CyberWire Daily - Fears of Russian escalation, with both chemical and cyber weapons, rise. DPRK APTs exploit Chrome vulnerabilities. Mustang Panda is back. Arrests made in the Lapsus$ case.
Episode Date: March 25, 2022
Fears of Russian escalation as Ukraine's counteroffensive sees successes. Warnings of possible Russian cyberattacks gain context from attribution of the Viasat incident and two US unsealed indictments. CISA continues to recommend best practices. North Korean APTs exploit Chrome vulnerabilities. Mustang Panda is back. David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities for those looking to pursue a career in tech. And boy, boy, your wild ways will break your mother's heart.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/58
Selected reading.
Ukrainian forces advance east of Kyiv as Russians fall back (Reuters)
Counteroffensive in Ukraine Shifts Dynamic of War (New York Times)
Ukrainian forces claim to destroy a Russian landing ship. (New York Times)
Putin's war in Ukraine nearing possibly more dangerous phase (AP NEWS)
Syrians watch in horror as Putin deploys the Aleppo playbook in Ukraine (CNN)
Joe Biden: We will respond in kind if Vladimir Putin uses chemical weapons in Ukraine (The Telegraph)
A month into the Russian invasion, Ukraine is still mostly online (The Record by Recorded Future)
Russian military behind hack of satellite communication devices in Ukraine at war's outset, U.S. officials say (Washington Post)
Hackers Attacked Satellite Terminals Through Management Network, Viasat Officials Say (Air Force Magazine)
Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide (US Department of Justice)
US charges four Russian hackers over cyber-attacks on global energy sector (the Guardian)
North Korean Actors Exploited Chrome Flaw to Target U.S. Orgs (Decipher)
Countering threats from North Korea (Google)
New Mustang Panda hacking campaign targets diplomats, ISPs (BleepingComputer)
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection (Threatpost)
Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Fears of Russian escalation as Ukraine's counteroffensive sees success.
Warnings of possible Russian cyber attacks gain context from attribution of the Viasat incident.
CISA continues to recommend best practices.
North Korean APTs exploit Chrome vulnerabilities.
Mustang Panda is back.
David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities
for those looking to pursue a career in tech. And friends, friends, friends,
your wild ways will break your dear mother's heart.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, March 25th, 2022.
The U.S. Justice Department has unsealed two indictments of four Russian nationals, all employed by the Russian government, in connection with cyberattacks against energy
sector targets. The first indictment involves the ultimately unsuccessful 2017 Triton/Trisis attack
against safety systems in a petrochemical plant. The second involves the
Dragonfly campaigns between 2012 and 2017. These sought to compromise and maintain persistence
within industrial control systems used in the energy sector. The unsealed indictments are being
widely taken as showing the sort of active threat Russian operators pose to critical infrastructure.
CISA Director Jen Easterly clapped for the Justice Department over Twitter.
She said,
Good to see the Justice Department indictments on Russian state-sponsored cyber actors.
Along with our FBI and DOE teammates,
we're releasing a cybersecurity advisory with information and actions
to defend against related threats to the energy sector.
An unnamed Justice Department official told The Guardian,
These charges show the dark art of the possible when it comes to critical infrastructure.
The Washington Post reported this morning that U.S. intelligence analysts have now attributed the attack against Viasat services to Russia's GRU, the country's
military intelligence service. The U.S. government has yet to make a public announcement of the
determination. Ukraine has for some time claimed that Russia was behind the cyber attack, which
Ukraine's military intelligence services viewed as Russian battle space preparation. The Post writes, Asked this week whether Ukraine knew who was behind the attack,
Victor Zhora, deputy head of the State Service of Special Communications and Information Protection,
Ukraine's main cybersecurity agency, said,
We don't need to attribute it since we have obvious evidence that it was organized by Russian hackers
to disrupt the connection between customers that use this satellite system. He added, of course, they were targeting the
potential of the Ukrainian military forces first as this happened just before the invasion.
California-based Viasat, which hasn't offered any attribution of the incident,
told Air Force Magazine how it was accomplished. The ground management network
that manages the KA-SAT network and manages other Eutelsat networks, that network was penetrated,
and from there, the hackers were able to launch an attack against the terminals
using the normal function of the management plane of the network.
The company said the damage was limited. Only users who inherited their service from Eutelsat were affected.
Viasat said,
Even on that network, none of our mobility and none of our government customers were affected.
The controls we have around those users kept them safe.
Russia's ability, and up to a point will, to conduct cyber attacks against its adversaries in the hybrid war against Ukraine is
not in doubt. But at this stage of the conflict, Ukraine itself remains largely online, and the
wiper and distributed denial-of-service attacks it has sustained since the run-up to Russia's
invasion haven't seriously impeded access to the Internet. The Record's coverage suggests that this
is largely due to the resilience of
Ukrainian infrastructure and the hard work of the country's telecommunications sector.
