CyberWire Daily - Doxing, trolling, and censorship in a hybrid war. Borat RAT. State’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Wild youth. Hey spooks: brown bag it like the GRU.

Episode Date: April 4, 2022

Doxing, trolling, and censorship in a hybrid war. Western organizations remain on alert for a Russian cyber campaign. Known Russian threat actors continue operations against Ukraine proper. Borat RAT described. Welcome the US State Department’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Your wild ways will break your mother’s heart. Rick Howard weighs in on Shields Up. Josh Ray from Accenture on ideological differences on underground forums. And fast food as an OPSEC issue (and an OSINT source).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/64

Selected reading.
Ukraine intelligence leaks names of 620 alleged Russian FSB agents (Security Affairs)
Anonymous leaked 15 GB of data allegedly stolen from the Russian Orthodox Church (Security Affairs)
Listen Now: Deputy national security adviser talks about the risk of Russia waging cyberwar (NPR One)
Inside Cyber Front Z, the ‘People’s Movement’ Spreading Russian Propaganda (Vice)
Ukraine Accuses Russia of Using WhatsApp Bot Farm to Ask Military to Surrender (Vice)
‘It’s like 1937’: Informants denounce anti-Ukraine war Russians (The Telegraph)
Cyber Espionage Actor Deploying Malware Using Excel (Bank Info Security)
New Borat remote access malware is no laughing matter (BleepingComputer)
Deep Dive Analysis – Borat RAT (Cyble)
Establishment of the Bureau of Cyberspace and Digital Policy (United States Department of State)
Supply Chain Integrity Month: April is National Supply Chain Integrity Month (CISA)
As Russia Plots Its Next Move, an AI Listens to the Chatter (Wired)
Data leak from Russian delivery app shows dining habits of the secret police (The Verge)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Doxing, trolling, and censorship in a hybrid war. Western organizations remain on alert for a Russian cyber campaign. Known Russian threat actors continue operations against Ukraine proper. Borat RAT described.
Starting point is 00:02:16 Welcome the U.S. State Department's Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Your wild ways will break your mother's heart. Rick Howard weighs in on Shields Up. Josh Ray from Accenture on ideological differences on underground forums. And fast food as an OPSEC issue. From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 4th, 2022. As the week opens, news of Russia's war against Ukraine is dominated by accounts of atrocities that have come to light as Russian forces retreat from areas they'd occupied in the northern parts of the country around the capital. The main intelligence directorate of the Ukrainian Ministry of Defense has released what appears to be personal information on 620 people, it claims,
Starting point is 00:03:26 are FSB officers working on Russia's war against Ukraine. The data exposed includes names, phone numbers, addresses, vehicle license plates, SIM cards, date and location of birth, signatures, and passport numbers. Security Affairs points out that the authenticity of the data can't be confirmed. Hacktivists associated with the Anonymous Collective tweet that they've succeeded in doxing the Russian Orthodox Church. Anonymous TV said, Hackers leaked 15 gigabytes of data stolen from the Russian Orthodox Church's charitable wing and released roughly 57,500 emails via DDoS Secrets. DDoS Secrets noted that due to the nature of the data, at this time it is only being offered to journalists and researchers. Vice describes CyberfrontZ, a troll farm that hires social commenters, spammers,
Starting point is 00:04:23 content analysts, programmers, IT specialists, and designers to run social media posts and other comments intended to advance Moscow's line concerning its war against Ukraine, and to do so at scale, with fake personas deployed to give the impression of a mass movement. Cyber Front Z's home base and public face is on Telegram, but its trolls operate in other media. It's noteworthy that the front's operators need to fire up their VPNs to gain access to other largely blocked social networks, and also noteworthy that the VPNs themselves are currently in bad odor with the Kremlin, wary as it is of the VPNs' reputation for anonymous circumvention of censorship. Some Russian influence operations are more tightly focused.
Starting point is 00:05:13 Vice reports elsewhere that the Security Service of Ukraine last week exposed a bot farm operating out of Ukraine but, according to the SBU, remotely controlled from Russia. The bots were smishing Ukrainian soldiers with resistance-is-futile texts. They said, the outcome of events is predetermined. Be prudent and refuse to support nationalism and leaders of the country who discredited themselves and already fled the capital. There's a triple exclamation point emphasis in the original. The guy whose apartment they found the troll server in said he had no idea what was going on. Telephone tip hotlines, websites, and Telegram channels have been established to encourage and enable good citizens to report those whom President Putin has described as traitors. The Telegraph observes that it would be inaccurate to conclude
Starting point is 00:06:06 the denunciations were explicable purely in terms of state pressure. The paper quotes OVD Info, which the Telegraph describes as a Russian human rights organization, to the effect that such denunciations arise also from a broad popular base of support. The Telegraph said ordinary people are getting involved in the repression too. This is being driven by ordinary Russians. Massive cyber attacks of the kind widely expected have yet to materialize, but Western intelligence services continue to warn that Russia can be expected to be keeping its options open in this respect.
