CyberWire Daily - Epistemic closure in a hybrid war. Wiper used against Viasat modems. US Treasury sanctions more Russian actors. Remediating Spring4Shell. Notes from law enforcement. And we’re not joking.
Episode Date: April 1, 2022
Attempting to evolve rules of cyber conduct during a hot hybrid war. Waiting for major Russian cyber operations. Viasat terminals were hit by wiper malware. Patches and detection scripts for Spring4Shell. Warning of ransomware threat to local governments. Emergency data requests under Senatorial scrutiny. NSA employee charged with mishandling classified material. Andrea Little Limbago from Interos on Bots, Warriors and Trolls. Rick Howard speaks with Maretta Morovitz on cyber deception. And no April Foolin’ here.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/63
Selected reading.
Russia’s War Lacks a Battlefield Commander, U.S. Officials Say (New York Times)
Putin may be self-isolating from his military advisers, says White House (The Telegraph)
Confronting Russian Cyber Censorship (Wilson Center)
Zelensky Fires Two Generals (Wall Street Journal)
French intelligence chief Vidaud fired over Russian war failings (BBC News)
Cyber War Talks Heat Up at UN With Russia at Table (Bloomberg.com)
Foreign Ministry statement on continued cyberattack by the “collective West” (Ministry of Foreign Affairs of the Russian Federation)
New Protestware Found Lurking in Highly Popular NPM Package (Checkmarx.com)
Russia targeting Ukraine, countries opposing war in cyberspace (Jerusalem Post)
Conti Leaks: Examining the Panama Papers of Ransomware (Trellix)
British intelligence agencies: Moscow continuously attacks Ukraine in cyberspace (The Times Hub)
AcidRain | A Modem Wiper Rains Down on Europe (SentinelOne)
SentinelOne finds ties between Viasat hack and Russian actor (SC Magazine)
ExtraHop CEO: Expect a Russian cyber response to sanctions (Register)
Treasury sanctions Russian research center blamed for Trisis malware (CyberScoop)
Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War (U.S. Department of the Treasury)
Evgeny Viktorovich Gladkikh – Rewards For Justice (Rewards for Justice)
Spring confirms ‘Spring4Shell’ zero-day, releases patched update (The Record by Recorded Future)
Spring4Shell (CVE-2022-22965): Are you vulnerable to this Zero Day? (Cyber Security Works)
Ransomware Attacks Straining Local US Governments and Public Services (IC3)
Senate’s Wyden Probes Use of Forged Legal Requests by Hackers (Bloomberg)
NSA Employee Charged with Mishandling Classified Material (Military.com)
National Security Agency Employee Indicted for Willful Transmission and Retention of National Defense Information (US Department of Justice)
National Security Agency Employee Facing Federal Indictment for Willful Transmission and Retention of National Defense Information (US Department of Justice)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Attempting to evolve rules of cyber conduct during a hot hybrid war.
Waiting for major Russian cyber operations.
Viasat terminals were hit by wiper malware.
Patches and detection scripts for Spring4Shell.
Warnings of ransomware threats to local governments.
Emergency data requests are under senatorial scrutiny.
An NSA employee's been charged with mishandling classified information.
Andrea Little Limbago from Interos on bots, warriors, and trolls.
And Rick Howard speaks with Maretta Morovitz on cyber deception.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 1st, 2022.
A meeting this week of the United Nations Open-Ended Working Group for Security and the Use of Information and Communications Technologies, a body established some time ago at the instigation of Russia, continued its deliberation concerning international norms of conduct in cyberspace.
Bloomberg says the sessions were dominated by sharp Western criticism of Russian cyber aggression and misconduct and Russian rejoinders to the effect that it
and nobody else is really the injured party in cyberspace. Vladimir Shin, the Russian representative,
said that accusations of Russian cyber offenses were completely unfounded, and channeling the spirit of Richard Milhous Nixon,
that Mr. Shin was confident he spoke for the silent majority.
This technique of unlikely insistence was also seen earlier this week
in a statement issued by Russia's Ministry of Foreign Affairs.
Remarkable for mendacity even by the low standards of Russian diplomacy, it's worth reading
in full as a distillation of Moscow's talking points about its hybrid war, so do go and read
the whole thing. But to summarize, according to Russia, the foreigners who oppose the fundamentally
defensive special military operation, whose goal is the demilitarization and denazification of Russia's
smaller neighbor, those foreigners, the ministry says, are a bunch of russophobes incited and hired
by the United States and its satellites. They're carrying out hundreds of thousands of malicious
attacks daily against Russia. The foreigners are stealing Russians' personal data, and worse yet,
they're posting fake news online
to disorient and demoralize Russian society,
discredit the actions of the Russian armed forces and government agencies,
encourage unlawful activities of the public,
and complicate the operation of their industrial sectors
and sow fear and instability in their country.
It's all coordinated and unprecedented by the U.S. and NATO.
In fact, this cyber war is being waged by an army of cyber mercenaries who have been given
concrete combat tasks that often border on terrorism. Naturally, the Russians are fighting
back with great success, they say, and they're going to take all this up at the UN. So there.
The widespread and damaging Russian cyber campaign against Ukraine and Western targets that's been
widely expected has yet to appear, although Russian operators have maintained at least a
continuous nuisance level of attacks against Ukrainian networks. But Western authorities
continue to warn that such attacks are likely
and that organizations should be prepared to withstand them.
CISA's Shields Up alert is representative.
The Register, talking to private sector experts,
notes that Russian cyberattacks have increased over the past month
and that industry sees itself as having a narrow window
in which it can improve its resilience to such attacks. ExtraHop CEO Patrick Dennis told the Register that he expects the
rising effects of sanctions to increase the likelihood that Russia will retaliate in
cyberspace against economic warfare it's unable to counter in other ways. Sentinel Labs researchers
have concluded that Russian wiper malware,
specifically a variant they call AcidRain, was deployed against Viasat modems,
and Viasat has substantially confirmed Sentinel Labs' analysis. The researchers explain,
AcidRain is an ELF MIPS malware designed to wipe modems and routers. We assess with medium confidence that there are developmental similarities
between AcidRain and a VPNFilter Stage 3 destructive plug-in.
In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.
AcidRain is the seventh wiper deployed against Ukraine since the beginning of
the hybrid war. The Viasat attack is noteworthy because it alone had significant spillover into
operations outside Ukraine proper. It's regarded as the most serious cyber attack of Russia's war
so far, and the most likely suspect is the GRU's Sandworm APT.
Spring has released a patch for the Spring4Shell remote code execution vulnerability in its framework. Cybersecurity Works has published a detection
script that enables an organization to determine its exposure to this particular vulnerability.
The FBI has warned, and CISA seconded the warning, that ransomware operators pose a rising threat to local governments.
The Bureau's advice is familiar. Apply sound security practices and don't pay the ransom.
Revelations that Apple and Meta responded to fake emergency data requests have led Senator Ron Wyden, Democrat from Oregon,
to begin an investigation of the emergency data request system as such.
Law enforcement surely needs ways of getting data in an emergency,
but there should be, the senator suggests,
some checks and balances that will enable companies
to distinguish real requests from subpoena fraud.
The U.S. attorney for the District of Maryland
has announced the indictment of an NSA employee,
Mark Robert Unkenholz, with 13 counts of unlawful retention of classified material
and 13 counts of unlawful transmission of classified material.
He's alleged to have used his personal email account to send classified information
to someone who worked at different times for
two unnamed companies. Mr. Unkenholz, who was arraigned yesterday in Baltimore,
is said by the Military Times to have worked for an office responsible for engaging private
industry. Sure, you want to reach out to private industry, but not with classified information
they're not authorized to receive, and especially not when you store that information and send it through your personal email account.
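The Spring4Shell item in the news segment above mentions a published detection script but does not show one. What follows is an added example written for this page; it is not the episode's code and not the Cybersecurity Works script. It is a Python scanner that finds Spring Framework jars under a directory, reads the version from each jar's manifest, and flags anything older than the first fixed releases, 5.3.18 and 5.2.20. Those version numbers come from Spring's advisory for CVE-2022-22965, not from the episode. The jar names it looks for and the two sample jars it builds in a temporary directory are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed releases per Spring's advisory for CVE-2022-22965 (a fact from
# the advisory, not from the episode). Anything below 5.2.20 on the 5.2 line
# or below 5.3.18 on the 5.3 line is affected, as are unsupported 5.1 and
# earlier releases.
FIRST_FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from e.g. '5.3.17' or '4.3.30.RELEASE'."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version):
    """True if this Spring Framework version predates the CVE-2022-22965 fix."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    line = v[:2]
    if line in FIRST_FIXED:
        return v < FIRST_FIXED[line]
    # 5.4+ and 6.x shipped after the fix; 5.1 and earlier are unsupported and affected.
    return line < (5, 2)


def jar_spring_version(jar_path):
    """Read Implementation-Version from the jar manifest, falling back to the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return jar_path.stem.rsplit("-", 1)[-1]


def scan_jars(root):
    """Map each spring-beans/webmvc/webflux jar under root to (version, vulnerable)."""
    results = {}
    for jar in Path(root).rglob("spring-*.jar"):
        if not jar.name.startswith(("spring-beans-", "spring-webmvc-", "spring-webflux-")):
            continue
        version = jar_spring_version(jar)
        results[jar.name] = (version, is_vulnerable_version(version))
    return results


def build_sample_jars(root):
    """Constructed sample input: two minimal jars containing only a manifest."""
    for name, version in (("spring-beans-5.3.17.jar", "5.3.17"),
                          ("spring-webmvc-5.3.18.jar", "5.3.18")):
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Build the sample jars in a temp dir, scan them, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return scan_jars(tmp)


if __name__ == "__main__":
    for jar, (version, vulnerable) in sorted(demo().items()):
        print(f"{jar}: {version} -> {'VULNERABLE' if vulnerable else 'fixed'}")
```

Run it as a script to see the two constructed jars classified, or point scan_jars at a real deployment directory. Spring's advisory also lists JDK 9 or later and a WAR deployed on Tomcat as preconditions for the known exploit, but the version check is the remediation signal: an old jar running on JDK 8 today still needs the patch.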
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
It is April Fool's Day, which by our measure is the perfect day for our own Rick Howard to talk with Maretta Morovitz on the Engage framework for cyber deception.
Here's Rick.
I'm joined by Maretta Morovitz, the Engage lead at MITRE. Maretta, thanks for coming on the show. Thanks so much for having me. I'm really excited
to be here. You've been working for MITRE for over six years now and as a cybersecurity engineer,
but now you're running this relatively new MITRE project called Engage. Can you give me the
elevator pitch for what Engage is? Sure. So Engage is MITRE's
collection of resources to lower the barrier of entry and raise the ceiling of expertise
and adversary engagement. That's a fancy phrase for deception operations. Is that right?
Almost. We like to kind of think about it as you have sort of two pillars. You have
denial and you have deception. And when you think of these two sets of activities, you can do either one sort of on their own, but when you work with them together and then you
layer a strategic planning and analysis on top, that's what we really talk about as adversary
engagement, that full process from planning to operating where you're incorporating that
deception and that denial. And then ending with that understanding where you're really taking
the outputs of your operations, understanding sort of what you're getting.
Is it driving towards your goals?
Did you make progress towards your goals?
And then feeding that back in.
So you have that kind of continuous iterative loop of refining and learning and growing.
You officially announced the project, although it's been in beta for a few months, but you officially announced it in February.
And you and your team have created a website with resources and information for all kinds of stuff.
So can you walk us through what we can find at the site?
Yeah.
So obviously kind of core and central to who we are is our Engage matrix.
So that features prominently on our site.
One of the things that we did between releasing our beta and now is we had a lot of conversations with folks in the community, whether those were CISOs, defenders, vendors, all our different user groups, and really understood what were their use cases,
how were they thinking about this, did Engage support them? And one of the big lessons we
learned was that just putting a matrix out into the world, while useful, really didn't provide
enough support and guidance for the community to enable really what they needed to do. And so
one of the things you'll find on the website is we have a starter kit.
If you're looking to just sort of understand
what is this space and how do I jump in,
we have a starter kit.
If you'd rather kind of see the whole picture
of all the different tools,
we have a whole collection of resources
and that includes white papers,
it includes posters, it includes the matrix,
it includes a variety of things
that sort of you can pick and choose
and a la carte style what you're interested in.
And we also have pages where we're highlighting things going on in the community. So we have a whole community spotlight section. We're really focusing on just showcasing what's out
there and all the other interesting work and interesting directions the community is going in.
So I've been a big fan of the idea of deception and operations around deception, you know,
actually blocking bad guys from what you've discovered since my early days in the cybersecurity world. But in the commercial world, and maybe even
the academic world, spending resources on deception always felt like it was a nice-to-have item
compared to other things that would probably have a bigger impact, like zero trust or
resilience or intrusion kill chain prevention using the MITRE ATT&CK framework.
And deceptions operations aren't fire and forget. They're pretty work intensive.
My experience, you need heavy lift of people and process and technology to even get a basic
program working. Has that situation changed here recently? Is that why MITRE and Engage
are pursuing this now? Yeah, I think, so I think in a lot of ways, there's a lot of different pieces
and layers to what you just said.
So I'm going to walk through them all.
I think first and foremost,
that a lot of what adversary engagement is,
is it's a mindset shift, right?
And I think zero trust is that same mindset shift.
It's adversaries are eventually are going to get in
and we need to make a presumption of compromise mentality
when we think about our defenses, right?
It's not enough to think about hardening.
It's not enough to think about defense in depth if you don't think about what happens
when they eventually get through. And so a big piece of what MITRE is trying to say with Engage
is not that you need to go buy the super fancy subatomic honeypot that does a million things.
The subatomic honeypot? I need that.
On the blockchain. And maybe that might fit your needs,
but maybe what fits your needs
is a number of decoy share drives
that you sort of identify
where your high value data lives
and maybe your high value employees.
And you start sprinkling decoy shares
around their drives
and making sure that there's some ambiguity
in that environment.
Or maybe it's a matter of sprinkling decoy credentials
in your network.
So that way, when one of those credentials gets used, you get a high fidelity alert
that something is going on. So I think a lot of what deception is, it can be sort of this
resource intensive, but it also can be, how do I think about upping the ambiguity in my environment,
upping the uncertainty, so that when someone gets in, I'm not automatically lost.
And that's sort of the kind of the main point that we care about.
Good stuff, Maretta, but we're going to have to leave it there. That's Maretta Morovitz,
the Engage lead at MITRE. Maretta, thanks for coming on the show.
Thanks so much for having me. This was great.
There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
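Maretta Morovitz's point in the interview above, that decoy shares and decoy credentials turn an intrusion into a high-fidelity alert, can be shown in a few lines of detection logic. The block below is an added example for this page; it is not MITRE Engage code and nothing from the interview. The decoy account names, the decoy share path and the log lines it reads are all constructed for the demonstration. The sshd line format is the standard auth.log one; the JSON event shape is an assumption standing in for whatever a file server or identity provider actually exports.

```python
import json
import re
from dataclasses import dataclass

# Hypothetical decoy identities and a hypothetical decoy share. Nothing
# legitimate should ever touch these, so any use, including a failed logon,
# is worth an alert.
DECOY_ACCOUNTS = {"svc_backup_ro", "adm_legacy"}
DECOY_SHARES = {r"\\fs01\finance_archive"}

# sshd auth.log lines: "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
SSHD_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class Alert:
    kind: str        # "decoy_account" or "decoy_share"
    indicator: str   # which decoy was touched
    source: str      # client address, the pivot for the analyst
    outcome: str     # what the log says happened
    raw: str         # original line, kept for the case file


def check_line(line):
    """Return an Alert if this line touches a decoy, otherwise None."""
    m = SSHD_RE.match(line)
    if m:
        if m["user"] in DECOY_ACCOUNTS:
            return Alert("decoy_account", m["user"], m["src"], m["outcome"], line)
        return None
    if line.startswith("{"):
        # Constructed JSON event shape (assumed export from a file server or IdP).
        ev = json.loads(line)
        if ev.get("user") in DECOY_ACCOUNTS:
            return Alert("decoy_account", ev["user"], ev.get("src", "?"),
                         ev.get("outcome", ev.get("event", "?")), line)
        if ev.get("path") in DECOY_SHARES:
            return Alert("decoy_share", ev["path"], ev.get("src", "?"),
                         ev.get("event", "?"), line)
    return None


def scan(lines):
    """Run every line through check_line and keep the hits, in log order."""
    return [a for a in map(check_line, lines) if a is not None]


def hits_by_source(alerts):
    """Count decoy touches per client address so the analyst can pivot to the host."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


# Constructed sample log: one host probing a decoy account over SSH, then
# reading a decoy share and logging on as a second decoy. jsmith's own
# activity is legitimate noise and must not alert.
SAMPLE_LOG = [
    "Mar 31 02:14:07 bastion sshd[4123]: Failed password for invalid user svc_backup_ro from 10.20.30.40 port 51822 ssh2",
    "Mar 31 02:14:09 bastion sshd[4125]: Accepted publickey for jsmith from 10.20.30.41 port 51823 ssh2",
    r'{"event":"share_access","user":"jsmith","path":"\\\\fs01\\finance_archive","src":"10.20.30.40"}',
    r'{"event":"logon","outcome":"success","user":"adm_legacy","src":"10.20.30.40"}',
    r'{"event":"logon","outcome":"success","user":"jsmith","src":"10.20.30.41"}',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.kind}: {a.indicator} from {a.source} ({a.outcome})")
    print("hits by source:", hits_by_source(found))
```

The rule is deliberately blunt: any touch of a decoy, including a failed logon, is an alert, because no legitimate process should even know the decoy exists. That is what makes the signal high fidelity, and it is also why decoy accounts must carry no real privileges and decoy shares must hold no real data. Grouping hits by source, as hits_by_source does, gives the analyst the pivot to the compromised host; in the constructed log every hit traces back to 10.20.30.40.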
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today.
... to the show, Andrea Little Limbago.
She is Vice President of Research and Analysis at Interos.
Andrea, great to speak with you again. You know, I think all the things that we've been tracking here in regards to Ukraine and Russia and the tension on the border there has really brought to light a lot of the information issues that I know are things that you track and have your eye on.
What specifically has caught your eye here?
Yeah, and thanks for having me back, Dave. So what I've been researching
and sort of discussing across the community
for a while is this notion of bots, trolls, and warriors,
because I think it's an easy thing to remember,
if nothing else.
But really what it does is it epitomizes
what I think of as the modern
digital authoritarian playbook.
And within that, you have the bots,
which are basically leveraging automation,
everything from simple automated scripts to machine learning and AI, that then, in turn, helps inform the range of cyber attacks.
That's where you get the cyber warriors, which are not necessarily my favorite term, but that's kind of where we have fallen with how we describe some of the folks in that field.
But that really does reference the range of cyber attacks from DDoS to ransomware, wiper malware, and so forth. And then there's the trolls, which are the disinformation, misinformation that goes on. And for each of those, the automation,
the bots, and so forth can both help spread the, cast a wide net really, really well for a very
broad impact. But they also enable really strategic and tactical
targeting. So it's almost, you know, it's a multi-use approach to basically achieving
objectives. And what we've seen, you know, over the last few months with Russia towards Ukraine
is exactly this modern authoritarian playbook in the digital realm where we see the disinformation combined
with cyber attacks, combined with bots all working together to try and spread both for
the psychological impact and also for a physical impact. It's been interesting to me to see,
for example, the U.S. intelligence community has been unusually open about the things that
they're seeing here. And it seems to me to be an effort to counter
exactly the thing you're talking about. No, that's right. I think this is actually a really
interesting example where we're seeing what it actually looks like for democracies to come
together and actually try and counter some of that playbook. And again, while this authoritarian
playbook has been around for a while now, almost a decade if you think about the digital components to it, democracies really haven't pulled together a counterweight for a playbook.
And so it's interesting to watch what's going on right now.
It'll be interesting to see how well it plays out.
But I think there has been good coordination, being very open about when they're getting the biggest DDoS attack that they've ever had before, which happened early February, the attacks on their financial systems and so forth. And so I think the transparency and openness about that, which in some regards is a little bit different. For a while, companies or entities that are hit by
various kinds of cyber activity tended to keep it quiet and try to deal with it on their own.
Now we're seeing that that paradigm is flipping to be very open about all this, to really call
Russia out for what they're doing, what their activity is. And I think that's a good example
for how transparency can help counter it. And it's hard. And for sure, there are competing narratives that
are going on right now. Yeah. I mean, it's even just things like saying, they've been saying,
this is what we expect to see from them. We think they're going to put stories about atrocities
out there in the press that by preempting that, it can take away some of the sting.
It can. And the challenge, though, is that it's targeted pretty well for the English-speaking
parts of the world. But you still hear that Russia is doing a very good job basically
infiltrating various kinds of Russian language media outlets as well. But at the same time,
the U.S. also has called them out for doing that, saying that the Russian intel services
are coordinating with various kinds of Russian language
media outlets.
But it's hard.
If you have parts of the world only getting news
from certain areas or only reading from certain
influenced content, that becomes very hard to counter.
So it does have to be a really broad approach to doing it.
But I think we're seeing, this is the norm that we'll be seeing from now on.
This isn't, I think very often we've talked about cyberattacks and hybrid warfare,
almost thinking about it as being down the road.
But I mean, it's what we're seeing now.
We've seen it in the past.
Again, this isn't new.
When Russia invaded Ukraine in 2014, there were cyber components to that.
So that's, you know, on the one hand, we shouldn't be surprised because we've seen sort of that steady drumbeat.
We saw NotPetya.
We saw NotPetya actually, you know, expand well beyond the borders.
And I think that's where, you know, for folks in the U.S. who still may not be watching it that closely, especially businesses, that what Russia may
continue to do against Ukraine most likely won't stay in Ukraine. And again, NotPetya,
it really just is such a good example for how very targeted Ukrainian software can then attack
on that, can end up causing billions of dollars of damage across the globe.
All right. Well, Andrea Little Limbago, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this
weekend's Research Saturday and my conversation with Michael DeBolt from Intel 471. We're discussing
PrivateLoader, one of the most popular commodity malware loaders on the underground.
That's Research Saturday. Do check it out. The Cyber Wire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
... data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.