CyberWire Daily - Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism may go too far. C2C market notes. Advice from CISA and NIST. Prank calls as statecraft.
Episode Date: March 18, 2022
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism that affects software supply chains may go too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Saey from MISI with insights on maritime port security. And Rear Admiral Mehoff, call your office.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/53
Selected reading.
Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (The Hacker News)
Software Supply Chain Weakness: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem (SecurityWeek)
Russian government websites face 'unprecedented' wave of hacking attacks, ministry says (Washington Post)
Ukraine's Digital Ministry Is a Formidable War Machine (Wired)
Exposing initial access broker with ties to Conti (Google)
Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (The Hacker News)
Strengthening Cybersecurity of SATCOM Network Providers and Customers (CISA)
NIST Special Publication 1800-10, Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector (NIST)
Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (The Guardian)
Russians target Priti Patel and Ben Wallace with fake video calls (The Telegraph)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Hacktivism and other cyberattacks continue against Russian targets,
but some may have gone too far.
An initial access broker in the criminal-to-criminal market.
Black Matter may be working with Black Cat.
CISA offers a warning and advice to SATCOM operators.
NIST offers some guidance on industrial control system security.
Johannes Ullrich reminds us to patch our backup tools.
Our guest is Armando Saey from MISI with insights on maritime port security.
And Rear Admiral Mehoff, call your office.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, March 18th, 2022.
Anonymous has resumed or continued its campaign of defacement against Russian-networked closed-circuit cameras,
rigging them to display such messages as "Putin is killing children," "352 Ukraine civilians dead," and "Slava Ukraini," Vice reports.
Russian government websites have also come under attack.
In an unusual announcement,
Russia's Ministry of Digital Development and Communication said the attacks were unprecedented.
They appear, from the account offered by the Washington Post, to be a mixture of distributed denial-of-service attacks and website defacements.
A statement from the ministry, apparently addressing the DDoS attacks, said, quote,
We are recording unprecedented attacks on the websites of government authorities.
If their capacity at peak times reached 500 gigabytes earlier, it is now up to one terabyte. That is two to three times more powerful than the most serious incidents of this type previously recorded, end quote.
Among the website defacements was one affecting the Russian Emergency Situations Ministry website,
whose content was changed.
The ministry's hotline number was replaced by a heading
Come Back from Ukraine Alive,
followed by a number Russian soldiers could call for assistance
should they be interested in desertion.
It's not always clear which actions are those of hacktivists
and which are conducted by Ukrainian digital services.
Wired gives high marks to Kiev's Ministry of Digital Transformation in what amounts to a
mash note to a government agency run by tech-savvy freaks who've proven themselves to be a formidable
war machine. The closeness of Ukraine's cyber operators to NATO hasn't escaped Russian notice
either. Moscow's ambassador to Estonia, where NATO's Cooperative Cyber Defense Center of Excellence is located,
sees more evidence of Western plotting and blackmail, Bleeping Computer reports.
Ambassador Lipayev explained to TASS in an interview today,
quote,
Our suspicions on this score have turned out to be correct.
This first step will certainly entail others pursuing the aim of converting Ukraine into a stronghold for political, economic, ideological, and military blackmail of Russia.
Cloud security firm Snyk has found malicious code in the npm open source ecosystem
that seems motivated by a hacktivist determination to strike
Russia and its increasingly shy junior partner Belarus. Snyk explained, quote,
On March 15, 2022, users of the popular Vue.js front-end JavaScript framework started experiencing what can only be
described as a supply chain attack impacting the npm ecosystem.
This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as
an act of protest by the maintainer of the node-ipc package. This security incident involves
destructive acts of corrupting files on disk by one maintainer and their attempts to hide and
restate that deliberate sabotage in different forms. While this is an attack with protest-driven
motivations, it highlights a larger issue facing the software supply chain. The transitive
dependencies in your code can have a huge impact on your security, end quote.
Hacker News explains that node-ipc is a prominent Node module used for local and remote interprocess communication with support for Linux, macOS, and Windows.
It has over 1.1 million weekly downloads.
An NPM manager wrote and published an NPM module that he described as follows, quote, This code serves as a non-destructive example
of why controlling your node modules is important.
It also serves as a non-violent protest
against Russia's aggression that threatens the world right now.
This module will add a message of peace on your users' desktops,
and it will only do it if it does not already exist,
just to be polite, end quote.
At the very least, Snyk says, this particular form of protest calls into question the
trustworthiness of the maintainer, who goes by the hacker name RIAEvangelist, and his other
contributions. Snyk concludes, quote, Snyk stands with Ukraine, and we've proactively acted
to support the Ukrainian people during the ongoing crisis with donations and free service to developers worldwide, as well as taking action to cease business in Russia and Belarus.
