CyberWire Daily - Cyber phases of a hybrid war. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous claims. A Declaration for the Future of the Internet.

Episode Date: April 29, 2022

Russian and Ukrainian operators exchange cyberattacks. Wiper malware: contained, but a potentially resurgent threat. #OpRussia update. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our guests are Freddy Dezeure and George Webster on reporting cyber risk to boards. A Declaration for the Future of the Internet. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/83

Selected reading.
Russian missiles bombard Kyiv during UN chief's visit (The Telegraph)
Zelenskiy urges 'strong response' after Russia strikes Kyiv during UN Ukraine visit (the Guardian)
Anonymous hacked Russian PSCB Commercial Bank and companies in the energy sector (Security Affairs)
Ongoing DDoS attacks from compromised sites hit Ukraine (Security Affairs)
Ukraine's Digital Battle With Russia Isn't Going as Expected (Wired)
CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine (CISA)
Government and researchers keep US attention on Russia's cyber activity in Ukraine (The Record by Recorded Future)
CISA Adds New Russian Malware to Cyber Advisory (Nextgov)
An Overview of the Increasing Wiper Malware Threat (Fortinet Blog)
Cyber Attacks Hit Romanian Government Websites (Balkan Insight)
More than $13 million stolen from DeFi platform Deus Finance (The Record by Recorded Future)
Coca-Cola Investigates Hacking Claim (Wall Street Journal)
Coca-Cola investigating data breach claims by Stormous group (Computing)
Has 'clown show' hacking gang Stormous really breached Coca-Cola? (Tech Monitor)
Delta Electronics DIAEnergie (CISA)
Johnson Controls Metasys (CISA)
A Declaration for the Future of the Internet (The White House)
FACT SHEET: United States and 60 Global Partners Launch Declaration for the Future of the Internet (The White House)
US joins 55 nations to set rules for internet, with eye on China and Russia (South China Morning Post)
China, India, Russia missing from future of internet pledge by US, EU, and 33 others (ZDNet)
US, partners launch plan for 'future' of internet, as China, Russia use 'dangerous' malign practices (Fox News)
U.S. joins 55 nations to set new global rules for the internet (Reuters)
Reporting Cyber Risk to Boards. Board Edition.
Reporting Cyber Risk to Boards. CISO Edition.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Russian and Ukrainian operators exchange cyber attacks. Wiper malware: contained, but a potentially resurgent threat. DDoS in Romania. Flash loan caper hits a DeFi platform.
Starting point is 00:02:12 Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our own Rick Howard speaks with Freddy Dezeure and George Webster on reporting cyber risk to boards, and a Declaration for the Future of the Internet. From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Friday, April 29, 2022. Wired summarizes Ukraine's operations in cyberspace and notes that even the Ukrainian operators are surprised by their defensive success. Kyiv's cyber operations have most prominently included
Starting point is 00:03:09 messaging the families of Russian soldiers killed during the invasion. It's a controversial tactic that has been criticized as gratuitously cruel. Ukraine says it has a humanitarian dimension as well. The families, Kyiv says, are certainly not going to get the truth about their sons from the Russian authorities. CERT-UA, Ukraine's cybersecurity authority, has warned that distributed denial-of-service attacks against Ukrainian targets continue. Quote, the government team for responding to computer emergencies in Ukraine, CERT-UA, in close cooperation with the National Bank of Ukraine, has taken measures to investigate DDoS attacks, for which attackers place malicious JavaScript code,
Starting point is 00:03:49 Brownflood, in the structure of the web pages and files of compromised websites, as a result of which the computing resources of computers of visitors to such websites are used to generate an abnormal number of requests to attack objects, URLs of which are statically defined in malicious
Starting point is 00:04:05 JavaScript code, end quote. The most alarming Russian operations have been deployments of destructive wiper malware. The effects of such attacks, however, seem to have been quickly contained. Fortinet offers a historically informed summary of wiper malware and its employment in cyber conflict. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, yesterday updated its alert on the wiper malware Russia has deployed during its hybrid war. Quote, this advisory has been updated to include additional indicators of compromise for WhisperGate and technical details on HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January, end quote. Additional indicators of compromise associated with WhisperGate are provided in an appendix to the alert.
