CyberWire Daily - Mixer gets sanctioned. Reward offered for Conti hoods. Ag company hit with ransomware. Hacktivism and cyberattacks in Russia’s hybrid war. That apology? The Kremlin takes it back.
Episode Date: May 9, 2022
The US Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. US tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the UK. A Russian diplomatic account was apparently hijacked. Tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf defends against DDoS attacks. Rick Howard looks at Single Sign On. And no apology for you, Mr. Bennett.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/89
Selected reading.
U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats (U.S. Department of the Treasury)
Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice (United States Department of State)
AGCO ransomware attack disrupts tractor sales during U.S. planting season (Reuters)
Agricultural equipment maker AGCO reports ransomware attack (The Record by Recorded Future)
Russia’s chief diplomat in Scotland condemns Ukraine invasion in social media post (The Telegraph)
Pro-Russian Hackers Hit German Government Sites, Spiegel Says (Bloomberg)
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine (IronNet)
Russia tensions with Israel may intensify as Kremlin denies Putin's apology (Newsweek)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
The U.S. Treasury Department sanctions a cryptocurrency mixer.
Rewards for Justice is interested in Conti.
U.S. tractor manufacturer AGCO was hit by a ransomware attack.
Russian hacktivism hits German targets and threatens the U.K.
A Russian diplomatic account was apparently hijacked.
Tracking Cobalt Strike servers used against Ukraine.
Dinah Davis from Arctic Wolf defends against DDoS attacks.
Rick Howard looks at single sign-on, and no apology for you, Mr. Bennett.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 9th, 2022.
The U.S. Department of the Treasury has sanctioned Blender.io on the grounds that the cryptocurrency mixer was involved in laundering money for the Lazarus Group, North Korea's well-known government criminal organization, which carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to the online game Axie Infinity.
Blender was used in processing over $20.5 million of the illicit proceeds.
The sanctions are believed to be the first levied against a mixer service.
On Friday, the U.S. Department of State added members of the Conti ransomware operation to its Rewards for Justice program.
They said, "The Department of State is offering a reward of up to $10 million for information leading to the identification and or location of any individuals who hold a key leadership position in the Conti ransomware variant transnational organized crime group. In addition, the department is also offering a reward of up to $5 million for information leading to the arrest and or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident."
Reuters reports that Agco, a major manufacturer of farm equipment,
has sustained a ransomware attack that's affected production and delivery of tractors and other agricultural equipment.
The company said Friday that disruptions might last several days and potentially longer.
Some customers said they began to have difficulties
accessing AGCO sites on Thursday.
Which strain of ransomware was used and which gang was behind the operation are unknown, but The Record offers some informed speculation that it may have been BlackMatter.
The Record also notes the coincidence, if you believe in such things, that AGCO had on Thursday announced plans to donate $50,000 to BORSH, a Ukrainian relief effort devoted to helping that country's farmers.
The U.S. FBI had warned back in September that the agriculture and food sector could expect ransomware attacks, and the Bureau updated its warning at the end of April, saying that attacks on agriculture could be expected to coincide with planting and harvest seasons.
This attack would seem to bear those warnings out.
Der Spiegel has reported that Russian-aligned hacktivists,
Putin fans, as the paper's headline calls them,
have claimed cyberattacks that temporarily disrupted websites belonging to airports,
the defense ministry, the Bundestag, federal police, and some state police authorities.
The group calls itself Killnet and counted coup over its Telegram channels.
Killnet is of relatively recent origin and has specialized in distributed denial-of-service attacks, mostly at a nuisance level.
The threat actor has been active against Romanian targets since early in Russia's war against Ukraine, and it's recently threatened to retaliate against British support for Ukraine by shutting down ventilators in UK hospitals.
The threat against the UK was prompted by the British arrest in Tottenham of a Romanian resident in Britain on charges connected with the earlier cyber attacks against Romanian targets.
Killnet's communique read, "If he's not released within 48 hours, I will destroy your Romania, Great Britain and Moldova. I will destroy your entire information structure and even your Ministry of Health. All ventilators will be attacked. Only then will you begin to realize the mistake you have made."
Killnet seems unlikely to be able to make good on this particular threat. Still, shields up.
The Telegraph reports that Russia's Consul General in Edinburgh, Andrey Yakovlev, posted his opposition to Russia's war against Ukraine on his Instagram account. The now-removed
post read, I categorically condemn the behavior of the military special operation of the Russian
armed forces against the sovereign independent Ukraine. I fully support any assistance to the
Ukrainian armed forces from EU countries. The Russian consulate told the Telegraph,
our account was hacked. It has already been deleted. The consulate added in its Twitter
account, false information was posted about the position of the leadership of the foreign
institution. A number of news outlets cheerfully picked up Mr. Yakovlev's alleged post
and retailed it with the consulate's denial well below the fold.
Newsweek is one example.
In this case, however, the Russian foreign ministry is almost certainly telling the truth.
That a Russian diplomat would take such a public position in opposition to his own government is pretty far-fetched.
That he would do so without immediately thereafter defecting and asking for asylum is beyond belief.
Sure, strange events permit themselves the luxury of occurring, as a movie detective used to say in the 1930s,
but this event would really just be too strange.
IronNet has followed up on CERT-UA's April 18th alert 4490, which described a Russian TrickBot campaign using an urgent message about Mariupol's Azovstal steelworks as fish bait.
