CyberWire Daily - Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). More on Log4j. Ransomware hits school website provider.

Episode Date: January 7, 2022

Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). The UK’s NHS warns of unknown threat actors exploiting Log4j bugs in unpatched VMware Horizon servers. In the US, CISA continues to assist Federal agencies with Log4j remediation, and observers call for more Government support of open-source software security. A major provider of school websites is hit with ransomware. Our guest is John Belizaire of Soluna Computing with a new approach to data center efficiency. Thomas Etheridge from CrowdStrike on supply chain risks. And the US extends the deadline to apply for grants in support of rip-and-replace. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/5

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Kazakhstan shuts down its internet as civil unrest continues. The U.K.'s NHS warns of unknown threat actors exploiting Log4J bugs in unpatched VMware Horizon servers. In the U.S., CISA continues to assist federal agencies with Log4J remediation, and observers call for more government support of open-source software security.
Starting point is 00:02:24 A major provider of school websites is hit with ransomware. Our guest is John Belizaire of Soluna Computing with a new approach to data center efficiency. Thomas Etheridge from CrowdStrike on supply chain risks. And the U.S. extends the deadline to apply for grants in support of rip-and-replace. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 7th, 2022. As widespread unrest and an increasingly violent government response continue in Kazakhstan, that country's government has cut back Internet services to an effective blackout level. NetBlocks says that the interruption, which began Wednesday at about 5 p.m. local time, has also affected mobile and some fixed-line telephone services. This morning, service had flatlined at 55% of normal levels.
Starting point is 00:03:35 President Kassym-Jomart Tokayev, who has requested and received military support from the Russian-led Collective Security Treaty Organization of former Soviet republics to put down civil disorder, opened up mass communications long enough to deliver an address explaining the steps his government is taking. The CSTO includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Tajikistan, in addition to Russia. Shutting down the internet has now become a routine step in coups and crackdowns, the equivalent of the 19th century's seizure of printing presses and the 20th century's takeover of the radio stations. This, however, pales in comparison to the kinetic violence in Kazakhstan, where President Tokayev has issued, Reuters reports, a shoot-to-kill order to forces confronting rioters.
Starting point is 00:04:28 One consequence of the internet blackout in Kazakhstan has been a disruption of cryptocurrency mining in that country. After China cracked down on coin mining in 2021, many coin miners set up shop in Kazakhstan, which became the world's second largest center of altcoin mining after the U.S., which moved into first place after Chinese restrictions came into effect. CNBC reports that the disruption of mining in the Central Asian country has already had an effect on Bitcoin prices. The U.K.'s National Health Service has issued a warning that unknown threat actors are working to exploit vulnerable VMware Horizon servers to set up web shells in their victims, thereby establishing persistence in their targets. VMware was quick to respond to notification of Log4J vulnerabilities, and its products have received appropriate upgrades.
Starting point is 00:05:25 Nonetheless, as The Record points out, a non-negligible number of users haven't yet updated their software, and the threat actors are misbehaving accordingly. NHS doesn't identify the threat actor whose behavior it describes, and indeed there may not be any single actor responsible for the attempts. Duo Security's Decipher says that there is more than one bad actor engaged in this kind of exploitation. Quote, Since the first disclosure of the Log4J bug, a wide variety of attack groups have been exploiting it. APT groups, lone actors, and cybercrime groups all have been seen exploiting one or more of the Log4J flaws that have been disclosed in the last few weeks.
