CyberWire Daily - Cyber phases of a hybrid war. Google stops a Judgment Panda campaign and Symantec tracks Daxin. CISA updates its Conti alert. An alleged REvil member is arraigned in Texas.
Episode Date: March 10, 2022. Prebunking a provocation. A spot report on the cyber phases of a hybrid war. Google stops a Judgment Panda campaign against US Government Gmail users. Symantec continues to track the origins and uses of the Daxin backdoor. CISA updates its Conti alert. Josh Ray from Accenture has tips on Log4J. Our guest is Chetan Conikee of ShiftLeft with strategies for reducing attackability. And law northeast of the Pecos, as an alleged member of REvil is arraigned in Texas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/47 Selected reading. Vladimir Putin ‘plotting chemical weapons attack in Ukraine’ (The Telegraph) White House warns Russia could use chemical weapons in Ukraine (TheHill) Russia, China May Be Coordinating Cyber Attacks: SaaS Security Firm (eSecurityPlanet) More Than 5 Million Anti-Propaganda Text Messages Sent to Russians in Anonymous Information Warfare (Hstoday) Anonymous hacked Russian cams, websites, announced a clamorous leak (Security Affairs) EXCLUSIVE BNP Paribas bars Russia-based staff from computer systems as cyber attack fears grow (Reuters) CISA updates Conti ransomware alert with nearly 100 domain names (BleepingComputer) Google Blocks Chinese Phishing Campaign Targeting U.S. Government (SecurityWeek) Symantec tracked down one developer of ‘China’s most advanced piece of malware’ (Sc Magazine) Daxin Backdoor: In-Depth Analysis, Part One (Symantec) Daxin Backdoor: In-Depth Analysis, Part Two (Symantec) Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas (US Department of Justice) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Pre-bunking a provocation, a spot report on the cyber phase of a hybrid war,
Google stops a Judgment Panda campaign against U.S. government Gmail users,
Symantec continues to track the origins and uses of the Daxin backdoor,
CISA updates its Conti alert, Josh Ray from Accenture has tips on Log4J,
our guest is Chetan Conikee of ShiftLeft with strategies for reducing attackability, and law northeast
of the Pecos as an alleged member of REvil is arraigned in Texas.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, March 10th, 2022.
The Russian advance into Ukraine remains difficult at best, stalled at worst.
Russia's Belarusian ally seems to have
grown increasingly reluctant to join the kinetic fight, although it's providing aid in cyberspace.
Negotiations between the Russian and Ukrainian foreign ministers began in Turkey yesterday,
but without much result. That's to be expected. It's noteworthy that in the opening days of their invasion,
both Putin and Lavrov had made Ukrainian surrender a precondition of negotiation.
Moscow has clearly relaxed that hard line.
Western intelligence services, particularly in the U.S. and U.K.,
have been unusually open and forthcoming in their discussion of Russian actions against Ukraine.
Much of that openness has been devoted to what some journalists have called pre-bunking,
hitting the credibility of disinformation before it's found legs and gained traction.
Yesterday's warning by the White House that Russia may be planning to use chemical weapons
seems to be another case of pre-bunking a building provocation the Kremlin may be preparing.
Russian sources have claimed that Ukraine, probably with American assistance, has been
preparing both biological and chemical weapons, and those claims have been seconded and amplified
by Chinese media. Western sources see this as an incipient provocation. The Atlantic Council
describes the early stages of this
information operation as the Russian Foreign Ministry claims that Ukraine had intended to
use the nuclear plants at Chernobyl and Zaporizhia for nuclear provocations. That same ministry
confirmed that it had proof that Ukraine, with U.S. support, had tried to destroy evidence of Ukraine's ongoing biological warfare
program. White House Press Secretary Psaki tweeted a U.S. response to Russian allegations
denying that any such biological or chemical weapons program existed and pointing out Russia's
use of its Novichok nerve agent in the attempted assassination of a GRU defector and its support of the Assad regime's
use of chemical agents against internal enemies in Syria. She also noted that the disinformation
fits Moscow's style of provocation. Quote, also Russia has a track record of accusing the West
of the very violations that Russia itself is perpetrating. In December, Russia falsely accused the U.S. of deploying contractors with chemical weapons in Ukraine.
End quote.
Nuclear, biological, and chemical weapons are the three traditional classes of weapons of mass destruction
whose use has been either restricted or, in the case of biological weapons,
prohibited entirely by international law.
