CyberWire Daily - Information operations and the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities actively exploited. TDI clarifies data incident. Robo-calling the Kremlin.

Episode Date: May 19, 2022

Russian information operations surrounding the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities undergoing active exploitation. Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare – Truth, Tactics and Strategies". Robo-calling the Kremlin.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97

Selected reading.
Information Operations Surrounding the Russian Invasion of Ukraine (Mandiant)
CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities (CISA)
Emergency Directive 22-03 (CISA)
Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control (CISA)
Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 (CISA)
CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 (The CyberWire)
Additional facts: TDI data security event (Texas Department of Insurance)
This Hacktivist Site Lets You Prank Call Russian Officials (Wired)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Russian information operations surrounding the invasion of Ukraine, VMware patches vulnerabilities, F5 BIG-IP vulnerabilities are undergoing active exploitation, the Texas Department of Insurance clarifies facts surrounding its data incident,
Starting point is 00:02:17 Robert M. Lee from Dragos is heading to Davos to talk ICS, Rick Howard speaks with author Chase Cunningham on his book Cyber Warfare, Truth, Tactics, and Strategies, and robo-calling the Kremlin. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 19th, 2022. Mandiant this morning published an overview of the Russian information operations it's tracked during the run-up to Russia's war against Ukraine, through the actual invasion, and continuing until now.
Starting point is 00:03:11 Senior analyst Alden Wahlstrom, one of the lead authors of this report, said that the research sought to exhibit how known actors and campaigns can be leveraged or otherwise refocused to support emerging security interests, including large-scale conflict. For years, analysts have documented that Ukraine, a key strategic interest of Russia's, is a testing ground for Russian cyber threat activity that they may subsequently deploy elsewhere. Now, we witness how pro-Russia actors have leveraged the assets and campaign infrastructure developed over time, in whole or part, to target Ukraine. The operations exhibit a mixture of disinformation and disruptive attacks,
Starting point is 00:03:54 mostly ransomware, wiper malware disguised as ransomware, and nuisance-level distributed denial-of-service attacks. Defacement of Russian government websites began as early as January 14th of this year, with messages claiming theft and subsequent deletion of data. February 23rd, the eve of the invasion proper, saw a repetition of this style of attack. In this case, the defacements coincided with destructive attacks against Ukrainian government targets using the NEARMISS master boot record wiper and the PARTYTICKET wiper disguised as ransomware. And during the war itself, on March 16th, a deepfake video of Ukrainian President Zelensky appearing to announce surrender to Russia was distributed over compromised Ukrainian news sites.
Starting point is 00:04:43 This incident coincided with another wiper attack. Some familiar threat actors have been in evidence. APT28, Fancy Bear, the GRU, has been behind much of the Russian activity, and the allied Ghostwriter operators of Belarus' satellite intelligence and security services have also been active in the Russian interest. The Internet Research Agency, well known as an election-meddling troll farm, seems to have resurfaced as KiberFront Z, that is, Cyber Front Z, and resumed influence and amplification operations.
Starting point is 00:05:19 And there have been the usual covert media outlets working under inauthentic persona. Cyber Front Z's style is as familiar as it is tasteless, featuring a Russian-uniformed Pepe the Frog. There's also been some nominally hacktivist activity conducted in support of Russia. Mandiant notes, established hacktivist personas JokerDNR and Beregini have remained active in their targeting of Ukraine in the lead-up to and since Russia's invasion, including through their publication of allegedly leaked documents featuring possibly personally identifiable information of Ukrainian military members.
Starting point is 00:05:58 Additionally, newly established hacktivist groups, whose degrees of affiliation to the Russian state are yet unknown, like Killnet, XakNet, and RaHDIt, have engaged in hacktivist-style threat activity in support of Russia, including distributed denial-of-service attacks, hack-and-leak operations, and defacements. There is, we think, a strong likelihood that these hacktivist personae are operating under the control of, or at least the direction of, Moscow's intelligence services. The report concludes by offering its take on the outlook for influence campaigns aligned with Russian goals. Russian operators can be expected to continue to push disinformation with a probable assist from their satellite services in Belarus.