Starting point is 00:06:12 Duo's Decipher also points out that while the U.S. Cybersecurity and Infrastructure Security Agency has indicated that the agencies it oversees are now in general compliance with Emergency Directive 22-02, the agency has been tight-lipped about details of compliance. This is understandable in what CISA characterized to MeriTalk yesterday as an ongoing process of remediation, and the agency intends to issue a cross-agency status report by February 15th. The experience of finding and fixing Log4J vulnerabilities has demonstrated how complex the software supply chain is and how complicated the process of vetting it will inevitably be. As ZDNet puts it in writing about this particular case, "...the Log4J flaw for Java web applications will haunt tech people for years." An essay in Politico argues, in part, that Log4J has exposed the limitations of the self-correcting evolutionary model of security that's long informed the
Starting point is 00:07:12 open-source community's practices. You can follow the CyberWire's ongoing coverage of the Log4J vulnerabilities on our website. Bleeping Computer reports that Finalsite, a major provider of web services to schools, has acknowledged sustaining a ransomware attack that's interfered with its ability to deliver services to its customers. The company had earlier characterized the incident as disruption of certain computer systems on Finalsite's network. Finalsite is based in the UK, but it provides services to schools worldwide, claiming to serve 8,000 systems from elementary schools to universities in 115 countries. The ransomware incident led Finalsite to take down some 5,000 school websites. The company said, quote,
Starting point is 00:08:00 The Finalsite security team monitors our network systems 24 hours a day, 7 days a week. On Tuesday, January 4th, our team identified the presence of ransomware on certain systems in our environment. We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists and began proactively taking certain systems offline. End quote. Recovery and investigation continue. CISA has continued to issue updates on ICS systems.
Starting point is 00:08:35 The agency yesterday released four industrial control system advisories covering Philips Engage software, Omron CX-One, Fernhill SCADA Server, and IDEC programmable logic controllers. And there's been another update from the U.S. government on its Rip and Replace program, designed to eliminate Huawei and ZTE equipment from smaller communications infrastructure providers' networks. The Federal Communications Commission's Secure and Trusted Communications Networks Reimbursement Program Eastern Time, rural telcos, contact the FCC for details. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:09:57 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:52 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. It's common knowledge that data centers consume a lot of energy, both for running the equipment inside and for keeping that equipment cool, and hooking them up to the more green sources of energy, like solar or wind power, presents the well-known challenge of what do you do when the wind isn't blowing or the sun isn't shining? Saluna Computing is an energy startup that's taking a novel approach to
Starting point is 00:11:50 powering data centers with renewable energy, built on the notion that not all computing needs to happen right away. John Belizaire is CEO of Soluna Computing. What we're saying is, what if you built a completely different type of data center that wasn't designed to be on 24-7, that actually was designed to be on less than 24-7 and could match its consumption, the load that it brings to the grid, to the actual production of the power plants on the grid? In fact, what if you place that data center right at the power plant, and when there is wasted and spilled power, that data center would consume that spilled power
Starting point is 00:12:36 and allow the power plant to balance itself better to the grid's needs, and therefore you could put more of these power plants on the grid. And that's what we're doing at Soluna. We're building specifically designed facilities that are based behind the meter, if you will. They consume wasted energy, so we bring load to places where you need that load. And inside those facilities, we put different types of computing applications in there, computing applications that can be paused, that are running jobs that are okay, essentially matching the energy that's available.
Starting point is 00:13:15 Would you be handing off processing jobs from data center to data center as the conditions were right around the world? Is that one component of what will be going on here? Actually, what we do is we've looked at all of the different types of applications out there. So let's say you're a CIO of a big financial services organization or a big corporation.
Starting point is 00:13:35 You've got different types of compute load inside your organization. You have one type that's mission critical, has to be on all the time. Your email service can never go down. Your financial services app or ERP applications always have to be up. What you want to do is place those applications in a regular data center. And then you've got a whole new set of applications that are fast emerging.
Starting point is 00:13:58 Applications for modeling your business, for example, that are powered by machine learning. You might have applications that are AI applications that help you determine which movie to show your customer next. Or you might have other applications that are focused on helping you find the next cure to the next global pandemic, where it's processing molecules and trying to find matches for how we might address, say, a particular new deadly virus. What we're saying is those two types of jobs, one is real time and one is batchable. What if you took the batchable ones, grouped them together and built data centers specifically designed just to run those types of applications, and then connected those data centers to real renewable energy resources on the grid and built an entire network of these data centers around the world, well, now you can create this very large zero-carbon cloud platform that's powered
Starting point is 00:14:59 directly by green electrons that can deliver advanced computing processes to the global enterprise, to universities, to pharmaceutical companies, to movie houses, to streaming services, etc., at a much lower cost than you can from an Amazon, let's say, and really help save the planet in the process. Is it ever a challenge getting folks to wrap their head around the notion that not all processing has to happen right now? It does, yeah. I think most people believe that computing is a continuous stream of activities. I think part of it is because we're now so used to computing really being close to our person.
