CyberWire Daily - Cyber ops and a side benefit of sanctions. BlackCat wants $5 million from Carinthia. Fraudster pressures Verizon. Spain responds to surveillance scandal. CISA has 5G implementation guidelines.
Episode Date: May 27, 2022

Pro-Russian DDoS attacks. Sanctions and their effect on ransomware. BlackCat wants $5 million from Carinthia. A fraudster pressures Verizon. Spain will tighten judicial review of intelligence services. Johannes Ullrich looks at VSTO Office Files. Our guests are Cecilia Marinier and Niloo Howe with a preview of the RSAC Innovation Sandbox. CISA releases ICS advisories and, with its partners, issues guidelines for evaluating 5G implementation.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/103

Selected reading.
Hacktivists Expanding DDoS Attacks as Part of International Cyber Warfare Strategy (Imperva)
Cyberattacks against UK CNI increase amidst Russia-Ukraine war (Intelligent CIO Europe)
A cyberwar is already happening in Ukraine, Microsoft analysts say (NPR.org)
NSA: Sanctions on Russia Having a Positive Effect on Ransomware Attacks, Attempts Down Due to Difficulty Collecting Ransom Payments (CPO Magazine)
BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (BleepingComputer)
Hacker Steals Database of Hundreds of Verizon Employees (Vice)
Drupal Releases Security Updates (CISA)
Keysight N6854A Geolocation server and N6841A RF Sensor software (CISA)
Horner Automation Cscape Csfont (CISA)
Spain vows legal reforms in wake of spying allegations (MSN)
Spain's PM vows to reform intelligence services following phone hacking scandal (The Record by Recorded Future)
Spain set to strengthen oversight of secret services after NSO spying scandal (Times of Israel)
CISA and DoD Release 5G Security Evaluation Process Investigation Study (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Pro-Russian DDoS attacks, sanctions and their effect on ransomware,
BlackCat wants $5 million from Carinthia,
a fraudster pressures Verizon,
Spain will tighten judicial review of intelligence services,
Johannes Ullrich looks at VSTO Office files,
our guests are Cecilia Marinier and Niloo Howe
with a preview of the RSAC Innovation Sandbox.
And CISA releases ICS advisories and, with its partners,
issues guidelines for evaluating 5G implementation.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 27, 2022.
Microsoft cautions in an NPR interview not to dismiss the cyber phases of Russia's hybrid war as inconsequential.
There has been no shortage of attempted disruption of Ukrainian networks since shortly before the Russian invasion began.
Imperva offers a timeline of distributed denial-of-service attacks conducted in the Russian interest by nominally hacktivist organizations.
Killnet is the most notable of those groups.
Imperva's timeline shows Killnet's development.
The gang first appeared on January 23rd as Russia was preparing its invasion of Ukraine.
On the 28th of February, four days after the Russian invasion began, Killnet issued a call to arms, seeking to rally hackers in Russia and the Commonwealth of Independent States to the Russian cause.
Along with that call was an invitation to subscribe to the Telegram channel of the Cyber Army of Russia, the better to follow Killnet's exploits.
Since then, Killnet has conducted various distributed denial-of-service attacks against easily accessible targets of opportunity.
On April 20, the U.S. Cybersecurity and Infrastructure Security Agency included Killnet in a list of Russian criminal groups that posed a potential threat to infrastructure.
Hacktivist, privateer, or simply a deniable group operated by Russian intelligence or security services, Killnet's targeting has been varied, but its activities haven't risen above a nuisance level.
DDoS is easy to attempt, but it's proving difficult to conduct with significant effect.
Ransomware operations appear to be on the way to becoming collateral damage in the sanctions that have been imposed on Russia.
CPO Magazine, citing recent remarks by NSA Cybersecurity Director Rob Joyce,
describes the ways in which controls on bank transfers and other remittance mechanisms have inhibited payments to ransom gangs.
They say ransom payments are more difficult to process due to lack of access to assorted banking options and inability to purchase necessary technology to set up the infrastructure for new ransomware campaigns.
Collateral damage in this case may be wayward as a description of what's going on, since the effect, while not directly intended, isn't unwelcome either.
Call it a side benefit. Call it gravy.
The Austrian state of Carinthia, under ransomware attack since Tuesday by the BlackCat gang, also known as ALPHV and a rebranding of DarkSide or BlackMatter, has received a ransom demand, according to BleepingComputer.
BlackCat wants $5 million to restore access to systems its attack disrupted.
