CyberWire Daily - Cyber takes point in a hybrid war. Medical robot vulnerabilities remediated. A Cyber Civil Defense for the US? Europol leads the takedown of RaidForums.
Episode Date: April 12, 2022

GRU deploys Industroyer2 against the Ukrainian energy sector. NB65 counts coup against Roscosmos. Anonymous doxes three more Russian companies. President Putin purges the FSB’s Fifth Service. CISA warns of an exploited firewall vulnerability. Medical robots’ vulnerabilities are remediated. A Cyber Civil Defense effort in the US. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/70

Selected reading.
- Russia’s Reset (New York Times)
- Russia will not pause military operation in Ukraine for peace talks (Reuters)
- Industroyer2: Industroyer reloaded | WeLiveSecurity (WeLiveSecurity)
- CERT-UA warns of large-scale cyber attack on energy sector (Interfax-Ukraine)
- Russia's space programme hit by western cyber attack (The Telegraph)
- Anonymous Hits 3 Russian Entities, Leaks 400 GB Worth of Emails (HackRead)
- Russia’s Ukraine Propaganda Has Turned Fully Genocidal (Foreign Policy)
- Russia-Ukraine latest news: Vladimir Putin vows ‘clear and noble’ aims of Russian invasion will be achieved (The Telegraph)
- CISA warns orgs of WatchGuard bug exploited by Russian state hackers (BleepingComputer)
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)
- Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots (Cynerio)
- Craig Newmark Philanthropies Pledges $50 Million to Cyber Civil Defense (Global Cyber Alliance)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The GRU deploys Industroyer2. Anonymous doxes three more Russian companies. CISA warns of an exploited firewall vulnerability. Medical robots' vulnerabilities are remediated. A cyber civil defense effort in the U.S. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 12, 2022.
Sandworm, also known as Voodoo Bear, and in the org charts, Unit 74455 of Russia's GRU, has deployed CaddyWiper destructive malware and an Industroyer variant being called, simply, Industroyer2. ESET tweeted the results of its findings early this morning and provided additional details in a report also published today. They said ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company. The destructive actions were scheduled for April 8, 2022, but artifacts suggest that the attack had been planned for at least two weeks. The attack used ICS-capable malware and regular disk wipers for Windows, Linux, and Solaris operating systems. We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack.
At first look, the incident seems an attempted repetition of the 2016 Russian cyberattacks against the Ukrainian grid that ESET mentioned in its report. CERT-UA offered a further description of the attack. It intended to use Industroyer2 against high-voltage electrical substations in a fashion tailored to the individual substations. CaddyWiper was used against Windows systems, including automated workstations, and other destructive scripts, OrcShred, SoloShred, and AwfulShred, were deployed against Linux systems.

The Telegraph reports that Network Battalion 65, NB65, has posted images it claims show that it succeeded in compromising servers at the Russian space agency Roscosmos. Roscosmos boss Dmitry Rogozin, lately much given to incandescent verbal sputtering in a westward direction, downplayed the effects of the attack and called NB65 a bunch of scammers and petty swindlers. That may be, but it appears that NB65 did obtain some access to Roscosmos networks and that the hacktivist or hacktivists deployed some of Conti's ransomware code therein.
HackRead says that Anonymous has hit three more Russian enterprises: Aerogas, which handles oil and gas production services; Forest, which handles logging; and Petrovsky Fort, which handles office space. The collective leaked roughly 437,000 emails belonging to the companies. Petrovsky Fort lost about 300,000 emails, about 244 gigabytes. Aerogas lost 145 gigabytes, and Forest lost 37.7 gigabytes worth of information, including 375,000 emails. Petrovsky Fort and Aerogas are state-owned. The material has been posted to the familiar Distributed Denial of Secrets site.
Here's a study in disinformation relevant to those interested in cybersecurity and hybrid warfare, because of the way we can expect to see it repeated and amplified in Russian-controlled or sympathizing online outlets. Long-suffering Russia is waging a good war, President Putin said in a speech this week.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday added eight vulnerabilities to its Known Exploited Vulnerabilities catalog. Among them was the high-severity privilege escalation flaw in WatchGuard firewall appliances the GRU had exploited to build up its Cyclops Blink botnet, disrupted last week by the US FBI. Bleeping Computer quotes WatchGuard on the effects of exploitation: WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. WatchGuard issued its own warning at the end of February.
Cynerio today announced its discovery of vulnerabilities in Aethon TUG hospital robots that could allow attackers to circumvent security and remotely surveil and interact with patients, tamper with medication distribution, and disrupt day-to-day hospital operations. Cynerio disclosed the bugs, collectively called JekyllBot:5, to the manufacturer under the CISA-coordinated vulnerability disclosure process, and the issues have now been remediated and patches are available.
The Global Cyber Alliance reports that Craig Newmark Philanthropies has committed to donating more than $50 million total to support a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats. Craig Newmark, who is the Craig in Craigslist, characterizes the effort as a cyber civil defense initiative. It will focus on cyber education, cybersecurity career opportunities, development of cybersecurity tools for community protection, usability and customer service for security tools and services, and championing equitable cybersecurity.
And finally, Europol this morning announced the takedown of RaidForums, the large cybercriminal forum and market where techniques were discussed and tools and stolen data were traded. The forum's infrastructure was seized, and its administrator and two accomplices were arrested in Operation Tourniquet. This was a year-long international effort coordinated by Europol to support the separate investigations of law enforcement agencies in Portugal, Romania, Sweden, the United Kingdom, and the United States. Europol credits effective information sharing with enabling investigators to define the different roles the targets played within this marketplace, such as the administrator, the money launderers, the users in charge of stealing or uploading the data, and the buyers. So bravo, Europol, and congratulations on the collar.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Cyber defense firm ExtraHop recently released results from their 2022 Cyber Confidence Index, conducted by Wakefield Research, exploring how IT and security decision makers assess their security practices. Chase Snyder is senior product marketing manager at ExtraHop.

