CyberWire Daily - Fire and cyber in Ukraine. Stone Panda (Cicada, APT10) expands its interests. Bogus e-commerce sites harvest banking credentials. Advice and guidance from CISA
Episode Date: April 6, 2022
There’s a maneuver lull in Russia’s hybrid war against Ukraine, but fire and cyber ops continue. The US provides cyber assistance to Ukraine. The Cicada call of Stone Panda. Phony e-commerce sites seek to harvest banking credentials. CISA offers some advice and some guidance. Hydra Market sanctioned. Awais Rashid from Bristol University on anonymous communication systems. Our guest is Armaan Mahbod of DTEX Systems with a look at supermalicious insiders. And the most popular password is...
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/66
Selected reading.
Russian military ‘weeks’ from being ready for new push as war takes its toll (The Telegraph)
Russia's failure to take down Kyiv was a defeat for the ages (AP NEWS)
U.S. Cyber Command providing cyber expertise and intelligence in Ukraine's fight against Russia (FedScoop)
Cyber Command chief: U.S. has 'stepped up' to protect Ukraine's networks (The Record by Recorded Future)
How Ukraine has defended itself against cyberattacks – lessons for the US (FIU News)
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity (Symantec)
Fake e‑shops on the prowl for banking credentials using Android malware (WeLiveSecurity)
CISA adds Spring4Shell vulnerability, Apple zero-days to exploited catalog (The Record by Recorded Future)
LifePoint Informatics Patient Portal (CISA)
Rockwell Automation ISaGRAF (CISA)
Johnson Controls Metasys (CISA)
Philips Vue PACS (Update A) (CISA)
Treasury Sanctions Russia-Based Hydra, World’s Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex (U.S. Department of the Treasury)
Most Common Passwords 2022 - Is Yours on the List? (CyberNews)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. provides cyber assistance to Ukraine.
The cicada call of Stone Panda.
Phony e-commerce sites seek to harvest banking credentials.
CISA offers some advice and some guidance.
The Hydra market's been sanctioned.
Awais Rashid from Bristol University on anonymous communication systems.
Our guest is Armaan Mahbod of DTEX Systems with a look at super
malicious insiders. And the most popular password is...
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday,
April 6th, 2022.
Russian cyber operations in Moscow's war against Ukraine haven't developed in the expected directions.
Those expected directions included crippling attacks against Ukrainian infrastructure,
attacks against countries sympathetic to Ukraine,
and widespread damaging attacks that would spread globally and indiscriminately,
like WannaCry and NotPetya did in May and June of 2017.
But of course, Russian cyber operations have taken place at lower levels, especially in the form of nuisance-level distributed denial-of-service attacks and attempts
to push disinformation through accessible channels. An essay in Foreign Affairs argues that, in fact,
Russian cyber operations were both extensive and successful, and that it would be naive to
underestimate them simply because they didn't unfold as expected. Extensive seems correct,
but successful is less clear. It may be that the cyber operation's success was lost in the
general noise of Russian tactical ineptitude. The authors maintain that Russian cyber operators performed as planned
and that the failure was a general strategic one.
In addition to the DDoS attacks,
the Foreign Affairs piece mentions the wiper attack against Viasat customers.
There has also been Russian interference with GPS.
Simple Flying reports that France's Civil Aviation Authority has attributed interference
with GPS signals near Finland to Russian jamming. That jamming has been ongoing since early last
month and is probably intended as a hedge against attacks against Russian forces by precision-guided
weapons. And of course, there have also been cyber attacks against Ukrainian telecommunications
infrastructure, notably the March 28th attack on Ukrtelecom. The Wall Street Journal reports that
both Microsoft and Cisco have been helping Ukrainian telcos with remediation. But this
doesn't change the fact that Western expectations of the damage Russian cyber attacks would produce
were inflated. And it also seems inarguable that Ukrainian networks have proven more resilient
than expected and that Ukraine has probably received more foreign assistance than Moscow
anticipated. General Paul M. Nakasone, commander of U.S. Cyber Command, yesterday delivered his organization's posture statement to the 117th Congress.
Prominent among the threats and responses he outlined were those presented by Russia's invasion of Ukraine.
Russia, in Cyber Command's estimation, is using a broad range of its capabilities against Ukraine.
Nakasone said, Russia's invasion of Ukraine demonstrated Moscow's determination to
violate Ukraine's sovereignty and territorial integrity, forcibly impose its will on its
neighbors, and challenge the North Atlantic Treaty Organization. Russia's military and
intelligence forces are employing a range of cyber capabilities to include espionage,
influence and attack units, to support its invasion,
and to defend Russian actions with a worldwide propaganda campaign.
General Nakasone also described the response by Cyber Command and the NSA to the invasion.
That response extends to readiness and intelligence services to the U.S. and its allies,
but also to direct support of Ukraine.
That support included assistance with network hardening and threat hunting.
