CyberWire Daily - False flags, disinformation, and cyber operations in a hybrid conflict. Log4j vulnerabilities exploited. Wiper used against Iranian television. Kraken’s evolution. CISA’s guide to free security tools.

Episode Date: February 18, 2022

False flags and disinformation in Ukraine, as Western governments warn of the risk of both Russian escalation and the prospects of cyberattacks spreading beyond Ukraine’s borders. Log4j “Day-1” vulnerabilities exploited in the wild. Threat actors deployed a wiper in the course of hijacking Iranian television. The Kraken botnet is evolving, picking up an information-stealing capability. Our guest is Brittany Allen of Sift to discuss the DOJ seizing 3.6B worth of stolen crypto. Chris Novak from Verizon addresses geopolitics and threat intelligence. And CISA launches a Catalog of Free Cybersecurity Services and Tools. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/34 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. False flags and disinformation in Ukraine as Western governments warn of the risk of both Russian escalation and the prospects of cyber attacks spreading beyond Ukraine's borders. Log4j day-one vulnerabilities are exploited in the wild. Threat actors deployed a wiper in the course of hijacking Iranian television.
Starting point is 00:02:17 The Kraken botnet is evolving, picking up an information-stealing capability. Our guest is Brittany Allen of Sift to discuss the DOJ seizing $3.6 billion worth of stolen crypto. Chris Novak from Verizon addresses geopolitics and threat intelligence. And CISA launches a catalog of free cybersecurity services and tools. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 18th, 2022. False flags, information operations, and cyber attacks continue to mark Russia's hybrid war against Ukraine. Whether Moscow will escalate the conflict with a large conventional campaign remains to be seen, but senior officials in both the U.S. and U.K. have continued to warn that a large-scale invasion could be imminent, perhaps just days away. Reports of shelling in eastern
Starting point is 00:03:33 Ukraine continue. Russian media has accused Ukrainian forces of hitting a kindergarten and blaming it on Russian-led separatists in an attempt at provocation. Separatist leaders in Donetsk, however, acknowledged that their guns were the ones that hit the school, but say it's Ukraine's fault anyway, since, say the Russia-aligned separatists, Ukrainian forces used mortars and grenades against them first. Most observers see the ongoing artillery fire as part of a Russian attempt to frame Ukraine as an aggressor against ethnic Russians in Donetsk and Luhansk.
Starting point is 00:04:10 British Foreign Secretary Liz Truss called the shelling and other abnormal military activity, quote, a blatant attempt by the Russian government to fabricate pretexts for invasion, end quote. The U.S. Embassy to Ukraine was equally unambiguous, tweeting, Russia's shelling of Stanitsia Luhanska in Ukrainian government-controlled territory in Donbass hit a kindergarten, injured two teachers, and knocked out power in the village. The aggressor in Donbass is clear, Russia. This attack, as with so many others, is a heinous Russian violation of the Minsk agreements and again demonstrates Russia's disregard for Ukrainian civilians on both sides of the line of contact. End quote. The leader of the Donetsk separatists,
Starting point is 00:04:58 Denis Pushilin, has announced that the danger of Ukrainian military action is now so high that the separatists have begun evacuating the province's population across the border to Russia's Rostov Oblast, the Telegraph reports. Ukraine denies that it's engaged in any operations against the provinces Russia is seeking to detach. Russia continues to disclaim any intention of preparing a further invasion of Ukraine, Bloomberg reports. The U.S. continues to say that the risk of intensified ground combat remains high. President Biden said yesterday, quote, We have reason to believe they are engaged in a false flag operation to have an excuse to go in, end quote. False flag operations are provocations staged as outrages that can be
Starting point is 00:05:47 more or less plausibly attributed to an adversary. U.S. officials, speaking on the condition of anonymity, told the Washington Post that there was additional intelligence indicating a false flag by Russia would involve the use of a chemical agent that would immobilize civilians, then use cadavers to make it appear as though the Ukrainians had gassed and killed civilians. One of the officials said the blame might also be pinned on Americans. U.S. Secretary of State Blinken made a similar case yesterday at the United Nations. He enumerated three possible false flag provocations, fabricated so-called terrorist bombing inside Russia, a fake mass grave, a staged drone attack on civilians, or a fake, even a real attack using chemical weapons.
