CyberWire Daily - Influence operations in the grey zone. FSB raids REvil. Open Source Software Security Summit looks to public-private cooperation. Privateering and state-sponsored cybercrime.
Episode Date: January 14, 2022
A large-scale cyberattack against Ukrainian websites looks like an influence operation, and Russian intelligence services are the prime suspects. The FSB raids REvil. The White House Open Source Software Security Summit looks toward software bills of materials. MuddyWater exploits Log4Shell. The DPRK is working to steal cryptocurrency. Caleb Barlow shares the consequences of the 3G network shutdown. Our guest is John Lehmann from Intellectual Point with programs that help military veterans transition to the cybersecurity industry. Honor among thieves, and spies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/10 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
A large-scale cyber attack against Ukrainian websites looks like an influence operation,
and Russian intelligence services are the prime suspects.
The FSB raids REvil.
The White House Open Source Software Security Summit looks toward software bills of materials.
MuddyWater exploits Log4Shell.
The DPRK is working to steal cryptocurrency.
Caleb Barlow shares the consequences of the 3G network shutdown. Our guest is John Lehmann from Intellectual Point with programs that help military veterans transition to the cybersecurity industry. And honor among thieves and spies.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 14th, 2022. Reuters reports that a massive cyber attack hit Ukrainian government websites yesterday.
Websites operated by the Ukrainian cabinet and at least seven ministries were affected.
Some of the defacements told their Ukrainian audience to be afraid and expect the worst.
The attacks seem to be simple defacements, an influence operation, and not the data destruction and doxing the message claims.
Note the implicit attempt to suggest that Poland and Ukraine have a historical dispute over Ukraine's western territories. The Moscow Times reports that
Ukraine's SBU said that services had been restored to normal within hours of the attacks.
While it's impossible at this stage to rule out hacktivism or provocation by some third party,
the Ukrainian foreign ministry points to the obvious suspect, Russian intelligence services.
A spokesman told Reuters,
quote,
It's too early to draw conclusions,
but there is a long record of Russian cyber-assaults
against Ukraine in the past.
End quote.
Talks between the U.S. and Russia and NATO and Russia
have so far not produced public signs of progress.
The Baltic Times reports that Lithuanian President
Gitanas Nauseda said after a conversation on the talks with NATO Secretary General Jens Stoltenberg
that successful diplomacy would require reciprocity of a kind that's not in evidence
from the Russian side. Progress can, quote, only take place on the basis of reciprocity and not in the language of demands and ultimatums, which is unacceptable, end quote.
At yesterday's White House press conference addressing the talks,
U.S. National Security Advisor Jake Sullivan said, quote,
There are no dates set for any more talks.
We have to consult with allies and partners first.
We're in communication with the Russians, and we'll see what comes next.
End quote.
There may, however, have been some conciliatory Russian gestures toward the West.
Bloomberg notes that there seems to have been a decline,
a tapering of coverage of Ukraine by Russian state media.
Quote,
There is now a renewed diplomatic flurry with talks between U.S. and
Russian officials, again in Geneva, followed by other discussions, including a NATO-Russia
council meeting. Dialing back the heat in state media could be a move to see if such talks bear
fruit, end quote. Bloomberg's report reads this sign with cautious optimism, since no such quiet period was observed during the run-up to Russia's 2014 invasion of Crimea.
More interesting is a raid Russia's FSB has conducted against the REvil ransomware gang.
Russia's Interfax news agency reported this morning that the FSB has liquidated the gang in a series of arrests.
An official statement said, quote, the FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documentation of illegal activities has been carried out, end quote.
The FSB said it had conducted the raids at the appeal of competent U.S. authorities.
The raids netted not only 14 arrests, but $600,000 and 500,000 euros in cash,
as well as computers, crypto wallets used to commit crimes,
and 20 luxury cars, all of which are said to be ill-gotten.
Heightened tension between Russia and NATO over the near abroad comes during a period of heightened concern about the security of open-source software, driven by the discovery of Log4Shell and other vulnerabilities in the Apache Software Foundation's widely used Log4j library.
The White House offered a preliminary readout of this week's Open Source Software Security Summit,
during which government and industry officials met to discuss ways of shoring up the security
of widely used open source software.
