CyberWire Daily - Keeping pentesting tools out of criminal hands. Updates from an intensified cyber phase in Russia’s hybrid war. Fars reports sustaining a cyber attack. The most common password remains “password.”
Episode Date: November 28, 2022
Nighthawk's at the diner (but maybe not on the crooks' menu). Internet service in Ukraine and Moldova is interrupted by strikes against Ukraine's power grid. Sandworm renews ransomware activity against Ukrainian targets. Russian cyber-reconnaissance seen at a Netherlands LNG terminal. European Parliament votes to declare Russia a terrorist state (and Russia responds with cyberattacks and terroristic threats). Carole Theriault reports on where these kids today are getting their news. Malek Ben Salem from Accenture on digital identity in Web 3.0. And, hey, the new list of most commonly used passwords looks...depressingly familiar.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/226
Selected reading.
Sec firm MDSec slams Proofpoint for post on pen-testing framework (iTWire)
Nighthawk: With Great Power Comes Great Responsibility (MDSec)
Cyberattack Hits Iran's Fars News Agency (RadioFreeEurope/RadioLiberty)
Iran's Fars news agency is hit by cyberattacks, blames Israel (Times of Israel)
Ukraine and Moldova suffer internet disruptions after Russian missile strikes (The Record by Recorded Future)
New ransomware attacks in Ukraine linked to Russian Sandworm hackers (BleepingComputer)
Russian hackers targeting Dutch gas terminal: report (NL Times)
Russia labelled state sponsor of terrorism as missile strikes leave Ukraine without power (The Telegraph)
Killnet Group Claims Responsibility for European Parliament Cyber Attack (Digit)
European Parliament hit by 'sophisticated' cyberattack (Deutsche Welle)
European Parliament website suffers 'sophisticated' cyber attack after Russia terrorism vote (Computing)
Hackers Temporarily Take Down European Parliament Website (Wall Street Journal)
Guess the most common password. Hint: We just told you (Register)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Nighthawk is at the diner, but maybe not on the crook's menu.
Internet service in Ukraine and Moldova is interrupted by strikes against Ukraine's power grid.
Sandworm renews ransomware activity against Ukrainian targets.
Russian cyber reconnaissance is seen at a Netherlands liquefied natural gas terminal.
The European Parliament votes to declare Russia a terrorist state.
Carole Theriault reports on where these kids today are getting their news.
Malek Ben Salem from Accenture on digital identity in Web 3.0.
And hey, that new list of most commonly used passwords looks depressingly familiar.
From the CyberWire Studios and DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 28th, 2022.
It's good to be back together after the long Thanksgiving weekend.
Today is Cyber Monday.
We trust you're staying safe as you shop online
and that you'll also give safely online tomorrow on Giving Tuesday.
On to the news.
We heard last Tuesday about steps Google was taking to render Cobalt Strike less susceptible to abuse by cyber criminals.
As you know, Cobalt Strike is a legitimate penetration testing toolkit
that's been frequently abused by criminals who've used it to move through victims' networks
and help stage attack payloads.
Google released open-source YARA rules that should make it easier for defenders to detect such abuse.
The step should also have the welcome result of returning the tool to its proper users,
white-hat penetration testers.
Proofpoint also suggested that another, newer pen testing framework, Nighthawk, might be susceptible to similar abuse.
Proofpoint said it hadn't observed any signs of Nighthawk being abused, and they acknowledge that the tool is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well, but they cautioned it might be abused.
MDSec, Nighthawk's proprietors, didn't care for that discussion of a priori possibility at all, stating, Proofpoint also makes unsubstantiated and speculative projections that Nighthawk could be abused by threat actors in the future.
This subsequently led to various questions over both Twitter and email about what precautions we take when distributing Nighthawk.
MDSec goes on to describe the steps it takes in its licensing process to prevent Nighthawk from falling into the wrong hands.
Their discussion is too lengthy to recount in detail here, but it's offered to support their conclusion.
They do state, we firmly believe that the layered mixture of soft and technical controls that have been implemented stand us in good stead to responsibly distribute the product to responsible customers.
Iran's state Fars news service says, according to AFP, that its operations have been disrupted since Friday in cyberattacks.