Starting point is 00:06:36 Russia's Ministry of Defense repeated its claim that units were returning to garrison yesterday after Western intelligence services said they weren't seeing signs of withdrawal from assembly areas near Ukraine. Western governments aren't, in general, buying it. Reuters reports that the U.S. Ambassador to the Organization for Security and Cooperation in Europe, Michael Carpenter, told a meeting of the OSCE today, quote, We assess that Russia probably has massed between 169 and 190,000 personnel in and near Ukraine, as compared with about 100,000 on January 30th. This is the most significant military mobilization in Europe since the Second World War, end quote. Bloomberg quotes Ukrainian authorities as calling the distributed denial-of-service attack
Starting point is 00:07:26 that began Tuesday and extended into Wednesday the largest the country had seen. This may be an exaggerated local perspective. Reuters cites Netscout to the contrary. The security firm said that what Ukraine faced was relatively standard and not unusually large. Netscout's Richard Hummel said, quote, it's possible that it was the largest they'd seen against targets. It's definitely not the largest we've seen, end quote. At the Chicago session last night, Milanovov said that, contrary to most reports, the effects of the attack had not been confined to just two banks,
Starting point is 00:08:03 but had affected the banking sector as a whole. He assessed the level of interference as comparable to that Estonia sustained when it came under Russian cyber attack. That Ukraine escaped a crippling shutdown he ascribed to the country's improved resiliency. Warnings that Russian cyber operations could affect countries beyond Ukraine continue. The Voice of America reports U.S. concerns about the possibility of cyber attack, and it cites the often-mentioned case of NotPetya, which spread beyond its Ukrainian targets to affect commerce globally. Media in the U.K. are retailing similar warnings,
Starting point is 00:08:41 although they focus on the possibility of a direct cyber attack against British assets. Online shopping, paycard transactions, and healthcare information are regarded as especially at risk. Speaking at the Munich Cybersecurity Conference, U.S. Deputy Attorney General Lisa Monaco warned again of the blended threat of criminals working with nation-states. of the blended threat of criminals working with nation-states. She also followed on a theme CISA enunciated in the course of this week's warnings, that people should have their shields up. While the general push to address the risk posed by log4j vulnerabilities seems to have limited the damage organizations might otherwise have sustained, exploitation of vulnerable systems continues.
Starting point is 00:09:24 SentinelLabs researchers describe the activities of an Iranian-aligned threat actor they're calling TunnelVision, and which is hitting vulnerable instances of VMware Horizon. SentinelLabs notes overlap between TunnelVision activity and the operations Microsoft ascribes to Phosphorus and CrowdStrike to Charming Kitten or Nemesis Kitten. Whether these represent activities of the same unit or distinct groups remains unclear. Some are calling the Log4j vulnerabilities one-days. They're not zero-days because they're known and mitigations are available,
Starting point is 00:10:01 but they're fresh enough so that a number of systems are still vulnerable to exploitation. Iran itself has been the target of cyber attacks. Checkpoint looks into recent incidents affecting Iranian state television. Their surface motivations seemed straightforwardly hacktivist, designed to denigrate the regime and urge assassination of Tehran's supreme leader. to denigrate the regime and urge assassination of Tehran's supreme leader. But an examination of the malicious files finds that the unknown threat actors also deployed wiper malware against their targets. ZeroFox this week published an update to its research on the Golang-based botnet its researchers described last October.
