CyberWire Daily - Diplomacy and cyber warnings in the Ukraine crisis. REvil may not actually be out of business. A warning about Iranian state-directed hacking. And Data Privacy Day is observed.
Episode Date: January 28, 2022
Diplomatic channels remain open even as NATO and the US reject Russian demands over Ukraine. More warnings over Russian cyber operations in the hybrid conflict (Voodoo Bear is mentioned in dispatches). Social media as a source of tactical intelligence. The FBI tells industry to be alert for Iranian hacking. Ransomware continues to circulate. Josh Ray from Accenture digs into the Bassterlord Networking Manual. Carole Theriault examines a university data backup snafu. And a happy Data Privacy Day to all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/19
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Diplomatic channels remain open even as NATO and the U.S. reject Russian demands over Ukraine.
More warnings over Russian cyber operations in the hybrid conflict.
Social media as a source of tactical intelligence.
The FBI tells industry to be alert for Iranian hacking.
Josh Ray from Accenture digs into the Bassterlord networking manual.
Carole Theriault examines a university data backup snafu,
and happy Data Privacy Day to all.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, January 28, 2022.
In the crisis posed by Russia's aggressive posture with respect to Ukraine, TASS has written that there's no understanding on new Russia-U.S. strategic dialogue meetings so far. The "so far" in TASS's
headline is significant insofar as it suggests that diplomacy remains Russia's focus. Reuters
also sees a softening of the Russian tone, but a change in tone doesn't necessarily imply a change in direction.
TASS quotes Vladimir Yermakov, director of the Russian Foreign Ministry's Department for Non-Proliferation and Arms Control, depends to a significant extent on Washington's readiness to give a rational and realistic response to Russia's core security concerns
and to engage in practical work on legally binding guarantees of stopping NATO's further expansion,
refraining from deployment of offensive weapons of the U.S. and its allies near our borders,
and returning NATO's military equipment and personnel levels to levels of 1997
when the Russia-NATO Founding Act was signed, end quote. Those are substantially the demands
Russia made during the Geneva talks, and neither NATO nor the U.S. are likely to accede to them.
The U.S. has called for a meeting of the United Nations Security Council on Monday,
where the U.S. intends to confront Russia over its preparations to invade Ukraine.
The conflict between Russia and Ukraine is a hybrid one, with cyber operations preceding
the physical kinetic invasion the West would like to forestall. The BBC reports that Britain's National Cyber Security Centre has,
like others among the Five Eyes, notably Canada and the US, renewed warnings to businesses in
the UK that they should be on alert for Russian cyber attacks during the present period of
heightened tension. Paul Chichester, the NCSC Director of Operations, said early this morning,
While we are unaware of any specific cyber threats to UK organizations in relation to events in Ukraine,
we are monitoring the situation closely,
and it is vital that organizations follow the guidance to ensure they are resilient.
For all of the NCSC's reticence about attribution,
Computer Weekly quotes Chichester as saying, Over several years, we have observed a pattern of malicious Russian behavior in cyberspace.
Last week's incidents in Ukraine bear the hallmarks of similar Russian activity we have observed before.
While experts temper the warning with reassurance that panic isn't called for
and that Russian cyber operations are likely, at least in the initial phases of a hotter hybrid war,
to be confined insofar as that's possible to the theater itself,
memories of WannaCry and NotPetya remain fresh and lend gravity to NCSC's latest warning.
The BBC quotes former NCSC director Kieran Martin
as saying, quote, at one point around a fifth of the world's merchant shipping fleet was being
controlled by WhatsApp because their computer systems weren't working, end quote. Also mindful
of that 2017 experience, the Danish Defense Intelligence Service has warned the maritime
sector in particular to be alert for possible spillover from Russia's hybrid war against Ukraine.
Shipping Watch notes that the Danish shipping giant Maersk was particularly hard hit by NotPetya.