Carinthian authorities say that the state's public-facing websites are down and that passport administration, collection of fines, and processing of COVID tests are among the services that have been affected.
They've found no evidence that BlackCat succeeded in stealing data, and indeed none of the usual teasers have been posted to the gang's dump site.
Carinthia does not intend to pay the ransom, and its services are beginning restoration today.
Verizon has confirmed to Vice that a scammer has contacted the phone company
with a claim to have accessed sensitive internal data.
Specifically, the scammer said they'd obtained an internal corporate employee database, which they threatened to release if they weren't paid a $250,000 bounty.
Verizon told Vice,
A fraudster recently contacted us, threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.
The U.S. Cybersecurity and Infrastructure Security Agency has released two industrial control system advisories.
The AP reports that Spain will increase judicial supervision of its intelligence agencies after
investigation revealed abuse of NSO Group intercept tools for domestic surveillance.
The AP writes, the Spanish government will tighten judicial control over the country's intelligence agency,
Prime Minister Pedro Sánchez said Thursday,
weeks after the agency admitted it had spied on several pro-independence supporters
in the region of Catalonia with judicial authorization.
The country's National Intelligence Centre, or CNI, has been under fire
since April after Canada-based digital rights group Citizen Lab alleged that the phones of
more than 60 Catalan politicians, lawyers, and activists had been hacked with controversial
spyware. The CNI later acknowledged in a closed-door meeting with Spanish lawmakers
that it had hacked into the cell phones of some of those politicians.
Finally, as U.S. federal agencies move, like other organizations, toward 5G technology,
CISA and its partners in the Department of Homeland Security's Science and Technology Directorate
and the Office of the Undersecretary of Defense for Research and Engineering
have released version 1 of its 5G Security Evaluation Process Investigation.
It outlines a five-step process organizations should follow as they implement 5G.
Step 1 calls for a use case definition to identify 5G subsystems that are part of the system, component configurations, applications, and interfaces involved in the operation of the system.
In step two, agencies should define the boundary
to identify the technologies and systems requiring assessment and authorization, taking into
consideration the ownership and deployment of the products and services that comprise the use case.
The third step, after determining the scope of the assessment,
is to perform a threat analysis of each 5G subsystem
with a view to mitigating the risks associated with it.
At step four, an agency should consult relevant federal security guidelines
and create a catalog of that guidance.
And finally, in the fifth step, the agency applies the guidelines, identifies any gaps in security guidance, and looks for ways to address them.
It seems a common-sense approach with an appropriately bureaucratic bent, but CISA hopes that it will provide an approach that's both uniform and flexible.
CISA invites feedback, and the deadline for comment is June 27th.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
One of the highlights of the upcoming RSA conference in San Francisco is the RSAC Innovation Sandbox Contest,
which puts 10 promising security companies in front of a panel of judges and a live audience
in hopes of winning the title Most Innovative Startup.
As part of the CyberWire's media partnership with RSAC, I spoke with Cecilia Marinier, Program Director for Innovation from RSAC, and Niloo Howe, Senior Operating Partner with Energy Impact Partners and one of this year's judges. We hear first from Cecilia.
So the RSA Conference Innovation Sandbox Contest actually started in 2005. It has been ongoing, with a one-year exception, from 2005 to today. So we've had 17 years of selecting top innovators in our field.
And the goal of the contest is to actually celebrate what's happening in innovation. We see a lot of
adversaries innovating. Well, we have a lot of amazing people on the positive side also
innovating. And this competition actually is very competitive and it selects the top companies
that are bringing out some highly important innovation in our field.
Niloo, you are on board as one of the judges this year. What attracts you to the Innovation
Sandbox?
Why is this something that you choose to participate in?
It's an incredible opportunity to spend time with entrepreneurs,
people who are really going after
the leading edge problems in cyberspace,
hear them out.
And I'll tell you, being a judge is incredibly hard
because we get,
when we start with over 100 companies and trying to select down to the top 10,
there are so many amazing entrepreneurs in our space. Every year, we duke it out because there's amazing people, there's amazing solutions, there's really big problems.
Some of them are problems that have been there for a while. Some of them are newer problems as technology innovates and we transform.
But it's just a remarkable opportunity to spend time thinking about these problems and
speaking with the entrepreneurs.
Cecilia, beyond the innovation sandbox itself, there's also the early stage startup area
at the RSA conference. Can you give us some insights on that?
