CyberWire Daily - Dateline Moscow, Kyiv, and Minsk: Hacktivism and privateering. Log4j vulnerabilities more widespread than initially thought. US Cyber Command deploys "hunt forward" team to Lithuania.

Episode Date: May 5, 2022

Hacktivism and privateering in Moscow, Kyiv, and Minsk. Log4j vulnerabilities are more widespread than initially thought. US Cyber Command deployed a "hunt forward" team to Lithuania. CISA adds five ...vulnerabilities to its Known Exploited Vulnerabilities Catalog. Jen Miller-Osborn from Palo Alto Networks discusses the findings from the Center for Digital Government's survey on Getting Ahead of Ransomware. Grayson Milbourne of Webroot/OpenText discusses OpenText's 2022 BrightCloud Threat Report. And Anonymous leaks emails allegedly belonging to the Nauru Police Force.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/87

Selected reading.
Russian ally Belarus launches military quick-response drills (Washington Post)
Putin's Ukraine War: Desperate Belarus dictator strikes back (Atlantic Council)
Russian ransomware group claims attack on Bulgarian refugee agency (CyberScoop)
Russia and Ukraine Conflict Q&A | Cybersixgill (Cybersixgill)
Threat Advisory: New Log4j Exploit Demonstrates a Hidden Blind Spot in the Global Digital Supply Chain (Cequence)
Anonymous Leak 82GB of Police Emails Against Australia's Offshore Detention (HackRead)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Hacktivism and privateering in Moscow, Kyiv, and Minsk. Log4j vulnerabilities are more widespread than initially thought. discusses the findings from the Center for Digital Government survey on getting ahead of ransomware. Grayson Milbourne of Webroot and OpenText discusses OpenText's 2022 BrightCloud Threat Report, and Anonymous leaks emails allegedly belonging to the Nauru police force. From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Thursday, May 5th, 2022.
Starting point is 00:03:02 The UK Ministry of Defense describes continuing indiscriminate bombardment. Despite Russian ground operations focusing on eastern Ukraine, missile strikes continue across the country as Russia attempts to hamper Ukrainian resupply efforts. As Russian operations have faltered, non-military targets including schools, hospitals, residential properties and transport hubs have continued to be hit, indicating Russia's willingness to target civilian infrastructure in an attempt to weaken Ukrainian resolve. The continued targeting of key cities highlights the desire to fully control access to the Black Sea, which would enable them to control Ukraine's sea lines of communication, negatively impacting their economy. Belarus is also figuring in the war news today.
Starting point is 00:03:46 The British MOD assesses Minsk's current round of military exercises as normal, but is offering some potential for Russian exploitation, perhaps in an economy of force role. Quote, Belarusian land forces have been observed deploying from garrison to the field for exercises. This is in line with seasonal norms as Belarus enters the culmination of its winter training cycle in the month of May.
Starting point is 00:04:09 Russia will likely seek to inflate the threat posed to Ukraine by these exercises in order to fix Ukrainian forces to the north, preventing them from being committed to the battle for the Donbass. Deviation from normal exercise activity that could pose a threat to the allies and partners is not currently anticipated, end quote.
Starting point is 00:04:26 The Washington Post has a description of the exercises, which are being described as quick reaction exercises. CyberScoop reports that the LockBit 2.0 ransomware gang, a Russophone privateering outfit, has hit the Bulgarian State Agency for Refugees under the Council of Ministers. Quote, all available data will be published. End quote. The gang said on its site, giving a May 9th deadline for publication, but no public ransom demand.
Starting point is 00:04:52 May 9th, of course, is Russia's Victory Day holiday. Bulgaria has received somewhere in excess of 200,000 Ukrainian refugees, and Bulgaria has been aligned with Ukraine in the present war. CrowdStrike reports that pro-Ukrainian hacktivists operating probably under some form of direction or at least inspiration from Kyiv's IT army have been using compromised Docker images. Quote,
Starting point is 00:05:15 Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military, and civilian targets. Docker engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian, and Lithuanian websites in a denial-of-service attack. Both Docker images' target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army.