Former Director Martin is among those who counsel against panic, at least with respect to cyber attacks.
He said, quote, if the aim is to conquer Ukraine, you don't do that with computers, end quote.
The BBC also suggests that both the UK and the US have succeeded in establishing their own persistence inside Russian critical networks, that Russia knows this, and that Russia will therefore be likely to exercise
a degree of restraint before it lets an attack loose against Western targets. That the wiper
used in the Bleeding Bear attacks against Ukrainian networks wasn't wormable, and was
therefore less likely to propagate beyond its intended targets, may be one indication of such restraint.
CrowdStrike has released its analysis of the probable course of Russian cyber action against Ukraine. They attribute most of the activity against Ukrainian targets to Voodoo Bear,
a unit operating under the direction of Russia's GRU military intelligence service.
Voodoo Bear has a long history of servicing Ukrainian targets that
goes back to 2014, the year Russia seized and annexed Ukraine's Crimean region. The recent
information operations in the campaign CrowdStrike calls Whispered Debate are assessed as preparation.
Should the conflict escalate, CrowdStrike expects Voodoo Bear to step up destructive wiper attacks.
In hybrid war, cyber operations for the most part amount to what military officers call combat support,
and experts commenting to the BBC tend to see it that way.
What combat power, kinetic power, looks like is on display in Belarus.
DFR Lab has been tracking the movement of Russian
combat units into the Russian allies' territory, where they're positioned nominally for joint
exercises along the border Belarus shares with Ukraine, and it's developed a surprisingly
detailed picture of the Russian order of battle, that is, of the forces deployed in the vicinity of the Ukrainian border.
The sources of DFR Lab's information are interesting.
Some of them derive from satellite imagery, but more of them come from social media,
as Belarusian locals take pictures and video of Russian equipment moving through their towns.
Much of it appears on TikTok, and where else would you go for information on an enemy
order of battle? Information wants to be free, as they used to say, and the way social media
have put the need to show off so firmly in the cultural saddle makes one wonder whether
traditional military operational security is even possible anymore. Who needs hyperspectral
sensing platforms in low Earth orbit when everyone
is happily taking selfies in front of BMP-2s at the local railhead? This is not, we should note,
purely or even characteristically a Russian or Belarusian phenomenon. No army on the planet
should be surprised when its deployments turn up on TikTok, right beside the latest moves of the most viral
influencers. CrowdStrike has also published a long and detailed account of how Cozy Bear,
Russia's SVR intelligence service, successfully exploited SolarWinds vulnerabilities in a
long-running campaign CrowdStrike calls StellarParticle. Especially noteworthy is the threat actor's ability
to establish presence and remain undetected for months.
The U.S. FBI this week issued an advisory warning private industry that the Iranian
threat group Emennet Pasargad is both newly active and posing a threat beyond the influence
operations it's best known for. During recent U.S. election cycles, for example,
the group's operators impersonated members of the Proud Boys to circulate inflammatory posts
intended to exacerbate divisions in American civil society. The group is now held to be capable of
and likely to engage in what the Bureau calls traditional cyber exploitation activity targeting several sectors,
including news, shipping, travel, hotels and airlines, oil and petrochemical, financial and telecommunications in the United States, Europe and the Middle East.
Researchers at ReversingLabs have been keeping an eye on REvil with a view to assessing how significant the much
ballyhooed FSB raids on those REvil apartments actually were. Quote, the week before the arrest,
there were 24 implants a day, 169 per week. The week after the arrest, there were 26 implants a
day, 180 per week. End quote. That is, there's not much change, and what change has been seen actually
represents an increase. And so the mystery of what Russia's FSB was actually out to accomplish
remains, but whatever's going on, it's unlikely to be the dawn of a new era in international law
enforcement cooperation. And we can't help but notice how the criminal world's lifestyles seem to have taken a
haircut. The guys in the FSB video looked as if they were living like slacker undergraduates.
