CyberWire Daily - Hybrid war and disinfo from the swamp. Stormous hacks on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Notes on ransomware operations.
Episode Date: May 3, 2022
Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services. The Stormous gang, hacking on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Our guest Chetan Mathur of Next Pathway finds similarities between the cloud industry and the 1849 California Gold Rush. Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue. Notes on ransomware operations.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/85
Selected reading.
Microsoft sees Russian cyberattacks on Ukraine 'getting more and more disruptive' (Inside Defense)
Sergey Lavrov claims Hitler had 'Jewish blood' (The Telegraph)
Lavrov's anti-Semitic outburst exposes absurdity of Russia's "Nazi Ukraine" claims (Atlantic Council)
Russia likens Zelensky to Hitler as Mariupol says Russia worse than Nazis (Newsweek)
Russia reroutes internet in occupied Ukrainian territory through Russian telcos (The Record by Recorded Future)
Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine (Trustwave)
Zhadnost 'stamps' out Ukrainian National Postal Service's website (SecurityScorecard)
Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug (The Record by Recorded Future)
Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk (Nozomi Networks)
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (The Hacker News)
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (The Hacker News)
New Black Basta Ransomware Possibly Linked to Conti Group (SecurityWeek)
Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims (The Hacker News)
Conti and Hive ransomware operations: What we learned from these groups' victim chats (Cisco Talos)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services.
The Stormous gang, hacking on behalf of Russia.
Risks of DNS poisoning.
Updates on Chinese cyber espionage campaigns.
Our guest, Chetan Mathur of Next Pathway, finds similarities between the cloud industry and the 1849 California gold rush.
Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue,
and some more notes on ransomware operations.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday,
May 3rd, 2022.
Inside Defense reports that Microsoft foresees an increase in Russian attempts to conduct disruptive cyberattacks.
Meanwhile, Russia has rerouted Internet traffic in occupied regions of Ukraine through Russian services.
The occupiers shut down the Internet in Kherson over the weekend
and then restored it by routing traffic through Russian infrastructure.
NetBlocks reports that on 1 May, hours after the Internet blackout in Kherson,
regional provider Skynet partially restored access. However, connectivity on the network
has been rerouted via Russia's Internet instead of Ukrainian telecoms infrastructure,
and is hence likely now subject to Russian Internet regulations, surveillance, and censorship.
Trustwave has been tracking the activity of Stormous,
a group largely unknown before Russia's invasion of Ukraine,
and which since February has announced ransomware attacks against Western targets.
The attacks are designed to work in the interest of Russia by disrupting or otherwise discrediting Western brands,
prominent companies, and other organizations.
An attack it claimed against Coca-Cola is representative, flashy, and unconfirmed.
Stormous has been received skeptically by the security industry,
as many analysts regard them as scavengers of old leaks,
and not as exhibiting any genuine ransomware chops.
They remind Trustwave of another wildcard outfit, Lapsus$. Trustwave says the group's motivating principles and behavior somewhat resemble the Lapsus$ hacker group, which targets entities mainly in the Western Hemisphere.
Like Lapsus$, Stormous is quite loud online and looks to attract attention to itself, making splashy proclamations on the dark web and utilizing Telegram to communicate with its audience and organize to determine who to hack next.
While Lapsus$ seems to have been motivated by cash and cachet, the lulz and money,
Stormous' motivations appear political.
They say they're hacking in the Russian cause,
and there's no reason not to take them on their word.
But the group may have experienced a setback.
Trustwave updated its report late yesterday and says,
The Trustwave SpiderLabs team has noted Stormous' underground website
became inaccessible on April 29th.
At this time, it is not known why the site is down. We will continue to monitor for additional threat intelligence.
SecurityScorecard has released a summary of its study of the distributed denial-of-service attack against Ukrposhta, Ukraine's national postal service.
The attack seems to have represented a reprisal for Ukrposhta's issue of a stamp commemorating the Snake Island middle finger of defiance, "Russian warship, go f yourself," and the subsequent destruction of the Russian warship in question, Black Sea Fleet flagship Moskva.