Starting point is 00:05:49 The two images have been downloaded over 150,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originated from compromised infrastructure. CrowdStrike customers are protected from this threat with the CrowdStrike Falcon Cloud workload protection module. Hacktivists and privateers have chosen sides in the war, and Cybersixgill has a summary of how those sides are shaping up. Researchers at Cequence warn that the Log4j vulnerability may be more widespread
Starting point is 00:06:16 and harder to detect than initially thought. The researchers say they, quote, found unpatched servers within our customers' digital supply chain that appear some 15 hours after the initial test results were received, end quote. U.S. Cyber Command's Cyber National Mission Force recently sent a team to Lithuania to assist in the country's defensive cyber operations. End quote. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has added five vulnerabilities to its known exploited vulnerabilities catalog. Two of the vulnerabilities affect Apple products, one affects Microsoft's
Starting point is 00:07:22 Win32K driver, one impacts Internet Explorer, and one affects OpenSSL. Agencies are required to patch the vulnerabilities by May 25th. And finally, HackRead reports that the hacker collective Anonymous has leaked 82 gigabytes worth of emails allegedly belonging to the Nauru police force. Anonymous claims the leak is meant to expose alleged abuses committed by the police on the island, which has been used as an immigration detention center by the Australian government. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:08:10 we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
Starting point is 00:08:24 to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:09:25 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. comes to their cybersecurity, and in particular, how they're bracing themselves against the threat of ransomware. Jen Miller-Osborn is Deputy Director of Threat Intelligence with Unit 42 at Palo Alto. One of the most interesting things is that, at least to me, was the note that more and more for the state and local organizations, especially, they're getting bigger cybersecurity budgets, which for a long time has really been the biggest thing hampering their security postures is just they didn't have the kind of budgets they needed for the protections against the kind of attacks that we were facing. So it's been really heartening to see that that's changing. And now they're able to,
Starting point is 00:10:44 you know, kind of put the investment into defense that they've really needed. Yeah, that is good news. And I had not heard that. So nice to hear that that recognition is actually happening. What is their status in terms of how they think the ransomware threat is going to change in the near term? Most of them think that the attacks are probably going to rise. They're not expecting to necessarily see a downturn in ransomware attacks. They're actually expecting to see them ramp up over the next year and a year and a half. And that's also helping to drive both the budgetary increases and then
Starting point is 00:11:27 the protections being put in place because there's the recognition that not only is that a problem now, but we're foreseeing in especially the short term, it's going to become a much larger problem. So we really need to get ahead of it and start putting those protections in place. Where do educational institutions stand when it comes to incident response plans? We've seen an uptick that are actually putting plans into place for a ransomware or other kind of incident response plan, which is incredibly important. One of the most difficult things any organization can face going into a ransomware incident is not actually having a plan for how to respond to it or not having practiced it. The last thing you want when you're struggling to restore any level of connectivity is,
Starting point is 00:12:20 oh, half of the people in the plan, if we had one, don't work here anymore. And no one knows who to contact now. And we don't have an incident response vendor or plan. So you're having to figure all of that out in the heat of the moment. And that is just a level of stress that no organization needs on top of what they're already having to respond to. So seeing that planning coming into play as well is also another really heartening thing to see. Yeah, one of the things in this report that caught my eye was that there seems to be a pretty positive attitude among the respondents in terms of feeling as though they are properly prepared. I agree. I think there's a lot of education and outreach that's been done now, especially in the public space, for letting organizations, you know, educational and otherwise know what kind of threats they're facing, you know, how ransomware operates, who they're targeting, the kind of money they're asking for, how they're operating. And that allows for that level of user education and security staff education to understand what parts of the kind of attack lifecycle that they have a good handle on, and then conversely, which ones they maybe don't. What did you see in terms of the kinds of things that they're saying they need? What sort of stuff would they like to see more investment in?
