, The Stack says Zimbra is used by more than 200,000 businesses in over 140 countries.
As an aside, one of those countries is Ukraine,
where CERT-UA warned back in April that the CVE-2018-6882 vulnerability was undergoing active exploitation.
Yesterday, CISA issued an alert to the effect that
threat actors are exploiting multiple CVEs against Zimbra Collaboration Suite.
All of these are known vulnerabilities for which Zimbra has issued patches.
CISA urges all Zimbra Collaboration Suite administrators
to immediately update their systems, scan for indicators of compromise,
and take action to remediate any compromise they find.
ESET offers the latest in its ongoing reports of North Korean Lazarus Group activity, stating,
"A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation Interception by Lazarus for Mac."
The U.S. Cybersecurity and Infrastructure Security Agency yesterday released eight industrial control system security advisories, including products from Yokogawa, Delta Industrial, Emerson, and Siemens, among others.
You can find the complete list on CISA's website.
And finally, yes, public relations firms called in to help a company during a crisis
aren't supposed to trade on material non-public information.
Yesterday, the U.S. Securities and Exchange Commission announced charges against three individuals for illegally tipping and trading in the securities of Equifax in advance of the company's public announcement on September 7th, 2017, that it had experienced a massive cyber intrusion and data breach.
This case is a little different since it involves an officer with a PR firm, not someone from Equifax itself, who allegedly learned of the breach.
She then allegedly told her significant other, who then told his brother, and got his brother to do some trading so they could split the proceeds.
The SEC seeks injunctive relief and civil penalties against each defendant.
The SEC also seeks disgorgement of ill-gotten gains plus prejudgment interest.
The SEC points out that this is the third enforcement action it's taken with respect to events surrounding the 2017 breach at Equifax.
The earlier 2018 actions charged two former Equifax employees with insider trading.
So attention, PR types, you too should read and heed the insider trading laws.
If you decide to short, then maybe lawyer up so you don't get caught short.
Nobody likes a disgorgement. It even sounds bad.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Jennifer Reed is Chief Information Security Officer at cloud security company Aviatrix.
She shares her perspective on ways organizations need to adapt to the changing landscape of cloud security.
Well, I think you have two different paradigms.
You have a traditional enterprise perspective.
And what I mean by that is where you have multiple layers of security
defense, you know, multiple perimeters that separate the public internet from the intranet
and the WAN. And even when you're talking about that from an internal perspective, you know,
you have different DMZs and firewalls that create additional layers to protect sensitive data. And that sensitive data can be
personally identifiable data. It can be intellectual property. It can be a number of different things,
right? And so usually as you go to those different layers, access has additional levels of
restrictions. So not everybody has access to everything. And the reason for that is because you don't necessarily need to have access. And the more people that have access to sensitive data,
the easier it is for that data to be mishandled. And so when you have that type of paradigm and
you go into the cloud, that isn't possible the same way. What I mean by that is like a lot of
that is physical layers where you actually have different people that have access to different things depending upon their job
and there are isolated networks that allow them to do that but not have access to say the interfaces
with the data going across it, the data plane. And they have access to a control plane but not
the actual data running across it. Does that make sense? So what that means for the cloud is just
that everything is virtual. And so you don't have a separation. The people who have access to the
control plane are your cloud service providers, right? And so they maintain the instances that
are running in hardware and data centers. And so they have no access to the things running across it. But if I am
an enterprise, I need to deploy my services into those virtual networks. And so I have my own
networking and system admins that need access, but they can't go across the CSP's control plane,
right? It's completely segregated because it's infrastructure as a service. So it's all virtualized. And so then I had to put in logical controls that give me some of that separation and
segmentation. But at the same time, I can't have a pure management network that I'm traditionally
used to having, right? So I have to start to think about how do I provide that sort of segregation
and isolation and segmentation, but I have to think
about it in a way where I can't have the perfect isolation. But even in an enterprise, it's not
perfect, right? But I have to think about it differently because I can't institute those
same things in a public cloud. And so for the people who are charged with maintaining security
in this environment, I suspect this has been a bit of an adjustment for
them. It's an ongoing adjustment, right? Because, you know, one of the big things is that, you know,
especially something that's holding, you know, personally identifiable data or intellectual
property, I don't want it to have a public IP, right? And that's been traditional because I
normally have a DMZ. But unfortunately, how are you going to reach that asset?
And how can I provide control on that so I can limit the access to it, but still allow my services to run?
So I start to think about things from a control plane might have a public IP that has limited access to it.
but then internally it may have multiple internal private IPs and interfaces
that allow the data to run across,
but across a private network, right?
So I have to start thinking about,
even though if I think physically,
it's the same port on this virtualized machine,
you know, because traditionally you hadn't think,
you wouldn't think about it that way.