The discussion was given salience by this week's warnings from the U.S. intelligence community
that there was a risk of nation-state attacks
exploiting issues with that and other open-source products. Both government and industry sources
see cooperation on implementing an effective system of software bills of materials as an
important first step in the right direction. As Duo Security's Decipher points out, U.S. Cyber Command's attribution Wednesday of MuddyWater to Iran's Ministry of Intelligence and Security included the posting of 17 samples of the threat actor's attack tools to VirusTotal. use of DLL sideloading in its operations, eSecurityPlanet summarizes Check Point's conclusion that MuddyWater in its current operations is actively exploiting Log4Shell.
Lest one think that the FSB's raid on REvil means that the salad days of state-tolerated Russian cybercrime are over, consider Krebs on Security's account of the work being done by the access broker known as Wazawaka, a numero in Russophone cybercrime fora. "Come on, rob, and get dough," Wazawaka advertised in the Exploit forum back in 2020, inviting crooks to buy access to a big Chinese company and show them who's boss. He's still going strong, and he says he adheres to the communitarian principle that data taken in double extortion scams shouldn't be resold.
Rather, it should simply be posted for general use in the criminal-to-criminal marketplace
should the victim fail to pay the ransom.
Kaspersky reports on the activities of a group it calls BlueNoroff and identifies as a subunit of North Korea's Lazarus Group.
BlueNoroff's current campaign, SnatchCrypto, is aimed at various companies that, by the nature of their work,
deal with cryptocurrencies and smart contracts, DeFi, blockchain, and the fintech industry. An NBC News report puts Pyongyang's take in cryptocurrency theft last year
at almost $400 million, with Ethereum holdings particularly affected.
We return for a moment to that FSB raid on the REvil gang.
There's video being tweeted around that purports to be an FSB video press handout.
It's pretty good in a copsy sort of way.
Right, like what with the FSB muscle in windbreakers breaking down doors into some dingy-looking apartments,
collaring perps, some of whom are cuffed while face-down in their underwear, and who doesn't like that?
And then going through their swag.
The swag seems to be mostly U.S. and Russian currency.
We saw lots of pictures of Benjamin Franklin.
But it was mostly cash, and it was fanned out really cinematically
as they rolled the bills through automatic counters.
We were also struck by how mingy the Hood's apartments looked.
They need a makeover.
Gangland should watch Hilary Farr's Tough Love over on HGTV. I mean, come on, Hoods,
put a picture on the wall. Think more about going open concept. You're not an undergraduate anymore,
Malchik. Anywho, the arrests raise interesting questions like, is there a reward for something in all this?
Recorded Future's Allan Liska, we hear, has wondered aloud if the FSB is going to claim a $10 million reward. So we ask you, listeners, what would you do? Should the FSB gunsels in the
video hit up the U.S. State Department under the Rewards for Justice program, or is this all to be
written off as professional courtesy?
And to all the REvil goons who still may be out there,
a hearty Ruki Nazad on behalf of whatever Russo-American law enforcement cooperation there may be.
Finally, you've probably seen the ads for TV coverage of the Beijing Winter Olympics.
The Belgian Olympic and Interfederal
Committee has advised athletes to leave their mobile devices and phones home lest they be
subject of cyber espionage. The Chinese embassy in Brussels has published a Q&A on the warning
that reads in part, quote, the claim that relevant Belgian personnel traveling to China may be at
risk of cyber espionage
is completely unfounded and the worries are unnecessary.
The Chinese government is a firm defender of cyber security
and firmly opposes any form of cyber espionage and cyber attack activities.
End quote.
So there you go.
Nothing to see here.
Move on.
A quick program note for our listeners.
This coming Monday, January 17th, is Martin Luther King Day,
and we'll be observing the federal holiday with a brief hiatus from publication and podcasting.
The Cyber Wire will be back as usual on Tuesday, January 18th,
and in the meantime, we offer our greetings to all on a day that commemorates the life and work of Dr. King.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It's well established that there's a strong demand for qualified employees in cybersecurity,
with some reporting millions of open positions around the world.