Researchers at Symantec have found renewed cyber espionage on the part of the Chinese APT
it calls Cicada, also known as APT10 or Stone Panda. Among the victims are government, legal,
religious, and non-governmental organizations
in multiple countries around the world, including Europe, Asia, and North America. Symantec thinks
the expansion of the APT's interests is significant. It had formerly been most concerned
with Japanese companies. Symantec says this campaign
ESET reports finding seven bogus e-commerce websites that impersonate legitimate Malaysian businesses,
six of them cleaning services, the seventh a pet store.
The sites dangle the offer of an app as opposed to an opportunity to make immediate purchases.
The criminals' aim is to harvest banking credentials. For now, at least, the problem
is confined to Malaysia, but users anywhere should be alert to the possibility of this kind of scam.
CISA yesterday issued four industrial control system advisories.
They also added four vulnerabilities to their known exploited vulnerabilities catalog.
U.S. federal civilian agencies that CISA oversees have until April 25th to address them.
So hop to it, CISOs.
Following the takedown of the Hydra market by German federal police this week, the U.S. Treasury Department's Office of Foreign Assets
Control has sanctioned the Russian-language Hydra market and has identified over 100 virtual
currency addresses associated with the criminal operation. Contraband traded in Hydra market included ransomware as a service, hacking services
and software, stolen personal information, counterfeit currency, stolen virtual currency,
and illicit drugs.
Treasury pointedly notes that Russia is a haven for cyber criminals.
Decipher reports that experts think data seized from Hydra's market servers
will inform further investigations into the cyber underworld.
And finally, here's a proverbial dog-bites-man story.
What do you think is the most common password nowadays?
Wait for it.
According to a CyberNews study,
1-2-3-4-5-6 is apparently still the world's most common password.
But you saw that one coming, didn't you?
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
DTEX Systems is a workforce cyber intelligence and security company,
and they recently released their 2022 Insider Risk Report. One element the report highlights is what they describe as the rise
of the super malicious insider. Armaan Mahbod is Director of Security and Business Intelligence
at DTEX Systems. Compared to a normal malicious individual, this super malicious person is more
technical, understands the risks and concerns that are out there that businesses are already
looking for, and essentially are the type of individual to know those risks, know how to kind of get behind or pass those risks
and essentially seem to be more normal than others, right? They understand the TTPs that are
out there and all those behaviors. So their goal and intent is to essentially, hey, I know that
this is already looking for that. I'm going to take these measures, these other steps to essentially bypass those things and not go detect it as much as possible.
And so what should the security people be on the lookout for?
I think it's a range of behaviors, right?
There's a lot more with the super malicious.
What we've noticed is although they may try to use social engineering tactics and do things to essentially push work onto others, in many cases, other people are still not convinced or able to be convinced that they should exfiltrate that data.
Right. So I may have access, for example, to, and I may be very knowledgeable on what is actually
worth something and what is not.
So maybe you would contact me and try to make friends with me in the business, try to perform
a little social engineering to get me to provide you some data.
Maybe you're trying to get a leg up in your business or your department, right?
And you're like, hey, maybe this is a mutual benefit for both of us, right?
Those are some incidents that we've seen over the past years where essentially they'll still
have to identify others, still communicate with others, but they'll try to skip the reconnaissance
and utilize social engineering as their way to circumvent, right?
To bypass and not seem to blame to be on them for taking this data or aggregating it.
But they still generally need to
exfiltrate that. So what we've seen is a high spike in burner emails, instant messaging tools,
other things of that nature. Even actually the tools that organizations provide are actually a
very, very hot topic because things like Slack, things like Zoom, communication tools, have a lot more features in them.
But also what those features entail is less visibility for an organization.
And what I mean by that is, for example,
what we've seen is a higher rise
in Slack and communication tool usage,
obviously with remote working occurring.
But what actually is a slight byproduct of that
is people are more comfortable sharing documents
through these methodologies as well. And it's really simple now where, you know, hey, I can send a
Slack message to myself and actually go on my phone and download that file, right? Then I can
clean the stores. And I think it's really important for organizations to be more aware and cognizant
of those means. Are we looking for behaviors? Is that where we're
focused here? Or is this a matter of putting specific filters in place? Or is it a combination
of all those things? No, that's a great question. What we have is we have very compliance-driven
organizations and very innovative, and a mix of the two. And especially in the innovative space,
they feel as though these lockdown measures
can be a hindrance to the business, right?
So I think it's always a mix of both,
depending on the appetite of the business.
But what we see is that there should be
at least a level of understanding
and monitoring still of what's being shared.
And maybe at least consideration, to your point,
tweaking the thresholds, right?
How much can you actually send through this means, right?
I think that's really important.
I suppose also that the tone that you have matters a lot as well.
I mean, it's, you know, to go and slap someone on the wrist is different than saying, hey,
we noticed that you're using
Dropbox here. Is there something that you need to, are there capabilities you need to get your
work done that we're not providing you with? We want to help you stay on the straight and narrow
here. Yeah, no, you're right. Business is a spectrum, right? There's a varying degree of
compliance and regulation and corporate policy and all of
that kind of stuff in place.