Fars calls the incident a complex hacking and cyberattack operation and cautioned that disruptions might continue for some time.
There's no attribution, but Fars did say that it was often under Israeli cyberattack.
There's also the possibility of hacktivism,
given Fars' role as an official source of information during ongoing protests in Iran over the death of Mahsa Amini.
The story is still developing.
And while Russia's war against Ukraine has settled for now into artillery exchanges and Russian drone strikes against civilian targets,
the cyber phase of the hybrid war has seen an uptick of Russian activity.
Some of it is incidental, some disruptive, and some informational. First, the incidental.
Moldova's Vice Prime Minister Andrei Spînu tweeted last Wednesday morning,
massive blackout in Moldova after today's Russian attack on Ukraine's energy infrastructure.
Moldelectrica, Moldova's TSO, is working to reconnect more than 50% of the country to electricity.
The Record reported over the weekend that the attacks against the power grid have also taken
down Internet service in both Moldova and
Ukraine. Ukrainian internet service providers are using emergency generators as they work to
restore online connectivity. Second, some disruptive activity has also been seen in the ongoing
conflict. ESET reported over the weekend that it's observed a surge in a ransomware strain the company calls RansomBoggs.
The malware is written in .NET and represents a new strain of ransomware,
but the deployment, according to ESET, is similar to what they've observed in Sandworm activity in the past.
Sandworm has been associated with Russia's GRU.
The researchers tweeted,
There are similarities with previous attacks conducted by Sandworm.
A PowerShell script is used to distribute the .NET ransomware from the domain controller, which is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.
ESET also sees similarities between RansomBoggs and Iridium, Microsoft's name for the GRU operation the company detected in Prestige ransomware attacks against Polish and Ukrainian targets in October.
Other Russian threat activity linked to past attacks against energy infrastructure has been observed in at least one Western European port.
So far, it seems to amount to battle space preparation for a broader cyber war against Europe as a whole.
According to the NL Times, industrial cybersecurity firm Dragos has warned that Xenotime and Kamacite may be engaged in reconnaissance of liquid natural gas terminals in the Netherlands.
The two threat groups have been linked with GRU attempts against industrial targets in the past.
The publication quotes Dragos' Casey Brooks as saying,
We know that LNG terminals are a target. It's just a question of when and how.
These are tests to see where they could potentially have an impact with a digital attack.
The researchers have seen signs of such preparation in the systems of Gasunie's LNG terminal in Rotterdam port of Eemshaven.
Oilprice.com reports that threat intelligence and security firm EclecticIQ has seen increased activity around critical infrastructure in the Netherlands and in Europe generally.
And in informational response to criticism of Russia's war,
the European Parliament last Wednesday voted to declare Russia a state sponsor of terrorism
on the grounds that its strikes against Ukrainian civilian targets,
including energy infrastructure, hospitals, schools, and shelters,
violate international law and warrant the terrorist designation.
It's effectively a symbolic vote since the European Parliament, Reuters explains,
lacks a legal framework that might provide some mechanisms for enforcement,
but the designation is thought likely to spur deeper sanctions.
Maria Zakharova of the Russian Foreign Ministry responded in her Telegram channel, stating,
I propose designating the European Parliament as a sponsor of idiocy.
A few hours after the vote, the Parliament's websites were taken down for a short period of time
by a DDoS attack,
which the Wall Street Journal and others report members of the EU's parliament described as sophisticated.
It took about two hours to restore service,
and since the incident appears to have been a relatively routine DDoS attack,
it's difficult to see where the sophistication lay.
The Russian auxiliary threat actor Killnet has claimed responsibility
in a message posted to its Telegram channel, which reads in part,
Killnet officially recognizes the European Parliament as sponsors of homosexualism,
which one supposes is one way of looking at the conflict.
Most observers are inclined to credit Killnet's claims of responsibility.
The attack looks like something up their alley. And finally, NordPass has released its list of
2022's most commonly used passwords. It's so familiar as to be, well, depressingly familiar.
The top five will come as no surprise to anyone. Number one, password. Check, always there.
Number two, 123456. Double check for the numerically lazy. Number three, 123456789.
