CyberWire Daily - Hacktivism, protestware, and information operations in a hybrid war. Brazil-based cyber gangs active in extortion. Steganography opens a backdoor. A free decryptor for Diavol ransomware.
Episode Date: March 21, 2022

The widely expected, intense Russian cyber campaign has yet to appear. "Protestware" as a dangerous turn in hacktivism. Information operations and the persistence of independent channels of news. Social media as an opsec problem. Lapsus$ may have hit Microsoft. A second Brazilian gang tries its hand at extortion. A snaky backdoor afflicts French organizations. AD Bryan Vorndran of the FBI Cyber Division on what the agency brings to the table in cyberspace. Rick Howard considers infrastructure as code. Emsisoft offers a free decryptor for Diavol ransomware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/54

Selected reading.
Volodymyr Zelensky tells Russia to seek 'meaningful' peace talks or face catastrophic losses (The Telegraph)
Cyber threats and the Ukraine conflict (Avast)
Cyber 'cold war' rages online but Russia holds back on massive digital attacks (Times of Israel)
Mar 13 - Mar 19 Ukraine – Russia the silent cyber conflict (Security Affairs)
Former CIA officer shows what a Russian cyberattack on the US would look like (Fox News)
EU and US agencies warn that Russia could attack satellite communications networks (Security Affairs)
Banks on alert for Russian reprisal cyberattacks on Swift (Ars Technica)
Activists are targeting Russians with open-source "protestware" (MIT Technology Review)
Cyber warfare gets real for satellite operators (SpaceNews)
More Conti ransomware source code leaked on Twitter out of revenge (BleepingComputer)
Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers (Vice)
Anonymous has unleashed a successful cyberwar to undermine Putin's Ukraine invasion (Fortune)
Some Russians are breaking through Putin's digital iron curtain, leading to fights with friends and family (Washington Post)
On Russia's VK, anti-war messages defy Vladimir Putin's Ukraine censors (Newsweek)
Why Russia's anti-war movement matters (Atlantic Council)
Telegram Thrives Amid Russia's Media Crackdown (Wall Street Journal)
British soldiers are ordered off WhatsApp amid fears that sensitive military details could be accessed by Russian hackers (Daily Mail)
Microsoft Investigating Claim of Breach by Extortion Gang (Vice)
Hacking group that went after NVIDIA may have also attacked Microsoft (Windows Central)
Microsoft Allegedly Breached by LAPSUS Group (Cyber Kendra)
Lapsus$ gang sends a worrying message to would-be criminals (Register)
TransUnion cyber attack – hackers demand R225 million ransom (Business Tech)
TransUnion Confirms Data Breach at South Africa Business (SecurityWeek)
UPDATE | TransUnion believes breach of 54 million SA records unrelated to current hack (Fin24)
Banks move to protect consumers in wake of TransUnion cyberattack (TechCentral)
Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain (Proofpoint)
Emsisoft releases free decryptor for the victims of the Diavol ransomware (Security Affairs)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
The widely expected intense Russian cyber campaign has yet to appear.
Protestware as a dangerous turn in hacktivism, information operations and the persistence of independent channels of news.
Social media as an opsec problem.
Lapsus$ may have hit Microsoft.
A second Brazilian gang tries its hand at extortion.
A snaky backdoor afflicts French organizations.
AD Bryan Vorndran of the FBI's Cyber Division on what the agency brings to the table in cyberspace.
Rick Howard considers infrastructure as code.
And Emsisoft offers a free decryptor.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 21st, 2022.
We open again with a brief note on the situation on the ground in Ukraine. On Saturday, Ukrainian President Zelensky called upon Russia to engage in meaningful peace talks. Russian ground forces are digging in, in place, along most of their avenues of advance, especially in the approaches to Kiev, which suggests that the invasion continues to stall. The British Ministry of Defense's Friday evening spot report simply said, "President Putin continues to wage war on the people of Ukraine by striking dense urban areas, killing and displacing innocent civilians with non-precision weapons."

