CyberWire Daily - Escalation in Russia’s hybrid aggression. APT10’s espionage against Taiwan’s financial sector. Developments in the C2C market. Jamming your teen’s Internet access.
Episode Date: February 22, 2022
Russia escalates its hybrid war against Ukraine, with cyber implications for the rest of the world. Xenomorph banking Trojan hits European Android users. APT10's months-long espionage campaign against Taiwan's banks. Hive ransomware's flawed encryption is good news. Trickbot's place in the C2C market. Joe Carrigan shares the latest evolution of business email compromise. John Pescatore's Mr. Security Answer Person returns. And there's a right way and a wrong way to keep your teen offline. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/35 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
Russia escalates its hybrid war against Ukraine with cyber implications for the rest of the world.
Xenomorph banking Trojan hits European Android users.
APT10's months-long espionage campaign against Taiwan's banks.
Hive ransomware's flawed encryption is good news.
TrickBot's place in the C2C market.
Joe Carrigan shares the latest evolution of business email compromise.
John Pescatore's Mr. Security Answer Person returns, and there's
a right way and a wrong way to keep your teen offline.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Tuesday, February 22nd, 2022.
More Russian troops move into Ukraine in what Russia represents as a calming,
peacekeeping move, but which most other governments
are calling aggression. Here's a quick overview of the hybrid war and its broader implications
for cybersecurity. It's not the shock and awe predicted in some quarters, and in fact Russia's
foreign ministry has continued to deny that it's not sure if it's really happened at all.
But Russian President Vladimir Putin did announce in his major speech yesterday
that he had authorized the dispatch of peacekeeping troops
into the eastern Ukrainian regions of Luhansk and Donetsk.
Kremlin spokesman Dmitry Peskov expressed the facially implausible hope
that Moscow's recognition of the two regions Russia wishes to detach from Ukraine
would help restore calm, and that Russia remained open to diplomacy with the EU and the US.
The relatively gradual, and for all that violent, escalation
may be intended to divide Western counsel and mute some of the response the action will summon.
Russia said early yesterday that it had killed five saboteurs who attempted to cross into Russia near Rostov, The Guardian
reports. Interfax said Russian forces also destroyed two Ukrainian army vehicles that
crossed the border in a failed attempt to come to the saboteurs' rescue. Ukraine denied the claims, which indeed seem preposterous.
The principal line of disinformation Russia has pursued with respect to Ukraine
is to accuse Kiev of genocide against ethnic Russians.
It's an absurd claim that's gained little traction abroad, as the Atlantic Council argues,
but its principal audience may be a domestic Russian one.
And who's really beating the war drums in eastern Ukraine? Why, the House of Windsor, of course, and
Russian TV will hip you to this if you, like the Telegraph, have been watching. This particular
explanation, and it's really worthy of the late Mr. Lyndon LaRouche, which the outlet Russia One offers, runs like this.
Prince Charles and Prince Andrew need something to distract the public from recent royal scandals,
hence Ukrainian aggression against Russia, because nothing says, hey, there's nothing to see on that
Lolita Express, then, you know, Ukrainian plans to attack Russia.
We leave the assessment of this analysis as an exercise for you, dear listener.
Syria and presumably Belarus appear to be in Russia's corner.
Syrian Foreign Minister Mekdad said his country's government supports Russia's move and will cooperate with the two breakaway regions.
But most other governments have condemned Russia's recognition of Donetsk and Luhansk
and the dispatch of Russian troops to the Ukrainian territories.
TASS quotes an aggrieved Russian Foreign Minister Lavrov,
who says the itch to punish Russia is familiar and enduring,
quote,
We understand that now our colleagues are seeking to put all the blame
for the breakdown of the Minsk agreements on Russia.
Our European, American, and British colleagues will never stop and rest content until they use all the possibilities for the so-called punishment of Russia.
They are already threatening with possible hellish sanctions, or as they say, mother of all sanctions.
So they're used to this in Russia.
We would like to suggest to Mr. Lavrov that given what his stooges have been saying about the Prince of Wales,
you ain't seen nothing yet, but he'd be used to that too.
The UN Security Council held an emergency meeting last night to consider Russian actions.
Separately, UN Secretary General Antonio Guterres called Russia's action
a violation of the territorial integrity and sovereignty of Ukraine and inconsistent with
the principles of the Charter of the United Nations. NATO's Secretary General also condemned
Moscow's recognition of the two regions as independent republics. Quote, I condemn Russia's
decision to extend recognition
to the self-proclaimed Donetsk People's Republic
and Luhansk People's Republic.