Starting point is 00:15:46 We carry pretty powerful machines in our pockets and they keep us connected all the time. And so, you know, a typical person, if you grab them in the street, wouldn't imagine this concept of computing that's pausable or computing that can be performed in time slices. But the truth is that just even to create the real-time experience that we get from lots of applications, it's really a stream of multiple different smaller, you know, pausable elements that are doing their work to participate in that. You know, look at some of the social platforms. To generate your feed, there's an entire AI and machine learning process that's running just for you to make sure that you're seeing the best content and directing you, perhaps, or influencing you to buy products on certain platforms. That's all being performed by processes that are continuously running. But you could stop those processes and move them to another location and then restart that running and your feed wouldn't even, you know, you as a human wouldn't even notice that. That's John Belizaire from Soluna Computing. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up
Starting point is 00:17:05 for Interview Selects, where you get access to this and many more extended interviews. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Thomas Etheridge.
Starting point is 00:18:13 He's Senior Vice President of Services at CrowdStrike. Thomas, it's always great to have you back. You know, with Colonial Pipeline getting farther and farther in the background, in that rearview mirror as time goes on. I just wanted to check in with you for kind of where we stand at this moment when it comes to supply chain risks. What's your take there? Thanks, Dave. I appreciate you having me again on the show. Yes, supply chain has been a topic that's been top of mind for firms like CrowdStrike for a long time. Third-party application
Starting point is 00:18:47 vulnerabilities and the vulnerability of the supply chain in general has been something that threat actors are able to take advantage of to supersize the impact they can have on their victims. And that's something that we've been responding to as incident response service providers for quite a long time. Where do we stand right now in terms of your recommendations for folks? I'm thinking of the checklist, the due diligence that they should be doing with their own suppliers. That's a great question. I think for me, I talk to organizations all the time about their vendor management programs testing? Are they doing compromise assessments before they onboard a new technology or vendor to make sure that those organizations are not bringing a problem to the relationship? And then lastly, what else can be done from a
Starting point is 00:20:00 documentation and, you know, a compliance perspective to make sure those vendors have the ability to respond in the event that there is a vulnerability or a breach. Well, let's talk about incident response itself. When you and your colleagues there from CrowdStrike are brought in in an incident response case, how does all of the communication work between the folks that you're dealing with directly and then their suppliers down the chain? Well, incident response is a team sport, Dave. We talk about this all the time. It does require orchestration and collaboration from all the interested parties. We are having conversations, not just with the customer and their legal team and their compliance team and outside organizations that
Starting point is 00:20:47 may need to help with communications, but working with the vendors and making sure they understand where some of these risks are at and how we can solve for some of those problems specifically around things like implementing zero trust architectures, as well as making sure we are looking past the vulnerability into how threat actors might be moving in that infrastructure. As we look toward this coming new year, any thoughts on where things might head when it comes to supply chains? Or is it going to be more of the same? Or is there anything on your horizon that may indicate an evolution of how we deal with these sorts of things?
Starting point is 00:21:26 Something we talk to victims about all the time, Dave, is really focusing on post-vulnerability exploitation and the value add of threat hunting. If you assume that a zero-day exploit or a supply chain vulnerability is going to be used by a threat actor. And I think that's a safe assumption given the history and what we've seen over the last few years with some of these supply chain attacks. You need to have the capability to threat hunt on what threat actors are doing after the exploit's been taken advantage of. And really building out, whether it's internally or in collaboration and partnership
Starting point is 00:22:06 with a third-party organization that provides threat hunting capabilities, the ability to look past the vulnerability and understand the telemetry of the infrastructure and what's going on in the environment so you can respond faster to a threat that's taking place in your environment. The other thing that we emphasize as well is the importance of identity and zero trust. A lot of these e-crime threat actors and the big game ransomware hunting type activities that we see in the market today are precipitated by the use of stolen credentials. Understanding identities and solving for credential theft and poor identity management through the implementation of zero trust capabilities is something we discuss with victims all the time.
Starting point is 00:22:58 All right. Well, Thomas Etheridge, thanks for joining us. Don't miss this weekend's episode of Research Saturday and my conversation with Rob Boyce from Accenture Security reviewing their Karakurt Threat Group research. That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