Apart from the widely reported distributed denial of service incidents and wiper attacks against Ukrainian targets, large-scale Russian cyber attacks have failed to materialize, although most governments remain on alert for some such campaign, which they fear would not remain confined to the combat theater. Security Affairs has a timeline of recent cyber activity in the war. Its most recent entries mention Chinese cyber espionage attempts against Ukraine's government, but these seem common, expected intelligence collection about an ongoing conflict and not an extraordinary campaign.

The Times of Israel describes a conflict in which hacktivists and deniable criminal organizations have played the most prominent roles. Anonymous has been active on behalf of Ukraine, and the Conti gang, itself infiltrated by Ukrainian hacktivists, on behalf of Russia. The most significant incidents so far have been some disruption of Viasat ground station operations in Ukraine and some episodic GPS jamming, both of which remain under investigation, but which appear circumstantially to represent Russian operators. Both U.S. and EU authorities have warned satellite communications operators to look to their defenses. So far, according to the Washington Post, Starlink has given Ukraine some surprisingly robust access to the Internet and also the means of controlling some of its drones. Ars Technica reports that Western banks are also taking measures to protect themselves against Russian retaliation against the SWIFT interbank transfer system, from which sanctions have excluded it. But again, so far, no attacks have surfaced.
Hacktivists have generally favored the cause of Ukraine in the current war, and some of their methods have come under strong criticism. Last week, a hacktivist who goes by the hacker name RIAEvangelist wrote source code for an npm package they called peacenotwar and distributed it within the open-source ecosystem by making it a dependency of a popular and widely used npm module, thus affecting the software supply chain. The peacenotwar package was designed for use against systems in Belarus and Russia, but even if that form of supply chain attack were deemed legitimate, it seems indiscriminate and difficult to contain. Since then, Russian organizations have grown understandably warier of the possibility of software supply chain corruption. MIT Technology Review reports, "In response to the threat, Sberbank, a Russian state-owned bank and the biggest in the country, advised Russians to temporarily not update any software due to the increased risk and to manually check the source code of software that is necessary, a level of vigilance that is unrealistic for most users."
Hacktivism is susceptible to becoming indiscriminate and uncontrolled. It's also frequently criminal, albeit not usually criminal in the sense of being financially motivated. Computing points out that most Western authorities have discouraged individuals from engaging in hacktivism. "Participating in Ukrainian cyber attacks from the USA or the UK could violate local laws, such as the Computer Fraud and Abuse Act in the U.S. and the Computer Misuse Act in the U.K." Alan Woodward, a professor of cybersecurity at Surrey University, noted, "While I totally understand the sentiment behind the actions of many in this IT army, two wrongs do not make a right." He added that not only might it be illegal, but it also runs the risk of playing into Putin's hands, who could use the attacks to spread anti-Western rhetoric.

Russian President Putin has vowed to purge Russia of scum and traitors insufficiently committed to the special military operation in Ukraine. The Kremlin has sought to crack down on both public protest and online dissent, both now fully criminalized, the Atlantic Council reports. But public protests by Russian standards have been surprisingly prominent. This suggests that news other than the official Kremlin line, that the war is an ultimately defensive one waged against genocidal Nazis, is getting through.
Some of the channels in which it's circulating are surprising. Groups within the widely used Russian social media platform VK (VKontakte, "In Touch") are serving as conduits for dissent and unofficial news. The groups involved are, according to Newsweek, long-standing groups focused on common interests such as art, sports, music, and celebrities. VK is by no means a nest of dissenters. The executives who run it are close to the government and have themselves come under U.S. sanctions. The sharing of unofficial news on the war in Ukraine seems to be a function of the sheer difficulty of effective content moderation on a platform with more than 90 million users.

The social media platform Telegram has surged in Russia, where it's continued to operate without the interruption and blockage experienced by Instagram, Twitter, and the like. Telegram originated in Russia, which may be why it's been permitted to operate. The Wall Street Journal quotes Ivan Kolpakov, editor-in-chief and co-founder of the now-blocked Russian independent media outlet Meduza, which is itself surviving in its Telegram feed: "Telegram isn't perceived as a total enemy resource. It's not perceived as a tool of information war against Russia. In Russia, a huge culture of uncensored journalism and so-called journalism appears on Telegram." Telegram itself told the Journal it didn't know why it hadn't been blocked, and it didn't know if it would be blocked in the future, but, "We believe in freedom of speech and are proud we can serve people in different countries in difficult times."