At the outset of his war,
Mr. Putin alluded to NATO and Ukrainian nuclear ambitions as offering partial grounds for what
he characterized as a defensive, protective military operation. The addition of chemical
and biological weapons to the list of Russian charges is significant. Russia may or may not
have a biological arsenal, and if it does,
using it will probably prove difficult, perhaps difficult to the point of impossibility,
but it would be more easily deniable than a chemical attack. But Russia certainly does
have a chemical arsenal and a well-articulated doctrine for that arsenal's use. The disinformation
effort charging Ukraine with preparation for
chemical and biological war may be designed to afford a pretext for the use of chemical weapons
in particular. Russia's war against Ukraine has yet to see the widespread and disabling cyber
attacks many had predicted, but cyber operations continue at a low but constant level. Both sides seem to be making use of regular intelligence services as well as irregulars.
The Ukrainian irregulars have tended to be hacktivists, drawn to Kiev's cause and at Kiev's invitation.
The Russian irregulars have tended to be familiar underworld privateers who've long operated at Moscow's sufferance.
Fox News, citing sources in the U.S. intelligence community, reports that cyberattacks against U.S. companies active in the
liquefied natural gas sector conducted two weeks before the invasion of Ukraine may have been
battle space preparation. CISA, the report says, is presently working to confirm that this is indeed what the attacks represented.
Researchers at ReSecurity had earlier made a similar claim.
Chinese cyber espionage operations have lately taken a close interest in European foreign ministries and aid organizations
working to bring assistance to Ukraine.
There are signs that this activity may be coordinated with Russia's campaign.
Google researchers identify three state actors particularly engaged in collecting against
Ukraine and governments sympathetic to Kyiv. Quote, Fancy Bear, or APT28, a threat actor
attributed to Russia's GRU, has conducted several large credential phishing campaigns targeting UKR.net users.
UKR.net is a Ukrainian media company.
The phishing emails are sent from a large number of compromised accounts,
non-Gmail and Google, and include links to attacker-controlled domains.
Ghostwriter, UNC1151, a Belarusian threat actor,
has conducted credential phishing campaigns over the past week
against Polish and Ukrainian government and military organizations.
Mustang Panda, or TEMP.Hex, a China-based threat actor,
targeted European entities with lures related to the Ukrainian invasion.
End quote.
Google also notes that nuisance-level distributed denial-of-service attacks have continued to affect Ukrainian government sites.
Activists who identify themselves with the Anonymous collective and who've taken up Ukraine's cause are tweeting, Security Affairs reports, about various website defacements and text campaigns they're operating in the hope of degrading Russian morale.
HS Today writes that Anonymous claims to now control over 400 Russian camera feeds.
It's using the compromised feeds to distribute anti-propaganda to open eyes of Russian civilians.
Companies have been taking measures to protect themselves from feared and expected Russian cyber attack. The large French bank BNP Paribas is one example.
Evidently concerned with the possibility of insider threats,
the bank has excluded its Russian workers from internal networks.
Security Week reports that Google claims to have blocked a Chinese espionage operation
directed against Gmail users within the U.S.
government. Shane Huntley of Google's Threat Analysis Group tweeted, quote,
In February, we detected an APT31 phishing campaign targeting high-profile Gmail users
affiliated with the U.S. government. 100% of these emails were automatically classified as spam
and blocked by Google, end quote. APT31 is also known as Zirconium and Judgment Panda.
Symantec researchers continue to investigate the Daxin backdoor used by Chinese threat actors.
SC Magazine cites Vikram Thakur of Symantec Threat Intelligence
as saying that they've tracked the tool to a persona they're watching in Chinese forums. Symantec has posted updates to its research in two parts, one describing
Daxin's driver initialization, networking, key exchange, and backdoor functionality,
the other covering its communications and networking features. Daxin has been used quietly
for a decade. CISA has revised the alert about the Conti ransomware gang it issued last September.
Yesterday's updates include the addition of 98 domain names to CISA's list of indicators of compromise associated with Conti attacks.
The new information does not appear derived from material provided by a Ukrainian researcher who succeeded in infiltrating
the gang. BleepingComputer notes that despite the reputational and possibly operational hits
Conti took from that infiltration, the gang hasn't trimmed its sails. Quote, since the beginning of
March, Conti listed on its website more than two dozen victims in the U.S., Canada, Germany, Switzerland, U.K., Italy, Serbia, and Saudi Arabia.
And finally, the U.S. Department of Justice announced yesterday that a major defendant
in the case of REvil Sodinokibi ransomware operations has been arraigned in the U.S.