What happened to the style of the older alleged cybergang kingpins, the yacht on the Black Sea,
the exotic cat kept as a pet, the stylish designer tracksuit? Other ransomware operators are also active.
Security Week reports that France's Ministry of Justice has sustained a LockBit 2.0 infestation.
Palo Alto Networks' Unit 42 describes BlackCat ransomware,
an unusually sophisticated strain that's been circulating in the wild since this past November.
But not every problem is the work of hackers.
Federal News Network reports, for example,
that the U.S. State Department has assessed
the worldwide email outage it sustained yesterday
as due to a glitch, not an attack.
And finally, we close by wishing all a happy Data Privacy Day.
We hope you've completed your holiday shopping
and done so with as much discretion as possible.
But seriously, a good way of observing the day would be to review NIST's data privacy framework,
which coincidentally is celebrating its second birthday.
Many happy returns, NIST.
The continued success of ransomware operations worldwide
has put the spotlight on organizations' backup and recovery plans, seen as a critical step in protection against ransomware.
But what happens when things don't go according to plan?
Our CyberWire UK correspondent, Carole Theriault, has that story.
So years ago, I held the job of managing crisis communications for a global
IT security firm. And over the years, there were, well, countless events that demanded a clear head
and a clear message, even when everything around you was completely chaotic. Managing a digital
crisis and being directly responsible for it, those are very different indeed. I mean,
some bad decisions, even ones made erroneously without an iota of ill intent, can still have
catastrophic consequences. Case in point, Kyoto University, famed for producing world-class
researchers, including 13 Nobel Prize laureates. Well, they have recently found
themselves in a nasty pickle. At the tail end of 2021, BleepingComputer reported that the
university lost 77 terabytes of research data due to a backup system error. 77 terabytes of data.
This isn't a flash in the pan. This is a mountain, a monumental
mountain of data. And apparently, the incident happened in just two days. According to a Kyoto
University data release, between December 14th and 16th, 34 million files from 14 different
research groups were wiped from the system and backup file.
And from what I could make out from the Google Translated version of the release,
there was a careless modification of the backup program by the supplier of the supercomputer.
And looking into it a bit further, it seems that this supplier is publicly taking the hit. Again, this is using Google Translate, and it seems to be a response to the incident.
It says, we are 100% responsible and deeply apologize for causing a great deal of inconvenience
due to the serious failure of the file loss of the system.
And they go on to explain that a modified script was overwritten in a way that spurred on the disaster.
Now, it's quite rare for a massive corporation to own up to say mea culpa, our bad, and that victims need compensation.
But ultimately, what a painful screw-up. All that research and data.
Like, no offense, but no compensation or sorries really can make up for that, can it?
And despite the details on the disaster being very high level at best,
I think we can all agree that none of us would want to swap places with the person who is actually responsible for this blunder.
Well, person or persons. Due to stress,
lack of resources, lack of attention, distraction, phone calls, a mistake with catastrophic
consequences occurred. And maybe it was not just one mistake. Maybe there were several little oversights that led to this nightmare.
All this leads me once again to build the case for regular risk assessments,
not just on your own systems, but also those in your supply chain as well. This could be a requirement for doing business with you, a regular risk assessment on your systems to make sure that a mistake at their end
has, for example, backup fail safes, which would mean that if someone made a mistake,
you don't lose all your data. This was Carole Theriault for the CyberWire.
And I'm pleased to be joined once again by Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it is always great to have you back here on the show. I wanted to touch base with you on some of the things that I know you and your team are tracking when it comes to activity happening in
that cyber underground. What sort of things are on your radar these days? Hey, Dave. Yeah, thanks
for having me back. And yeah, this has been really a primary requirement for our cyber recon team.
And it's, as we've spoken about before, a trend that we've seen primarily over the last 18 months of threat actors
just showing a huge amount of interest around these VPN and server-side type of vulnerabilities.
