CyberWire Daily - Disinformation in Russia’s war of aggression. Correlating overhead imagery and radio intercepts. Taking down state-sponsored cyber ops. Threats to power grids.
Episode Date: April 8, 2022

Russian disinformation in its war against Ukraine. Overhead imagery and electronic intercepts suggest that Russian atrocities are matters of policy and strategy. Microsoft disrupts GRU cyber operations. Facebook takes down Iranian coordinated inauthenticity. India’s Power Ministry says it stopped a Chinese cyberattack. Dave Dufour from Webroot on evolving attack mechanisms. Our guest is Dan Petro of Bishop Fox with a warning for document redaction. Grid security and the value of exercises. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/68

Selected reading.
Putin’s ‘probably given up’ on Kyiv as Ukraine war enters new phase (Defense News)
Ukraine says 39 killed in rocket strike on rail evacuation hub (Reuters)
Russian rocket attack on Kramatorsk train station kills dozens—Ukraine (Newsweek)
Possible Evidence of Russian Atrocities: German Intelligence Intercepts Radio Traffic Discussing the Murder of Civilians in Bucha (Der Spiegel)
Germany intercepts Russian talk of indiscriminate killings in Ukraine (Washington Post)
Microsoft says it disrupted Russian cyberattacks targeting Ukraine, West (The Hill)
Disrupting cyberattacks targeting Ukraine (Microsoft On the Issues)
GridEx VI Lessons Learned Report (NERC)
Power Grid Stress Test Finds Low-Tech Needs for High-Tech Problems (Wall Street Journal)
Dire grid hacking scenario sparked “shields up” approach to Russian threat (Medium)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Microsoft disrupts GRU cyber operations.
Facebook takes down Iranian-coordinated inauthenticity.
India's power ministry says it stopped a Chinese cyber attack.
David Dufour from Webroot on evolving attack mechanisms.
Our guest is Dan Petro of Bishop Fox with a warning for document redaction
and grid security and the value of exercises.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 8th, 2022.
Microsoft says it's blocked GRU cyber operations directed against U.S., European, and Ukrainian targets. Redmond calls the group Strontium in its metallic naming convention for threat groups,
but the threat actor is also known as APT28 and, of course, Fancy Bear.
The disruption was a familiar takedown, Microsoft explained: "On Wednesday, April 6th,
we obtained a court order authorizing us to take control of seven internet domains
Strontium was using to conduct these attacks.
We have since redirected these domains to a sinkhole controlled by Microsoft,
enabling us to mitigate Strontium's current use of these domains and enable victim notifications."
This particular GRU campaign isn't the only one Microsoft has observed during Russia's war
against Ukraine. Microsoft characterized
Strontium's use of its now-sinkholed infrastructure as follows: "Strontium was using this infrastructure
to target Ukrainian institutions, including media organizations. It was also targeting
government institutions and think tanks in the United States and the European Union
involved in foreign policy. We believe
Strontium was attempting to establish long-term access to the systems of its targets, provide
tactical support for the physical invasion, and exfiltrate sensitive information. We have notified
Ukraine's government about the activity we detected and the action we've taken."

Among the inauthentic social media operations
Meta took down this week
were two Iranian espionage groups.
Meta's quarterly adversarial threat report said
the first network was linked to a group of hackers
known in the security industry as UNC788.
The second was a separate previously unreported group
that targeted industries like energy, telecommunications, maritime logistics, information technology, and others.
The first, a familiar actor, the threat cluster UNC788 (associated with Phosphorus, Charming Kitten), used a malicious version of a legitimate Android birthday calendar app,
a remote access tool that represented itself as a Quran,
and a data harvesting and remote access tool in a chat application. Its target list also included
familiar interests, journalists, dissidents, human rights activists, universities, and so on.
Indian authorities say they successfully stopped a cyber attack by Cicada, the Chinese threat actor also known as
Stone Panda or APT10. The attacks, described by Recorded Future, were concentrated in the
disputed Sino-Indian border around Ladakh. The Deccan Herald quotes Power Minister R.K. Singh
as saying, two attempts by Chinese hackers were made to target electricity distribution centers near Ladakh, but were not successful.
Power grid security has been of concern elsewhere.
The Wall Street Journal and Readme credit the biennial GridEx war game with doing much to shape CISA's Shields Up program.
The most recent GridEx was held in November, which afforded an opportunity to prepare for increased threat levels during the run-up to Russia's war against Ukraine.
A report of lessons learned from the exercise was released yesterday.
It includes high-level recommendations, each of which is expanded in some detail in the body of the report. They include... procedures and systems to share security information, continue to build on understanding
of GSE, continue to enhance routine and emergency operations coordination between the electricity
industry and natural gas providers, strengthen operational coordination between the electricity
industry and communications providers, and finally, continue to reinforce relationships
between governments in the United States and Canada
to support industry response to grid emergencies.
Note the emphasis on communication and relationship building.
And of course, remember, shields up.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Sometimes in the course of, say, penetration testing, you need to deliver client reports,
and they'll often have very
sensitive information in them. Sometimes data that you don't want to necessarily include in
clear text. And so you have a need to redact information. With text, that's pretty easy.
But sometimes it happens in a photograph. There's a picture of a screen or something like that,
and you have some text in there inside an image. So how do you properly redact that?
Dan Petro is a lead researcher at Bishop Fox.
People would like to get really cute and clever with redaction techniques.
You know, you try, like, blurring the data or swirling it or something like that.
And very often you'd see pixelization, like, pixelation.
That is a kind of way of saying,
look, half-revealing the data.
And it was always apparent to me, at least at the time,
this process can't be secure.
There must be a way of undoing that redaction process.
It's clearly leaking information through.
You can see bits and parts of it, but there was never a tool to
properly do this that really worked. And so I finally got around to making a tool that does
basically exactly that, that you could take pictures of redacted text using that pixelation
process and reverse it into its original text. Well, take us through exactly how you set about
doing this. Yeah, that's a good question. So there's some existing tooling on this. The most
prominent is a tool called Depix that uses this really fancy process of a De Bruijn, I think I'm
saying that right, the J might be silent or something, sequence that's literally trying to take those pixels
and really reverse them.
Let's take a further step back about like,
what the heck is a pixelation process to begin with, right?
The algorithm for it is actually remarkably simple.
You just take an end-by-end grid.
You just define how big you want your block size to be.
And then the algorithm just goes through
and averages all
of the pixels inside of that block and then sets the pixel equal to that average. So it just
basically takes all the data and smears it into these blocks. And the algorithm is remarkably
consistent across like every tool. So whether you use GIMP or Photoshop or like whatever,
it'll basically do the exact same process. So this tool called Depix
is super clever, and what it actually does is it tries to figure out what letter could
have resulted in that exact pixel, given its precise value. Depending on varying circumstances,
there might be some noise, though, right? Like if you had a picture of a
picture or if there's some slight error in the rendering, the wheels tend to fall off it pretty
quickly. So is this a matter that the English language, for example, has a limited number of
characters? And if you combine that with something like a dictionary? Do you find yourself making pretty good guesses?
In my tool, Unredactor,
we didn't use English words as guessing.
It doesn't necessarily brute force the whole thing,
much like a password cracking technique.
My insight into this was,
Depix is really great and really fancy,
but it's almost too fancy for me.
I wanted to do something much more dumb.
How about we just brute force it character by character? We're just going to guess. So all my tool does is you tell it the font and like the font size and some other detailed information around like character spacing
and letter space and things like that. Enough to reliably reproduce the original format of the text.
And then it just guesses the characters
one by one. So it tries the letter A and then renders it using a headless Chrome. It's an
Electron app. And then tries the letter B and then tries the letter C and sees which one matches up.
And what's really nice about that is it doesn't need to match up exactly. You can kind of get
within a certain distance of it. It's like a kind of fuzzy
matching threshold, so even if there's a little bit of noise or you don't get the font exactly
right or you don't get the spacing quite precise, it's actually fine as long as it's close enough.
It's good, and you can do that character by character, so you don't need to, like, guess whole,
unlike, you know, the password guessing, where you need to guess the whole password. You can't just guess half the password.
There's no extra credits.
There's no partial credit for half-guessing a password
when you're password-cracking, right?
Well, that's not true with this redaction technique with pixelation.
If you get the first three letters right, then you can know about that.
And that's kind of the crux of the vulnerability,
if you really put down to it.
Unlike a regular hashing problem,
in cryptography terms, it has no diffusion, we would say.
If you change one letter, it only changes the hash,
if you want to call it, the pixelization, the redacted text.
It only changes it in that exact area.
And so the consequence of that is that you're able to guess it character by character.
So you actually don't even need to throw English words at it or whatever.
So if you wanted to, that would actually strictly improve the process.
So how good is it?
I was very quickly able to solve the challenge text that I could produce.
But that only means that I could solve a problem that I made for myself.
So naturally, the very first thing I wanted to do was find a good test for this.
And lo and behold, there's actually
this wonderful challenge text
by another company called JumpSec
that had looked into the exact same problem,
found Depix, and identified that, you know,
maybe it works a little bit better in theory
than in practice.
And they issued like a challenge to the internet
to say like, here's some redacted text,
you know, can solve this, send us a note.
And so, yeah, I threw Unredactor at it and it worked.
So I was super happy with it.
I reached out to Caleb over there at JumpSec and they confirmed that my guess was correct.
They work out of the UK, so it took a little while, but they sent me some JumpSec swag.
I got like a mug and
a nice notebook from them. So yeah, huge shout-outs to Caleb over at JumpSec. They're great sports.
So what are your recommendations then? I mean, in terms of redacting things, I guess, you know,
pixelization is no longer on the menu, right? Definitely. The only way to go about it is to use black bars fully
covering the information you want to redact. Anything else is leaking information that can
potentially be reversed. So Unredactor doesn't specifically work against blurred text, but
there's no reason one couldn't make a slightly modified version of my program that just works
on blurred text. So I wouldn't recommend doing that sort of thing either. Of course, that comes with the normal caveats that there's a bunch of other things
that could go wrong with redacting text. If you use a lot of PDFs, for instance, you have to make
sure that the redaction technique you're using is actually removing the letters and not just simply
making it so that there's a black text on a black background, but the words are still there.
That kind of thing happens a lot.
In some cases, context can give you away,
where if you're, for instance,
redacting information in a report or a court document where there's only two names, Alice and Bob,
and you say the perpetrator was blank,
but it's clearly only three letters long,
well, then that's not really redacting very much, is it?
So there's still some things that can get you into hot water, but at least the very
basis use black bars fully covering the text. And that is in the actual image of the text, not in
a simple highlight function. That's Dan Petro from Bishop Fox. His depixelation tool is called Unredactor. You can find it on GitHub.
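As an added illustration of the point Dan Petro makes above about pixelation having "no diffusion" (this is constructed example code, not code from the podcast, from Dan Petro, or from the Unredactor project): a block-average pixelation filter is implemented as every image editor does it, two texts differing in one character are pixelated, and the tiles that changed are compared against the tiles that overlap the changed character. The same pair is then redacted with a solid black bar, which yields identical output regardless of the hidden text. The three-letter 3x5 bitmap "font", the 1-pixel spacing and the block size of 2 are assumptions chosen to keep the example small.

```python
"""Constructed demo: block-average pixelation versus black-bar redaction.

Shows why pixelated text leaks (a one-character change only alters the tiles
over that character) and why a black bar does not (output is independent of
the input). The glyph table is a toy, not a real typeface.
"""
from typing import Dict, List, Set, Tuple

Image = List[List[int]]  # 8-bit grayscale rows; 0 = ink (black), 255 = paper (white)

# Constructed 3x5 monospace glyphs; '1' marks an ink pixel. Unknown characters render blank.
GLYPHS: Dict[str, List[str]] = {
    "A": ["010", "101", "111", "101", "101"],
    "B": ["110", "101", "110", "101", "110"],
    "C": ["011", "100", "100", "100", "011"],
}
GLYPH_W, GLYPH_H, GAP = 3, 5, 1  # glyph size and inter-character spacing, in pixels (assumed)
CHAR_W = GLYPH_W + GAP           # horizontal advance per character
ROWS = GLYPH_H + 1               # one blank row under the glyphs


def render_text(text: str) -> Image:
    """Rasterise text on a white background; each character advances CHAR_W pixels."""
    width = CHAR_W * len(text)
    img = [[255] * width for _ in range(ROWS)]
    for idx, ch in enumerate(text):
        for r, row in enumerate(GLYPHS.get(ch, [])):
            for c, bit in enumerate(row):
                if bit == "1":
                    img[r][idx * CHAR_W + c] = 0
    return img


def pixelate(img: Image, block: int) -> Image:
    """Replace every block x block tile by its mean value (the 'pixelate' filter
    of GIMP/Photoshop-style editors). Partial tiles at the right or bottom edge
    are averaged over the pixels they actually contain, so any size works."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for by in range(0, h, block):
        for bx in range(0, w, block):
            ys = range(by, min(by + block, h))
            xs = range(bx, min(bx + block, w))
            mean = sum(img[y][x] for y in ys for x in xs) // (len(ys) * len(xs))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def black_bar(img: Image, x0: int, x1: int) -> Image:
    """Overwrite columns x0..x1-1 with solid black in every row."""
    return [[0 if x0 <= x < x1 else v for x, v in enumerate(row)] for row in img]


def changed_tiles(a: Image, b: Image, block: int) -> Set[Tuple[int, int]]:
    """Tile coordinates (row_tile, col_tile) at which two same-sized images differ."""
    diff = set()
    for y, (ra, rb) in enumerate(zip(a, b)):
        for x, (va, vb) in enumerate(zip(ra, rb)):
            if va != vb:
                diff.add((y // block, x // block))
    return diff


def tiles_for_char(index: int, block: int) -> Set[int]:
    """Column tiles that overlap character number `index`."""
    return {x // block for x in range(index * CHAR_W, (index + 1) * CHAR_W)}


def compare(text_a: str, text_b: str, changed_index: int, block: int = 2) -> dict:
    """Pixelate and black-bar two texts that differ only at changed_index and
    report which tiles of each redaction changed between the two."""
    a, b = render_text(text_a), render_text(text_b)
    pix_diff = changed_tiles(pixelate(a, block), pixelate(b, block), block)
    x0, x1 = changed_index * CHAR_W, (changed_index + 1) * CHAR_W
    bar_diff = changed_tiles(black_bar(a, x0, x1), black_bar(b, x0, x1), block)
    return {
        "pixelated_tiles_changed": pix_diff,
        # True when every changed tile sits over the changed character: no diffusion.
        "local_only": {bx for _, bx in pix_diff} <= tiles_for_char(changed_index, block),
        "black_bar_tiles_changed": bar_diff,
    }


if __name__ == "__main__":
    print(compare("ABC", "ABA", changed_index=2))
```

Running the script on "ABC" versus "ABA" reports that only two tiles, both in the column range of the third character, differ after pixelation, while the black-barred images are identical. That locality is exactly the property that lets a redacted string be checked one character at a time, and its absence under a black bar is why the interview recommends opaque bars applied to the image itself.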
There's a lot more to this conversation.
If you want to hear the full interview,
head on over to CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this
and many more extended interviews.

security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at OpenText.
David, always great to welcome you back to the show.
I want to ask you to get out your crystal ball and look forward for the rest of 2022.
What are some of the specific attack mechanisms that you think we may be in for as this year plays out?
Yeah, 2022.
I think a couple of things are going to be
the super fun repeat of 2021 and 2020 and 2019.
You know, we're going to continue to see
a ton of ransomware attacks and phishing attacks.
I mean, these are so successful,
they have no reason to divert from that focus
on those two type of both delivery mechanisms
and attack vectors and getting information from you.
Now, there's a couple of things that keep popping up
that are super fun for old guys like myself,
you being, of course,
in your spry 20s there, David, but worms. We're seeing a ton of worms. And this comes along with
the proliferation of ransomware. And you and I have talked many times about how the attackers
have moved up level from the consumer and small business to the larger organizations. And this is
why worms are an important part of their attack toolkit now, because once they land
inside an org, they're using worms all over the place to deliver as much as they can. So it's
pretty interesting to see that happening. And kind of one of the last exciting, terrifying things
about this year being an election year, David, I think we're going to see a ton of deepfake,
a ton of things coming
out in terms of, and those aren't directed necessarily at someone to steal their information,
but I think we're going to see a lot of video, audio, AI, modified technology that's going to
make it hard, you know, with the proliferation of bad information. It always upticks in election years.
Is there anything that you feel isn't getting the attention it deserves? Anything that,
you know, you're trying to shout from the rooftops and, you know, get people to focus on?
I have said this to you so many times, and it isn't anything exciting. Back up your data,
people, and patch your systems, because a lot of this stuff goes away if you do that.
That's one thing. And then another is really to hit on something that people don't realize can be a cyber issue is supply chain.
You know, we're struggling right now with inflation, with costs of everything.
And the minute that gets back on its feet,
some government organizations,
some individuals could really disrupt the supply chain and knock us back down.
And I think that's something
we don't pay a lot of attention to
because IoT was hot and exciting for a while,
then it faded away
and everyone has stopped thinking about industrial security.
And it's a big deal.
All right.
Well, David Dufour, thanks for joining us. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Alon Zahavi from CyberArk.
We're discussing their research, How Docker Made Me More Capable and the Host Less Secure.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin,
Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here next week.

Not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.