Starting point is 00:06:44 U.S. Deputy National Security Advisor Anne Neuberger spoke with NPR on Friday. We continue to see evolving intelligence, as we talked about last week, that the Russian government is exploring options. And we continue to, most importantly, double down in working closely with the private sector to share that sensitive threat intelligence and really try to create the urgency for action and the call to action to put in place the cybersecurity measures that would prevent that from being successful. Deputy National Security Advisor Neuberger also cautioned that there was no specific intelligence that such an attack was imminent, but that the private sector should take steps to increase its resilience should such attacks take place.
Starting point is 00:07:31 Known Russian threat actors have been active in the theater of operations. Researchers at Malwarebytes report UAC-0056, also known as SaintBear, UNC2589 and TA471, is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites. Earlier in March, CERT-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant and GraphSteel, as well as Cobalt Strike Beacon. Following up with that campaign, SOC Prime and SentinelOne have reported some similar activities associated with this actor. In late March, the Malwarebytes threat intelligence team identified new activity from this group
Starting point is 00:08:31 that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that tried to convince victims to open a URL and download a first-stage payload, or that distributed fake translation software, in this campaign the threat actor is using a spear phishing attack that contains macro-embedded Excel documents. Malwarebytes has a blog post which provides technical analysis of the new campaign.
Starting point is 00:09:54 Cyble describes a new and unusually capable remote-access Trojan, Borat RAT, an homage to the Sacha Baron Cohen character, which the researchers call a triple threat, combining, as it does, the functionality of a RAT, spyware, and ransomware.
Starting point is 00:11:09 BleepingComputer reports that Borat's place in the C2C underground market is unclear. It's not known whether it's being sold or being freely traded, but it seems to be spreading through the underworld. The U.S. State Department today stood up its new Bureau of Cyberspace and Digital Policy. The bureau will be led initially by Jennifer Bachus, a career Foreign Service officer. She'll serve as Principal Deputy Assistant Secretary for the CDP Bureau until the Senate confirms an ambassador-at-large to lead the organization.
Starting point is 00:11:49 CISA continues to set the table for a meal of best practices. April is National Supply Chain Integrity Month, and CISA's focus is on the information and communications technology supply chain. They say, Information and communications technology products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats. The BBC reports that two teenagers, one 16, the other 17, were arraigned Friday at London's Highbury Corner Youth Court on charges connected with the
Starting point is 00:12:23 activities of the Lapsus$ gang. Both are charged with fraud as well as a variety of computer-related offenses. Both have been released on bail. Their names are being withheld on account of their tender years. And finally, to return to the war against Ukraine, unsecured Russian tactical communications appear to remain an important source of detailed information on the movements and condition of Russian units. Wired describes the intercepts and what they reveal. It's not just tactical comms either. Gustatory comms are also spilling the metaphorical beans. The Verge reports that Yandex Food, a food delivery subsidiary of the Russian internet giant
Starting point is 00:13:07 Yandex and, roughly speaking, Russia's equivalent of Grubhub or DoorDash, disclosed in early March that it had sustained a data breach that exposed customer information. The company blamed the dishonest actions of an employee for the leak, and reassured customers that their login credentials and payment information, at least, weren't compromised. About 58,000 diners were affected, and the Russian powers that be aren't happy. According to Reuters, the information regulator has restricted access to an online map that appeared on March 22nd, where the names, phone numbers, and addresses of Yandex.Eda customers were exposed, and said Yandex faced a fine of up to 100,000 rubles. It's about a thousand bucks. There's also woofing about a class action suit on behalf of injured diners.
Starting point is 00:13:59 The fine may be low, but the data is interesting. Bellingcat has sifted through it and found that a lot of deliveries go to military and intelligence personnel. The GRU seldom appeared in the data, but the FSB was well represented. Maybe the GRU has better OPSEC than its sister agency, or perhaps the military intelligence types just tend to brown bag it. The data exposed betrayed both identities and, indirectly at least, affiliations. Particularly interesting are the instructions the purchasers gave the delivery people on how to get through various checkpoints. Things like, go up to the three boom barriers near the blue booth and call, after the stop for the bus 110 up to the end. Or as another diner wrote on their order,
Starting point is 00:14:46 close territory, go up to the checkpoint. Call number 10 minutes before you arrive. Well, what are you going to do, right? It's not like you're going to just walk over to McDonald's for that happy meal anymore. It's always my pleasure to welcome back to the show the Cyber Wire's own Rick Howard.