That said, intentional abuse such as this undermines the global open-source community and requires us to flag impacted versions of node-ipc as security vulnerabilities, end quote.
Google's threat analysis group is investigating a financially motivated,
that is, criminal, initial access broker its researchers are calling Exotic Lily.
The group is working with the gang known variously as FIN12 and Wizard Spider,
best known as proprietors of the Conti ransomware.
Exotic Lily has exploited a vulnerability in Microsoft MSHTML.
Security researchers with Cisco Talos describe a suggestive convergence between BlackCat
malware and the BlackMatter/DarkSide gang.
BlackCat has pooh-poohed other attempts to link them to BlackMatter and its DarkSide
ancestor, denying that it's just a rebranding of BlackMatter and insisting that it's a new team
made up of alumni from other ransomware-as-a-service groups. But in one respect at least, Talos seems
to have the goods on them: BlackMatter was an early adopter of BlackCat. The researchers write, quote,
BlackCat seems to be a case of vertical business expansion.
In essence, it's a way to control the upstream supply chain by making a service that is key to their business,
the ransomware-as-a-service operator,
better suited for their needs and adding another source of revenue.
Vertical expansion is also a common business strategy
when there is a lack of trust in the supply chain. There are several cases of vulnerabilities in
ransomware encryption and even of backdoors that can explain a lack of trust in ransomware as a
service. One particular case mentioned by the BlackCat representative was a flaw in DarkSide/BlackMatter ransomware, allowing victims to decrypt
their files without paying the ransom. Victims used this vulnerability for several months,
resulting in big losses for affiliates, end quote.
CISA and the FBI have advised satellite communications operators to take a number of steps to increase the security of their systems.
For immediate action, they recommend that operators take the following steps today.
Use secure methods for authentication, enforce principle of least privilege,
review trust relationships, implement encryption,
ensure robust patching and system configuration audits,
monitor logs for suspicious activity,
and ensure incident response, resilience,
and continuity of operations plans are in place.
It's familiar advice, but nonetheless valuable for having been offered before.
Basic cyber hygiene is always a good idea.
The alert doesn't explicitly mention the Russian threat to satellite systems, but as
SecurityWeek points out,
it's likely that the warning was prompted by the ongoing investigation of probable interference with Viasat service in Ukraine and parts of Eastern Europe. It's significant that the agencies
recommend reading the recent annual threat assessment of the U.S. intelligence community
for what it has to say about state-sponsored threats to satellite systems.
NIST has released SP1800-10,
Protecting Information and System Integrity in Industrial Control System Environments,
Cybersecurity for the Manufacturing Sector.
The document is noteworthy for communicating its advice by walking its audience through 11 attack scenarios
that cover physical, network, and software supply chain avenues of approach.
And finally, the UK's Defense and Home Secretaries, Ben Wallace and Priti Patel, respectively,
separately entered Microsoft Teams meetings, which Mr. Wallace said had been properly set up,
during which they believed initially that they were talking to Ukrainian Prime Minister Denys Shmyhal.
The Telegraph reports, while the person he was speaking with looked like Mr. Shmyhal
and was sitting in front of a Ukrainian flag,
the Defense Secretary grew suspicious when the person who looked like Shmyhal
began asking about British naval deployments and Ukrainian intentions.
Presumably, the real Prime Minister Shmyhal wouldn't need the UK to tell him what his
government's intentions were. Mr. Wallace ended the call after eight minutes and has ordered an
investigation. Ms. Patel's experience was similar. The Guardian's account of the incidents considers
them hoaxes, leaving open the question of whether Russian services were behind them,
but it's equally severe about the security measures that made it possible
for an imposter to get through to members of the Cabinet.
So, a question.
Are phone pranks more or less credible when they arrive through business collaboration tools?
If the calls were the work of Russian intelligence services,
it represents something new.
Who expected Moscow to call in
and effectively identify themselves as I.P. Freely?
One would expect more.
A call like that might convince Moe Szyslak for a minute,
but a cabinet minister?
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Taking place next week in Fort Lauderdale, Florida,
is the Maritime and Control Systems Cybersecurity Con, Hack the Port 22.
The event is put on by MISI, the Maryland Innovation and Security Institute,
and DreamPort in support of U.S. Cybercom and its mission partners.
The event highlights the importance of securing our maritime ports.
Armando Saey is director of DreamPort.