District Court for the Northern District of Texas. One Yaroslav Vasinskyi, a Ukrainian national of 22 tender years, is alleged to have
accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil
ransomware to encrypt the data on the computers of victim companies. One of the alleged victims
was Kaseya, and that incident affected a number of the software company's
customers. Mr. Vasinskyi, who received his invitation to Club Fed courtesy of extradition
from Poland, is charged with conspiracy to commit fraud and related activity in connection with
computers, damage to protected computers, and conspiracy to commit money laundering.
If convicted of all counts, he faces a total penalty of 115 years in prison.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical
for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
Software development teams often struggle with prioritizing which vulnerabilities require their immediate attention and resources, and which can be safely put off. Chetan Conikee is founder and chief technology officer at software security firm
ShiftLeft, and he believes companies need to take an outside-looking-in approach that puts
defenders in the attacker's shoes and determines how likely a vulnerability is to be successfully
targeted, a process he calls reducing attackability.
Today, if you look at how things are done, often an application is assessed to identify vulnerabilities. And these vulnerabilities are further on categorized into high, medium,
and low severity. And often engineers try to sort order and pick those that matter the most, which is the high severity ones to address and
mitigate. In certain cases, there are many, many such high severity vulnerabilities.
Because when you examine things inside out, what essentially happens is every vulnerability
that is of high risk is categorized as high risk. But in certain cases, you need to further look to see whether a particular exploiter or an attacker can touch that vulnerability in order to trigger that exploit.
When I use the word touch, it actually means can they call or invoke an API on your application?
And after they invoke the API, can they send a data point through that pathway of the application in order to touch that vulnerability and further on exploit it?
And what I just said in summary means, is your vulnerability that is deemed as high severe exposed for an attacker to firstly enumerate and secondly exploit?
So think of this as a filter that looks for these two characteristics in your application, where it identifies something of high severity, meaning that you're using, say, a Log4j. And if you're using Log4j, is there any API endpoint that would enable an attacker to send a parameter that is touching or invoking Log4j
without being filtered, sanitized, transformed, etc., etc.?
Help me understand why organizations come up short when it comes to doing this sort of process
on their own. What are the blind spots that they typically have? There are many such blind spots,
but just to try to identify the most critical ones, when it comes to application security,
there is often no incentive mapped for engineers to go triage, fix, and improve the security posture off.
Often engineers are hired to write code, code which produces value to your customers,
and that value is incrementally provided through features, new releases, and so on and so forth.
So when you have a satisfied customer, the company is generating revenue, and as a consequence, an engineer gets incentives as bonus payouts, stock grants, equity options, etc.
You never see or we've not heard of an organization focusing on security saying that I am going to provide or map the incentives to the number of bugs that are identified or security incidents that have been
resolved and triaged in the associated application. So given that all of us as engineers typically
mostly are inspired and mapped to incentives, and if there are no incentives, we don't have any
reason to go and triage and resolve these issues. Secondly, the majority of these tools,
you know, there's a broad spectrum in the world of application security, from code analysis to runtime.
Now, when each of these tools are producing alerts, and all these alerts are plenty,
without effective ways to prioritize, that would lead to alert fatigue. Now you could imagine
an engineer who's not incented has to go and essentially look at all these alerts and figure
out what matters. So as a consequence, it gets left behind. If it gets left behind, it turns
into an exploit in production. And then you work backwards in urgency to go and resolve.
So this is one of the reasons why we have to fundamentally change the way we prioritize
security in the early stages of the lifecycle. That's Chetan Conikee from ShiftLeft. A program
note, I recently recorded a Career Notes segment with Chetan Conikee. Be sure to check that out as
well. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Josh Ray.
He is a Managing Director and Global cyber defense lead at Accenture Security.
Josh, always great to have you back on the program.
You know, as you and I record this, we are about a month or so, give or take,
with the revelation that we are going to be dealing with the Log4J vulnerability.
And I just wanted to touch base with you now that we've had a little distance between us and that initial discovery.
What sort of perspective is it giving you and your folks there in terms of this kind of
vulnerability? Yeah, Dave, and first, thanks for having me back. And this Log4J vulnerability is one of the nastier ones I've seen in my career.
But what's been really, I think, a positive takeaway for me is that the community as a whole, both public and private sector, have really rallied together to take this on.
And the client conversations that we've been having have been really good.
I mean, they're making good progress. I think people are applying the right level
of attention to this.
And teams, especially working over the holidays,
have been really working hard to mitigate this.