But Russia does seem to have pulled its punches. An essay in WeLiveSecurity, while cautioning
that a major cyber attack certainly can't be ruled out, considers the possibility that Russia's
apparent restraint may have been induced by effective deterrence.
That would be both deterrence by denial and deterrence by promised retaliation.
Yesterday, CISA and the FBI released an alert titled
Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector.
It provided background on the Russian cyber attacks
addressed in the two indictments the U.S. Department of Justice unsealed Thursday.
The advice the alert offers on hardening an organization against similar attacks
is comparable to the advice the agencies have been circulating since CISA told everyone to go to
Shields Up: familiar but nonetheless sound sets of best practices
for both enterprise and industrial control systems.
Russia's Foreign Ministry, whose Twitter feed has been marked by defiance, self-pity, and implausible insistence, yesterday shared its take
on Russian progress in Ukraine. Exactly one month since the start of the special military operation in Ukraine,
it is going according to plan, and all the stated goals will be achieved. Life is returning to
normal in the territories already liberated from nationalists. No one else sees it quite this way.
North Korean threat actors have been exploiting two remote code execution vulnerabilities in
Chrome, Google reports. These groups' activity has been publicly tracked as Operation Dream Job and
Operation AppleJeus. The former has been largely interested in journalists. The latter has mostly
busied itself with operations against cryptocurrency users and the financial services sector more
generally. Chinese intelligence services, who have increased their collection activity as the crisis of
Russia's war against Ukraine intensifies, have combined a new remote-access Trojan with
complex evasive techniques intended to impede detection.
The group researchers are observing is the one generally known as Mustang Panda.
And finally, the mystery of who Lapsus$ is and what it's up to may have been solved. The BBC reports that City of London
police have arrested at least seven teenagers in connection with the gang's activities.
They told the BBC, seven people between the ages of 16 and 21 have been arrested in connection with an
investigation into a hacking group. They have all been released under investigation. Our inquiries
remain ongoing. So, Lapsus$ seems to have been a crew of script kiddies. For all that, their
activities were damaging and disruptive. Lapsus$ was in it for the lulz, the cash, and the cachet. As minors, none of the
names of those arrested have been released. The apparent leader, who goes by the hacker names
White and Breachbase, is said to be a 16-year-old boy in Oxford. The BBC talked with the kid's
father, who said, I had never heard about any of this until recently. He's never talked about any
hacking, but he is very good on computers and spends a lot of time on the computer.
I always thought he was playing games. The father added, we're going to try to stop him from going
on computers. Good luck with that, dad. If you figure out how to keep him offline, let us know.
We could all use that parenting tip.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The cybersecurity industry needs more qualified workers, and it needs them now.
Demand is high, and that's leading some candidates to forgo a four-year degree
and instead opt for a coding boot camp.
Hands-on vocational-style training designed to get students up to speed and ready for employment ASAP.
Liliana Monge is co-founder and CEO of Sabio Coding Bootcamp.
When we first began, we thought maybe we would work with high school students that decided not to go to college.
However, because this is vocational training and the expectation is that when you're done you will go get a job, we have actually found that people who are about 22 to 29 are the most likely to want to enroll in the program.
... enroll anyone. We actually had a gentleman who had retired from the State Department at age 65.
He came to the program and he's now a software engineer in Irvine. However, most people who are in their early 20s are most drawn to the program.
So someone who completes the types of programs that you all offer here, what are their expectations in terms of entering the job market? To what degree are they prepared for the jobs that are out there?
Yeah, so we have
found that most of the people who graduate from our program are ready to join a team because they
will, you know, obviously have a certain amount of experience. And so they're going to need
assistance and support inside of an
organization. So typically, if it's a smaller business, maybe there's already a senior engineer
architect on the team, and they need someone to support them with maybe some front end work or
some SQL work. If you have larger organizations like Microsoft, they themselves have an onboarding process that
takes four months for people who are graduating from coding bootcamps. And so they themselves
will bring you in, they will give you additional curriculum for four weeks, just so that they can
once again, give you additional context for how they do things at Microsoft. And then they will
put you with a team for an additional three months. And then depending on how you perform, Microsoft can hire
you as a full-time software engineer. So it really depends on the type of organization
that our grads are interested in joining. There are different types of opportunities.
It's rare that one of our grads will go and be like the first
technical team member in an organization's org chart. That typically is not what we see,
just because our fellows are going to have less than six months of experience.
So in terms of comparing this to someone who might have their sights set on, let's say, a four-year degree. How does this compare to that?
Yeah. So as I started in the beginning, we like to make sure that people understand that
this is vocational training. It's something that is going to give you sufficient skills
so that you can join a team and add value. And so there has to be some infrastructure already there. My understanding of computer science grads is that, you know, they're going to come out with
a lot more theoretical understanding of how those systems were designed and why they were designed
a certain way. So, you know, software development takes a lot of its words and, you know, the way
they structure it from the world of construction. And so a lot of us are
familiar with the concept of what an architect will do, right? They design the blueprints,
but they're not the ones out there swinging the hammer and actually building your house.
