CyberWire Daily - Cyberattacks reported in Ukraine as Russia signals a willingness to negotiate with NATO. TA2541 targets aviation and allied sectors. BlackCat’s tough to shake. Romance scams. Beamers.
Episode Date: February 15, 2022
Reports of cyberattacks against Ukrainian targets as the parties to the crisis resume negotiations. The US has been forthcoming with intelligence on Russia's ambitions in the region; those revelations form part of an influence strategy. An apparent criminal group is targeting aviation and related sectors. BlackCat ransomware victims are having difficulty recovering. Why conditions favor romance scams. Ben Yelin looks at pending cyber breach notification laws. Our guest Padraic O'Reilly from CyberSaint on the effectiveness of Biden's plan to protect the water sector. And "beamers" defraud Roblox players. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/31 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Reports of cyber attacks against Ukrainian targets as the parties to the crisis resume negotiations.
The U.S. has been forthcoming with intelligence on Russia's ambitions in the region.
An apparent criminal group is targeting aviation and related sectors.
BlackCat ransomware victims are having difficulty recovering.
Why conditions favor romance scams.
Ben Yelin looks at pending cyber breach notification laws.
Our guest, Padraic O'Reilly from CyberSaint, on the effectiveness of Biden's plan to protect the water sector.
And Beamers defraud Roblox players.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 15th, 2022.
Security firm Intel 471 writes that rates of cybercrime against Ukrainian victims, most of which would be expected to originate in Russia, have been unusually low during the crisis.
The Russian government has publicly cracked down on cybergangs over the past two months,
but this may represent a diplomatic gesture that could be easily reversed should tactics change.
There may have been such a change today.
BuzzFeed correspondent Christopher Miller tweeted this morning that there are signs of a surge in cyberattacks
against Ukrainian financial services and the country's Ministry of Defense.
The Ministry of Defense has itself tweeted that it's undergoing distributed denial-of-service attacks.
People on the ground in Kiev are sharing over social media that there's no comprehensive general shutdown of banking operations.
Some ATMs are working, for example, while others are not, but there's online a priori speculation that the incidents may represent a kind of virtual artillery preparation
for a more general attack in a hybrid offensive.
Preparation or not, there are mixed signals, on balance encouraging,
concerning Russian intentions with respect to Ukraine.
Moscow is signaling that it's interested in further diplomacy
aimed at reducing tensions over Russia's ambitions in Ukraine,
most obviously in what the New York Times calls stage-managed televised meetings among Russian leaders.
Foreign Minister Lavrov, the good cop, was yesterday shown giving President Putin his assessment of prospects for negotiation.
Quote, I believe that our possibilities are far from exhausted.
I would propose continuing and intensifying them.
President Putin, the bad cop, responded with what the Times characterizes as an ambiguous good.
Foreign Minister Lavrov called some U.S. proposals constructive, and it appears there's some
Russian interest in
confidence-building measures that might be put into place to mediate Russo-NATO relations.
But the U.S. reacted, in the AP's characterization, coolly. Quote, the path for diplomacy remains available if Russia chooses to engage constructively,
White House Principal Deputy Press Secretary Karine Jean-Pierre said.
However, we are clear-eyed about the prospects of that,
given the steps Russia is taking on the ground and in plain sight.
End quote.
German Chancellor Scholz is in Moscow for talks.
Reuters says his going-in diplomatic position
includes both an indication of willingness to address such legitimate security concerns Russia may have
and a clear statement that Russian escalation will prompt sanctions.
He said, quote,
We are ready for very far-reaching and effective sanctions in coordination with our allies, end quote.
There are contradictory indications of the current state of Russian deployments near Ukraine.
On the one hand, Russia says that some exercises having concluded, it's moving many units back to garrison.
The New York Times quotes Russian statements that some forces in military districts near Ukraine are leaving assembly areas and returning to home station.
On the other hand, U.S. intelligence sources have said,
the Wall Street Journal reports, that Russian force levels in the immediate theater of operations have increased, up to 105 battalion equivalents from 83 such units earlier in February.
Russian conventional forces may not be the ones used in an escalation. It's possible,
the Atlantic Council says, that Russia
would use deniable, nominally insurgent proxies to fight on the ground. The U.S. has been unusually
forthcoming with intelligence during the crisis. Foreign Policy sees this as a possible sign that
the U.S. is catching up with its rivals in this aspect of information operations. The strategic calculation is that transparency will serve as a deterrent.
The more that's known about hybrid operations and strategic deception in particular,
the less likely they are to succeed.
In a conference call yesterday afternoon, the U.S. FBI and CISA reiterated recent warnings
that organizations in the U.S. should be alert for increased hostile
cyber activity originating with the Russian government. The substance of the call, to judge
from a report by Yahoo News, emphasized vigilance and security best practices. Director of the U.S.
Cybersecurity and Infrastructure Security Agency Jen Easterly has tweeted a short guide to
interpreting the Shields Up alert, and she
explicitly holds up NotPetya as a foreshadowing of how the Russian threat might manifest itself
in practice. Quote, every organization in the U.S. is at risk from cyber threats that can disrupt
essential services. As we know, the Russians have used cyber as a key component of their force
projection to include disabling or destroying critical infrastructure.
