CyberWire Daily - Liquidating Lviv botfarms. Notes on hybrid war. Digital frameups in India? The Lazarus Group’s new yet familiar phishbait. Warnings about ransomware.
Episode Date: February 10, 2022
Ukraine takes down two botfarms pushing panic. Thoughts on hybrid warfare. Russia and China explain how we ought to see the political and online worlds. Digital frameups are reported in India. Lazarus phishes with bogus job offers. Espionage services looking for journalists' sources. David Dufour from Webroot ponders the Metaverse. Our guest is Amanda Fennell, host of the Security Sandbox podcast. And public and private-sector warnings about ransomware.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ukraine takes down two bot farms, pushing panic.
Thoughts on hybrid warfare.
Russia and China explain how we ought to see the political and online worlds.
Digital frame-ups are reported in India.
Lazarus phishes with bogus job offers.
Espionage services look for journalist sources.
David Dufour from Webroot ponders the metaverse.
Our guest is Amanda Fennell, host of the Security Sandbox podcast
and public and private sector warnings about ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 10th, 2022.
The Ukrainian SBU Security Service announced its liquidation of two bot farms in the Ukrainian city of Lviv,
which the SBU says were operating under Russian direction.
Three arrests were made.
Two of the suspects are accused of lending their apartments to bot farming.
The third maintained the equipment and software.
The two farms controlled some 18,000 bots and were largely engaged in disruptive influence operations,
spreading rumors of bombings and the placement of mines in critical infrastructure.
The Record describes the bot farms' goal as spreading panic.
The bomb threats may be connected to a wave of such threats Euromaidan reported near the end of January.
The SBU at that time characterized the campaign as a preparatory operation in a Russian hybrid war. An essay in the New Atlanticist
argues that adversaries, Russia in particular, have the advantage over the U.S. with respect to
hybrid warfare. Russian hybrid warfare isn't confined to the current situation in Ukraine,
and the essay in fact emphasizes other earlier operations as varied as election influence and
nerve agent assassination attempts. The essay sees five areas where the U.S. needs to improve
its capabilities, doctrine, and policies. They include: timely attribution and its timely public release;
pain points, the clear-eyed assessment of what the adversaries value and how those values may
be vulnerable; tempo and sequencing, meaning U.S. responses must be effective and close enough in time to the
original offense to be correctly viewed as retaliatory; strategic coordination, that's in the first instance internal coordination with national strategy.
The U.S. government has had some difficulty staying on message.
And finally, effects-based messaging.
The goal is to shape the adversary's behavior,
and the messaging, in both words and action,
should be designed to do so in a way consistent with overall strategy.
The Olympic Games meeting between Presidents Putin and Xi resulted in a long communique,
a joint statement of the Russian Federation and the People's Republic of China
on the international relations entering a new era and the global sustainable development.
While it's easy to read too much into the meeting,
an essay in Foreign Policy argues it's worth reading the joint statement
as a summary of the worldview that Russia's government would advance.
They note that Beijing's account of the session has been more muted than Moscow's.
It's especially relevant in its implicit framing of Russia's ambitions with respect to Ukraine.
Fundamentally, Russia sees the dispute with NATO and Ukraine as an internal Russian matter.
As the joint statement puts it,
The sides reaffirm their strong mutual support for the protection of their core interests,
state sovereignty and territorial integrity,
and oppose interference by external forces in their internal affairs.
Russia and China stand against attempts by external forces to undermine security and
stability in their common adjacent regions, intend to counter interference by outside forces in the
internal affairs of sovereign countries under any pretext, oppose color revolutions, and will increase cooperation
in the aforementioned areas. End quote. Note the mention of common adjacent areas,
which seems to suggest that a declared sphere of influence should be regarded as a matter of
state sovereignty and not something other nations may legitimately meddle with. That is, a matter of big-state sovereignty,
a matter for what used to be called great powers. Looking ahead to other long-running conflicts,
the joint statement includes a by-the-way warning about Taiwan,
quote, the Russian side reaffirms its support for the one-China principle,
confirms that Taiwan is an inalienable part of China and opposes any forms of independence
of Taiwan. The villain is NATO, frozen in its Cold War mindset and led by an America that's
interested in replicating the malign NATO model in Asia and the Pacific with an assist from the UK
and Australia. Respect for sovereignty is also cited as a core principle
with respect to Internet governance and information security.