One of the big things, Dave, is that the disparity between confidence in the ability of cybersecurity teams or security operations teams to respond to threats versus their admission that their own cyber hygiene and the existence of old insecure protocols and unmanaged devices in their environment, there's a gap there. So many teams, I believe the Cyber Confidence Index indicated that 77% of teams believed that they were highly able to respond to and mitigate and prevent cybersecurity threats. But 64% of them said that half of their cybersecurity incidents were due to their own outdated protocols and their own outdated security posture. So there's a little bit of a gap there, and we were trying to understand where exactly that comes from.
What do you make of that? I mean, are people fooling themselves? What do you suppose is causing the disconnect?
I think something that's happening is that there's been a large focus on advanced threats, and folks are really increasing their ability to detect and respond to threats. But not everyone has done the work to clean house and shore up the foundation of their environment. So when I say clean house and shore up their environment, what I mean is many organizations still have large numbers of outdated and known-to-be-insecure protocols running in their network. 92% admitted that they still had SMBv1 or NTLM. These are old protocols that are low-hanging fruit for attackers. On average, these organizations also said that 29% of the devices in their environment aren't managed. So there's a large gap there. There's a blind spot, and that blind spot represents an attack surface for attackers. So the detection and response capabilities are there, but there are still these big attack surfaces that need to be cleaned up. And there's a big upside for companies that take the effort to go ahead and clean that up and shore up their foundations.

Is there recognition that this is something that they need to be working on, or is this a matter of them knowing that but taking it as part of their risk calculation?

That's a great question, Dave. I'm not totally certain whether or not folks have fully internalized the idea that these older insecure protocols and unmanaged devices represent an enormous amount of risk for them. They may be incorporating it into their risk calculus, but the amount of risk is going up in a non-linear way. We see supply chain attacks occurring. We see open source vulnerabilities coming out with enormous scale and the impact that they're having across thousands of organizations, millions and millions of attempts against vulnerabilities such as the Log4Shell vulnerability that was in the news quite recently and is still being dealt with. And the fact is that while in the past you may have been able to get away with leaving some insecure protocols or having a certain amount of devices in your environment that aren't managed, now that there are these large-scale advanced attacks, supply chain attacks, ransomware, or supply chain attacks being used to deliver ransomware, the risk that is represented by these outdated protocols and unmanaged devices has gone way up. And I think that organizations and security leaders are still adjusting their threat model or their risk model to incorporate that.
Right. Well, I mean, based on the information that you've gathered, what are the take-homes for you? What sort of words of wisdom do you have for folks out there?

A quarterly update of your asset inventory is no longer enough. You need continuous visibility into the hardware and software in your environment. It's the number one control that is recommended in the CIS top 18. And there's a reason for that, because managing your attack surface can give you acceleration in your ability to respond. If you're in a situation where you're asking yourself, how do we even find the devices with Log4j on them when the attacks are already making the news, you're already behind. Asset inventory is an accelerator for both prevention, detection, and response for all types of cybersecurity attacks. And achieving that asset inventory is going to require greater cooperation between security teams and network teams and IT teams. And that is a foundational way to improve your security posture, take away that low-hanging fruit, and give yourself the advantage over these advanced attackers.
That's Chase Snyder from ExtraHop.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Here in our home state of Maryland, my home state, your adopted state.
You are a true Marylander.
It's true.
They recently wrapped up their legislative session, and there were some bills regarding cybersecurity that you had a bit of a hand in, and they were successful. Share with us what went down.