Starting point is 00:06:44 China and Iran serve as allies of convenience, retailing Russian themes when it serves those regimes' long-standing anti-Western strategic goals. The U.S. Cybersecurity and Infrastructure Security Agency released an alert, AA22-138B, Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, which warns that malicious cyber actors, likely advanced persistent threat actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. The alert adds, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972
Starting point is 00:07:34 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive 22-03, Mitigate VMware Vulnerabilities, which requires emergency action from federal civilian executive branch agencies to either immediately implement the updates or remove the affected software from their network until the updates can be applied. U.S. federal civilian agencies have until next Tuesday to identify and remediate the issues. Yesterday, CISA also issued Alert AA22-138A, Threat Actors Exploiting F5 BIG-IP CVE-2022-1388, which warned that the flaw was being exploited in the wild, and advised users to either upgrade F5 BIG-IP software to patched and supported versions, or, should that not be immediately feasible, to implement the three temporary mitigations F5 has provided. The Texas Department of Insurance has distributed a fact sheet
Starting point is 00:08:41 that clarifies a data incident the agency sustained earlier this year. It says, in January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed
Starting point is 00:09:17 by people outside TDI. Because we could not rule out access, we took steps to notify those who may have been affected. While data could have been accessed by unauthorized personnel, TDI has investigated and found that there is no evidence to date that there was a misuse of information. Finally, imagine a conversation that went something like this. What are you talking about, Vladimir Vladimirovich? There's no I.P. Freely here? No? Then why did you call me, Sergei Kuzhugetovich?
Starting point is 00:09:50 Or words to that effect. Activists looking for ways of throwing sand in the gears of Russian governance have established a website, WasteRussianTime.today, according to Wired's story, where if you're of like mind, you can place robot calls that connect a couple of Kremlin apparatchiki while you listen in as they try to figure out who called them. The technology the hacktivist group uses is first cousin to that employed by the people who call you about extending your car warranty or getting credit card interest relief. Wired quotes one of the service's organizers as explaining, this war started inside Moscow and St. Petersburg within
Starting point is 00:10:32 the power circles of Putin, and that's who we want to annoy and disturb. So the effort is meant to be irritating, and no doubt it is, but these aren't prank calls in the classical genre, like calling the local smoke shop, inquiring whether they've got Prince Albert in a can, and then saying, well, you'd better let him out. Or like asking the bartender to page Amanda Huggenkiss. The organizers decided against facilitating such direct interaction, which they deemed too dangerous to the participants, who might inadvertently reveal their identity or location.
Starting point is 00:11:09 What they did instead was to set up a program that would initiate a voice-over IP call, automatically dialing 40 of the leaked Kremlin phone numbers and merging the user into a three-way call with the first two Russian officials' phones that connect. We're of two minds on this. On the one hand, it's difficult to summon much sympathy for robocalling or even hacktivism in general, which have typically been marked by poor control, bad aim, and unintended effects. When Wired tried out the service, they found there were some difficulties connecting two
Starting point is 00:11:42 Russian parties. Apparently, there are latency issues. There are also sources and methods issues. Christo Grozev of Bellingcat, no stranger himself to prank calls, explained this particular downside to Wired. He said, whenever something like this becomes public, the whole department changes their numbers, and that's not good for investigations,
Starting point is 00:12:05 including journalistic investigations. On the other hand, it's difficult not to appreciate what this group is doing, at least as conceptual art. So, for your consideration, a thought experiment. What if the prank calls weren't placed by various outraged randos, but by, oh say, U.S. Cyber Command, known to many as a pretty low-latency outfit? We're fairly sure there must be some Title 10 authority for ordering two dozen anchovy pizzas for delivery to the Russian president's office. If, that is, you can still get a pizza in Moscow. So we say, Rear Admiral John "Jack" Mehoff, call Fort Meade. America has need of you in this hour.
Starting point is 00:12:51 And General Nakasone, you're welcome. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:13:26 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures
Starting point is 00:14:26 their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. You're listening to the theme song of the HBO long-running hit Game of Thrones, the unofficial anthem for the Cybersecurity Canon Project, the project designed to find the must-read books for all cybersecurity professionals because one of the greatest characters of all time, Tyrion Lannister, had this to say
Starting point is 00:15:19 about reading books. Why do you read so much? It's Canon Week here at the CyberWire, where we are interviewing all the Canon Hall of Fame inductee authors for the 2022 season. I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire, and today's book is called Cyber Warfare, Truth, Tactics, and Strategies by Dr. Chase Cunningham. Enjoy. I'm joined today by Dr. Chase Cunningham, the Chief Strategy Officer for Ericom Software. Congratulations on your selection to the Cybersecurity Canon Hall of Fame, and thanks for coming on the show. Hey, thanks for having me. I was very pleasantly surprised to notice that somebody read my book, much less that it made it into a Hall of Fame. So more than your mom read it, so that's good to know.
Starting point is 00:16:22 Yeah, right. So you're no stranger to the Cybersecurity Canon Project. Your graphic novels, The Singe Volume 1 and Code of the Singe Volume 2, were selected as candidates back in 2017 when they came out. And they are still great introductory books for children of all ages. The ideas in this book, Cyber Warfare, Truth, Tactics, and Strategies, published in 2020, is a much broader concept. So why'd you write it?