The diplomatic heavy lifting is bucked up to the United Nations.
There are some routine avowals about supporting an international convention
that would address cybercrime, and this matter is also bucked up to the UN.
And finally, Internet governance is to be internationalized
in a way that establishes national control over information as a fundamental principle.
Governments will decide what transits the web in their countries,
let every country erect its own great firewall,
or at least let Moscow and Beijing do so.
SentinelLabs describes a long-running operation by an APT it calls ModifiedElephant. The group has been active since 2012, at least,
and its targets have for the most part been located in India. It's been engaging in apparent
frame-ups. Quote, ModifiedElephant is responsible for targeting attacks on human rights activists,
human rights defenders, academics, and lawyers across India
with the objective of planting incriminating digital evidence.
End quote.
The group uses commercially available remote access Trojans
and so may have connections with the commercial surveillance or lawful intercept industry.
ModifiedElephant's preferred method of attack is the familiar spear phishing campaign,
with the payloads usually carried in malicious Microsoft Office files.
The researchers are cautious about attribution,
but they do say that ModifiedElephant activity aligns sharply with Indian state interests
and that there is an observable correlation between ModifiedElephant attacks
and the arrests of individuals in controversial politically charged cases.
North Korea's Lazarus Group continues its tiresome practice of phishing for victims with bogus job offers
imputed to major defense and aerospace companies. Northrop Grumman
and BAE have been impersonated in the past. More recently, ZDNet reports, it's been Lockheed Martin.
Researchers at Qualys, who've tracked the activity, are calling this particular campaign
LolZarus for its use of LOLBins, that is, living-off-the-land binaries.
The phishbait is familiar, but this incident shows some evolution of capability on the part of the Lazarus Group.
As Qualys puts it in the conclusion of its report,
Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various LOLBins as part of its campaign.
Qualys will continue to monitor for other similar phishing lures related to Lazarus.
What were the Chinese state actors after in their compromise of News Corp?
Sources, apparently, and CPO Magazine reports that those state actors took a particular interest in
Wall Street Journal reporters. The attribution of the cyber espionage to China remains tentative, a best guess on the
basis of the available evidence. The interest in sources has an obvious motivation. An authoritarian
government would regard talking to the media, especially the foreign media, as first cousin to espionage. A joint advisory by Australian,
British, and U.S. authorities outlines the current state of the ransomware threat.
They see more underworld cooperation, especially ransomware-as-a-service operations and 24-7 help
centers that expedite ransom payment and restoration of encrypted systems or data,
a greater focus on the cloud, and more software supply chain attacks.
They also say that double extortion remains common.
The Australian Cyber Security Centre in particular is observing this,
and that they're beginning to see more threat actors using triple extortion.
In triple extortion, the threat actor does three things. It publicly
releases sensitive information, it disrupts the victim's internet access, and it tells the victim's
partners, shareholders, or suppliers about the incident. The ransomware operators are also going
after managed service providers and industrial systems. And there's an interesting trend in
timing. More ransomware approaches are being made on weekends and holidays
when organizations are presumed to have relaxed,
if not actually their vigilance,
at least the level of security support they make available to their people.
There's also a private sector advisory on ransomware out today.
The National Cybersecurity Alliance and the PCI Security
Standards Council warn that such extortion is on the rise, and they offer some advice
on best practices organizations should follow. Train your people, keep your systems up to
date and secure, monitor your networks, and back everything up. Sound advice, all. security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And I am pleased to welcome to the CyberWire podcast, Amanda Fennell.
She is the host of the Security Sandbox podcast, which is joining the CyberWire network of podcasts.
Amanda, welcome to the CyberWire.
Thanks for having me. Excited.
Well, let's get started by learning a little bit about your podcast and you as well.