In 2020 and 2021, there were two maritime strategies,
one for the Coast Guard and then a national cyber policy for maritime. What we discovered
in communications with folks at CISA, Department of Homeland Security, and Coast Guard, actually
the Pentagon as well, was that it was not getting enough attention. If you look at the Iranian playbook,
Cyber Command playbook that was released, it totally pointed out the fact that they were
looking to do malicious cyber attacks at maritime ports to disable force projection of their
adversaries, to disrupt supply chains. In the U.S. alone or the world, like 90% of goods travel
through some sort of maritime
ports. I mean, they eventually make it onto rail systems and trucking systems, but it's transported
overseas through ships and they get to various shores when we export goods. So you can disrupt
entire global and domestic economies regionally and nationally by basically attacking a port.
There are some reports that there's been a 500, 400% increase in threats to maritime
ports around the world.
You can go all the way back to NotPetya, right, and all that, right, in Ukraine, which is
in the news, obviously, very much today.
And it all points to the impact of maritime ports as very critical to the U.S. economy
and our global ability,
but also force projection.
We deliver a lot of our military goods and supplies when we have to project force around
the world via ports.
You know, tanks and food and fuel and all of those things are done through maritime
ports in part.
And maritime ports connect to rail systems and other surface mount transportation systems.
So it's a very interconnected ecosystem.
And if you look at any port, take a very close look.
I'll give you an example.
The port of Tampa in Florida, 70% of Florida's fuel comes through that port.
Whenever there's a hurricane in Florida and people wonder, why are we running out of gas?
It's because all those tanker ships have moved away from the coast of Florida, and all of those fuel trucks waiting to get refueled by those tanker ships
don't have anything to wait for because the ships aren't coming in until the storm has passed.
So things like Colonial Pipeline and the water plant attack in Florida
brought very, very keen attention to the fact that, whoa, wait a minute,
our ports transport fuel.
We offload, you know,
wastewater and other things, LNG gas. We aren't as prepared as we need to be for a cyber attack
that could have the same or worse impact than a hurricane could.
The Hack the Port conference kicks off next week in Fort Lauderdale, Florida. The CyberWire is a media partner. I'll be
attending in person and hosting a session. You can learn more at hacktheport.tech. There's a lot more to this conversation. If you
want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
You know, I think the message has certainly got out there about backups.
You know, ransomware has been top of mind for so many people
that I suspect there are a few who are out there who aren't doing regular backups. But there's a little more to it than that, as you wanted to point out today.
Yeah, so backups are important. They're often sort of considered your last line of defense
when it comes to ransomware. But keep in mind, backup, it's complex, it's boring, so a lot of people don't really pay a lot of attention to it.
So in addition to just testing that your backups are working,
keep an eye on your backup software,
because one trend that I've seen over the last year
is that there are really a lot of vulnerabilities
in backup software.
And if you think about it,
the vulnerability can be either in whatever central platform
you use to manage your backups.
It may be in the agents that you need to deploy on systems
in order to create these backups.
All of these components have vulnerabilities.
They usually run with elevated privileges
because they need to have access
to all of your files on the system.
And I think it's a little bit that,
not to have too much of a Star Trek reference,
but the undiscovered country
of how attackers may get into your system.
So in addition to attackers outright wiping out backups,
we have seen that, of course, quite a few times,
they may actually use your backup software
as an entry point into your network.
I mean, it's not just the management software.
I mean, you should be checking up on the hardware too, right?
I'm thinking about like, you know,
Synology systems, things like that.
Yeah, these network accessible disk platform storage systems, Synology mentioned QNAP,
they have a rich history of vulnerabilities themselves.
They often have been already used as an entry point, like there was this SynoLocker and
lately, I forgot what it was called, the QNAP was affected by some ransomware software.
So these platforms are part of it, part of the problem.
And the software, like recently IBM Spectrum Protect,
they're usually used to update containers, the backup containers.
They had some critical vulnerabilities.
Kaseya, Unitrends, they had, I think, back in December,
it's hardly a month goes by without one or two
sort of really critical vulnerabilities
in that kind of software.
Yeah, I mean, I guess it's worth noting
that putting that on your schedule,
the care and maintenance of your backups
includes checking to make sure
that you can actually restore from them,
but also add to that list that they're up to date.
Yeah, and always remember, once a month, delete a file and ask your sysadmins to recover it and see if
it works. If you don't do that, it will not work once you actually need it. I ran into this myself
a few times.
Yeah, count on it, right?
Oh, and before you delete that file, make your own backup of it.
Yeah, absolutely, absolutely. Right, right.
Take it home, store it under the steps in the attic or whatever.
Burn it out.
Right, yeah, yeah.
All right, Johannes Ullrich, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday.
My conversation is with Nathan Brubaker from Mandiant.
We're discussing their research,
One in seven ransomware extortion attacks leak critical operational technology information.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of
DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies.
Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabe, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Bilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.