The added three digits offering a thread of hope of additional security. Number four, guest. Be our guest. Five, QWERTY. Check-a-rooney for the alphabetically lazy.
The toughest of these to crack? It's guest, believe it or not, which is crackable in a snail's pace 10 seconds.
Don't misinterpret that comment as an endorsement, but cracking the others takes less than a second.
None of the top 200 is even funny,
although Batman at number 185 on the leaderboard
shows a little bit of playfulness,
more than Superman at 125,
but maybe Gotham City just seems a little more interesting than Metropolis.
And to those who use FU as their credential,
right back at you, bro, or sis, or whatever, girlfriend, whoever you are.
FU places at number 88, which offers a little bit of irony
since 88 in ham radio shorthand means love and kisses.
No 88 for you, bro, or for your girlfriend either.
There's some national variation in the results.
Among the Five Eyes, Australia and the United Kingdom favor password,
Canada goes with 123456, and the United States likes guest.
There's no listing for New Zealand, which seems like a sad oversight.
Still, the four Eyes who got an entry all picked one that placed in the top five.
The master list appears to be a good guys only affair,
as neither Russia, China, North
Korea, nor Iran get so much as a look in, but we're pretty sure those lists would differ only in
detail. So what do you say, Fort Meade? What's the average Ivan using these days in those St.
Petersburg troll farms? Inquiring minds want to know.
Coming up after the break, Carole Theriault reports on where kids today are getting their news.
Malek Ben Salem from Accenture looks at digital identity on Web 3.0.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
What do you consider your most trusted source for news?
Those of us old enough to remember Walter Cronkite certainly have some opinions on the matter,
but of course these days most people get most of their news from online sources, and that includes teens.
Our UK correspondent, Carole Theriault, files this report about how teens are finding their news.
So, Ofcom is the UK regulator on all things communication services.
They say on their site, we make
Ofcom has recently put out a report on news consumption in the UK.
And this report provides the findings of Ofcom's 2021-22 research into news consumption across television, radio, print, social media, podcasts, website, apps, magazines, etc.
And they had an interesting finding,
that social media is overtaking traditional channels for news among teens. So Instagram, TikTok, and YouTube are now teens' top three most used sources
for news. Now think about that. These largely unregulated sites definitely have targeted personalized ads
that must be almost impossible for a national regulator to monitor with any confidence.
This is the place where our kids are getting their news from. I mean, if someone asks you
a quick fire question, who do you trust, public broadcasting or the socials, what do you say?
TikTok, arguably the home to the full face wax challenge or the magnet ball challenge.
Instagram, the place that internal researchers called a teen mental health deep dive,
including a study that found Instagram made body issues worse for one in three teenage girls. Or YouTube,
the place with a reputation for taking users down dangerous rabbit holes. But thing is,
I kind of get it. Were I a teen or a tween, I am 100% sure I would much prefer to be glued to one of these social channels as opposed to the BBC, CBC or PBS.
But here's the kicker.
Ofcom's findings show that fewer than a third of teenagers trust TikTok's news content.
So a mere one in three trust TikTok for news, yet it has surpassed things like the BBC as a source for news.
It just seems like a weird dichotomy.
And maybe the answer here lies in training kids in the art of investigative consumerism.
Stay with me here.
In the same way that we as readers might put our trust into an investigative journalist to double-check their facts and sources,
we teach kids how to consume their daily news media so they can have confidence in what they're remembering, sharing, and commenting upon.
Is that crazy?
This was Carole Theriault for The Cyber Wire.
And it is my pleasure to welcome back to the show, Malek Ben Salem.
She is the Security Innovation Principal Director at Accenture.
Malek, always great to have you back.
I want to touch base with you today about some stuff I've been seeing about Web 3.0,
and we can talk about that, but particularly digital identity within Web 3.0.
What do you have to share with us today?
Yeah, thanks, Dave.
So let's start with defining what is Web 3.0.
Please.
I'm not sure I have the answer, but basically it's a term that was first coined by Gavin Wood.
Gavin Wood is the co-founder of Ethereum, which is the second biggest cryptocurrency.
Now, recently, this term has gained prominence, and some people believe that the main premise of Web 3.0 is that it's supposed to break the world free of the monopolistic control
by using a mixture of blockchain, cryptocurrencies, and NFTs to give power back to the internet users,
giving back power in the form of control and ownership. And that's it, you know, that's great.