And so in software engineering, it's very similar. You may have someone who has a lot
more experience or someone who's secured a computer science degree who may architect a system,
who may design a new system altogether from the ground up.
Coding bootcamps are designed to give you vocational skills
that will get you into the job market rather quickly.
So it doesn't have to be binary
in terms of an engineering team
can have different types of professionals.
Just like when you go to a hospital, you meet
with a doctor and they've had a certain type of education, but then you also meet with nurses,
with registered nurses, and different types of professionals. So the same thing works in
the tech ecosystem.
I would imagine too, this provides a lot of folks with an opportunity to get a foothold in the industry without loading themselves up with a lot of debt.
Yes.
So the opportunity cost is much lower
when you attend a coding bootcamp.
The price to participate in the Sabio Coding Bootcamp
is $15,000.
And that's pretty standard across the United States
in that range of 15,000.
And you're correct.
I mean, my understanding is that
if you want to do a computer science undergraduate degree, it's going to be somewhere between $100,000 and $200,000,
depending on where you're going to go. So there are very significant differences in opportunity
costs. You know, our program can be done in four months. A computer science degree can take you
four years. And it's really just about, you know, someone's personal preference, where they are in their life that, you know, you have to assess which solution is best for me.
That's Liliana Monge from Sabio Coding Bootcamp. There's a lot more to this conversation. If you
want to hear the full interview, head on over to CyberWire Pro and sign up for interview selects,
where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
... and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by David Dufour.
He is the Vice President of Engineering and Cybersecurity at OpenText.
David, always great to have you back on the show.
As we are well on our way into 2022 here, it seems as though ransomware continues unabated. And I have to say,
one of the things that strikes me is the ongoing professionalization of the organizations who are up to this. I know this is something you've had your eye on as well.
Absolutely. And you and I have touched on this topic many times, David, where these gangs have
become more and more professional. You know, several years back,
you and I were seeing proper quality control
in the actual ransomware itself
because some strains of ransomware
weren't decrypting properly
and those strains would die off
because no one would pay the ransom.
And the code itself just kept getting better and better.
And now, as with a lot of times we see in the threat
landscape, they've really institutionalized this, have well-defined processes, and are doing a
really good job at executing. It's interesting to me, in addition to that, that we see
different groups sort of specializing in different things that you can, you know, if I'm someone looking to
put together a ransomware offering, dare I say, I can get a little from column A, a little from
column B, depending on who I want to hit and, you know, how much I want to charge and how much help
I think I need. That's exactly right. And, you know, we've seen time and again where a new solid strain of ransomware will come out.
The creator of that ransomware will go out and look for folks to deploy that on devices for them.
Then they'll see who's the most successful at that deployment.
And then they will shut the whole thing down, tighten up the code base, modify it a little bit,
go with the
top tier folks at getting that stuff distributed, and then they will hit the world hard and fast.
And we see that time and again. And I hate to say it's kind of like if you imagine in the movies,
the mobster movies where they are all sitting around a table talking about, I'm going to take
the south side and you're going to take the north side.
I mean, literally, they're not sitting around a table because it's COVID.
And obviously, they're staying at home and quarantining properly.
But no, seriously, they're sitting around and really communicating how they're going to divide this up,
who's the best at what component of this,
and then they execute with the best of the best. We've seen a little bit of disruption here.
Do you think we're going to see more of that this year? So we have seen pretty solid disruption.
We will continue to see that. But like we all know, it's a moving target. And once we disrupt
somewhere, knock some things offline, some folks will come up with something.
And, you know, what's next now?
Does that mean we should not be executing on this?
And should we not be trying to protect?
We obviously should.
I mean, we used to see types of threats 15, 20 years ago that we don't see anymore.
And so we'll get past this.
But for now, we've just got to kind of whack-a-mole and get it solved as we can until we come up with a more holistic solution on how to resolve it.
... for the ransomware operators isn't so low anymore, that in general, there's better awareness around
that, you know, we talk about digital hygiene, that the general level of that has improved
in a measurable sort of way? I mean, in a jaded, I'm going to say no. I mean, these folks every
year are making more and more and more money. And so to your specific point, they started out attacking individuals, consumers, small businesses, and then just to see how things worked.
And now that we've kind of protected that level.
But what they've done is up level it and take that exploit path where they find exploits with larger organizations and they've gotten just more sophisticated.
So I would say we get better at each level as they attack that level.
We're not getting in front of it.
All right.
Well, David Dufour, thanks for joining us.
Be sure to check out this weekend's Research Saturday and my conversation with Symantec's Dick O'Brien.
We're discussing the Shuckworm cyber espionage campaign against Ukraine.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
... you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.