And every year, there are thousands of people wrapping up their service in the U.S. military,
looking to transition to meaningful work in the civilian world.
Seems like a potential pipeline there, right?
John Lehmann is Senior Director of Veteran Services at IT training company Intellectual Point,
and he joins us to highlight some of the programs in place to help make that connection.
There's two programs that we primarily work with at Intellectual Point, and I'm not going to do a hard pitch on Intellectual Point, but I will discuss these two programs that deal specifically with Veterans Affairs.
One is the VRAP program, and the VRAP program was originally created during the first Gulf War, and it was created to assist veterans to go into different career fields that are needed within the job sector. And most of those jobs are derived
from case studies that are in the market. So truck driving is one of those careers that they
were trying to get veterans to pivot into because there were so many truck drivers that had retired during the COVID event.
There's a lot of folks that are retiring out of IT.
So this is where the VRAP program was revamped and stepped up on the federal side of the house to allow veterans to pivot into that program.
And it was one of the programs that I had come through,
Intellectual Point, originally,
and I came through the DevOps program. And the DevOps program consists of getting Security+, Certified Ethical Hacker, and Splunk.
And this allows you to kind of pivot in a marketplace
if you're not familiar with IT to a point where you can step it up or you can step down, go to like a help desk position or you can go into a SOC, depending on what you're understanding your skill set is.
So that's a wonderful program.
The other program is called VET TEC. And VET TEC was originally started in 2017. And it was designed to allow veterans to do continuing education with technology because there was such a noted loss of IT professionals over the last couple of years, and there's not enough infrastructure that's there to support oncoming and upcoming IT professionals within the federal government and also in the civilian sector.
Companies and also the federal government are not investing in the personnel like they should
to be able to bolster our critical infrastructure. That's my personal opinion from some of the
observations that I've seen. And for the most part, it's pretty successful. The main issues
that we have with it is that veterans that did have security clearances in the past are not
able to retain their security clearances, say, like a senator or a congressman does
after they leave the uniform, which I think is another initiative that needs to be
looked at on a deeper level. And two, there's going to be a backlog for up to 24 months to
three years. And that's something that we need to look at in the cybersecurity realm, because if we lack the critical infrastructure and we lack the
personnel that we can possibly spin up to the point where they would be able to fill in some
of the senior level positions, because a lot of it has to deal with aptitude. How hungry are you
to get the job done? In your experience working with these folks, to what degree does
the experience they had in the military, the training, the mindset that they leave the service
with, how does that align to the skills and the type of thinking that's going to serve them well
in an IT career? Oh, this is such a great question. I'm glad that you asked it. Okay, so each military MOS, or I'm using this because it's an Army term, or in the Air Force, AFSC. In the Navy, it's just a rating.
KSAs, or knowledge, skills, and assessments that you have to be able to fulfill once you get into these positions. And when you're dealing with your junior level military folks, your enlisted folks,
they are task oriented and they are able to take information and run with that.
You know, if you tell them you need to do X, Y, and Z, they're really good at taking
direction and following in that direction. And then for your officers, the officers that are
getting out, they know how to multitask and they know how to deal with a lot of stuff under stress.
Soldiers in general know how to deal with information under stress, but particularly
within the cyber realm, the officers are primed
for this type of environment because they understand the corporate structure from the way
that everybody that I work with, for the most part, everybody that I work with is truly, honestly
wanting to grow in a way that is meaningful for their future.
And I just enjoy that portion of working with soldiers and Marines and seamen and airmen again is because there's that sense of camaraderie. And that's also something that these people bring to the workplace, that if you get two or more veterans around, there's a sense of camaraderie that comes along with being somebody that's prior to uniform. And at the end of the day,
it's the brotherhood. You know, it's what you've taken away from the uniform
that nobody can take away from you. That's John Lehmann from Intellectual Point.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I am pleased to be joined once again by Caleb Barlow. Caleb, it is always great to have you back to the show. You know, there has been no shortage of stories about
the transition to 5G and certainly lots of promotion about that. We've seen people churning
up conspiracy theories about 5G. Our friends over in the UK have had troubles with vandalizing 5G
towers and so on and so forth. You know, one of the things that I didn't realize was happening was at the beginning
of this year, they were winding down 3G service, and there are some unintended consequences
of that transition.