That is indeed the case.
And you have to think logically, I have these virtual interfaces that I will force the traffic
down so that all data traffic will go across the private interfaces.
And I'm limiting the access to this other interface for control traffic, right?
And so I have to think about how I can manage that and understand how to control that at
the different layers for different cloud service providers.
So you have to actually think about things differently instead of being so fixed in how we always did it.
Yeah.
Are there common places where folks trip up?
Yeah.
They allow developers to go into the cloud to do the development. They don't understand how they may
have initially deployed an instance. And what I mean by that is any cookbook that you use for
any cloud service provider, Amazon, Google, Azure, doesn't really matter. They try to make it easy
for you to get something going and running. And there will always be this asterisk, please limit this IAM policy, which is your identity access management policy for this instance, right, before you go into production.
And that's because they don't know how you're going to use it.
So they can't pre-formulate that for you.
And so they expect you to understand how that is.
But of course, developers just want to make stuff work, right?
And so they're like, I don't know how to restrict it, right?
I know.
And it's like, well, I don't know if I restrict it, it might break something.
That's the most common thing.
And they'll want to go all the way to the CIO and say, hey, if I restrict this, I don't know what it can break.
And we have this deadline.
It's this revenue.
And someone will sign off on it because, you know, it's like, well, what's the real risk?
And the problem is, is the security teams don't really understand what the risk actually is to help inform the CIO in that process.
Right.
And so they come around to security last.
And so there's this drive really with people I've talked to, other CISOs, desire to really start to embed security
in the app teams, right?
And so as they're developing and iterating
and creating these applications to really help them start
with a limited restricted policy as they're going and add the permissions as they need them, right?
And you don't want to be the naysayer, you know, to hold up a project or, you know, someone's
going to get an exception, which puts the company at risk, but more importantly, customer
data at risk, which is what we don't want, right?
We don't want someone's PII to be at risk. And what I mean by that is, you know, it's the thing that, you know, keeps a lot of
people up at night. It's not that, you know, you have a hack of your data. It's that someone's
grandmother's data, right, gets used and they then steal that person's identity.
And how much more difficult is it for that person to try to fix that, right?
They don't have the skills or understanding of even what happened.
And so that's the real person that, you know, you want to kind of protect, protect their
data and to protect their data, you have to protect the enterprise, right?
And also be able to train people to do the right thing.
Because I think app developers want to do the right thing.
But unless you pair them up with a security person to work collaboratively, you're not enabling them as effectively as you could to do it right the first time.
That's Jennifer Reed from Aviatrix.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
Our UK correspondent, Carole Theriault, has been looking into scammers and cryptocurrencies,
two things that sadly seem to go together more than anyone would like.
She files this report. Is it any surprise that scammers are cashing in big on the crypto craze?
A recent report from the FTC says that since the start of 2021,
more than 46,000 people have reported losing over $1 billion in crypto to scams.
That's about one in every four dollars reported lost,
more than any other payment method.
And can you guess what the top cryptocurrency used to pay scammers was?
70% of payments to scammers were done in Bitcoin.
Now, crypto has several features that are attractive to scammers, says the FTC,
which may help to explain why the reported losses in 2021
were nearly 60 times what they were in 2018.
They list three biggies.
One, there is no bank or other centralized authority to flag suspicious transactions
and attempt to stop fraud before it happens.
Two, crypto transfers can't be reversed.
Once the money's gone, there's no getting it back.
And three, most people are still unfamiliar with how crypto really works.
And perhaps no surprise, social media sites don't get off easy here.
Nearly half the people who reported losing crypto to a scam since 2021 said it started with an ad, a post, or a message on a social media platform.
And can you guess the top platforms identified in this report? Instagram and Facebook.
And another interesting little tidbit is that of the reported crypto fraud losses that began on social media, most are investment scams.
Basically, we're talking bogus investment opportunities.
And these scammers claim that they can make huge returns for investors.
But those crypto investments don't end up in your wallet,
but in the scammer's wallet.
When they do really try to cash out,
they are simply told to send more crypto for fake fees.
And of course, they don't get any money back.
The FTC capped off with a few reminders.
One, only scammers will guarantee profits or big returns. No cryptocurrency investment is ever guaranteed to make money, let alone big money.
And two, nobody legit will require you to buy cryptocurrency, not to sort out a problem, not to protect your money. That's all a scam.
And you know, I'll add on to that. It's really important to be honest with yourself.
Before you dabble in crypto and get all excited, make sure you know your onions from your Bitcoins.
Because for every single person that claims to have won big, there is a huge number that have lost their shirts.
This was Carole Theriault for The Cyber Wire.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.