Let's start out with the show here.
What are you setting out to do here with Security Sandbox?
Well, I think this began because there are a lot of security podcasts out there.
And I guess I wasn't listening to a lot of them.
And I started to wonder why I was not listening. And I think there was a bit of like, okay, I think I've heard this particular topic before
this way.
And that's the thing in security.
A lot of us have the same perspective because we've all been doing the same thing a long
time.
And so I was thinking about bringing in different perspectives to kind of throw into the mix.
And that was the creation of season one, where we kind of put this creativity and curiosity
from other areas that you're enjoying
or you're passionate about, like archaeology, and you bring that into how could we deploy some of
these same concepts into cybersecurity. Yeah, I mean, looking through and listening to some of
the episodes from your first season there, it seems to me like you're really focusing on the
human side of things, people bringing a bit of themselves to this work.
You know, it's true.
And for as much as I love the tech, the tech is always easy to either procure or implement or configure and so on.
It's the human element that always ends up making it successful or not.
And I think that's where season two really went and is going now.
Like we know it's about people.
Now it's less about random passions that might be able to come in. Now it's about how are these
people using the technology in combination to be successful for securing an environment.
Well, tell us a little bit about yourself. How did you get your start and what led you to where
you are today? I feel like if you go back through season one,
you'll find out what all of my random jobs were as a kid.
So I worked at Starbucks at one point, so coffee is a big passion. I went undergrad in archaeology,
so that was an episode, specialized in human remains. And then when I started to go through grad school, I found out
there just was not a really large market for archaeologists out there. And also once I started
doing the work, I was like, wow, this is not Indiana Jones or Lara Croft at all. It's living
in a hotel room and you have a very small brush and a trowel. So I started to look for different
programs for my master's to move into that would be
more security job, like to have one and to get paid and be able to pay off my student loans.
And at the time, digital forensics had just come out. And I specialized, like I said,
in human remains, which was forensic anthropology. So it wasn't a far jump for me to say, well,
what's this digital forensics? You're using the word forensics. And the word forensics
comes from Latin, you know, forensis, before the people and having to prove a case.
So I was intrigued. I went and talked to them and switched over to digital forensics.
And the first semester into it, I got recruited from Guidance Software for EnCase. And it just
went from there. And then it was government and Fortune 50s managing security stuff. And
I think after a while I decided I had a voice that I thought could be helpful. And I think
that's really what I think the podcast is about. Like, I think that we have something here we can
say that we think will be helpful and it is founded in the same curiosity today that I had
20 years ago. Well, as you say, season two is about to kick off here. Can you give us a preview of some of the things we can look forward to?
podcast. And he's an author, security researcher, all of these different things. And he's also behavioral science. And that is his enthusiasm. So love it. This is the area that I was I read
the book. And I was like, Oh, my gosh, this gentleman is just as emphatic about humans
being the strongest link as I am, but in a very fresh way. And so we came to it there
with Marcin Swiety, who's my director of global security and IT, and he's in Poland. And we chat about just effective training, technology, and support that can get everyone invested in how they'll protect your organization. So how will those things all come together? And I always go back to 300, which is one of my favorite movies, which is tragic. I literally named my firstborn child Leonidas. I get it.
I know.
It's not that.
Oh, my.
But I love the idea of how they were able to hold off.
So 30,000, a million, however many troops that were coming into the hot gates, and it
was just 300 men.
How were they able to do that was because they had trust in the person to their left
and right was just as strong and cared just as much as they did.
And that is how I think cybersecurity needs to be. We are holding off millions of threats every day.
You have to trust the person to your left and right and not just because they're on the security team.
Yeah, you know, it strikes me that in this world that cybersecurity people inhabit,
where there's so many ones and zeros and the alarms are always going off, that there's a
real hunger for these stories of human connection and being able to tap into that side of things.
So I really think you're onto something here. I hope so. I do think that there is always a
technical aspect to each episode, as there should be. We'll never get away from the tech.
But how we're implementing that tech to become something that's much more merged with humans,
I mean, honestly, that's where we go in the direction when we talk about AI, right?