This further undermines Ukraine's sovereignty
and territorial integrity,
erodes efforts toward a resolution of the conflict,
and violates the Minsk agreements
to which Russia is a party, end quote.
Reuters reports that the U.S. and the U.K. on Friday publicly attributed
recent distributed denial-of-service attacks against Ukrainian banks and government websites
to Russia. Australia joined in this attribution shortly thereafter and promised cyber support to
Ukraine as it resisted further Russian activities. Western governments are on alert for Russian cyberattacks on their
own assets, and the Independent says that British Defense Secretary Ben Wallace suggested to the
House of Commons that the UK was prepared to undertake offensive cyber operations against
Russia should retaliation become necessary. The risk of Russian escalation in cyberspace
during its hybrid war is generally regarded as high.
The Harvard Business Review summarizes how businesses ought to prepare for this threat in the near future,
and Moody's Investor Service has issued a new research report that emphasizes the difficulty of such conflict remaining confined either geographically or economically.
Quote,
Given the digitization of and interconnectedness of global markets,
such attacks could have economic implications across geographies and sectors.
End quote.
Friday's Aspen Institute conference on Russian aggression toward Ukraine asked, among other things,
what should be made of the recent Russian moves against its domestic ransomware
gangs. The panelists who discussed the arrests and announcements were skeptical, seeing the moves as
tactical and not as representing some newfound respect for legality. The gangs are reversible,
deniable assets, and the privateers can be expected to return once Moscow decides that
their return is in Russia's interest.
There is, of course, no lack of ordinary criminals ready to take advantage of the fear and unrest
that accompany a war. Accenture reports an uptick in Ukrainian-themed offerings,
especially offers of purported personal information of Ukrainian citizens, and expects it to continue.
Some of the cases it cites, like Whispergate,
have clear connections with Russian intelligence services.
Others seem to be the usual opportunistic work of gangs.
According to Accenture,
As of February 11, 2022,
ACTI assesses it is likely that as intelligence warnings
and postings related to Russia and Ukraine increase,
deep web actors will continue to increase their offerings for databases and network accesses
relevant to the Russia-Ukraine conflict in hopes of gaining high profits.
Global events occasionally serve as motivating factors for malicious actors
to claim they are selling important and relevant data for profit, regardless of whether such data is genuine or even exists. End quote. ThreatFabric researchers yesterday released a report on a new banking Trojan they're calling Xenomorph.
It shares some features with the Alien Trojan, but ThreatFabric regards it as a distinct strain of malware.
Xenomorph resembles related
Android banking malware in functionality, too. It seeks to get over the fence into the Google Play
Store by misrepresenting itself as a productivity app. In this, it has had some success, even as
user reviews continue to warn that the apps carrying the Xenomorph payload are malicious.
The Trojan has been most often found afflicting European users.
The Record shares the results of a CyCraft investigation that found a months-long campaign
against Taiwan's financial sector.
China's APT10 is being held responsible for the incident, which CyCraft characterizes
as espionage.
The campaign, Operation Cache Panda, was interesting in the misdirection it employed.
It allowed itself to look like a conventional credential stuffing effort,
when in fact it exploited a vulnerability in the web interface of a security tool,
planted a version of the ASPXCSharp web shell,
and then used a tool called Impacket
to scan a target company's internal network.
APT10 is also associated with the names Stone Panda, Potassium, and Cicada.
Bravo to researchers at South Korea's Kookmin University who have found a flaw in Hive
Ransomware's encryption algorithm that can be exploited to enable victims to recover their files.
TrickBot, for all of its recent activity, may soon have run its course.
Advanced Intelligence says that TrickBot's criminal affiliate users are migrating to
Conti's services and that Conti intends to replace TrickBot with a spin-off successor.
And finally, are your kids spending too much time online? Too many in-game purchases? Are they
learning bad language and picking up ways that just aren't right? Are they above all staying up
late at night gaming, chatting, or looking at the unedifying content that, let's face it,
represents the bulk of the internet?
Don't be ashamed. We've all been there.
Some of our colleagues have reverted to locking basements, unplugging modems and putting them under parental pillows,
confiscating monitors and storing them in undisclosed locations. You know the drill.
One gentleman in the French commune of Messanges, down in Nouvelle-Aquitaine,
was driven to take matters even farther.
A mobile phone carrier told authorities it had noticed odd signal drops affecting service in Messanges.