While there are no specific credible threats to the U.S. homeland at this time,
we are mindful of the potential for Russia to consider escalating its destabilizing actions
in ways that may affect our critical infrastructure,
to include cascading impacts we saw with NotPetya.
All organizations must adopt a heightened posture of vigilance.
The time to act is now.
Proofpoint has published details of a study that tracks the activity of TA2541,
a threat actor that has targeted the aviation, aerospace, transportation, manufacturing, and defense industries for years.
Its preferred tactic is phishing, using malicious files to dangle a remote-access Trojan fishhook in front of its intended marks.
The group has evolved beyond familiar email phishing with malicious attachments
and now sends victims links to cloud services like Google Drive, where the payload resides.
The researchers describe TA2541 as criminal, but offer little other attribution or characterization.
CyberScoop reports that it may have a geographical connection with Nigeria.
Some indication of ransomware's disruptive effects may be seen in the experience of Mabanaft GmbH & Co. KG,
the German fuel storage company that sustained a cyber attack during the last week of January.
The firm still hasn't returned to normal operations.
Bloomberg reports that Mabanaft's first tests of restored operations have been unsuccessful.
The company is believed to have been the victim of BlackCat ransomware.
Whatever action Russian security authorities have taken against cyber gangs recently
seems not to have affected the Russophone underworld's position in the global criminal marketplace.
A study by Chainalysis concludes that about three-quarters of ransomware payments are going to Russian criminal groups.
Evil Corp alone accounts for some 10% of the
global total. Chainalysis also notes that such attacks continue to avoid targeting members of
the Commonwealth of Independent States, an organization of former Soviet republics that
have remained more or less friendly to Russia. Romance scams, of course, tend to spike around
Valentine's Day.
But as the U.S. Federal Trade Commission pointed out this week, they're trending up generally.
What's fueling the increase?
It's a convergence of the non-harmonic kind.
People are feeling lonely and disconnected during the pandemic, socially distant,
and they're looking for companionship online more than ever before, the Wall Street Journal notes.
Take the scams and catfish who cumber the Internet and couple them with the easy remittance cryptocurrencies offer,
and the environment is ripe for romance scams.
Some of the Lonely Hearts scams are brutally direct, using bogus dating sites, Trend Micro reports,
to induce the amorous and incautious to fork over various pieces of valuable information,
including, of course, credit card details.
And finally, Vox has a report on a new venue for cybercrime where the victims are disproportionately young.
Roblox, the popular gaming platform where you can make your own game, is presently being infested with beamers.
These are people who impersonate others and steal from them in the in-game purchase marketplace Roblox offers.
Vox writes, quote,
So-called beamers are able to profit from stolen Roblox items
via massive dedicated marketplaces
that handle at least tens of thousands of underground transactions
and which take a cut of each sale, too.
Some of the items sold in these marketplaces likely include hacked items, end quote.
And so, a criminal marketplace again grows up in the shadow of an online community.
Hold on to your skins, friends.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
In late January, President Biden announced his administration is expanding the Industrial Control Systems Cybersecurity Initiative to include the water sector.
They said the Water Sector Action Plan is a collaborative effort between the federal government and the critical infrastructure community
to facilitate the deployment of technologies and systems that provide cyber-related threat visibility indicators, detections, and warnings.
Padraic O'Reilly is co-founder and chief product officer at CyberSaint,
a software security solutions company that does quite a bit of work with the water sector.
It's pretty complex. There's a lot of different structures in place.
There are municipalities, localities that have primary authority. There is some state authority, and the feds do have some say-so through the EPA. So it's a pretty complex structure. And as you can see, it's regulated in some respects, but not really when it comes to cyber. And even the initial guidance now is presented more in the form of guidance and not as regulation yet.
So what exactly has the Biden administration done here in terms of their approach to cybersecurity and water treatment plants?
I think what they're trying to do is to
leverage some of what they are doing with electric and pipeline, some of those directives and the rethinking around all of that, and apply that
to water. And they're doing it in a slightly different way with respect to water because of
the structure that we just talked about. There are many, very, very many small water treatment
facilities, and they are really understaffed with respect to cyber. And it's a hard thing to ask them to
step up their cyber practice when they don't have the resource. So what the Biden administration is
doing is taking some of the learnings out of the electric infrastructure push last year with CISA,
which was to get more monitoring into place. And about 150 electric concerns have already signed on to that.
So they're going to work with the largest water treatment plants and kind of build the best set
of best practices with the largest plants first, and then float those learnings downstream, more
or less.
Do you feel as though this is a reasonable approach to the situation?
I do. I work with several water treatment concerns in my business. I've seen
firsthand how constrained they are. And I've seen also firsthand how they're not as mature as certain
other sectors. And they need help. And basically, this plan is a way to increase the cadence and communication between the federal government and these smaller concerns and get them the help they need.