Starting point is 00:04:56 Ukraine has attracted considerable hacktivist support. Hacktivism is usually ambivalent and seldom decisive, but in this case the Anonymous collective has achieved a nuanced level of annoyance through doxing Russian organizations. Security Affairs says Anonymous has released files that appear to have come from Russian firms. First, Electrocentro Montaz, which provides electrical equipment to Russian electrical power generation and distribution centers: a 1.7 terabyte archive containing 1.23 million emails has been posted to DDoSecrets. Second, PSCB, Petersburg Social Commercial Bank, was hit by Network Battalion 65, an Anonymous affiliate. 543 gigabytes of 229,000 emails and other files have been posted to DDoSecrets. Finally, Aliette, a customs broker
Starting point is 00:05:46 that serves the fuel and energy sectors, has lost 1.1 terabytes of data, including more than a million email addresses, all of which have also been posted to DDoSecrets. Balkan Insight reports that Romanian government websites came under distributed denial-of-service attacks today. Bucharest characterizes the attacks as symbolic and well within the government's ability to contain and mitigate. According to The Record, Deus Finance, a decentralized finance platform, has acknowledged that it lost more than $13 million to online theft this week. The Record describes the incident as a flash loan attack. Quote, flash loan attacks involve hackers
Starting point is 00:06:25 borrowing funds that do not require collateral, buying a significant amount of cryptocurrency to artificially raise its price, and then offloading the coins. The loan is paid back, and the borrower keeps the profit. End quote. The Wall Street Journal says that Coca-Cola is still investigating the Stormous group's claim to have compromised company networks. Coca-Cola is being cautious, but many observers are skeptical. Stormous, which presents itself as a Russian criminal gang, and which appeared around the time of Russia's invasion of Ukraine, has done a fair amount of woofing about what would amount to a privateering campaign.
Starting point is 00:07:03 But others see them as scavengers, as people who pick up old data from dump sites and then claim to have obtained them from artful hacking. The investigation will tell. In the meantime, Tech Monitor quotes Recorded Future's assessment, which is that Stormous is known as, quote, a bit of a clown show, end quote. Recorded Future's Allan Liska says, quote, that doesn't mean they didn't successfully pull off the attack. It is possible, but I think many researchers are going to need additional verification before taking this group at their word. End quote. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, issued two industrial control system advisories yesterday covering Delta Electronics' DIAEnergie and Johnson Controls' Metasys. And finally, the U.S. and 60 other nations yesterday issued a Declaration for the Future of the Internet. A White House fact sheet says
Starting point is 00:07:50 the declaration aims at securing the following principles. 1. Protect human rights and fundamental freedoms of all people. 2. Promote a global internet that advances the free flow of information. 3. Advance inclusive and affordable connectivity so that all people can benefit from the digital ... of all, neither Russia nor China have signed on. ... for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
Starting point is 00:09:21 vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:10:23 Our own Rick Howard sat down with Freddy Dezeure and George Webster to discuss reporting cyber risk to boards. Here's Rick. I'm joined by Freddy Dezeure, an old friend of mine, the CEO of Freddy Dezeure BV and formerly the head of CERT-EU, and George Webster, the chief security architect at HSBC. Freddy, George, thanks for coming on the show. Nice to be here. Pleasure. You two belong to something called the Cyber Risk Metrics Working Group,
Starting point is 00:10:51 and the group has just recently published two versions of a study called Reporting Cyber Risk to Boards, Control, Measure, Report, Repeat. One version is for CISOs and another is for board members. So, Freddy, can you explain what the Cyber Risk Metrics Working Group is and what was the goal of the project? Yeah, sure. So, the project was set up about a year and a half ago. And because we saw a gap in the community in the way that people report in a quantifiable manner, in an understandable manner,
Starting point is 00:11:29 how people in the community report cyber risk to their boards or to their regulators or to their supervisors. And this gap is apparently across the board, geographically everywhere, companies have the same kind of challenge and people have difficulties to overcome that challenge and because we saw that gap we thought maybe it could be to bring together practitioners from the field and to have them share with each other what worked well in their environment in
Starting point is 00:12:02 a in a trust group and then extracts from those exchanges the essence of what we think could be useful for the broader community. And the outcome of that discussion in this working group is the two white papers that have been published just recently, three weeks ago. So, George, I was happy to see that you all recommend reporting risk to the board as opposed to other low-level metrics. And I was also happy to see that you all recommend reporting risk to the board as opposed to other low-level metrics. And I was also pleased to see that you showed that there is a ton of metrics that the CISO might be interested in that will never be shown to the board, but that are essential for the CISO's risk assessment. Can you explain the thought process there? Freddie kind of elaborated a little bit on it.