An aspirational goal.
An aspirational goal, definitely. If our listeners remember, Web 1.0 was basically the first version of the web where it was all about static pages.
Web 2.0 started in the early 2000s. There was an evolution of the initial scheme where now internet users can not just read content, but are able to read and
write content. And so companies like Facebook allow you to share content, right? You were the
producer of that content. It's no longer the bigger companies who are generating that content.
Now, in Web 3.0, there might be along that way of giving control back to users and enabling them more.
There is a natural development through the availability of technologies like blockchain to give back control to the users in terms of
owning and controlling their identities. Now we're dealing, we know what's the existing
form of digital identity, which is typically, you know, you have a user ID and password and
that's how you prove your identity to a company or to a digital service provider.
In Web 3.0, the natural evolution is this rise of decentralized identities, where, again, control is supposed to be given back to the users so that they own their identity.
It's a unique identity across multiple platforms.
And they can decide which pieces of their identity,
which pieces of data they can share
with this service provider or that service provider.
And when to revoke access to that piece of data.
Yeah, I mean, that revocation is really a key element here.
I suppose this is really intricately tied with privacy.
Oh, yeah, absolutely.
And that's the whole premise of this,
is that this should give the users that capability of protecting their privacy.
The whole motivation behind building these decentralized digital identities is to basically, there is an imbalance, if you will,
between the power, between the big platforms today
and the internet users.
And we need to rebalance that.
I mean, I, as an internet user, would say that.
And one way of doing it is through these technologies.
But again, that's the aspirational goal.
Whether it's feasible, I think that remains to be seen.
Yeah.
Well, but that's my next question for you then.
I mean, have you seen anything
from a technology point of view? Is there anything on the horizon that makes you think
that this is a practical thing that we may come see to pass? I think in terms of the
early proofs of concept and proofs of value that we've seen, I think it's technically feasible.
There's no doubt about that. The technology allows it. But as some lawsuits have revealed recently,
we've discovered that some of the infrastructure or a large portion of the infrastructure behind blockchain or behind Ethereum is owned by big tech companies.
And therefore, if they are the owners of that infrastructure,
then they may end up being the owners of these platforms that are supporting these distributed digital identities.
So there are a lot of potential benefits here, but how about some of the risks?
Yeah, so we talked about the benefits of giving back control to the users,
providing seamless digital consumer experiences to the end user.
There are also benefits to the technology providers today.
Maybe they can reduce their costs of managing these identities if that management work is given back to the end users.
But there are also risks associated with decentralized identities.
The first being the risk of exclusion, right? There is a growing digital divide. And, you know, for certain demographics, you know, a Web3.0 wallet may not always be
intuitive, would be a steep learning curve. So I think there is definitely that risk.
There is the risk of, you know, being able to self-manage identity data
that may not be straightforward for a lot of people. Even though managing a large list of
passwords is daunting, but managing these identity pieces also in a decentralized manner may also be daunting.
There is the risk of a far-reaching implication of a certain hack.
So if your identity gets hacked,
then the threat actor who got access to that identity
may have access to many services, right, at once.
It's not just access to one platform.
It's, you know, this is your identity for all services on the web.
And so the implications are much higher.
There's a risk of immutability and privacy.
As we know, in these distributed ledgers,
particularly decentralized blockchains,
are immutable.
So any data that is entered on that blockchain is irreversible.
And if you have past identities,
there's no way to hide that.
Past transactions, even for legitimate reasons,
may not be hidden.
Well, interesting insights as always.
Malek Ben Salem, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
You were white hat hackers before hacking was even a thing.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast
is a production of N2K Networks,
proudly produced in Maryland out of
the startup studios of DataTribe,
where they're co-building the next generation of
cybersecurity teams and technologies.
Our amazing Cyber Wire team
is Elliot Peltzman, Trey Hester,
Brandon Karp, Eliana White,
Puru Prakash, Liz Ervin,
Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carole Theriault,
Thanks for listening.
We'll see you back here tomorrow.
needs AI solutions that are not only ambitious, but also practical and adaptable. That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.