Starting point is 00:16:50 Well, I didn't think that there was a whole lot of nonfiction books that were very accurate on the strategic sort of side of cyber warfare. And I also saw that there was a gap in folks looking at it from a real practitioner standpoint. There was a lot of kind of coverage media-wise and whatever, but I didn't find anything where someone who had done the work had written a book about it. So you mentioned like strategically defending at the edge. Is that what you were talking about? You call it edge and entity security, EES. Is that what we're talking about here? I think that's the follow-on evolution of moving past just strictly sort of human identity and access management. I think really what we're talking about there is everything nowadays has an identity,
Starting point is 00:17:30 a router, a firewall, a thermostat, a user, a robot, you name it, we all have an identity, and it's going to operate on the edge of control. It's going to be some sort of digital entity. So then apply your controls that way. So when I was reading through the book and you were describing EES or edge and entity security, it sounded similar to the Gartner concept of SASE or secure access service edge. Are those two things the same thing or are they different? I think that they're in the same line and parallel. I think Gartner's approach is a little bit more limited because they're looking at the market specifics and which tools do what. For me, I was looking at the bigger, broad, long-term implications there, but I don't think that they're totally orthogonal to each other at all. So they're in the same ballpark. And so the SASE model says we're going to flip the architecture on its head. In the old days,
Starting point is 00:18:19 like when I was growing up, the security folks would manage the security stack behind the perimeter, behind that dead perimeter defense thing you were talking about. But with SASE and now edge and entity security, the architecture is flipping so that you hire a cloud provider to manage your security stack, and the first hop from all of your devices, wherever they are, your employees' phones or, you know, laptops or cloud services, whatever they are, the first hop out to the internet goes through that cloud provider security stack. And then all you have to do is manage the policy.
Starting point is 00:18:55 So how is that fundamentally different than this EES thing you're talking about? It's really not. I mean, I think that the interesting thing is the most difficult part of that problem you're talking about to manage actually becomes the policy. It's no longer that it's difficult to manage at the entity level because the entities kind of do what they do and they need to access things that they need to access. But the control plane is the policy engine. And if you don't have a really good policy engine, you can't keep up. And like you were saying, because we operate at scale and because we operate so dynamically, you have to be able to do that with automated solutions that have those capabilities. I realize the policy would be complicated, but it's one policy scattered across all those data islands we're talking about.
Starting point is 00:19:36 So presumably it makes it simpler, but I understand what you're saying. It doesn't make it easy, I guess, is the way to say it. It's still going to be a complex policy, right? Yeah, it's got to be accurate, I think, is the most important part. The ease will come with rollout, but it has to be extremely accurate. And it's got to be something that's updated dynamically. So it's good stuff, Chase. And the book is excellent.
Starting point is 00:19:58 So congratulations on that. This has been Dr. Chase Cunningham, the Chief Strategy Officer of Ericom Software and the most recent author inductee into the Cybersecurity Canon Hall of Fame. Dr. Cunningham, congratulations and thanks for coming on the show. Thank you so much. I really appreciate it. For more information on the Cybersecurity Canon Project, go to your favorite search engine and look up Cybersecurity Canon. That's canon with one N, as in canon of literature,
Starting point is 00:20:29 not two Ns where you blow stuff up. And Ohio State University, the project's official sponsor. If you like what you hear and want to hear the full interview, subscribe to CyberWire Pro today to get access to the latest episodes of CSO Perspectives, plus much more. Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:21:57 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, I noticed that you have an interesting event coming up on your calendar here towards the end of May. You're taking a trip to Switzerland for a presentation. What's going on here? So the event is the World Economic Forum's Davos conference. And so for a couple of years now, I've been on the World Economic Forum and their electricity subcommittee and oil and gas subcommittees kindizing and talking about OT security and helping those conversations. Luckily, those committees are made up of CSOs
Starting point is 00:22:31 of other large infrastructure companies and they're super on top of it. So it's been very, very good interactions. Beyond me being excited and humbled of like, oh cool, I got into Davos, the thing that actually excites me is OT security got into Davos.