Starting point is 00:10:42 It's called Kraken, but it's not to be confused with the botnet that appeared in 2008 and had the same name. The two are unrelated. The current Kraken spreads via SmokeLoader, and while it's still under development, it already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim's system. While it's still maturing, Kraken nets its operators a small but interesting sum of around $3,000 a month. Its most recent infestations show signs of deploying an information stealer, but to what end is unknown. The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, today announced that it's
Starting point is 00:11:25 launched a catalog of free cybersecurity services and tools. The resources it offers fall into four categories, reducing the likelihood of a damaging cyber incident, taking steps to quickly detect a potential intrusion, ensuring that the organization is prepared to respond if an intrusion occurs, and maximizing the organization's resilience to a destructive cyber incident. You can find it all on their website, cisa.gov. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:12:11 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:48 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:13:38 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The recent news of the Department of Justice seizing $3.6 billion worth of stolen cryptocurrency captured the attention of both good and bad actors in the cybersecurity and cryptocurrency worlds. Brittany Allen is trust and safety architect at digital trust and safety firm SIFT, and I checked in with her for perspective on the impact of the seizure. What it really just highlights for me is confirmation of what we keep saying about the transparency of the blockchain, where even if money is moved to dark web websites or taken to illicit locations for money laundering,
Starting point is 00:14:33 we can still follow the path of those funds and then eventually be able to figure out who is behind that theft when they invariably make a mistake. One example I would like to compare it to where we probably have some people in the audience who are true crime fans because of how popular that genre is. If you think back to one of the most famous art thefts in the United States, the 1990 robbery at the Isabella Stewart Gardner Museum in Boston, where 13 priceless artworks were stolen, those still in 2022 have never resurfaced. And we don't know who took them, but we also don't know where they are. Now imagine if it was something similar to being able to have the path of these items tracked on a blockchain so that we would
Starting point is 00:15:25 at least know where the artwork is, even if we hadn't yet figured out who was behind the theft and who we could go after to then get those items back. It would be a completely different picture. So that's really something very exciting about this news from the DOJ. Are we seeing a response from the usual suspects, the threat actors out there? Is this giving them pause? I would say it is not as far as the majority of those who are talking in fraud forums that we'll monitor, such as those on Telegram or other messaging apps and services, even on Facebook, because they are not as big of a scale to be targeted in the same way as these particular alleged criminals, those who have been
Starting point is 00:16:14 arrested here in Manhattan. And it's something that is unfortunate to have to face because there is so much fraud that is happening online, such as the huge takeoff over the past 18 months of money that was made through PPP loans or small business association loans, and the fact that fraudsters now have even more funds than they previously had to then be able to leverage and learn how to commit new different types of fraud attacks. I don't think they have a concern on that minor level, especially just because we don't see regular focus on a fraudster who operates at not even billions or millions of dollars worth of fraud. Do you suppose that this is an inflection point here that going forward, both the folks who are up to no good and the folks who are using cryptocurrency exchanges in legitimate ways? To what degree is this going to inform how they do business from this point on? So I think 2022 by itself is an interesting enough inflection point where we have this major
Starting point is 00:17:19 breakthrough and potentially solving this crime. But then at the same time, we have continued adoption of cryptocurrency. I don't know if you watched the Super Bowl last week, but quite a few people held their phones up to the TV and scanned that QR code at the Coinbase ramp. And that might have been a large population of people who had never considered cryptocurrency before, who had thought, oh, I don't know how to do that. That's beyond me. That now might be, you know, a little bit more comfortable or at least willing to try it out and talking about it amongst their friends. So obviously, as a payment method or a payment type becomes more adopted, the fraudsters naturally gravitate towards it because they know there's more funds that they can access. They know that they're able to leverage it better for their fraud attacks. But when it comes to what can be done, I really want to stress the importance of user education,
Starting point is 00:18:17 first of all, and then of the importance of crypto exchanges and other crypto companies, of crypto exchanges and other crypto companies, making sure that they're putting protections in place beyond what is on the consumer responsibility side. So for consumers, you've got some now who will for the first time be quote unquote their own bank by holding their own funds, whether in an offline cold wallet or in some other method, but you can't rely on them entirely to be able to protect themselves. It's also responsibility of the exchanges and other businesses. That's Brittany Allen from SIFT. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
Starting point is 00:19:19 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:19:47 today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Chris Novak. He's the global director of the Threat Research and Advisory Center at Verizon. Chris, always a pleasure to have you back on the show. It is a complex world in which we live, and in the cyber world, geopolitics certainly plays into the things we do every day. I just want to check in with you on that and the kinds of things that you're tracking when it comes to the political realities around the world and how that affects things like people's approach to threat intelligence. Yeah, it's always a pleasure to be here, Dave, and you're spot on with that. I think that's a very interesting and poignant topic, because I think if you're not looking at threat intelligence, you're missing a big piece of kind of that radar view of what's happening around you. You're missing a big piece of situational awareness. And I think whether or not you're in an industry that, you know, plays heavily into,
Starting point is 00:20:59 you know, the geopolitical conversation, you know, you're a big finance organization, you're a big defense organization. I'd say that that is only part of it. I think every organization that has some kind of cyber defense requirements, which is probably everybody, needs to be looking at this as well. Because, you know, to be honest, when we look at the geopolitical landscape, whether it's, you know, Russia, China, North Korea, you know, the U.S. withdrawal from Afghanistan, everything has some element to it where we're seeing cyber playing a bigger role. Because, you know, to be honest, when we look at, you know, things like military actions, those are not something that anybody wants to lead with.