And also, you know, your people, you know, as humans, we all have different emotions.
We all react differently.
And usually it's good to let the manager in on it and have them take on this level of
human aspect that we don't want to lose because we want to make sure the relationship between
security folk and employees is not just virtual, right? It's a human thing. We are here. We're
here to help you make sure that you have the tools in place to be more successful.
If you're going to use Dropbox, oh, you know, we actually have this other service and you can
utilize it in this way. If you're doing it for personal means, then obviously we would look at the corporate policy and if that aligns with the
business practices that we have today. You know, and thinking about it in that way, it's making it
more, instead of it generic, making it a little bit more authentic and one-to-one is what we've
seen done, you know, wonders for organizations. That's Armaan Mahbod from DTEX Systems.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Professor Awais Rashid.
He's the director of the National Research Center on Privacy, Harm Reduction, and Adversarial Influence Online at the University of Bristol.
Awais, it's always great to have you back. I wanted to touch base with you today on this whole notion of anonymous communication
systems. And, you know, the work that you're doing there at the National Research Center on Privacy,
Harm Reduction, and Adversarial Influence falls right into this. With everything going on in the
world today, it seems as though there's been quite a focus on the ability for people to communicate anonymously.
Yes, indeed.
And one of the things is that, you know, kind of end-to-end encryption and anonymous communication systems have been in the news for various reasons,
you know, and you can go from the discussion about, for example,
protecting children online, an area in which I have worked myself quite a lot, and potentially the use by criminals in sharing imagery relating to children using potentially anonymous communication
and end-to-end encryption systems to also the other end, you know, in the case of, for example,
geopolitical conflict, you know, where people are able to actually communicate with the outside world
in a private and secure fashion because they have these tools and applications readily available to them.
And that really brings to the front this really interesting point that it's actually not
technology itself or the techniques that provide a positive or negative consequence.
It's how they are potentially used.
But there is also a fundamental question that underpins them.
When you are using an end-to-end
encryption system, or you're using an anonymous communication system, how do you really know
for sure what kind of properties it is preserving or not? Is it really, really preserving your
privacy and under what conditions? And that's really what we are trying to do here. At the
moment, we are working on a big effort to build what we call a privacy
testbed where, for example, application developers or potentially users of applications in due course
or privacy professionals can run large-scale analyses on these kinds of applications without
really having to deploy any specialist infrastructure on their own or having to
access several potentially costly devices.
This allows you to then simulate effectively information flows
on a large scale around these kind of systems,
and then analyze if they are potentially leaking
any privacy-sensitive information.
You know, you and I have spoken previously
about supply chain risk management,
and it seems to me like that applies
to this technology as well. To your point, if I want to use a secure messaging platform,
how do I know that the claims that they are making are actually so? Is there some sort of
chain of custody that can verify that? Absolutely. And this is a really interesting
case in point
that you mentioned,
because I also recall in a previous discussion,
we also, at the start of the pandemic,
we talked about the cybersecurity risks
arising from homeworking and things like that.
And at that point, you might recall,
there was a lot of debate in the media
about whether Zoom-based communications
were end-to-end encrypted or not.
And it is quite interesting that when, for example,
we talk about something being end-to-end encrypted,
in this case, we know that the content of the message,
depending on the protocol that they're using,
would not be visible.
But there is also, of course, metadata that exists
alongside the content of the message,
and that metadata may be possibly accessible. And that's why there was a
lot of backlash against WhatsApp's decision to update their privacy policy that they would be
sharing information, for example, with Facebook being the same parent company. And a lot of users
started to migrate to Signal because they were very concerned. But it was also quite interesting
that a lot of that migration
was from a misconception that the content of their message
could be read rather than that it's the metadata
that was being shared.
So, for example, WhatsApp knows to whom you talk at what point,
but they don't know the content of the message
because they can't read it because they use the Signal protocol.
And it is these kind of things that are hard to establish
unless you are an expert.
So what we are trying to do is that if you're a software developer
and you're implementing such features in your applications,
then you can deploy in the testbed to see
whether it actually really works as you thought it would.
If you are a system administrator, in this case,
deploying an end-to-end communication system in your organization, then you can test whether it actually preserves the properties that it's claiming to preserve.
But also, if you're a privacy professional and you want to see whether an application really delivers on its promises with regards to privacy and anonymity, then you can actually also deploy it and test. And again, this goes to the heart of some of the discussions
we, again, that were in the media around contact tracing
and centralized and decentralized contact tracing and so on.
And it would have been wonderful at that time
to have a testbed like this
for us to really test all these things.
But, you know, as they say, better late than never.
So we are building something now
and it's quite an exciting time.
All right.
Well, Professor Awais Rashid, thank you for joining us.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly,
get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you. channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.