This is really one of these things
that takes a very holistic and agile approach.
And what we've been talking to clients most about,
not just on the vulnerability management side, but really from a, if you're thinking about from a breach readiness, threat
hunting, and incident response standpoint, some of the things that you really need to kind of take
into consideration. So as much as anything today, you know, what I wanted to do for the listenership
is just provide almost a PSA of, you know, five things that we've been thinking about or talking to clients about that hopefully people can use in their own environment
or just to kind of help organize their approach more moving forward.
All right, well, let's jump in together here.
Take us down that list.
The first is really kind of the notion of eliminating the attack surface, right?
Obviously, this is very difficult to do and has to do with removing the vulnerability and patching it or implementing those compensating mitigations, right?
Using things like your vuln scanners and working with your vendors' appliances to make sure that you get that right level of visibility and mitigation up front.
But this is really, again, the attack surface piece, starting with externally facing devices, both on-prem and in the cloud, and really working your way from there.
The next piece is really about control.
So using hardening tools and configurations to control those attacker actions from being successful post-exploitation.
So restricting egress and recursive DNS on servers is very important,
especially because actors will attempt to leverage that web application servers to resolve and call out to download second and third tertiary code. So restricting that network access is very important,
especially looking at things like hardening and updating operating systems,
legacy systems that will increase your exposure.
This is especially true for Log4J, where production workloads,
running in the cloud, native infrastructure, or Linux servers
really lack that visibility for protections that you might have under EDR.
So making sure that those things are locked down as well from a control
standpoint.
What else?
Well,
now we kind of start to get into that monitoring hunt and kind of exercise
move.
So we've kind of covered down on, you know,
eliminating the attack surface controlling and hardening the environment.
Now, you know,
how do we gain that situational awareness? Log and analyze everything, is what we say,
that you can't eliminate or control.
Having that situational awareness on your network is absolutely critical
and making sure that systems that lack visibility
or that centralized logging, making sure that those things
are all getting centralized in some type of EDR or SIEM.
Many of our clients are struggling with this
as their Linux production workloads were running
on end-of-life operating systems
that really couldn't be supported in their EDR
and didn't have good logging enabled
such as auditd or such like that.
So then being able to perform a really a strong forensic review of the servers
of the identified exposure period for post exploitation actions.
So that's kind of that monitoring piece that I think is talked about a lot,
but sometimes, you know, not executed with the right level of diligence.
And then we move into this notion of hunt, right?
For everything that you can eliminate or control or monitor using threat
intelligence approach, right?
So active hunting, you know,
looking for signs of post exploitation, such as, you know,
privilege escalation, lateral movement.
Some of the things that our CIFR team, you know, has seen include,
you know, installation of web shells, reverse shells,
installation of miners,
and then other instances of, say, like Cobalt Strike or other types of PowerShell activity.
But again, it's about actively looking in your environment
because as we've seen, especially with things like Log4J,
within hours of that proof-of-concept code becoming available,
there was active scanning looking for vulnerable systems. So you need to be on your front foot driving that active hunt program.
And then finally, really, it's about exercising.
So making sure that your teams have that muscle memory and are ready to go.
Leveraging crisis simulations and purple team exercises, and then using those consequence-driven scenarios that really stretch outside the security organization and require organization-wide,
company-wide response and mitigation activities.
Yeah, I'm curious, when something like this happens, when a log4j hits the airwaves, you
know, so it's both high impact but but high profile as well. Does that present an
opportunity for the defenders out there? I mean, I'm curious, do you have folks coming to you as a
provider and say, hey, you know, log4j is bad, but the good news is this has got the attention of my
board and they have greenlit that budget I've been asking for for all this time? Yeah, I mean,
they do say never let, you know, a good crisis go to waste. But I mean, the fact of the matter is, is that, I mean,
you can look across the industry now and you can point to the crisis of the day. So, you know,
if you're waiting for the next big Log4J to, you know, to happen so you can get that budget
approved, I would say responsible business owners and folks that, you know,
that now see this as part of their, you know,
the broader risks that they need to manage as part of, you know,
operating a business for their stakeholders.
They understand that, you know, these organizations,
your security organizations need to be properly funded,
but absolutely having that crisis management approach and that notion where you're able to bring together multiple stakeholders in the business to kind of achieve the, you know, get back to operational normalcy, I think is absolutely critical.
And that's that in and of itself is an opportunity that should not be missed by the security teams.
All right. Well, Josh Ray, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.