Starting point is 00:21:41 But cyber actions are, for many countries and for many military organizations or intelligence operations, a cyber action may be an easier thing to pull off, may be an easier thing to disguise. And there's a lot more potential, you know, deniability aspects to it while also being able to inflict and cause pain on their intended targets. So that geopolitics understanding and that threat intelligence nexus, I think, are absolutely critical. When it comes to threat intelligence, to what degree having it be an internal function of my organization versus engaging with an outsider, What are the pros and cons of each
Starting point is 00:22:26 of those approaches? Yeah. So, I mean, I'd say every organization should have some internal capability and some understanding of what their desired outcome of a threat intelligence program is, right? In fact, oftentimes when we talk to organizations, that's going to be one of the first things we ask them is, what do you or how do you define threat intelligence? What does it mean to you? What is it that you want to accomplish with it? And then typically at that point, we'd have further conversation with them as to, okay, this might be the art of what's possible, right? These additional things could be layered into or on top of what it is you're doing. And I think it always is beneficial, especially from an intelligence standpoint,
Starting point is 00:23:06 for there to be some kind of hybrid internal-external approach. I think organizations that try to do everything internally, there may be an ego aspect to that, but the reality of it is, if you're trying to do intelligence really well, world-class, you need to be plugged in with external entities that may be able to
Starting point is 00:23:26 source intelligence from places that you might not have access to, right? And even the best and the biggest organizations, they do exactly that. What about the regulatory regime, you know, of organizations that fall under those sorts of rules, having an external source of this sort of information, how much does that contribute to their ability to stay within those guardrails? Yeah, so I think a lot of organizations can benefit from that because they can depend on those external entities to do a lot of that vetting and compliance and regulatory aspects for them, if you will. So in other words, that becomes that third party's responsibility as opposed to their own internal responsibility. And typically, we'll see that everybody will put that kind of language in their contracts and say, look, we're depending on you for this intelligence.
Starting point is 00:24:21 And we're expecting that you meet and comply with all various laws and regulations around the same. And to be honest, that is a typical kind of table stakes for us when organizations engage with us for threat intelligence. We assure them that, look, we're meeting all those laws and regulations as well. And to be honest, we even see organizations will reach out and sometimes they will kind of do that wink, wink, nod, nod. Yep, we get it. You're going to follow all the laws and regulations, but you're going to get us this kind of information, right? We're like, no, no, we're really going to follow all the laws and regulations.
Starting point is 00:24:50 There's no wink, wink, nod, nod. Right, right. It's all by the book. Yeah, yeah. For organizations that are starting down this pathway and trying to figure out how to calibrate, you know, how much of their cybersecurity spend should be going towards this sort of thing? Where's a good place for them to begin?
Starting point is 00:25:10 So, I mean, typically there's a lot of really good white papers out there. And then also typically would talk with a lot of the analysts, you know, so we engage with all the big analysts out there. In fact, you know, we maybe toot our own horn here a little bit, but we've rated really well with all the analysts as, you know, a leader in all their different ratings as it relates to this as well. And I'd encourage, you know, organizations to talk with the analysts because they can be an independent, unbiased third party that can give a view into both what is it that organizations are typically spending. Not that spending has to equal quality, but typically it is a metric organizations use to try to figure out where they are. Are they investing enough? Maybe not enough. How do they compare to their peer groups? And then also, where is it that the analysts might suggest that if they're going to invest additional dollars, that they might see
Starting point is 00:26:00 the best or biggest return on their investments? And look you know, look, I'd love to tell everybody, you know, come to us, talk to us. But honestly, I prefer to send people towards that third-party route to kind of get that unbiased view because I believe strongly in what we do, and I think a lot of those conversations are important. All right. Well, Chris Novak, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. If you're looking for something to fill your time on the upcoming long holiday weekend, check out Research Saturday and my conversation with Marcel Lee from SecureWorks. We're discussing ransoms demanded for hijacked Instagram accounts.
Starting point is 00:26:57 That's Research Saturday. Do check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Volecky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:28:23 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