Some of the key points SecurityScorecard brings out include: the attack lasted just over 16 hours and was launched by nearly 1,000 bots, which are now considered to be part of the Zhadnost botnet; the majority of the bots were MikroTik routers located in Indonesia, Thailand, and the Philippines; and the DDoS attack used DNS amplification, similar to previous Zhadnost attacks on Ukrainian government and financial websites in February.
Ukrposhta was able to recover from the attack without undue difficulty.
SecurityScorecard thinks it sees signs that the Zhadnost botnet may be running out of resources.
They say,
SSC observes the first-time use of Russia-based bots and the reuse of Zhadnost infrastructure,
a possible indication Zhadnost is starting to exhaust its inventory of unique infrastructure.
Nozomi Networks reports finding a vulnerability that affects the domain name system implementation of all versions of uClibc and uClibc-ng.
This involves a C standard library widely used in IoT products.
The vulnerability opens affected devices to DNS poisoning attacks.
SentinelLabs has been following the activities of Moshen Dragon, which they describe as a Chinese-aligned cyber espionage threat actor operating in Central Asia.
Moshen Dragon's approach is interesting, involving trial-and-error abuse of traditional antivirus products to attempt to sideload malicious DLLs.
Another Chinese APT, variously called Lotus Panda, Override Panda, or Naikon, has resurfaced.
Cluster25 is tracking the APT's cyber espionage against ASEAN nations.
SecurityWeek reports that security firms see evidence suggesting links between the recently
observed Black Basta ransomware operation and the Conti gang. Black Basta's high-profile victims
have included Deutsche Windtechnik and the American Dental Association.
Researchers at Minerva believe each Black Basta sample is specially created for a specific victim,
as a company ID is hard-coded into the ransom note as well as a public key.
And finally, Cisco Talos researchers have released the results of their study of leaked Conti and Hive ransomware gang chats.
Both groups do extensive pre-attack research into prospective victims, and both gangs negotiate
their demands and are quick to lower them, presumably on the proverbial grounds that
half a loaf is better than none.
Conti is hands down the more professional of the two, with Hive exhibiting a crudely direct approach to extortion, as well as slipshod OPSEC.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The shift to the cloud is progressing full speed ahead, picking up momentum like a snowball rolling downhill.
But for many organizations, particularly those with substantial legacy assets, cloud migration is not so straightforward.
Chetan Mathur is CEO at Next Pathway, a company that helps automate organizations' cloud migrations, and he thinks the move to the cloud is not unlike a gold rush from days gone by.
I call it a revolution in technology, Dave,
and specifically what I mean by that is our clients and enterprises all over the world are realizing what an absolute benefit it is to migrate to the cloud.
And I'll give you two examples of what the benefits are there.
For the first time in our lives, we have literally unlimited computing power.
And then also we have unlimited storage capacity at a very cost-effective price.
So it to me is the panning of gold and getting everything migrated over to the cloud
where people can literally save millions of dollars on infrastructure costs
once they have migrated over to the cloud.
Well, where do you suppose we stand right now?
I mean, I think it's fair to say that
we're a few years into this migration. How would you describe the state of things? The state of
things is very complex. I think we're in early years of migration. We've recently conducted a
survey of 1,200 IT professionals around the world, and our data shows that only about a third of folks,
enterprises around the world have migrated applications to the cloud. And I suspect that
these are probably some of the easier ones. And therefore, I believe that the journey is going to
be at least another five to seven years before we've completely migrated everything to the cloud,
And what do you suppose is keeping people from jumping on the bandwagon?
Yeah, absolutely. There's a couple of things that we're finding is, and these aren't criticisms, these are just facts of legacy systems that have evolved over 20, 30, 40 years in large
financial institutions, perhaps, that are very complex and very intertwined.
And so I use the analogy of bowl of spaghetti. So if you want to migrate something over to the cloud,
you first have to understand what you want to migrate over, because you certainly don't want
to lift everything and migrate it over. That just doesn't make good business sense. It would be very expensive to do so in operating it. So unraveling the spaghetti, so to speak, Dave, is really the first and most
complex problem in understanding the planning of your migration. Once that's understood,
then clients can intelligently start to plan their migration journey over the next X number of years.