Starting point is 00:12:47 there. Freddie kind of elaborated a little bit on it. But it's whenever you're running a business, right, you need to be able to speak the language of the business or to function in that way. So one of the things you want to do with the board is you want it to be able to just clear, concise way, explain to the board, what are the key things? Like, what is the risk that they're facing? Are they making the right investment? You know, are they secure and can the company operate? But at the same time, you really don't know where the attackers are, which means, you know, you have metrics galore in cybersecurity, which are all incredibly valuable and incredibly important, but they help drive the business and they help drive the business, in this case,
Starting point is 00:13:31 But they help drive the business and they help drive the business, in this case, cybersecurity, to make effective and pragmatic choices on how they're actually operating and running. So you really do have to have that separation. One is how do you effectively operate cybersecurity? And the other is how do you explain to the board and justify your budget and make sure everything works? So I work on a podcast called CSO Perspectives, where we talk about first principles in cybersecurity. And one of the key tenets is boiling down everything that we do as cybersecurity professionals down to the essence, the atomic thing that we're trying to get done. And what I think it is, is reducing the probability of material impact to our organizations
Starting point is 00:14:03 due to a cyber event. And all these board metrics, these metrics that you're talking about, flow into that equation so that we can give a generic sense to the board about what the risk is to the business. And so that's an assessment we tell them. But we can use all these other low-level metrics to feed into our calculation about what we tell the board. Is that the idea you're conveying here to the readers of this report?
Starting point is 00:14:28 Yeah, it's hard, right? Like if you think of cybersecurity and if you think of metrics, you don't know where the attacker is coming from, which means fundamentally you don't have a denominator. You can't really say this is how much profit I'm going to generate. And it's being able to take all those metrics together and try to distill them into something that is explainable to the board. So, like, you can talk, for instance: have I installed the antivirus product where it needs to be? Is it the right package? Does it have the right signature pack? Is it operating effectively? You know, all of a sudden you have, like, seven different metrics
Starting point is 00:15:00 you can't present just to the board. Here's all these metrics for antivirus. The CISO needs it. They need to understand is the business functioning, right? But the board doesn't. The board just needs to know like this risk that I have, is it being mitigated? Am I okay? Right.
Starting point is 00:15:17 And so that's kind of the essence of it. It's how do you take all those metrics? There's hundreds of metrics you have and distill it down to something that's consumable and the board can understand. So that's good stuff, guys, and we're going to have to leave it there. That's Freddy Dezeure, the CEO at Freddy Dezeure BV, and George Webster, the chief security architect at HSBC.
Starting point is 00:15:39 Their group is called the Cyber Risk Metrics Working Group, and the study is called Reporting Cyber Risk to Boards, Control, Measure, Report, Repeat. Thanks for coming on the show, guys. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions ... to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:17:00 And joining me once again is CyberWire contributor Caleb Barlow. Caleb, it's always great to have you back on the show. You know, I want to touch base today about some of the things that build up over time. I think you refer to it as digital exhaust in your home. I tend to be a bit of a pack rat myself when it comes to these things because it's so easy to hold on to things. But that's probably not the best way to go about it, is it? Well, my house has a digital exhaust like a big 18-wheeler semi-truck. There's a lot pouring out, and every now and then you want to clean it up. Well, I mean, here's the thing. You know,
Starting point is 00:17:38 there's a lot of reasons why you may not want people to know where you live or what your home looks like. Or worse yet, you know, if you're like many people that have bought a home in the last five years, all the pictures of the inside of your house are posted publicly on the internet. So how do we get rid of all that? And believe it or not, it's actually doable. Hmm. Go on.
Starting point is 00:18:00 Okay. So let's start with, you know, first off, just to set the kind of the baseline here, it's probably nearly impossible to get rid of all records of where you live. But we can definitely reduce kind of the overall impact. I mean, tax records are always out there. But interestingly enough, I mean, especially as we all get a little older, one of the things to think about is what happens when your day comes and you punch your ticket. You know, having your house in your name directly isn't the smartest idea for tax purposes anyway. So, you know, if you've ever talked with an estate attorney, they're going to encourage you to put your home in a trust so that it becomes easier to pass that along to your children or your heirs.