Starting point is 00:22:49 I think it's less like, oh, we know who Rob was. And it's more of like, oh, we need to talk about OT security. Is Rob the guy? Then fine, let's do that. But the focus is CEOs, board members, parliament members, world leaders, et cetera, are actually focused on, cool, we need to talk about world order, Russia-Ukraine conflict is going on, we need to talk about climate change and how we're going to get there, and we need to talk about OT security. It's like, oh, wow. That's kind of a level up of that discussion, and it
Starting point is 00:23:15 feels kind of like almost like a coming out party globally on this topic of industrial security we've been talking about for so long. Yeah, I mean, can we touch on that? I mean, the fact that this has been elevated to this level, overall, I mean, I think we could say a good thing, but you've been shouting about this from the sidelines for quite a while now. It must be gratifying for you that folks at this level are ready to hear what you have to say. Yeah, it is, but I am immediately thinking about the next thing, which is, great, we got their attention, now how do we deliver? What I'm finding is at a global leader stage, truly, I mean, I still have conversations to this day
Starting point is 00:23:57 with different government leaders and CEOs and whatnot anyways, and what's very, very common is they genuinely think the problem is already kind of solved, not realizing how bad of a place they're in. And what I mean by that is nobody thinks cybersecurity is solvable. They all understand it's a process. But they'll say, well, look at all these standards, these frameworks, these regulations, and look at this.
Starting point is 00:24:18 I get these board slides with these FICO scores and this cybersecurity framework, heat maps and all this stuff, blah, blah, blah, look at all we're doing. And every conversation, I'm like, great. CISO or CSO or whoever's presenting it to the CEO, is that enterprise IT or is that the enterprise? Every time, oh yeah, that's enterprise IT. And the CEOs will look at me like,
Starting point is 00:24:40 wait, no, no, no, that includes our factories, that includes our oil fields, that includes our substations. And the CSO, no, sir or ma'am. Enterprise IT. And it is a light bulb moment for these executives, board members, world leaders, when they realize all the cybersecurity efforts,
Starting point is 00:24:58 probably 95% of it, has been put towards the IT side of the house and not the operations technology side of the house, which is what's the critical part of that company and what's keeping that company in business. That's where the safety impacts can happen. That's where the revenue is generated. And for a CEO to realize that they're spending
Starting point is 00:25:15 10 times the amount of money on the website than they are the gas turbine is insane. But there's so many executives that are intimate on their business. And there's a lot of CSOs I meet that are not. I meet a lot of CSOs that are wonderful, especially in the sectors we work. But you will find a lot of CSOs are like, well, here's the playbook to run, or here's the new cybersecurity framework, or here's what we're going to do. And they're not really in tune with what the business is trying to accomplish. And so the big risk is that the CEOs get better educated on the OT problem and risk than their security staff.
Starting point is 00:25:51 And then you're going to lose trust and you're going to see a flip in how those businesses handle that. And you don't want that. You want the internal experts to be the voice to the executives. You want the internal experts to be the people they turn to, not government vendors or standards bodies.
Starting point is 00:26:08 But I think that's the risk. But the opportunity is, with an understanding of what hasn't been getting done, the security staff who are plugged in have an amazing opportunity to talk about where they need resourcing and what they're trying to accomplish. And to not platinum and gold coat it,
Starting point is 00:26:24 but to get down to the couple things, like the five critical things that you'd have to do inside of industrial operations environments. So we can really see an up-leveling of security globally, but it's going to require real candid conversations and no finger pointing. To that point, I mean, when you head off to something like this, to give this sort of presentation to this kind of audience, how do you calibrate what they're ready to hear? So I don't. Usually, anytime that I'm in an audience, and this is maybe what gets me critiqued, but also gets me listened to, I guess, is I just am transparent and candid. It's, hey, I don't really care if you're ready for this or not. Here's the problem.
Starting point is 00:27:06 Because as much as I love, I think a lot of people in the infrastructure community sometimes will look at me as like, I just love the infrastructure community. And that's true, but the real reason I love the infrastructure community is because they're servicing our citizens. And I think about my family in Cullman, Alabama, and the Cullman Power Cooperative
Starting point is 00:27:24 delivering power to their house. And I'm not there to support Cullman Cooperative Power Company. I'm there to support the livelihood of my family that needs that critical infrastructure. If that means helping them, then of course I'm on board with that.
Starting point is 00:27:40 But if it means like, oh, I might insult somebody by telling them that they're not really doing good security work, that's not my concern. I'm happy just to have candid conversations. So just aligning on what we're talking about, being candid and transparent about the challenges, but not blaming people.
Starting point is 00:27:56 It's not, your staff is stupid for not doing this. It's, hey, the world has changed, and we are going through a transformation. And you may have been fine two years ago doing this, but the world ahead of us is dicey and these programs take a while to get out the ground. You need to start now and this is what you need to do. I think that's a perfectly viable CEO conversation.
Starting point is 00:28:17 All right. We're looking forward to hearing what you have to say. Robert M. Lee, thanks for joining us. thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Carrigan,
Starting point is 00:29:01 Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