So the early stage expo is situated on the second floor in Moscone South,
and it will host 35 different companies. They'll have 17 briefing sessions in the space.
And it's just a very cool area. It has a lot of companies that are coming from outside the US,
which is also really nice to kind of see the breadth of what's happening outside of our country.
But that area is interesting.
I would also recommend
that the other thing
that we're doing on our 365
is this innovation showcase
where we partner
with venture capitalists
and each month celebrate innovation
in different parts of the globe.
And that's something else people who are interested in innovation should be following.
If they want to follow it, it's great.
Niloo, I want to give you the last word here.
I mean, for folks who are coming to the conference who perhaps have never attended the actual Innovation Sandbox event,
make your pitch here.
Why is this something in a busy week that they should carve
out their time to include on their schedule? We are going to have 10 incredible entrepreneurs
that are thinking about leading-edge technology issues in the cybersecurity domain. Get on stage,
make a fast pitch, get ganged up on by a series of seasoned judges.
And they'll get a great sense of what it's like to pitch and to be questioned
and also get a really good broad sense of what's happening in the community.
So it's a really fun, fast-paced, high-energy event.
It's my favorite event, whether to watch or be a judge or participate in.
That's Cecilia Marinier from RSAC and Niloo Howe from Energy Impact Partners.
This year's Innovation Sandbox competition takes place Monday, June 6th, in Moscone South.
There's a lot more to this conversation. If you want to hear more,
head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this
and many more extended interviews.
Thank you.
suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, you and I have talked many times
about the issues with macros within Microsoft Office files.
I know there's some stuff you've been tracking
along these lines lately.
What's the latest?
Yeah, so macros, of course, are still, I think,
the predominant way malware enters Windows systems these days.
But it's getting more difficult.
Microsoft made it more difficult to use macros.
And some users actually caught on to the idea that whenever they open a macro,
their system gets encrypted.
So there are some correlations here that show up sometimes.
But it turns out that with macros kind of becoming more difficult to use,
there are actually some other techniques
that people have discussed in the past.
Like this goes back to sort of 2018.
But now it's sort of getting more steam
because it's sort of a replacement for macros.
And it is these Visual Studio for Office files, which is sort of a macro technique.
It's more an add-in to a Word document.
What better than receiving a Word document that includes a binary add-in to Office?
I can use it every day when I'm writing reports and things like that.
Not really, but it's a little bit of a feature.
Every file needs an executable, right?
Every word file needs an executable, yes.
And Daniel Skell sort of revived that a little bit
and wrote a blog about this recently in April
discussing how to create these documents.
As the name implies, you need Visual Studio.
So it's a little bit more work than your standard macro,
but the tools are being developed now to make it easy enough
where even an attacker is able to create those documents pretty easily.
Now, there are still some restrictions around these documents.
They have to be loaded from the right website,
but that's all a matter of actually how you disguise the macro.
Not macro, I should say the add-in.
And it has some interesting features, like, for example, automatic updates, where I can send you a little document that may not really look all that malicious,
but it will update itself once you open it and basically pull in additional code from a URL
that I probably put up with some cloud provider
or whatever kids these days like to post their malware.
Right.
So a way to maybe bypass that first look at the file itself.
Correct.
Bypass that first look, then the next download will come from a source that you may even have whitelisted, like some Office 365 file share or some Google Cloud service, whatever you may want to use here to deposit a file. It can really come from anywhere.
And the users aren't yet, at least, used to that kind of interaction. So it hasn't really sort of made it into our awareness training. Right now is a time when this type of attack probably will work best because our defenses aren't ready for it yet.
Is this the kind of thing where, similar to macros, that users can disable them by default?
They're a little bit more difficult to outright disable,
but typically you may see prompts,
but it all depends on where you exactly download them from.
If I manage to load a document into a trusted file share or something like this, then things are different.
If you are saving it first to your local disk, or if it arrives as an email attachment, then again, different rules apply.
So, I think it's still open to research
exactly how to best defend against this and
also what the exact warnings users will be seeing
and when they'll be seeing it.
Alright, well Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
Be sure to check out
this weekend's Research Saturday
and my conversation
with Symantec's Dick O'Brien.
We're discussing Stonefly,
North Korea-linked spying operation
continues to hit high-value targets.
That's Research Saturday.
Check it out.
The Cyber Wire podcast
is proudly produced in Maryland
out of the startup studios
of Data Tribe,
where they're co-building
the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Thank you.
AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.