CyberWire Daily - How a hybrid war spreads its cyber effects. Russian and Chinese cyber ops in Latin America. Greenwashing influence. Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
Episode Date: August 29, 2022

Russian cyber operations in Southeastern Europe. The challenge of containing the cyber phases of a hybrid war. Russian and Chinese cyber activity in Latin America. Greenwashing influence operations. Rick Howard looks at risk probabilities. Dinah Davis from Arctic Wolf looks at ransomware payment myths. And an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/166

Selected reading.
Russia blamed for wave of hacker attacks in Southeast Europe (BNE)
Montenegro declares it is in 'hybrid war' with Russia after massive cyber attack (Metro)
Montenegro reports massive Russian cyberattack against govt (ABC News)
Montenegro Reports Massive Russian Cyberattack Against Govt (AP via SecurityWeek)
Montenegro's state infrastructure hit by cyber attack -officials (Reuters)
Cyber Element in the Russia-Ukraine War & its Global Implications (Modern Diplomacy)
Swiss secret service worried about Russian cyber operations (SWI swissinfo.ch)
China and Russia Step Up Cyber Presence in Latin America (Diálogo Américas)
Dominican Republic refuses to pay ransom after attack on agrarian institute (The Record by Recorded Future)
China-Linked Bots Attacking Rare Earths Producer 'Every Day' (Bloomberg)
Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations (The Hacker News)
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations (Microsoft Threat Intelligence Center)
Iran exploiting Log4j 2 weakness to attack Israel, says Microsoft (Israel Defense)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k at checkout.
Russian cyber operations in Southeastern Europe,
the challenge of containing the cyber phases of a hybrid war,
Russian and Chinese cyber activity in Latin America,
greenwashing influence operations,
Rick Howard looks at risk probabilities,
Dinah Davis from Arctic Wolf looks at ransomware payment myths,
and an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 29th, 2022. On Friday and Saturday, respectively, Montenegrin and Bulgarian
officials accused Russia of conducting cyber attacks against their countries' infrastructures. BNE IntelliNews reports,
Montenegro's national security agency said on August 26th that several Russian agencies were behind a cyber attack on key IT systems of state institutions earlier in August. Outgoing Prime
Minister Dritan Abazović said that Montenegro was at the peak of a hybrid war,
adding that the following day, Bulgaria's former ruling GERB party said it was attacked by Russian
hackers, who aimed at publications on three specific topics on its social media pages.
Earlier attacks, also attributed to Russian threat actors, had hit Albanian government services.
All three countries
have generally supported the cause of Ukraine in the present war, with Albania and Montenegro
being particularly vocal in their support of extensive sanctions against Russia.
Public Administration Minister Maraš Dukaj said on Twitter,
certain services were switched off temporarily for security reasons,
but the security of accounts belonging to citizens and companies and their data have not been jeopardized.
The state-owned power utility was among the services affected
and has switched some automated services to manual operation as a precaution.
Montenegro's attribution of the incidents to Russian cyber attack was direct and
unambiguous. Metro News reports, the Podgorica-based agency for national security blamed hackers based
in Russia for efforts to bring down government websites, communications, and transport
infrastructure. Airports and border crossings could all be impacted, it warned, adding,
coordinated Russian services are behind the cyber attack. This kind of attack was carried out for
the first time in Montenegro, and it has been prepared for a long period of time.
According to an AP report cited by ABC News, a government spokesman said, I can say with
certainty that this attack that Montenegro is experiencing these days
comes directly from Russia.
What's being seen in southeastern Europe is a deliberate campaign,
but there are also inherent difficulties in constraining cyber effects in a discriminating way.
Modern Diplomacy has an essay that,
while overstating the actual tactical and operational effects of cyber operations in Russia's war against Ukraine,
points to the difficulty of waging cyber war in a discriminant fashion.
Cyber effects easily cross borders, and the blurred lines between state and non-state actors render it difficult to apply familiar principles of war involving requirements
that forces operate under effective government control. The essay singles out terrorists but
might have with equal justice said criminals. And in hybrid war, other people's servers represent
an irresistible temptation, practically what the lawyers call an attractive nuisance.
Concern about spillover is not, however, simply a matter of academic speculation or a priori probability. Switzerland's
Federal Intelligence Service is reported to be concerned about possible Russian exploitation of
Swiss servers to mount interference campaigns against Western elections. The FIS didn't comment on the report directly,
saying only, Switzerland as a European nation and as part of the Western community is a target of
anti-Western influence campaigns promoting the Russian narrative. Dialogo Americas reports
increased Russian and Chinese efforts to establish a cyber beachhead in Latin America.
Those efforts have been marked by Spanish-language disinformation campaigns
and, in the case of Russia, a stepped-up tempo of privateering activity,
for the most part by well-known ransomware gangs.
Chinese efforts have been marked by an attempt at developing influence through technology exports.
ZTE has been used to induce a dependence on Chinese tech in Venezuela,
where it finds a welcome audience in the Maduro regime.
Russian military cyber personnel deployed to Venezuela in May of 2019
in the overt role of helping the country recover from the collapse of its power grid.
Many of those personnel have remained.
Bloomberg reports that a bot-driven Chinese influence campaign has been running against
Lynas Rare Earths Limited, an Australian mining company engaged in the extraction and processing
of rare earth metals in Australia and Malaysia. Bogus social media accounts circulate accusations of environmental irresponsibility on
the part of Lynas with a view to influencing Australian and U.S. public opinion. Rare earths
are essential to the electronic and green energy sectors. Dominance of both sectors is a key
long-standing objective of Chinese policy. Green is good from Beijing's point of view, but to be
realistic, it's good chiefly insofar as it's good for business, insofar as it provides a competitive
advantage. As a policy commitment? Not so much. Microsoft reports that the Iranian state cyber
threat actor it tracks as Mercury, and which others know as MuddyWater, Seedworm, and Static Kitten,
is exploiting Log4j 2 vulnerabilities in SysAid applications.
All the targets have been organizations in Israel.
Microsoft says,
While Mercury has used Log4j 2 exploits in the past, such as on vulnerable VMware apps,
we have not seen this actor using SysAid apps as a vector for initial access until now.
After gaining access, Mercury establishes persistence,
dumps credentials, and moves laterally within the targeted organization
using both custom and well-known hacking tools,
as well as built-in operating system tools for its hands-on keyboard attack.
The campaign is another instance in the long-running story of Log4j vulnerabilities.
Experts predicted that exploits would be endemic for years
until the vulnerabilities were worked out of the software supply chain,
and this recent wave is entirely consistent with those expectations.
We mention for disclosure that Microsoft is a CyberWire partner.
So, keep looking for the vulnerabilities in your enterprise, and this week, start with SysAid.
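The segment above ends with advice to go looking for the vulnerable library in your own estate. As an added example that is not part of the episode and not code from Microsoft, SysAid or the CyberWire, here is a small Python scanner that walks a directory tree, opens every JAR, WAR and EAR it finds (recursing into JARs bundled inside them), reads the log4j-core Maven pom.properties for the version, checks whether JndiLookup.class is still present, and flags versions in the CVE-2021-44228 range. The tree it builds in a temporary directory (a fake log4j-core 2.14.1 nested inside app.war beside a 2.17.1 JAR) is constructed for the demo; the archive contents are stand-ins, not real class files.

```python
"""Scan a directory tree for embedded Log4j 2 core JARs and report ones that
fall in the CVE-2021-44228 range or still carry the JNDI lookup class.
Added example; not code from the CyberWire, Microsoft or SysAid."""
import io
import os
import re
import tempfile
import zipfile

# Paths inside a log4j-core JAR; both are stable across the 2.x line.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(props_text):
    """Pull the 'version=' line out of a Maven pom.properties file."""
    m = re.search(r"^version=(.+)$", props_text, re.M)
    return m.group(1).strip() if m else None


def version_key(v):
    """'2.14.1' -> (2, 14, 1). Pre-release tags are dropped, so '2.0-beta9'
    sorts as (2, 0, 0), which is inside the affected range anyway."""
    parts = [int(x) for x in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_44228_range(v):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; the 2.3.1
    and 2.12.2 backport releases (and later 2.3.x / 2.12.x) are fixed."""
    k = version_key(v)
    if not ((2, 0, 0) <= k <= (2, 14, 1)):
        return False
    if k[:2] == (2, 3) and k[2] >= 1:
        return False
    if k[:2] == (2, 12) and k[2] >= 2:
        return False
    return True


def inspect_jar(data, path):
    """Inspect one archive's bytes; recurse into nested archives, since fat
    JARs and WARs bundle log4j-core under BOOT-INF/lib or WEB-INF/lib."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    has_jndi = JNDI_CLASS in names
    if version or has_jndi:
        # Version is the deciding signal; fall back to class presence only
        # when the JAR carries no Maven metadata (repackaged/shaded builds).
        vulnerable = is_44228_range(version) if version else has_jndi
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": has_jndi,
                         "cve_2021_44228": vulnerable})
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_jar(zf.read(n), path + "!" + n))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), p))
    return findings


def build_demo_tree():
    """Constructed sample: a fake log4j-core 2.14.1 nested inside app.war and
    a fake 2.17.1 beside it. Class bytes are placeholders, not real classes."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def core_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\n"
                                  "groupId=org.apache.logging.log4j\n")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        return buf.getvalue()

    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(core_jar("2.17.1"))
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(finding)
```

Point scan_tree at the application install directories on a real host. Later log4j-core releases still ship JndiLookup.class with JNDI disabled by default, so the class alone is not proof of exposure; the version string is what decides, and the class check only matters for repackaged JARs with no Maven metadata.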
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
It is always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our
chief security officer and also our chief analyst.
Rick, welcome back.
Hey, Dave.
So over on the company's Slack channel this week, a bunch of us were discussing one of our favorite movies, which is 2012's Zero Dark Thirty.
I love that movie.
That was starring Jessica Chastain and, of course, the late, great James Gandolfini.
And for those who don't know it,
it's the movie about how the CIA found where Osama bin Laden was hiding after 9-11.
And you were saying that there's a scene in that movie that directly applies to calculating cyber risk.
I have to say, when I read that, I was a little bit skeptical.
I get that a lot, Dave.
Explain for us, how does the decision to
assassinate Osama bin Laden compare to calculating cyber risk? Well, I'm so glad you asked, all right.
So the scene in question is when Gandolfini, he's playing the CIA director at the time,
Leon Panetta, and he's in a conference room with his staff asking them for a recommendation
on whether or not Osama bin Laden is in the bunker.
And he's looking for a yes or no answer.
And one of his guys says that he fronted
the bad recommendation
about weapons of mass destruction in Iraq.
And Dave, do you remember what the CIA thought back then
about whether or not Iraq had WMD?
Yeah, I mean, my recollection is that the CIA
director, George Tenet, told President Bush that this was a slam dunk, that these weapons were in
country. And President Bush used that assessment as one of the main reasons to invade, right?
That's right. That's exactly what happened, right? And so in the movie, Gandolfini's staffer
says that because of that intelligence failure, that bad recommendation, the CIA doesn't deal
in certainties anymore. They deal in probabilities, which, you know, that's the right answer, by the
way. It's just not a very satisfying one. And in the movie, in the scene, they go around the room
and get a range of probabilities from 60% to 80% that Osama bin Laden's in the bunker.
And then Chastain breaks into the conversation and says, the probability is 100%.
And she says, okay, fine.
95% because I know certainty freaks you out, but it's 100%.
I love that scene.
Which, by the way, that's the wrong answer.
The probability was never 100%, no matter how sure she was with her evidence.
So, but the CIA staff was right for really complex questions like, is Osama bin Laden in the bunker?
And will my organization get hit by a ransomware attack this year?
We don't deal in certainty. We deal in probability. So for this week's CSO Perspectives show, I walk everybody through that process of how you can assess the probability of material impact to your organization due to some cyber event in the next year.
Well, before I let you go, you have your Word Notes podcast. What is the phrase of the week over there?
Yeah, so we're talking about a concept called sideloading,
which is the process of legitimately or illegitimately,
depending on your perspective,
of installing apps onto your smartphone without going through your vendor's app store,
which might be a good thing for you
because you can install any piece of software that you want,
but it also opens up an attack vector for black hats
to install Trojan horse malware onto your systems.
All right, well, be sure to check that out, and of course CSO Perspectives is part of CyberWire Pro.
You can find out all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Thank you.
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And it is always my pleasure to welcome back to
the show, Dinah Davis. She is the VP of R&D Operations at Arctic Wolf and also the founder of Code Like a Girl.
Dinah, great to welcome you back.
There is a recent ransomware report that caught your eye, and there was something they highlighted in here.
It had to do with some myths when it comes to ransomware.
What can you share with us today?
Yeah, there's this really interesting report from
Coveware, and they highlighted something that I hadn't seen very much before, which is four myths
of why you should pay ransomware. So when they may be explaining to customers or when industry
experts are telling people don't pay the ransom, these are reasons why companies tend to come back
and say, no, I need to pay the ransom for these four reasons or one of these four reasons, right?
The first is that paying mitigates the risk of harmful impact to the parties. So they believe that, like,
if I pay the ransom, I get everything back. Even if they exfiltrated data, they're going to give it back to me, and then nobody is going to be impacted.
The problem is the moment the data is stolen, there's already liabilities, right?
Even as simple as having to report to local governments that the data has been stolen.
So the victim company may have to pay for credit protection and notify impacted parties that their data was stolen, even if they get it back, right? So there's also nothing that will guarantee that the hackers will delete your data or even resell it after you pay.
So not paying because you think you're not going to have impacted parties, it just isn't going to work
for you. Not a good reason. The second reason companies often give for saying they should pay
the ransom is to mitigate the potential for class action liability. That one was really
interesting to me. I'm like, oh, I didn't know people were considering that as a reason they should pay.
Issue there is there's no case law at all, especially in the U.S., to support that paying ransom will protect you from a class action lawsuit.
And typically, if somebody is going to try and come after you with a class action lawsuit, they're going to do it whether you pay it or not.
The fact that it happened was enough for them to, you know,
get on that bandwagon and try and make a buck. So the next one is paying shows my impacted parties
that we did everything to protect their data. So they're saying like, okay, like, you know,
we did everything to try and protect your data. We even paid the ransom. Well, dude, except you lost my data. Except it's already gone. What's going on here?
to your impacted parties how the breach happened. They're saying that the better response is to be
candid, to be honest, contrite. And then your impacted parties are going to, like, respect
and appreciate your transparency a lot more. And I think, you know, that's definitely what we've
seen in the media, right? People who try and squash it and quiet it down and just say, well,
I paid, so we're good, haven't been getting as much good press as the people who have said, yes, we got hit. It's very likely most
companies are going to get hit by some kind of breach at some point, right? That's just how
rampant things are, and it's much more important on how you're handling that afterwards now.
And then the last one goes right into that as well, which is paying will limit the brand
damage from negative PR. Well, I think that just goes right back to what we were just saying,
right? If you pay it and try and hide it a little bit more, it's not going to be good for you. It's
better to just get it out there. It was interesting because one article I read said that the PR wave
that happens when cyber criminals leak data that were previously
stolen has a media half-life of six hours. So if you go out there and you say, look, our data was
stolen, like your half-life is six hours. It's going to be gone and done within a day or two,
right? Wow. As opposed to the hacker coming out and said, hey, we stole your data.
That lives on much, much longer, right?
So you can scoop the criminal, basically, if you post that you've done it before they post that they're doing it to you.
Oh, interesting.
And I suppose that so by getting in front of it, you really can control the narrative.
Yeah, that's basically what they're saying.
Because I think it's also like becoming more and more clear to people and just the everyday person that these things are going to happen to everyone.
So a responsible company tells you as soon as they know and then manages the situation from there.
Yeah.
All right.
Well, interesting, interesting advice for sure.
Dinah Davis, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.