Can you give us some insights with some of the organizations that you work with?
I mean, what sorts of things are they dealing with on a daily basis when it comes to managing their own cybersecurity?
Well, they're managing a complex threat landscape and a pretty complex threat attack surface,
particularly after COVID,
in the sense that a lot of water treatment plants
have some remote access now.
You can see at the Oldsmar attack
that that was through remote access.
That was through a thing called TeamViewer.
And the person in the control room actually saw the cursor moving.
So you have this remote access issue, which increases the threat attack surface.
And there's a lot of bad actors out there right now looking to leverage any number of
vulnerabilities in there.
We saw them all come out last year, SolarWinds
and the rest, and they're generally understaffed. So they might have a SIEM or a logging tool in
place, but that quickly gets overwhelming if you don't have analysts on hand, right?
So what they really need to do is mature a bit with respect to seeing what's coming in across
their networks and doing some internal
monitoring, which is another really difficult thing to do when you're understaffed.
Are you optimistic that we're heading in the right direction when it comes to the things
that are coming down from the White House and these plants' abilities to accommodate
them?
Yeah, I'm quite optimistic. I think the White
House is taking the correct approach on this. It's long overdue in some respects. The only thing that
I'm a bit concerned about are the layers of governance between sort of these initiatives
and the actual operators of the plant. Part of the reason we're in this situation is
governance has been, you know, a little, has overlooked cyber historically, and that can't
continue. So, you know, hopefully after this initial round of help is in place, you know,
I hope the EPA and the administration and the Senate take a look at whether or not this has
to become, you know, more of a regulatory issue.
That's Padraic O'Reilly from CyberSaint.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article from the folks over at Mimecast written by Karen Lynch.
And they have sort of gathered up, aggregated
a list of some of the laws that are pending on reporting and paying ransomware as we are well
into 2022 here. I thought it'd be interesting to review some of these with you, Ben. What's on this list?
Sure. So the closest we came to getting a piece of legislation in this regard was towards the end of last year when a provision for reporting cybersecurity or ransomware incidents made it into the defense authorization bill at first.
That bill always changes at the last minute, and those provisions were left out of the final bill.
But we do have a number of proposals pending in Congress, most of them with bipartisan support.
So there's a bill,
the Cybersecurity Incident Notification Act,
which comes from the Senate Intelligence Committee,
that would require companies to report
any cybersecurity breach or an attempt
with potential national security,
government, or economic impact within 24 hours.
So that's a rather strict requirement. A separate
bill is a little less strict. The Cyber Incident Reporting Act gives a longer window, 72 hours.
With that longer window, it also would institute criminal penalties for organizations that did not
comply. Whereas in the first bill I mentioned, it's only a civil penalty.
Now, would these two be mutually exclusive? In other words,
could they both be passed or would you have to come down with one or the other?
I think they could both be passed. I mean, there are lots of circumstances where the same action can subject you to both civil and criminal penalties.
I see. So it might be report within
24 hours to avoid a civil penalty, report within 72 hours or else you receive a criminal penalty.
I could see that taking place.
So if you want to drag your heels
and you're okay paying a fine,
have at it.
Right, exactly.
If there's some reason that,
you know, you don't want to report after 24 hours,
whether that's reputational
or whether you're just, you know,
not really sure exactly what happened,
then yeah, that might be your way out of it
if you just want to avoid
criminal penalties.
How are companies responding to the specter of this sort of legislation coming online?
So companies are sort of split on this. I think many companies that are victimized
by ransomware are anxious about these reporting requirements just because they've been attacked
and now you have this extra
onus on you to report back to the federal government. If you think that information
is going to get out, your organization or company might suffer reputational damage.
If it indicates that you've been negligent in protecting, say, personally identifiable
information, that could subject you to legal liability. It's kind of a prisoner's dilemma of sorts here
because we want information in the aggregate about cyber incidents.
We want to know the extent of ransomware,
how many companies are actually paying the ransom.
That's useful information for the country, for our federal agencies,
but it might not be advantageous for companies themselves
to actually report that they've been the victim.
And then separate from these reporting requirements, there's the question of whether you should be punished for paying a ransom.
So Mimecast, where we got this article, actually did a survey on this.
The survey is going to be released shortly saying that 72% of companies attacked by ransomware
said that they paid the criminals, whereas only 19% of them recovered their data.
So if we are talking about a system which has been proposed where we penalize companies for
paying the ransom, going beyond reporting requirements, that's going to be a
high percentage of organizations that are going to face this really difficult choice. Sometimes
paying the ransom is the easiest thing to do to recover your data, but that might subject you to
federal criminal and civil penalties. And I think there would be a lot of companies that would lobby
against that trade-off. I think that leaves us kind of looking to see what happens in 2022.
There's going to be another defense authorization bill.
That might be a good opportunity to stick in a couple provisions about mandatory reporting.
My guess is that we'd see mandatory reporting make its way into federal statute before we saw anything related to ransom payments.
That's just kind of where I'm at on that.
All right.
Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, ... secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.