They were. So this has been a multi-year effort. Maryland has suffered from cyber incidents. Most famously, there was a ransomware attack in Baltimore City in 2019 that stopped people from being able to record real estate transactions or pay water bills, and cost the city an estimated $18 million. There was a ransomware attack on the Baltimore County school systems. A couple other attacks on localities. And then most recently, there was what we suspect was a ransomware attack on the Maryland Department of Health, which has had a terrible impact, including us being unable to access our COVID data dashboard during the height of the Omicron surge. So it's a big problem here. A friend of our show, she was on it a couple of years ago, is a state senator named Katie Fry Hester, and she has made it her mission during her term in the state senate to change cybersecurity policy in the state of Maryland. She's the co-chair of a joint committee on cybersecurity and biotechnology at the state legislature, and for the past several years, through collaborative efforts with various Maryland agencies, she's put together bills to try and change our cybersecurity governance structure, the way our local units of government interact with state agencies on cybersecurity-related measures. And every year until this year, we've come up a little bit short. So in preparation for this year, this senator decided to commission a study. She's part of what's called the Maryland Cybersecurity Council, which is an advisory group within our state government, a quasi-government agency that develops cyber policies. So she formed an ad hoc committee to do a study on how we can improve the cybersecurity posture within our state government and our units of local government. And I have to say she made a terrible choice on the co-author of this study, which was some guy named Ben Yelin.
La-dee-da.
From the University of Maryland Center for Health and Homeland Security.
Okay.
So we co-authored this study with experts in the field. There were three sections on it: one on governance, one on units of state government, and we got help on that one from the state chief information security officer. And then we did a survey of units of local government on what they want and what they need to improve their cybersecurity posture. And that led to the proposal of three pieces of legislation. One of the bills is a cybersecurity governance bill, which codifies practices that already exist in terms of the state chief information security officer and the Office of Security Management, but those only existed via executive order. So now those are, assuming these bills are signed, that's going to be the law of the land in the state of Maryland. It also introduces new measures to make sure that we are keeping up to date on the latest security practices, making sure that we are meeting minimum standards as established by NIST. So that's going to be done through a couple of different organizing entities that will have oversight over the Department of Information Technology in Maryland. And the Department of Information Technology will have more of a hand in having kind of a centralized enterprise of cybersecurity across state agencies.

In terms of local governments, there's a unit within the Maryland Department of Emergency Management, the Cyber Preparedness Unit, which exists but wasn't codified into law. That, as part of these pieces of legislation, is now going to be codified. So these are a group of individuals with our Department of Emergency Management who are giving units of local government preparedness resources, updating them on the latest cyber threats, and making sure that our school systems, our public health departments, and our county governments are getting all of the information and training resources they need to protect themselves against cyber attacks. That shop was only two guys. They were contractors. With these bills, it's going to be vastly expanded. We're going to have additional staff as part of this preparedness unit, including potentially regional coordinators. So a guy in charge of going to Western Maryland and making sure those counties have everything they need. We're also going to have a local cybersecurity support fund. So if units of local government here in Maryland need help updating their networks, updating their systems, hiring contractors, doing trainings and exercises, there's going to be a pool of money available that they can apply for. As long as they're meeting minimum cybersecurity standards, they will be able to have access to that money.
So it's a package of three bills. The Maryland State Legislature adjourned sine die. As we're recording this, it was last night. It's always a mad dash at the end of the session. Everybody wants to get their bills through. So there was some uncertainty as to...

I saw you tweeting about it. You had your fingers crossed. Are we going to make it across the finish line?

Yeah. And there are all sorts of delay tactics that people try and use if they don't want pieces of legislation to get passed. You can just kind of try and run out the clock. The amount of work that's gone into this, and without getting into too many of the details, there were basically 15 hours of hearings at the relevant Senate committee to really perfect these bills, figure out which agencies have authority over which particular issues, and to see it get across the finish line and hopefully to be signed into law by our governor here is a huge accomplishment. I do think it's going to have a significant impact on cybersecurity here in Maryland. I think it'll leave our state agencies better prepared, part of a more cohesive cybersecurity enterprise, and I think we'll now have the type of resources available to our units of local government to prevent the types of things that have happened in the past, these ransomware attacks on governments and school systems, et cetera. So as a point of personal privilege, I was glad to work on these issues. And it was kind of like watching a sporting event to see if your team can score a touchdown within two minutes. And so just watching and seeing these bills cross the finish line was personally exciting for me.

Yeah, and perhaps a template for other states to follow.

I sure hope so, yes.

All right. Well, Ben Yelin, thanks for joining us.

Thank you.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shake and espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Thanks for listening. We'll see you back here tomorrow.

solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.