CyberWire Daily - Cyber phases of a hybrid war continue at a nuisance level. IcedID’s distribution vectors. Automating software supply-chain attacks. CISA offers power supply risk mitigation guidance.
Episode Date: March 29, 2022

A cyberattack takes down a major Ukrainian Internet provider. GhostWriter is said to deploy Cobalt Strike against the Ukrainian government. Anonymous makes some large claims. This just in: spies drive... drunk: Ukrainian intelligence doxes FSB officers. Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams. Red-Lili automates software supply-chain attacks. Ben Yelin considers Russian cyber capabilities. Mr. Security Answer Person John Pescatore addresses security automation. And CISA offers mitigation guidance on risks to uninterruptible power supplies.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/60

Selected reading:
Russia says it will scale back near Kyiv as talks progress (AP NEWS)
Ukraine Claims Some Battle Successes as Russia Focuses on Another Front (New York Times)
Ukrainian telecom company's internet service disrupted by 'powerful' cyberattack (Reuters)
‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider (Forbes)
GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon (Security Affairs)
Secret World of Pro-Russia Hacking Group Exposed in Leak (Wall Street Journal)
Anonymous is working on a huge data dump that will blow Russia away (Security Affairs)
While Twitter suspends Anonymous accounts, the group hacked VGTRK Russian Television and Radio (Security Affairs)
Names and addresses of 620 FSB officers published in data breach (Times)
Russian spies unmasked in embarrassing blow for Vladimir Putin (The Telegraph)
New Conversation Hijacking Campaign Delivering IcedID (Intezer)
Spoofed Invoice Used to Drop IcedID (Fortinet Blog)
A Beautiful Factory for Malicious Packages (Checkmarx)
School of Hard Knocks: Job Fraud Threats Target University Students (Proofpoint)
Mitigating Attacks Against Uninterruptible Power Supply Devices (CISA Insights)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A cyber attack takes down a major Ukrainian Internet provider.
GhostWriter is said to deploy Cobalt Strike against the Ukrainian government.
Anonymous makes some large claims.
This just in, spies drive drunk.
Ukrainian intelligence doxes FSB officers.
Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams.
Red-Lili automates software supply chain attacks, Ben Yelin considers Russian cyber capabilities,
Mr. Security Answer Person John Pescatore addresses security automation, and CISA offers
mitigation guidance on risks to uninterruptible power supplies.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 29, 2022.
Reuters reports that Ukrtelecom, Ukraine's major telecom provider of both internet connectivity and mobile service,
sustained a major cyberattack yesterday. It was apparently a distributed denial-of-service attack, which Ukrtelecom described as temporary difficulties with the installation of new internet sessions for Ukrtelecom customers.
NetBlocks confirmed that Ukrtelecom's service had indeed been disrupted,
with real-time network data showing connectivity collapsing to 13% of pre-war levels.
Forbes quotes senior Ukrainian officials as saying they're
presently unsure whether the attack was a conventional distributed denial-of-service
attack or represented a deeper intrusion into Ukrtelecom's systems. The State Service of
Special Communications and Information Protection of Ukraine was quick to attribute the incident
to a Russian cyber attack,
which it said Ukraine had been able to mitigate.
Ukrtelecom gave priority to military users
and is said to be on the way to restoring full service for private and commercial customers.
This seems to be the most significant Russian cyber attack since the opening hours of the invasion,
but it still falls short of the disruptive attacks against Ukrainian infrastructure that have been widely expected.
GhostWriter, a threat actor associated with the Belarusian government, has been using spear-phishing
attacks to install Cobalt Strike Beacon in Ukrainian government systems. Security Affairs
cites CERT-UA as the source of the report. Cobalt Strike is a common
legitimate penetration testing toolset that's been turned to illegitimate use by criminals and,
as in this case, intelligence services. The Wall Street Journal has an account of a Ukrainian
researcher's infiltration of chatter by the managers of the TrickBot banking trojan.
The group interpenetrates Conti's operators, and the chats disclosed show a similar commitment to
Russia's war effort. They also indicate an interest in hitting Western targets, including
U.S. hospitals. But these should be taken with an appropriate grain of salt. Not only are the
leaks so far unconfirmed by official sources,
but criminals and privateers like hacktivists tend to crow large.
A similar tendency is probably in evidence on the Ukrainian side,
where hacktivists who claim allegiance to Anonymous say on Twitter
they're working on a data dump from their compromise of construction firm Rostprojekt.
Twitter has suspended some accounts associated with Anonymous,
but Security Affairs reports that the hacktivist collective is saying
that it's already counted coup against both the All-Russia State Television and Radio Broadcasting Company
and the Russian Central Bank.
Ukrainian intelligence services have released the names and addresses of 620 people they allege to be FSB officers.
The Times reports that, as well as names and addresses,
the list includes details of agents' cars, such as their number plates,
their phone numbers and dates and places of birth.
According to The Telegraph, some of the officers whose data were exposed
are believed to be operating in foreign countries, including the UK.
The data in the leaked files includes what appear to be entries in personnel files,
and some of it, in truth, is kind of cringey,
like observations that one officer likes luxury cars maybe a bit too much,
and that another drinks too much and has a propensity to violate traffic laws.
So what's next? Sudden unexplained wealth?
The incident is an embarrassing black eye for the FSB,
which has attracted President Putin's ire for what he retrospectively sees
as misleadingly optimistic intelligence assessments of Ukrainian public opinion and
will to resist a Russian invasion. Criminals are taking advantage of widespread sympathy for
Ukraine's experience under Russian aggression by preying upon people's desire to help out.
Grid News says the scams include conventional donation scams and more exotic appeals to those who would join the hacktivist IT army
that's formed under the uncertain direction of Kyiv to fight Russian interests.
There are reports that naive volunteer hacktivists have been induced to install malware in their devices
after being convinced that, no, really, they're helping set up distributed denial-of-service attacks against Russian networks.
Fortinet and Intezer independently report criminal campaigns to deliver IcedID,
a trojan that's been observed in the wild since 2017.
Fortinet describes spear-phishing emails with attached bogus invoices
that carry IcedID as their malicious payload.
Intezer reports that IcedID distributors have also turned to conversation hijacking as the means to deploy the trojan.
Proofpoint researchers report that employment fraud continues to appear at a high level
and that it disproportionately affects students at colleges and universities.
They say there are many variations
of this threat, including job offers as caregivers, mystery shoppers, administrative assistants,
models, or rebate processors. The goal of employment fraud isn't usually direct theft
from victims, but rather either theft of identities or credentials or the recruitment
of victims into criminal activity, as for example,
money mules. Checkmarx has been tracking the activities of the Red-Lili threat actor,
which has been engaged in using anonymous disposable npm accounts as one-time distribution
vectors for malicious packages. Red-Lili has developed the ability to mount these software supply chain attacks at scale.
According to Checkmarx, the attacker has fully automated the process of npm account creation
and has opened dedicated accounts, one per package, making the new batch of malicious packages
harder to spot. As Checkmarx notes, they're not the only researchers to have observed the activity. Both JFrog and Sonatype have reported on the malicious npm activity.
Red-Lili's allegiances and purposes remain obscure,
but the actor represents a clear threat to software supply chains.
And finally, CISA this morning issued guidance on protecting uninterruptible power supplies,
UPS devices,
not to be confused with the United Parcel Service.
CISA explains that UPS devices provide clean and emergency power in a variety of applications
when normal input power sources are lost.
The agency recommends that some well-founded best practice mitigations be applied at once.
They say immediately enumerate all UPSs
and similar systems and ensure they are not accessible from the internet. They say you
should check your UPS's username and password and see if it's still set to the factory default.
If it is, shame on you, but that's okay. Update it immediately. And they also say to ensure that
credentials for all UPSs and similar systems
adhere to strong password length requirements and adopt login, timeout, and lockout features.
Sound advice, courtesy of CISA.
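The one-account-per-package pattern in the Red-Lili item above is something a registry consumer can screen for on its own side. What follows is an added example, not code from the episode and not from Checkmarx, JFrog or Sonatype, and it makes no claim about how Red-Lili's packages actually looked. It applies four simple triage heuristics (an install-time script hook, a very recent publication date, a sole maintainer account with no other packages, and a name one or two keystrokes from a popular package) to constructed package records shaped loosely like npm registry packuments. The package names, maintainer usernames, the popular-package list, the maintainer package counts and every threshold are assumptions made for the example.

```python
"""Added example (not from the CyberWire episode or from Checkmarx, JFrog or
Sonatype): heuristic triage of npm package metadata for the disposable-account
pattern described in the Red-Lili item. All records below are CONSTRUCTED
sample data; the field layout loosely follows an npm registry packument, the
values are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 3, 29, tzinfo=timezone.utc)          # assumed "current" time
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # scripts npm runs at install
NEW_PACKAGE_DAYS = 7                                      # assumed freshness threshold
TYPOSQUAT_MAX_DISTANCE = 2                                # assumed edit-distance threshold
POPULAR_PACKAGES = ("lodash", "react", "express", "axios")  # assumed reference list


@dataclass
class Packument:
    """Subset of registry metadata a triage job would pull for one package."""
    name: str
    maintainers: list            # npm usernames listed as maintainers
    created: datetime            # registry 'time.created'
    scripts: dict = field(default_factory=dict)  # latest version's package.json scripts


# Constructed sample packages: one long-lived, one internal, two suspicious.
SAMPLE_PACKAGES = [
    Packument("lodash", ["jdalton"], NOW - timedelta(days=3000), {"test": "mocha"}),
    Packument("my-company-lib", ["acme-devops"], NOW - timedelta(days=2),
              {"postinstall": "node-gyp rebuild"}),
    Packument("lodahs", ["fresh-acct-0x1a"], NOW - timedelta(days=1),
              {"preinstall": "node build.js"}),
    Packument("colorz-utils", ["fresh-acct-0x1b"], NOW - timedelta(hours=6),
              {"postinstall": "node setup.js"}),
]

# Constructed: packages published per maintainer account (what a registry
# search by maintainer would return). A count of 1 is the
# "one disposable account per package" signature.
MAINTAINER_PACKAGE_COUNTS = {
    "jdalton": 300, "acme-devops": 12, "fresh-acct-0x1a": 1, "fresh-acct-0x1b": 1,
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; flags names a keystroke or two from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(pkg: Packument, counts: dict, now: datetime = NOW) -> list:
    """Return the indicators that fire for one package (empty list = nothing notable)."""
    reasons = []
    hooks = [h for h in INSTALL_HOOKS if h in pkg.scripts]
    if hooks:  # code that runs at install time, before anyone imports the package
        reasons.append("install hook: " + ",".join(hooks))
    if now - pkg.created < timedelta(days=NEW_PACKAGE_DAYS):
        reasons.append("published less than %d days ago" % NEW_PACKAGE_DAYS)
    if len(pkg.maintainers) == 1 and counts.get(pkg.maintainers[0], 0) <= 1:
        reasons.append("sole maintainer has no other packages")
    for popular in POPULAR_PACKAGES:
        # distance 0 is the popular package itself, not a look-alike
        if 0 < edit_distance(pkg.name, popular) <= TYPOSQUAT_MAX_DISTANCE:
            reasons.append("name close to popular package " + popular)
    return reasons


def flag_disposable_account_packages(packages, counts, now=NOW, min_indicators=3):
    """Map package name -> reasons for every package tripping at least min_indicators."""
    flagged = {}
    for pkg in packages:
        reasons = triage(pkg, counts, now)
        if len(reasons) >= min_indicators:
            flagged[pkg.name] = reasons
    return flagged


if __name__ == "__main__":
    hits = flag_disposable_account_packages(SAMPLE_PACKAGES, MAINTAINER_PACKAGE_COUNTS)
    for name, why in hits.items():
        print(name, "->", "; ".join(why))
```

The threshold of three indicators is what keeps an ordinary new internal package with a native-build postinstall step (two indicators here) out of the flagged set while still catching a fresh package from a single-package account that runs code at install time; in a real pipeline the counts would come from the registry and the flagged names would feed a hold or a manual review rather than an automatic block.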
Mr. Security Answer Person.
I'm John Pescatore.
Let's get into our question for this week.
Our question today comes from one of our listeners, Mr. Lucio Chagas.
How do you see the progress of automation in the great realm of the security landscape?
I would appreciate it a lot if you could link this to a little bit of history in the past versus future exercise.
Thanks a lot.
Thank you, Mr. Chagas.
This will be a fun one to answer.
First, let me make an absolute statement.
You cannot automate what you don't already know how to do.
Doing the wrong things faster is rarely a winning strategy.
This flows directly from the definition of security automation that I like to use, which comes from Red Hat.
Security automation is the use of technology that performs tasks with reduced human assistance
in order to integrate security processes, applications, and infrastructure.
I like this definition because it points out several important things.
Security automation can reduce but not eliminate the amount of human effort required
or the security skills required to perform certain tasks.
Often, integration between security processes is what's called automation or orchestration
because such integration reduces the manual effort
often involved in getting critical security information from one step in a process to the
next. It points out that you must first have accurate and effective security processes,
applications, and controls in place before you can automate. So security automation is not and
will never be an "instead of hiring a lot more security people, dump a lot of data into a software product and it will protect you" kind of deal.
You must have at least all the security basics in place, for example, the first two implementation groups of the Center for Internet Security Critical Security Controls, before you can benefit from automation, and to get to that point, you need a skilled security staff.
The second must-have before security automation can be effective is that the automation technology has to be fast enough and accurate enough,
as in low to zero false positives,
and the action taken has to result in minimal or ideally no business disruption.
A lot of security automation technologies talk about zero false negatives:
"We did not miss a single Heartbleed attack," but never mention a false positive rate:
20% of the time, what we called a Heartbleed attack was really a legitimate access.
Similarly, stopping a threat but crashing complex business applications and transactions is rarely a net positive for the business.
Some examples in the past where those two requirements have been met and security automation has proven to be valuable:
Signature-based antivirus. A file matches a known malicious file signature and we automatically delete it, versus just warning the user and flagging for security review. We like to trash signature-based approaches because of their high false negative rate, but their lack of false positives enables automation.
Web security gateways. We block user access to known bad URLs. We don't just warn the user and hope they comply. Again, low false positives is key.
Having the required fix-by date triggered by a vulnerability rescan. Integrating trouble ticket data with automated vulnerability scans to automatically update trouble ticket priority as it ages. Low false positive, low business disruption.
Network-based intrusion prevention. It's often called fancier things, but network-based intrusion prevention is where detection has reached zero false positive rates and mitigation can be done with no, or at most acceptable, business impact. We block or drop traffic versus just issuing alerts. A lot of threat-specific automation is really this type of action with a very narrow focus, but if it blocks network attacks, it is really a network intrusion prevention capability. The idea is, if we are 100% certain something is bad, why let it through?
These may sound like very simple use cases, but they are all very valuable in freeing up scarce skilled resources to focus on the hard problems, allowing us to use pieces of software and less skilled or experienced analysts to handle more routine issues.
An extension of this is where the integration of data and the application of smart software, which could be but does not have to be machine learning, is used to prioritize alerts or action recommendations to reduce time to respond. Not very sexy automation, but very powerful in reducing time to detect without increasing staff.
But a lot of the automation examples tossed around are where detection, analysis, response,
and remediation are magically all automated. An old example was where a credentialed vulnerability scan could identify unpatched servers and automatically install the patches.
But there are often valid business reasons why a server had to be left unpatched and forcing patches would disrupt operations.
Not to mention that in most organizations, the security group is not responsible for patching.
More recent examples are around detecting an attack and automatically changing firewall or IPS rules
or server OS configurations.
Almost none of these are practical yet in the real-world, complex business application environments we're in.
False positives and mitigation rates are just too high.
So, Mr. Chagas, to summarize,
integration of well-thought-out security processes is a powerful form of automation that can reduce time to detect, respond, and restore.
It takes skilled security folks and very accurate security tools to reach that point.
In certain areas, many have done just that.
This level of automation can allow lesser-skilled security staff to handle more security events per shift, which enables our limited security unicorns to focus on the more difficult issues.
And that is a huge gain.
But hyped-up security automation, as in AI detects and kills attacks fast,
is a long way away from more than the simplest of attacks in the real world.
I think the most likely area where we'll see near-term advances in more sophisticated automation
will be by embedding
security policies into the kernel level of virtual environments such as VMware and cloud-based
applications. There's an intersection of security admin, app admin, and virtual platform admin
where the AWS's, Azure's, Google Cloud Platform folks do amazing stuff. If you can get those
three worlds to cooperate in the virtual data center, more amazing automation is possible.
Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month
right here on the CyberWire.
Send in your questions for Mr. Security Answer Person to questions at thecyberwire.com.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article caught my eye. This is from Kim Zetter, writing over on Politico, really highlighting what we have and have not seen when it comes to cyber capabilities in this ongoing war in Russia and Ukraine. What's going on here, Ben?
Yeah, so maybe I'm out of line here, but I almost found this article somewhat reassuring.
So we know that our intelligence agencies, the CIA and the NSA, have spent decades now
spying on Russia's computer networks. They are collecting intelligence, both for the purposes
of figuring out what Vladimir Putin's going to do, as they
did prior to this war in Ukraine, but also for the potential to order destructive cyber attacks
on Putin's regime. I think we've always imagined that we would use this as a defensive weapon,
that if we were attacked with some type of kinetic or cyber incident, that we would want to have the
capabilities to respond in kind.
But what this article gets at is both sides, the United States and Russia, are treading very slowly
in this potential cyber conflict. And I think the reason they are treading slowly
is the same reason we didn't have widespread nuclear Armageddon during the Cold War,
and that's mutually assured destruction. We don't know exactly what Russia's
capabilities are, but if we went in and, you know, for the purposes of responding to Russian
aggression in Ukraine, damaged the critical infrastructure in Moscow, we shut off the lights,
we damaged the sewer system, water treatment plants, etc. There's a very real fear that they
not only would retaliate against us, which
would escalate the conflict, and that certainly could be very difficult for our own citizens,
having power cut off in a major American city or attacks on other parts of our critical
infrastructure, but it could escalate from there. The cyber warfare could lead to kinetic warfare, which could eventually lead to a place where none of us want to be, which is a full-on war between two nuclear powers.
So I just thought it was interesting and encouraging that both sides are treading lightly.
Our government hackers have been working for the past couple of decades to develop these capabilities. I just think there's the reluctance to use them knowing that Russia potentially has the capability to retaliate.
I find it fascinating that we look at this and in retrospect it makes absolute sense.
But this is not the way that people were thinking going into this conflict.
What do you make of that?
Right. I think people were expecting that Russia would have already used
offensive cyber operations in Ukraine to help their war efforts,
so shutting down Ukrainian power grids.
A point that you made on the Caveat podcast when we discussed this is
they really haven't done that because they think it would be detrimental
to their own war effort. They've needed to use the same cellular networks that are already deployed in Ukraine
for their offensive military operations. So I think we haven't seen that yet as part of this
conflict. I think the conflict has been, I don't want to say traditional, but has kind of been more of a 20th century type of
warfare. They, with their military through air and ground support, invaded a sovereign foreign
country and we responded with economic sanctions. I think that's the safest place for all of us to
be right now, given that this could potentially turn into a large global conflict. I think people imagine that if they destroyed Ukrainian power grids or
nuclear facilities or something or any other attack on critical infrastructure,
I think people were anticipating that we might use our cyber capabilities to do the same in Russia.
But I think there is a real reluctance to do that
because of this fear of escalation. Breaking into their country's core systems is something we,
frankly, have been able to do. It's kind of a power that we can't use lightly.
Because if our calculus is wrong and we use this as an offensive weapon, as we said in the 2000s, we don't want the smoking gun to be a mushroom cloud.
Yeah.
To what degree is this situation establishing norms in cyber conflict?
Because this is all new, right?
A hybrid war like this is still relatively new.
So to what degree, if any, is this establishing future rules of the road?
I think it's really unclear. It's a unique situation when we're dealing with Russia,
as opposed to some of our other adversaries,
whether they are nation states or terrorist groups. For one, they've lost a lot of their
economic power as a result of this war, but they're still a nuclear-armed country.
And we also have reason to believe that they have enhanced cyber capabilities. We've seen
them perpetrate cyberattacks before. Certainly their involvement
in the 2016 election, GRU, indicates that those capabilities are there. So we know that they could
respond in kind. I'm not sure that that would be the case in other cyber conflicts across the
world. So I don't think this is setting any broad ground rules for cyber warfare. I think the fact
that it is Russia is significant for the reasons that I mentioned. So I think it might not be
precedent setting, but I think it's just an interesting outgrowth of the conflict that
we're seeing now. Yeah. All right. Well, that article is over on Politico. It's written by
Kim Zetter. It's titled "Not the Time to Go Poking Around: How Former U.S. Hackers View Dealing with Russia." Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.