And as you know, this is likely a direct result of the remote work environment.
But also, these server-side vulnerabilities really afford an attacker higher privileges. And sometimes they're a little bit less noisy.
But they also provide a lot of access to much more broader targeting opportunities.
And I was actually talking to two of my colleagues the other day, Paul and Luca, from our recon team,
and they were talking to me about how they discovered this networking manual guide of sorts
that had some very specific recommendations
regarding some free tools and exploits
to take advantage of just some previously
disclosed vulnerabilities and things like RDP,
Netlogon, other types of VPN technology.
Again, things that help an actor to not only gain access to a network,
but do things like move laterally effectively and things.
But as we start to think about how do we defend against this,
it's really important to note that two very well-respected actors
were primary contributors
to this networking manual guide, and they have repeatedly shown interest in the darknet about
virtual private network vulnerabilities, offering some significant bounties,
meaning that they are very well-resourced to buy these zero-day exploits.
When you say significant bounties,
what sort of dollar signs are we talking about here?
Can you help me calibrate my scale?
Absolutely.
And this is, I mean, this is kind of serious when you talk about the resources that these actors can bring to bear now
for a lot of these zero-day exploits,
particularly ones that are affecting Windows and Linux
and VPN products and also Android.
So we've seen actors that are placing Bitcoin deposits
on forums to show that they have actually
the resources to pay somewhere in the order of magnitude
of about 27 Bitcoin, which is right around 1.3 million US.
As a deposit, right, when they're actually
offering 3 million for a remote code execution exploit against Windows or Linux.
And in early January, another actor placed a 20 Bitcoin, you know, right around 900,000
deposit and offered about a million for exploits in Windows, IoT, Android, and Linux. So
we're talking significant dollar amounts really to really focus on being able to get the latest
and greatest zero-day exploits to exploit these technologies. Is it fair to say this is a pretty
exclusive club here that we're playing in the nation state level with these kinds of dollar amounts?
I mean, it's tough to say nation state or otherwise, but I mean, the fact of the matter
is that there are actors that are out there that have the resources and we're obviously seeing this
environment and operations become more and more specialized. So, you know, it's a high-risk,
high-reward type of environment, and the criminals are, I think, you know, ready to pay whatever is
necessary to continue to advance their objectives. When you see this sort of thing out there,
this sort of networking manual, what are your recommendations for folks to best protect themselves? So there's three things that I try to
help people kind of understand. And when we talk to clients, we put context around it, right? So
patching hygiene is critical, right? And absolutely needs to happen, but it's table stakes,
right? And I think just as a community, we need to agree that we need to do better than that.
We really need to be thinking about how do we drive an intel-driven approach into our vulnerability and attack surface management programs.
And this is, I mean, it's not just good enough to get the latest and greatest proof of concept code or active exploitation out there to help drive your patch prioritization.
That's important, but I would say that even if you're doing that,
you're a little bit behind.
We've really got to start thinking about taking it a step further.
When we see that a new server-side exploit is found,
we have seen actors that are initiating scanning of the entire IPv4 space within hours
to find vulnerable systems.
That means that you as a network
defender have to be much more proactive and you have to be actively hunting your environment and
your attack surface and using a third party or even an internally built intel capability that
can operate responsibly in the dark net. And that's important, right? You got to be able to
do it without causing a lot of risk to your organization
to provide those advanced indications and warning about how the threat's operating,
the things that they're interested in targeting.
Because if you can't do that, then you're always going to be on your back foot, Dave.
And I think it's going to be really difficult for organizations to achieve that resilient security posture.
All right. Well, interesting insights as always.
Josh Ray, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Sylvester Segura from Symantec's ThreatHunter team.
We're discussing their work on espionage campaigns targeting telecoms organizations
across the Middle East and Asia.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sebi, Tim Nodar,
Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe. Thanks for listening.
We'll see you back here next week.