The Daily Mail says the Royal Army has told its troops to stay off WhatsApp, regarding the platform as receiving too much attention from Russian intelligence services. Troops are chatty and people tend to be disinhibited online.
Reports circulating on Reddit and elsewhere suggest that the Lapsus$ group has posted and deleted material that suggests an attempt against Microsoft. Cyber Kendra reports, and points out that the story is early and so far unconfirmed, that Lapsus$ may have compromised an Azure DevOps account. Microsoft told BleepingComputer that they were investigating the gang's claims of successfully penetrating the company. The Register last week offered a brief history of the relatively young gang, which is thought to be based in Brazil and which has made a specialty of hitting targets in the tech sector. Lapsus$ is thought to be a new group, not merely a rebranding of an existing criminal gang. Their approach is unusual in that they don't deploy ransomware, but rather steal source code and threaten to release it. In disclosure, we note that Microsoft is a CyberWire partner.
TransUnion disclosed a data breach late last week when a gang, identifying itself as NaughtySecTU, succeeded in accessing one of the credit bureau's South African servers. The gang, which, like Lapsus$, is thought to be based in Brazil, demanded $15 million in ransom. SecurityWeek reports that TransUnion has said it won't be paying. TechCentral says the South African Banking Risk Information Centre is working with the country's banks to protect consumers who might be affected by the breach.

Proofpoint reports that a new backdoor is being installed in French targets. The attack is unusual in its use of steganography. Proofpoint says in their report that the attack represents new targeted activity impacting French entities in the construction and government sectors. The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer. Various parts of the VBA macro include ASCII art and depict a snake. It's crudely drawn, as befits an ASCII picture, but a snake it is. The attacker's identity and motives are so far unknown.

And finally, bravo Emsisoft: the company has released a free decryptor for Diavol ransomware.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, it's always great to have you back.

Hey, Dave.

I don't know if I'm misreading things here, and honestly, I don't know where the time has gone. But according to the notes I have in front of me, you are finishing up the last episode in season eight of the CSO Perspectives podcast. I feel like I'm still, like, putting away ornaments from my Christmas tree. How did you get through an entire season without me hardly noticing? What do you have in store for us on this last episode?

I know exactly what you mean. I mean, I turned around twice and spring arrived. It was like, gee whiz, what's been going on? All right, so for this last episode of the season, I'm delivering some good news, something we can all use in these crazy days of this year.

I'm listening.

Well, when I started this podcast about two years ago, I did an entire episode on how DevOps, or DevSecOps if you like, was going to be the way forward to deploy some of these first principle strategies that I keep yammering on about. But I was frustrated because it seemed to me that the IT people doing DevOps had kind of left the security people in the dust. You know, in other words, they didn't bring us along as they made progress in building these continuous integration, continuous delivery pipelines, or CI/CD pipelines for short. And the security community wasn't smart enough to tag along with them. So back then, the gap was widening between what the DevOps teams were doing and what the security teams were doing. Well, I'm here to tell you that it looks like both sides of the equation have come to that conclusion themselves and have started to make the necessary course corrections. It's too soon to say that we've got the problem solved. But the one key indicator is that the folks over at Gartner, you know, the folks that do the hype charts about different things, they placed DevSecOps as just coming out of the trough of disillusionment. So they've slowly put DevOps in the slope of enlightenment, and it's about, according to them, you know, five to 10 years away from reaching the plateau of productivity.

Who has that kind of time?

Yeah, I know. Okay. But it's better than what I thought. That's all I'm saying.

Okay.

So in this episode, we're going to talk about how we got here and the steps that the senior security executive should be taking right now to take advantage of this kind of new development.
All right. Well, we will check that out for sure. It is the final episode of season eight of CSO Perspectives. That is part of CyberWire Pro. You can find out all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.

Thank you, sir.

Thank you.

ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And I'm pleased to welcome back to our show Bryan Vorndran. He is the Assistant Director of the FBI's Cyber Division. Mr. Vorndran, welcome back to the CyberWire.
I want to touch today on some of the things that the FBI brings to the table when it comes to your Cyber Division. And specifically, you know, I think there are a lot of private organizations out there, and I'm thinking particularly of the small to medium-sized businesses. When they're hit with some sort of cyber incident, I think a lot of them think that maybe they're too small to reach out to their local FBI field office. They don't warrant the attention of an organization at the federal level. Is that a misperception on their part?

Dave, thanks for the question. Let me start by saying the best assessment that we have within the U.S. government is that we receive reporting on between 20 and 25 percent of the total computer intrusions that occur against organizations in the country. And so when we're operating with a data set that's only 20 to 25 percent deep, it does prevent us as the U.S. government, and that includes all members of the intelligence community, from being more effective at preventing additional victimizations against individuals, corporations, or organizations that may not know they're the next target. And I would ask those that are evaluating whether they're too small to warrant the attention to change the question in their mind to this: If I choose to engage the FBI, it may prevent someone else from being a victim. And because of that, do I want to engage the FBI? And we're hopeful that the answer to that question is yes. Not in the spirit of are they too small to warrant the services. The question is, can they contribute to the data set? Can they contribute to us understanding trends, vulnerabilities that will allow us to protect others? And because of that, we have a clear answer to the reporting question, which is that we would encourage everyone to report because it really does put us in a better position to help potential future victims.

Can you give us some insights, you know, if I report something to the IC3 website or I call my local field office with an incident or a question, what should I expect in terms of a response?

So I'm going to provide two answers to that question, Dave.
One is information specific. One of the questions we get routinely is what type of information does the FBI or other agencies need, other agencies being CISA, Secret Service, need to really do meaningful work with our computer intrusion? So information such as malware variant, initial vector of attack, whether it affects the IT system only or the IT and the OT, whether we know if there's any unique malware signatures, the variant of ransomware if appropriate, when and if the systems were segregated, are there viable backups? This is the type of specificity and detail that will help us align the right resources quickly for the benefit of the victim.

We often get the question about, and we call it, we name it myth-busting, about how is the FBI going to show up to my place of work? Simple questions are, are there going to be black Suburbans? Are there going to be red jackets? Are you going to start going through all of my paperwork, right?

Right. And the answer to that question is absolutely not, but I'm going to make some recommendations here and then walk you through what it will actually be. The recommendations would be develop that incident response plan and bring your inside counsel or your outside counsel into that incident response planning exercise functionality on a very routine basis and work through your concerns with the FBI before there's actually an incident. What we say is let's lower the barriers to sharing so that we can simply build trust in the moment of a critical incident very, very quickly. So those are steps that can be taken today with inside or outside counsel that very much lower the temperature at the moment of a cyber incident.

But in terms of our work when we show up, we're very, very flexible. We're happy to engage in conversations about memorandums of understanding or legal documentation that puts a company's mind at ease. We are certainly not after PII of employees or clients. We are certainly not after sensitive information for a company or intellectual property. We are simply looking for elements and evidence and intelligence of criminal activity so that we can bring people to justice or so that we can inform the larger intelligence community ecosystem.
different paradigms than thinking the FBI is going to show up in a very pronounced, loud fashion. That is not the way we conduct our business. And I'll give you two other examples. We've received requests as simple as, hey, can you help us safely take down servers? Because we're not sure how to ensure that we don't ruin our information on our systems that was hit by a ransomware attack, and we don't want to affect evidence that you need. The answer to those questions is always going to be yes. We've received questions to help with controlling media inquiries to companies who have become the victim of a ransomware attack. Hey, Bryan, or hey, FBI, can you help us take all the inbound media inquiries while we're trying to do meaningful incident response? The answer to those questions is absolutely. We will issue press statements to direct all media inquiries to us. So really, the breadth of our options to provide support is quite broad. We even have a victim services division that, if employees are really, really struggling with what they're going through as a result of a cyber intrusion, we'd be happy to get our victim services involved to help specific employees who are really struggling. So the options that we have are much deeper than technical, but the common thread is respect for what's at stake for the company. And I do think we do that quite well.
All right. Well, Assistant Director Bryan Vorndran from the FBI's Cyber Division, thanks so much for joining us.

Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Thanks for listening.
We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.