The authorities of the ANFR found that it was a jammer,
and that it operated from midnight until 3 a.m. local time,
using some detection tools and a little shoe leather,
and I'll admit to not knowing the French idiomatic equivalent of foxhunt.
The authorities traced the jamming to a private home
where the dad was jamming the internet to keep his teenaged son offline during bedtime.
His son had become addicted to social media during COVID
sequestration, and the father was at wit's end. Sure, it's a technical violation of French law.
The father faces a 30,000 euro fine and maybe even a jail term of up to six months,
ZDNet reports. But it's hard not to sympathize, at least a little. After all, we're all in this together.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Mr. Security Answer Person.
I'm John Pescatore.
Let's get into our question for this week.
Cybersecurity asks,
I work for a medium-large retail company,
and I've known our CEO since before he got the CEO job.
We had lunch together recently, and he asked me an interesting question.
A board member wanted to know why we called it cybersecurity
since nothing else in the business or in the media ever mentioned anything cyber anymore.
The board member jokingly suggested that maybe we should call it
crypto security since cryptocurrencies does seem to come up a lot. So my
question, should we call cybersecurity something new so we can better capture
management attention? Hold on a second. I have to clean up
some sprayed coffee that just got on my desk. The short answer is no, we shouldn't change the
term cybersecurity to something new, though crypto security is kind of tempting, I have to admit.
But we should change it back to something old. Before we drill down, in the interest of full
disclosure, a while back I did an Ask Mr. Security Answer Person segment where I weighed in against brand freshening in our profession.
I was actually against changing information security to cybersecurity back when it happened.
In fact, I've done entire hour-long webinars just on that topic.
Let me give you the elevator pitch of why I feel that way.
Our profession started out as information security.
There were no computers, but there was still lots of information, mostly in hard copy form.
Security was mostly about physical access control, making sure only authorized people could read documents to provide confidentiality.
But integrity was in there too, with notarization and watermarks, as well as availability via carbon copies and the like. Important to note,
it was not called file cabinet security or paper security. The focus was on the valuable part,
the information. When the mainframe came into more widespread use by businesses in the mid-60s,
you began to see the term computer information security used. But the focus was still on access control, digital safeguards to assure
confidentiality by only allowing authorized computer users to access the information.
The computers were locked down in the basement. There were no external networks, and there were
no real external attacks. We weren't worried about the computers, so information security
remained the dominant term.
Flash forward to 2001, as business use of the Internet exploded.
We were still calling what we did information security, but that year,
the Code Red and Nimda worms took advantage of numerous critical vulnerabilities in Microsoft Windows, SQL Server, and the IIS web server,
and gained mainstream press coverage by wreaking havoc on corporate
networks and the internet overall. But those were really denial-of-service attacks, not breaches.
No information was exposed. The computers and networks were brought down.
Slammer and Blaster in 2003 continued this trend, and people began to say,
why do we call this information security? The issue is not the information, it is keeping all those computers and networks safe.
Business use of the internet was still growing exponentially,
and everything was being called cyber this or cyber that,
and voila, everyone switched from calling it information security to cyber security.
For two reasons, really.
The first is simply brand freshening.
Trying to make something old more exciting.
More disclosure. I'm reading this in a building in a planned community called Maple Lawn that for hundreds of years was known as Skaggsville.
The second reason is the one that will finally get us back to answering your question.
In the digital world, protecting information is really, really hard.
Encryption and strong authentication are required to do so, but implementing those has
a lot of impact on IT and users and many business flows. Protecting networks and computers may seem
hard, but it is way less work overall than securing digital information while still allowing the
business to do what it needs to do. It didn't take long for cyber criminals and nation-state
attackers to start going after information, but the really badly needed controls and processes, persistent encryption and strong authentication, were nowhere to be found.
That needs to change.
So that's my answer.
Let's change cybersecurity back to information security to both freshen up our brand.
Heck, I bet your CEO doesn't even know we used to call it
InfoSec, and to convince management to back the changes needed to protect critical business data
from breaches, ransomware, and all forms of attack. Multi-factor authentication, persistent
data encryption, and privilege minimization are at the top of the list of the necessary changes
we would like management to back.
By the way, have you thought about what you'll say when they ask you, how can we secure the metaverse?
Mr. Security Answer Person.
Thanks for listening.
I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with
John Pescatore airs the last Tuesday
of each month right here on the CyberWire.