Starting point is 00:13:52 The two that they were the most interested in were better security for home networks for employees, which is intriguing to me. And I think we're actually going to start seeing more and more, especially as remote work is becoming kind of the norm, is what does that look like from a corporate protection perspective when a lot of your employees are coming from work? How do you need to extend your protection bubble? Is it a VPN or is it some things in addition to the VPN that are run on the home network side? And then the second component, and I think this is really true for most organizations, is more investment and being able to hire more IT and security staff. And that's particularly challenging for education because their budgets tend to be lower. And it's, you know, that's an area where a lot of people are struggling to recruit and retain staff. So it's,
Starting point is 00:14:43 it makes sense that that's something where they really need to see some more people as well. That's Jen Miller-Osborn from Palo Alto Networks' Unit 42. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:15:24 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. large and small. Grayson Milbourne is security intelligence director for OpenText Security Solutions. One of the things that I'm happy to see is we saw a 58% year-over-year decrease in the net new malware that we saw at the endpoint. And so for me, like, yay, okay, like, we're starting to see less malware maybe at the endpoints that we're protecting, but, you know, that's influenced again, like I said, by improvements that we're constantly trying to prevent. I mean, of course, there's detect and respond. But if you can prevent an attack through user education, through better network protection, and preventing a file transfer from getting to the actual endpoint,
Starting point is 00:16:36 our telemetry, when it comes to malware, literally comes from our 20-plus million endpoint subscribers that are giving us that intelligence. And so for us, we see, hey, yes, it seems like it's going down. But then when we kind of step back a little bit, what we really realize is that the attack surfaces have shifted. And how compromises occur doesn't always necessarily require a delivery of malware, or it might be ransomware, but that's often the very last stage of an attack. And so we'll see compromise occur. Perhaps it's just remote credentials or somebody's login information has been phished. And especially in the SMB space, we see a lot of
Starting point is 00:17:17 improper management of their IT infrastructure, which isn't that surprising. A recent survey I read showed that of businesses with 100 or fewer employees, they average 81% of them have just one single IT resource. So we see a lot of focus still on attacking, even though there might be less malware. What we still see is that ransomware is targeting SMBs. And we're seeing a disturbing trend in that we hear about ransomware on the news. We see these very large-scale, kind of like the top of the pyramid attacks. And that's what the media focuses on because, well, these businesses are Fortune 500 companies. The ransom demands are often millions or tens of millions. I mean, we saw $100 million ransoms last year.
Starting point is 00:18:04 But the reality is those are the outliers, right? The vast majority of where this problem exists is really in the SMB. And our data show that attackers are moving downstream because they know there's fewer defenses. And maybe you're not going to get that huge payout. But also in the last year, we did see, again, to give CISA some credit, we saw some retaliatory, coordinated, multinational attempts to disrupt and arrest some of the members behind these more advanced, or I guess more organized, cybercrime organizations. So, you know, that's a disincentive to go after the big fish. You're much more likely to garner attention and may risk going to jail or having your operation
Starting point is 00:18:46 greatly disrupted. Well, let's talk about what you tracked when it comes to some of the regional differences here. That was one of the things when I was looking through the report that caught my eye. Yeah, absolutely. And you know, like for me too, because it really just shows that if you invest in cybersecurity, your defenses are much better, right? And we see this when we look at infection rates in the United States, or if we look at them in Japan or a lot of Western Europe, those regions have dramatically lower infection rates than when we look at places like South America or the Middle East or Asia. We see five times as many infections
Starting point is 00:19:25 coming from these regions. And beyond that, there's a really big difference between consumers and business endpoint devices, which I think really resonates because during this pandemic, I know a lot of businesses really scrambled to support the remote workforce, which ultimately led with a lot of remote users using their own personal devices to connect to corporate resources. And our data shows even in highly secured places like where we saw some of the lower infection rates in the United States, when we looked at the consumer versus business split, almost everywhere, it's almost twice as many infections on a consumer device versus a business device. I think that makes sense to some degree, right?
Starting point is 00:20:06 I use my personal PC in a different way. My kids can use it. I use it for fun. It's not a work PC. And so you're more likely to encounter risk. Whereas on my business laptop, I use it for work, right? It has one purpose. And so I think what we see in that data is when you look at a cyber resilience posture and identifying your assets, you really
Starting point is 00:20:33 have to look at access. Because, I mean, let's face it, today a lot of us are connecting, even though I'm on my corporate laptop, I'm connecting through my home internet into a VPN, so more secure, using two-factor, improving security. But a lot of businesses, they don't go through those extra steps to ensure security. We think that between the identify, protect, detect, respond, recover, and educate, those six steps really allow you to understand your business and any weaknesses it might have. And then if something bad happens, you have a plan and you're not going to be offline for
Starting point is 00:21:10 days or weeks, which can be really devastating for a business. And so really, I look at cyber resilience as sort of just resilience in general. It's your business's ability to defend itself and to stay online. That's Grayson Milbourne from OpenText Security Solutions. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Brandon Karpf, Eliana White,
Starting point is 00:22:01 Pru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Raul Terrio, Ben Yellen, Nick Falecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
Starting point is 00:23:06 through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