Starting point is 00:18:49 And, of course, when you put the name of your home in a trust, you don't have to name it the Bittner Family Trust. You know, you can call it something a little more obscure. So when those tax records show up, it's harder to find out where you live. Now, of course, you got to sell your house to do this. So this isn't the easiest piece of advice I'm going to give you today, but okay. Yeah, go on. Okay. So let's talk about something a little easier. So let's say you did just buy a house and all those pictures of the inside of your house are on places like redfin and realtor.com. You can actually make those go away. And I think it's a great idea because, you know, the last thing you need is a future employer or the ex-girlfriend going and digging through, where does he live, right?
Starting point is 00:19:28 What's it look like on the inside? So if you go to those sites, you can actually claim the home as your own. It's a simple click. You put in a little bit of information and then you're claiming the home and then you can remove the pictures. Now, if you want to have a little more fun in the more advanced class, they also let you add pictures.
Starting point is 00:19:50 And as far as I'm concerned, I don't think they have any way to figure out whether the pictures you might add are legit. So there's some really great stock images out there. I added a picture of a castle as my house. Why not? Right. So make the inside of your house bigger than the outside. Look, if you're going to go figure out where I live, then you're going to have to, you know, see some stock images and it's much better than it really is.
Starting point is 00:20:15 I like the subversive nature of that. That's very good, Caleb. We might as well have some fun with this day. Okay. Now, in addition to that, we've talked in this show before about the importance of changing your Wi-Fi SSID. And I'm not going to get into all the details now. You can go listen to those past episodes. If someone knows your SSID, which your phone's broadcasting all the time, it's really easy to figure out where you live. Change your SSID and change it to something like a car name or something that is not unique So you can't look it up on a map. You can also remove the image of your home from mapping services. And this was a fun one to play with. So literally Google maps and Bing, you can remove the image of your home. So I've seen where you can get it
Starting point is 00:20:58 blurred. Yeah, you get it blurred. So literally you go out and you know, they all have a little setting of report this. And one of the options on reporting it is home. And apparently it's irreversible. But the next thing you know, your home is blurred, which there was a time period where my house on Google Maps had a giant dumpster in front of it because I've been doing some work on my house. But also, no one needs to see where I live. Like, get that stuff out of there. So those are a couple of really quick things you can do to kind of clean up your digital exhaust on where you live and make it a little harder for someone to cyber-stalk you. Do you think we're ever going to reach this utopia that people imagine where,
Starting point is 00:21:41 in order for these things to happen at all, they're going to have to get permission that it's going to be opt-in rather than just vacuuming up everything and posting it. And it's up to you to ask them to remove it. Dave, we live in the United States. There's no way. Maybe there's a European utopian with GDPR, but there is no way, right? I mean, this is unfortunately going to be a constant battle. And I think, honestly, it's something we have to educate our kids on early on. Every now and then there are these moments in life where you've got to go back and clean up your digital exhaust. And, you know, one of those moments, when you graduate from college, make it all go away.
Starting point is 00:22:20 Everything you've done up to that point, there is no need for it to be out on the internet. Clean it out of what's publicly accessible. No future employer needs to be seeing your photos from your eighth grade soccer team, right? Get them out of there. Or worse yet, whatever else you got in there from your fun time in college. No, that's true. I've run into that of hiring folks who are recently graduated and, you know, do a Google search and interesting photos come up sometimes. And you try to try not to make that too much of a part of your hiring decision. But, you know, I mean, it crosses, again, right back to the same point with your house, too. You can tell a lot by looking at where somebody lives. You know, the creepiest thing is you can even see the inside of the house, right? Clear that stuff out of there.
Starting point is 00:23:12 There's no reason for that to be out of there. And have a control over who you are and what people see about you. Yeah. All right. It's good advice. Caleb Barlow, thanks for joining us. stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's episode of Research Saturday, where Dave Bittner sits down with Vikram Thakur of the Symantec Threat Hunter team to discuss their work on DAXN, stealthy backdoor designed for attacks against hardened networks. That's Research Saturday. Check it out.
Starting point is 00:23:59 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Brandon Karf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Karol Theriault, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
Starting point is 00:25:06 deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