This is exactly why that'll be one of the other topics that we tackle about,
like, what is the real role of AI in the future in cyber?
We know that automation and machine learning is happening in the cyber realm with adversaries.
How are we fighting that battle
and what would be the future for that?
Well, the podcast is titled Security Sandbox
and it's hosted by Amanda Fennell.
Thank you so much for joining us.
Thank you.
And I'm pleased to be joined once again by David Dufour.
He is the Vice President of Engineering and Cybersecurity at OpenText.
David, always great to have you back on the show.
I am really looking forward to checking in with you because I want to get your take on what the heck you think about this new thing
coming down the pike.
I've heard it mentioned.
It's called the metaverse.
Yes, the metaverse.
Well, it's a lot of things to a lot of people. So I think the good news is, David, we're in those early days where no one's exactly sure what it looks like. And the other good news is we have a template, I think, in how to do it 100% correctly. If we look back over the last 20 years on how well humanity has executed social media, I think we can't lose with the metaverse.
Sure. And the pedigree of the company that's leading it, right? It's been completely flawless.
It's exactly. I mean, it's going to be a friendly, open place where everyone gets along and there's
no trolls or anything like that.
No, it's going to be Skittles and rainbows the whole way.
Exactly. So what are your concerns coming into this
sort of new thing from a security point of view? Yeah. So first of all, we do need to articulate
there's a handful of key things appearing. You know, there's VR. So you say metaverse,
some people think of virtual reality. You say metaverse, some people think of gaming environments
where they can go in and socialize. Some people think of these new platforms where they're going in and buying land
and it's tied to cryptocurrencies and blockchain. And I think we're going to see some amalgamation
of all of that. And so the beauty is for our good friends, the cyber criminals, David, is there's
going to be a litany of places they'll be able to steal from, hack into, and things of that nature. And no one's going to listen to you and I, but let's
just say it today. We really need to take a security-first perspective on how we approach
this because there's going to be a lot of transactions, a lot of money that's going on
in this in the next five to 10 years. And we need to secure it now because it's easier than retrofitting later.
Well, speak for yourself. But I think that, or I wonder if, you know, the lessons that we have learned from social media are going to be applied here. Can we be so optimistic as to say that any
of those lessons are going to be learned. And this next wave of online interaction
will come with more security baked in.
To be completely forthright, of course.
There's going to be things where we see better protection for children,
where we see better security around transactions.
But one of the biggest money makers in cryptocurrency right now
is stealing people's
crypto wallets, right? It's not actually making money on the currency. So there's a lot of that
that we have to pay attention to now. And it's kind of tongue in cheek to say how rough social
media has been. I do think we will go into this with some eyes wide open on how to proceed.
And the hope is some good thought is put into how to proceed,
not government regulation.
You know, I'm not advocating for that,
but where people really try to do the right thing up front and facilitate this moving forward
from both a socially acceptable perspective and security perspective.
Do you have your goggles ready?
Are you ready to be an early
adopter here? So joking aside, several months back, I put on a kid's, a friend of mine, I have
a couple of boys and one of their friends had a VR headset. I put it on and I literally went out
and bought one that night. Really? Yes. The VR component to this is mind-blowing.
And the potential there, all the drawbacks to using, I don't want to say Zoom, but not Zoom itself, but all the Zooms, the GoToMeetings, the Teams, all of those products, using the communication products we use today virtually.
When you put on a headset and it's three-dimensional and you can look around, in five years, David, you and I can say, hey, let's meet in Central Park on the bench at this crossroads.
And we can both put on our headsets and do that.
That's going to be like huge.
And the ability to whiteboard and do things you would do in an office, it's a big deal. And it's the early days. There's a lot coming.
And I really think this will be the next wave. Not just from a
post pictures of your kitties in virtual reality.
But I do think there's a lot to this coming.
All right. Well, David Dufour, bullish on the metaverse. Thanks so much for joining us.
Hey, great to be here, David.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky. Thanks for listening. We'll see you back here tomorrow.