What's going on here?
Well, I mean, like you said, you can't get past not only the 5G real information that
is coming, but also the misinformation that it's going to be used for government mind control and all kinds of other crazy things. So the problem here is no one's
paying attention to 3G. And historically, you know, this might have meant that grandma needed
to upgrade her flip phone when, you know, it was time to transition technologies. But the difference this time is 3G is being used by a lot of things other
than phones. So this was a widespread data platform used by IoT devices, including cars for things
like navigation, weather, and traffic, as well as a whole lot of IoT remote sensors. And probably
the biggest thing that I'm concerned about is 3G was routinely used
as a backup to traditional networks in the event of a failure. So the challenge with 3G literally
being shut off in the very near future is that we are often unaware of where these devices are,
they need to be upgraded, or they're simply going to stop working. And worse yet,
many of them support life safety systems, things like emergency call boxes,
in-vehicle crash notification systems, and burglar alarms.
Yeah, you know, I was at my bank recently, and there was a technician there, and while I was
waiting for the tellers, I struck up a conversation with him. And he said he was there upgrading their systems; their alarm system backups were all 3G. And so
he said he's been busier than ever going from bank to bank, getting this done before they throw the
switch. That's right. So the FCC, if you go to their website, does have a list of products that
are likely impacted by the changes.
And it's all the things you could imagine. Medical devices, tablets, smartwatches, home security
systems. I even got a notice from a car manufacturer that a car I have that's not that old,
all of its, you know, network-connected navigation, weather, it's all going to stop working here in a
couple of months.
And what was most interesting about that notice is there's no alternative.
There's no upgrading this.
It's just going to stop.
So I think, you know,
the folks listening to this call
that are in IT or security,
there are a few things you really need to go look at.
So if you have something that's actively being monitored,
the good news there is like, for example,
your home alarm, hopefully the alarm company is sending you notice that you're not ignoring going, hey,
we got to upgrade this. It's more of the things you haven't thought about. Like, you know, if
you've got a remote location with IoT sensors, very good chance the backup, you know, is a cellular
3G connection, and that's got to get upgraded. So when does all
this go down? Well, AT&T has said that it's going to start shutting down 3G networks in February,
like next month. Verizon's going to pull the plug at the end of the year. T-Mobile and Sprint are
starting around March. I don't get the impression there's going to be one day where it all goes off.
So it's almost worse in that this stuff's just going to start rolling out, various towers are
going to come down, and they have to do this because they need the spectrum and they need
the space on the towers. Yeah, you know, I'm wondering, you know, some organizations could
potentially find themselves saying, gosh, you know, we haven't had any alert signals from our devices
out on the field. Things must be going great. Oh, that's exactly the problem, right? I mean, a lot of these devices
are in scenarios where, because remember when 3G was deployed, it was really expensive and,
you know, wind back, well, almost a decade or whatever it was, right? That network time was
really expensive. So the way most of these things were built is they only called if there was a problem. And you're going to be sitting there a year and a half from now going,
hey, that remote sensor's working great. And maybe it is. And then maybe there's a power
outage or some reason you lose traditional network connectivity. You're not going to hear from it.
And I think we're going to have a lot of scenarios where the pump, the valve, the car don't work. I
mean, here's the other scenario.
You get in a car accident and you used systems like OnStar or other things that would call back.
It's not going to call. It's just not going to work.
Yeah, that's interesting. I wonder if there's a market opportunity here for a
3G to 5G converter box. Get on that, Caleb.
Well, I mean, the good news,
I think, for the cars is if,
you know, and I'll use my car as an example, right?
It's what, 2014.
The navigation system on it
kind of is kind of blah now
relative to what I can use on my phone.
So it's not going to be
the end of the world,
but it is kind of a giant pain.
Yeah, yeah, absolutely.
All right. Well, a good reminder to go out there and check your device inventory
when these sort of transitions happen.
Caleb Barlow, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's episode of Research Saturday and my conversation with researcher Alissa Knight, along with Karl Mattson from Noname Security.
We're discussing Alissa's research concerning API vulnerabilities in US banking applications.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.