Send in your questions for
Mr. Security Answer Person to
questions@thecyberwire.com. Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
You know, we cover a lot of scams over on Hacking Humans, and there was a public service announcement from the FBI that came across my desk recently, and this had to do with a particular kind of business email compromise that's making
the rounds here. What's going on here, Joe? So business email compromise is like, I call it the
king of social engineering attacks, right? The reason I call it the king of that is because
it is so wildly successful and these guys make huge payouts. They make bank. We've seen
losses in the millions of dollars from business email compromise.
Right.
And basically how that works is somebody compromises the email account of somebody high up in an organization
and then asks somebody lower in the organization to transfer a lot of money out to an account they control,
all while telling the person they're talking to to keep it quiet because it's secret
and intimate
that they need this done quickly. There's always the artificial time horizon. The key part is don't
tell anybody about it, right? Right. This is some secret business deal and we don't want to screw
it up. So just keep this between the two of us for now. Right. First off, that should be a red flag.
Yeah. Whenever you hear that, that should be something you should be concerning yourself with.
Yeah.
The new angle here is once they've compromised the email account, they really have a lot of access, right?
And if they've compromised something with a single sign-on thing, kind of account going on, like a lot of organizations use, they may also have compromised the teleconferencing application that is used.
So they may call a meeting or inject themselves into a meeting.
So like a Zoom meeting?
Yeah, like think Zoom.
Right.
And then when they get on the meeting, they're going to have a still picture of the person.
Let's say it's a CFO of a company.
They're just going to have a still picture of the CFO that they probably copied directly from the company's website.
Right.
And they've put it up as the image.
And the thing about this in Zoom is when I go into Zoom,
I can change my name to say just about anything.
Yeah.
Right?
So that's what they do.
And the picture, and it's really easy to impersonate somebody.
Mm-hmm.
Then they say, I'm having trouble with my audio and visual.
I can hear you guys just fine, but I can't say,
or you can't hear me and my camera doesn't work.
There's some technical difficulty here.
Sure.
Which is a ruse.
Or they'll say my camera isn't working, but I do have audio.
And they're saying in this article that they'll use deepfake audio, which could be a number of things.
I know that you're dubious of that claim.
I'm glad you brought that up because I am skeptical of deepfake audio and anything that requires real-time interaction.
Right.
So I don't see deepfake audio as being a thing for any sort of real-time conversation.
But what this story made me think about and I think is plausible is I could have deepfake audio that said something like, hang on, hold on, I'm having trouble with my audio here.
Hold on.
This isn't working.
You know, something like that.
Yep.
That doesn't require any interaction. It's just enough so that the person on the other end
hears the voice they're expecting to hear.
Right.
And then the audio drops off and they type, oh, sorry about that.
Let's just do this over text.
I don't have time for this.
Exactly.
This is movie crap, you know, and Bob's your uncle.
Right.
And that's what they're doing is they're using this kind of like as a second vector for convincing people that they are who they say they are when in fact they're not.
Right.
And they're seeing an increase in effectiveness.
You and I talk about this all the time on Hacking Humans.
If you get an email from your CFO that says transfer the money, that merits a phone call.
Right. But if you've heard from the CFO first,
someone you think is the CFO and what you think is a legitimate meeting, and that person tells you,
I'm going to send you an email with some banking information. I need you to send to transfer this
much money to that account. And I'll repeat that in the email. And then you get an email from the
CFO's email address that says this. I think you're a lot more likely to believe that this is legit. Yeah. And I talk about adversarial thinking and how I like to think
that I'm pretty good at it. And that makes a lot of people look at me and go, you're just a horrible
person, Joe. Puts a bit of a target on your back, Joe. Why would you think like that? Because this
is the way bad guys think, right? Yeah. You've got to think, if I was a bad guy, how would I scam me out of a million dollars? I would pose as this guy. And you've got to think,
as a person in an organization, that I'm concerned this might be fraudulent. I want to actually go
talk to the CFO or make a phone call to the CFO's office or do something. You have to have that
channel communication open as a matter of corporate policy. And people have to be able to ask these questions to validate it. And management has to
be receptive to these kind of questions. Right. Right. Because management that isn't receptive
to these kind of questions is a risk. Right. A business risk. Yeah. Why not? There's no downside
to that extra call. Right. Absolutely. There's big dollar signs on the line.
Yep.
Yeah.
All right.
Well, again, this is a note from the FBI over from their IC3, the Internet Crimes Complaint Center.
Joe Carrigan, thanks for joining us. My pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news
every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.