Starting point is 00:15:54 He is our chief security officer and chief analyst. Rick, the CSO Perspectives podcast over on the pro side has been on hiatus for a couple of weeks now. But, you know, we've had recent developments in the war in Ukraine, and I know you've got some thoughts about how all network practitioners should be thinking about potential Russian cyber attacks in the near future. What do you got for us today? Yeah, hey, Dave, and that's right. The Cybersecurity and Infrastructure Agency, or CISA, issued their shields up warning on 21 February this year. And by the way, my hat is off to them for using a Star Trek reference to warn of a pending Russian cyber attack. How great is that?
Starting point is 00:16:33 Come on. You got to like that part. Yes. So a couple of days ago, though, President Biden encouraged private sector companies to strengthen their cybersecurity against a potential attack from Russia. And he said, I quote, it's part of the Russia's playbook, end quote. And he's right. With the Ukraine war moving into a new phase, and specifically as allied countries in the West push President Putin further and further into a corner with sanctions and whatnot, it seems likely that he might lash out against the U.S.
Starting point is 00:17:04 Well, so the Shields Up program encourages all U.S. organizations that if you've been delaying cybersecurity projects for whatever reason, now is probably a good time to put those on the front burner. Well, absolutely, and that's excellent advice. And here at the Cyber Wire, we support CISA's efforts to get the word out on these general purpose recommendations, things we all should have done by now, even before this Russian situation. But let's face it. These things are things that we've known in the security community to do for at least a decade.
Starting point is 00:17:34 So if you haven't done them yet, the chances that you will get them done, say, in the next few weeks before the Russians do something catastrophic are pretty low. So may I offer a little different advice that you can do this very moment that will be more impactful, let's say? By all means, let's have it. All right. So, for the last two years on the CSO Perspectives podcast, we've been talking about four cybersecurity first principle strategies. Two of them, zero trust and resilience, would fall under the umbrella of the Shields Up program. These are general purpose strategies that would help against all kinds of adversaries, you know, criminals, hacktivists, nation states.
Starting point is 00:18:11 But one strategy, intrusion kill chain prevention, is tailor made for this unique situation that we find ourselves in. The difference between intrusion kill chain prevention and zero trust is that on the kill chain, we are deploying specific detection and prevention controls on whatever security tools you have in place precisely designed for that known threat, in this case, Russia. And we have a fantastic collection of open source intel on everything the Russians have done in cyberspace for the past 20 years. Just wag on over to the MITRE ATT&CK Framework Wiki and look up the Russian adversary groups and campaigns. There's like 19 of them, and at least seven of them have been active this year. You know, you've heard them all. All of the bears, like Fancy, Cozy, Voodoo, and Primitive, and a few new groups we haven't heard of before, like Walleye, Zebrocy, and Earworm.
Starting point is 00:19:03 And in the ATT&CK Wiki, MITRE lists the tactics, techniques, and procedures for most of them. So my recommendation is for all network defenders to go through that list and install as many detection and prevention controls you can come up with for all of those Russian actions across the kill chain on the security stack that you already have in place. Now, I hear the naysayers out there, Dave. You know, there's a chance. No, in cybersecurity, naysayers? No. So, I agree that there's a chance that Russia will come up with an entirely new campaign across
Starting point is 00:19:38 the kill chain that we've never seen before. But you know what? The odds aren't that great. Instead, they will most likely cobble together a bunch of their greatest hits and use those. So if you have prevention and detection controls in place for as many of the known Russian tactics, techniques, and procedures as you can, your chances of preventing a successful Russian cyber attack against your organization is pretty high. All right. Well, I mean, that's excellent advice. But what about for, say, smaller organizations, those folks who don't have SOCs or intelligence teams? They're going to find this difficult to navigate. What should they do?
Starting point is 00:20:15 Well, I mean, that's a great question. And my advice to those organizations is they should be turning to their own security vendors now and demanding to know the specific ways their products are protected against the Russian adversary playbook. You know, the Amazons, the Googles, the Microsofts, for sure, but also all those pure play security vendors like Palo Alto Networks, Check Point, Cisco, and a gazillion others that are out there. The bottom line here is that we've been looking at the kill chain philosophy for over a decade. The Lockheed Martin researchers published their paper on it in 2010. This year, 2022, is the use case for the model. We're pretty sure the Russians are coming.