I suppose any size organization,
but particularly medium and large size organizations over the years, they've accumulated
so much digital stuff that it has to be a little bit intimidating to even take something like this
on. Absolutely. And I think that the, I don't want to call it hesitation,
because I don't think it's hesitation. I think it's just good diligence and planning. I just think that folks have been trying to do that manually. And as you can imagine, it would be
very complex. And just to give you a quick statistic, we just finished a very large scan,
a crawl of a financial institution. And we came up with over 30 million permutations and combinations
on just a couple of their data warehouses, for example. So you can just imagine if you were
trying to do that in a manual fashion, there's just no way that you'd be able to do it.
How do you dial in the things that can be and should be automated and the things that really deserve a closer look
by a human to really figure things out
on an individual level?
Yeah, if a client is,
so there's two things that we do.
We have this notion of what we call lift and optimize
that I just mentioned,
which is taking kind of exactly on an as-is basis, Dave,
and migrating it over to the cloud. And those use cases are typically end of life of an appliance. I don't
want to renew my licenses with whichever vendor is providing me that technology. However, there's
also something called lift and modernize. And so in an example, what a lift and modernize would be is if a client wants to build a completely new enterprise data model, for example.
In that case, we would be looking at it and there would be some more manual intervention into that, which is still better; parts of it are still automatable.
But in the lift and optimize case, it could be nearly 100% automatable, where in the lift and modernize, it would be a little bit less than that.
They just have to rethink the way that our clients would be wanting to create their new data structures on the cloud.
That's Chetan Mathur from Next Pathway.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
A common challenge developers face is keeping meaningful communications open between various departments in the software development life cycle.
Eldan Ben-Haim is chief architect at software supply chain security firm Apiiro,
and he makes the case that software supply chain security is largely an issue of corporate culture.
The thing is that many software development shops have partitioning or, you know, siloed security organizations
versus development organizations. And if you think about it, application developers, you know,
they make tens of potentially security impacting decisions every day. So, you know, taking
application security and making it, you know, someone else's job is very similar to deciding that, you know, application performance or concurrency correctness is someone else's job.
Now, in many teams, you would have a concurrency or performance expert, which is fine and helpful because they are like, you know, subject matter expert.
But this does not mean that day-to-day development work can, you know, put aside information security and specifically application security.
Where do we stand today when it comes to the siloing of those different groups?
Is this recognized as being an issue and are there efforts to break down those walls?
I think that there are efforts to break those walls. I think some organizations have adopted an approach where there are security champions embedded in development teams, which is probably a step in the right direction. I think that there is some recognition of the notion that basic security training is something that developers should have.
But still, I think that there's some way to go. I mean, I think that our expectations from
developers as far as security is concerned are still lower than what they could be.
I think that it makes sense to expect developers to understand
method of operations of cybersecurity attacks
and understand vulnerability types and their mitigations
and understand all of this in depth.
Obviously, we need to help them with this understanding by, you know,
proper training and making this part of the day-to-day conversation in the development shop.
In addition to understanding the attack methods and mitigation techniques,
I think that it's important to nurture a culture where developers remain, you know,
up to speed and they constantly consume news
and state-of-the-art information about application security
and cybersecurity at all.
And then it's very important for developers to gain a thorough understanding
of the APIs and services and third-party services and products
that they consume so that they understand their overall impacts
on the system that they're designing.
So, Log4Shell is probably a very good example of what could go wrong if you do not
take into account the full capabilities and consequences of the APIs and services that
you're using. I'm talking about, you know, the Log4Shell team versus the Java runtime team. What about people who are going to resist this?
People generally don't like change,
and they're used to doing things the way that they're used to doing them.
How do we get those people to come along?
People often get it when you explain the importance,
and I have found the analogy of, security is just part of the job as much as, you know, understanding concurrency or understanding performance or correctness is part of the job. to most developers that code without unit testing is incomplete
because testing the code is simply part of the code.
We need to make people realize that the same applies to application security.
That's Eldan Ben-Haim from Apiiro.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.