Starting point is 00:20:54 We know how they operate in cyberspace. And we're all going to look pretty bad if the Russians successfully attack us. And we didn't have any of those protections in place beforehand. All right. Yeah. Well, wise words, huh? Well, I don't know about that. We'll see how it goes.
Starting point is 00:21:10 That's right. I'm just imagining you with your hands on your hips saying, I told you so. I told you. I'm wagging my finger at everybody right now. That's right. That's right. All right. We'll get to it, folks.
Starting point is 00:21:24 Rick Howard, thanks so much for joining us. Thank you, sir. And I'm pleased to be joined once again by Josh Ray. He is Managing Director and Global Cyber Defense Lead for Accenture Security. Josh, it's always great to have you back. Dave, happy to be back as always. You know, I know you and your team, as lots of people are, are keeping a close eye on the conflict between Russia and Ukraine. I wanted to check in with you today to see what sorts of things
Starting point is 00:22:08 you all are monitoring on underground forums. Yeah, Dave, this is really kind of a first for us. In the sense that we've been kind of in this mission space for, shoot, now at least over a decade around monitoring underground forums. And I think for the first time, we've really started to see an ideological split amongst cyber criminals. Now, you see it all the time with the hacktivists
Starting point is 00:22:35 and things like that. But we're talking about financially motivated criminals that are now choosing sides. And that's got some really significant implications around targeting, around capability, that I think your listenership really should be aware of. You know, we've joked for a while that there's no honor among thieves. And so it's interesting for me to hear you describe some of these fractures that are happening among this community.
Starting point is 00:23:04 Any specifics you can share with us? Yeah, it's actually, I mean, talk about no honor among thieves. I mean, there's even one forum that one of our researchers was telling me about where instead of actually selling wares or looking to profit from some of this activity, they're offering places to stay for some of these different refugees that are coming out of Ukraine. But the big shift, I think, for us and what we've seen is really around this idea of, are you actors?
Starting point is 00:23:40 And a lot of these forums, which have banned some of these ransomware affiliate cartels because of the heat that was brought on from a lot of law enforcement are now welcoming them back in. So the gloves are really starting to come off here. We're starting to see activity around actors that are leaking data instead of actively selling it. They're giving significant discounts on some of the things that they would normally look to drive a high degree of profit
Starting point is 00:24:12 on as well. And from a targeting standpoint, I think the thing that's most disturbing is that for a while, critical infrastructure had abated, or the targeting of critical infrastructure for a while. But now we're starting to see that come directly back into the fold. So Western critical infrastructure targets like oil and gas companies, but especially financial services and insurance companies are looking to be targeted because I think they're being viewed as that kind of quote unquote working arm of the sanctions. So this is something that especially I think folks need to be worried about. And is this a response to some, as you say,
Starting point is 00:24:51 the sanctions and the financial squeeze that's going on for folks who are in Russia? I mean, I think part of it, but it's, I think it's primarily politically motivated, right? I mean, they're really lining up as far as either pro-Russian or pro-Ukrainian and taking their capability and their wares with them. Here's the thing to really think about.
Starting point is 00:25:15 When we first started watching Hacktivist way back when, some of the other hackers in the forum would laugh at some of the capability. This is early on, 10 plus years ago, and they were using tools that were commoditized or whatever. Now we're talking about cyber criminals that are highly technical, that are highly capable, that have the resources to pay millions of dollars for zero-day exploits. And we've seen them do that now over the past few months, and with the access and the ability to impact companies significantly.
Starting point is 00:25:53 So it's kind of bad enough now that we're starting to see individuals line up across these different ideological lines, but when they start to cross-collaborate or organize, I think we're going to see a heightened threat, especially to Western corporations. I think a lot of folks are left scratching their heads that we haven't seen more cyber activity than we have. What's your reaction to that?
Starting point is 00:26:21 I think the fact that the kinetic attack has been kind of methodically plodding along, there maybe hasn't been a need to bring out some of those cyber weapons that they might be kind of holding close to the chest. But also, you know, the fear of invoking additional impact from, say, like Western countries like the U.S. or other NATO countries could be also playing into that as well, too. Like once they start to significantly target critical infrastructure in those countries, we may see an escalation. And I think everybody's kind of a little bit leery potentially of that happening. Yeah. All right.
Starting point is 00:27:05 Well, Josh Ray, thanks for joining us. Thank you, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Starting point is 00:27:43 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Thanks for listening. We'll see you back here tomorrow.