IronNet explains, the goal was the installation of a Cobalt Strike Beacon on the victim's system through the use of an MS Office macro.
The researchers offer an account of how the threat actors used Cobalt Strike and do so with a view to understanding how this tool is likely to be turned to malicious use in the future.
They found that malleable profiles were used by the threat actors, and they observed both a jQuery profile, commonplace, and a Minimal Defender Bypass profile, more novel and only recently observed in the wild, in use.
And finally, that apology President Putin was said to have offered Israel last week,
the one that regretted Foreign Minister Lavrov's comments on Hitler's supposed Jewish blood?
Never happened, the Kremlin effectively said,
releasing what it insisted was a complete transcript of the call
between President Putin and Prime Minister Bennett.
There was no apology in that transcript, Newsweek reports.
A statement by Israel's foreign ministry after the call had said,
The prime minister accepted President Putin's apology for Lavrov's remarks
and thanked him for clarifying his attitude toward the Jewish people and the memory of the Holocaust.
And that, the Kremlin now seems to say, never really happened.
Do you know the status of your compliance controls right now?
Like right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives
are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it's always my pleasure to welcome back to the show the CyberWire's own Chief Security Officer and Chief Analyst, Rick Howard.
Rick, welcome back.
Hey, Dave.
You know, in our Slack channel,
I was reading the summary of this week's CSO Perspectives episode.
And I have to say, I am glad that you came on the show today to talk about it
because it's been a while now that I've noticed that when I'm bopping around on the internet and
trying to log into a site, let's say, I don't know, Twitter, for example, it gives me a few
options. It says I can enter my credentials right onto Twitter, which is what I normally do.
But then there are this list of other options to choose from where you can use one of the many
big Silicon Valley giant companies like Google or Apple or Facebook. I mean, I refer to them as the
usual suspects. That's exactly right. Yeah. And you can use them to log in. Now, I never do that
because I'm afraid that they're just trying to collect more information. Honestly, I have to say, I feel snakebit from back in the early days
when I took Facebook at its word and I uploaded my entire address book
because I thought, well, that'd be convenient.
And we all know how that worked out.
So it's a long way to ask you, is that fear legitimate?
Are they collecting my credentials for some ad campaign?
Are they tracking me as I go around the web?
Like, to what degree do I need to be worried about these folks offering up, you know, making it easy for me to log in?
Is there a penalty there?
Well, I totally understand that feeling.
And, you know, I thought that, too, in the past.
I've really been worried about it.
So, for this week's CSO Perspectives podcast, I looked into it and come
to find out that's not what's going on here. Thank goodness. All right. So what you're looking at
is one version of a concept called single sign-on, one of the holy grails that the InfoSec community
has been chasing since the beginning of the internet days, right? And it looks like we finally
got it. So Google is not collecting my Twitter credentials
then? No, they're not doing that, okay? But Twitter is taking advantage of the situation that you most
likely have already logged into your Google account before you try to access Twitter. Through
a standards protocol called OAuth, you've probably heard this, people talking about this, you know, in the
hallways, you know, getting water and stuff. Twitter asks you to go get an asymmetric key from Google
that will vouch for your digital identification at Google. So, you ask Google for the key when
you click that button on the Twitter logon site. Google sends it through you to Twitter, and since
Twitter trusts Google to be the authoritative source for your digital identity,
Twitter logs you in. No fuss, no muss, and you don't have to remember your Twitter credentials
or any of the other thousands of other website credentials that you probably have.
So in this week's CSO Perspectives episode, you're going to give us all the details on all how this works, all the nitty gritty, right?
Yeah, and that's right.
And we're also going to discuss OAuth's big sister called SAML, okay, or Security Assertion Markup Language.
And it's the way to do single sign-on in your enterprise.
It doesn't work exactly the same way, but it's the same concept.
All right.
Well, I look forward to that.
Listen, before I let you go, why don't we check in here on what the word of the week is on your Word Notes podcast?
Yeah, this is a good one. It's one of my favorite topics of all time. We're going to talk about the MITRE ATT&CK framework. So if you've been leery about what that thing is I ever had. I think we were sitting together at RSA a few years ago, long before.
This is when you were still at Palo Alto, before being a member of the CyberWire team was just a gleam in your eye.
We talked about the MITRE ATT&CK framework, and you were cheerleading it, you know, all those years ago.
I know, you know, it's become the de facto standard for open source cyber intelligence on all known adversary campaigns, right? And if you're looking to improve your defenses, that's the place to get the info. And I am happy to be a cheerleader on the sideline to get people to use this.
Yeah, absolutely. All right. Well, the show is CSO Perspectives. It is part of CyberWire Pro.
You can find that on our website, thecyberwire.com.
While you're there, check out WordNotes as well.
Rick Howard, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ThreatLocker gives you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Dinah Davis.
She is the VP of R&D Operations at Arctic Wolf.
Dinah, always great to welcome you back to the show.
You and I recently spoke about some DDoS attacks.
We were chatting about reflection amplification attacks.
I want to continue that conversation and get your take on what organizations should be doing to best defend themselves against DDoS attacks.
Yeah, so they pretty much are, they're very overwhelming, right?
You get hit by all kinds of packets. How
do you come out from under that? Right. And so, you know, there's, there's three or four
different things you can do depending on, you know, what stage you're at. Right. So let's say
you haven't put much in place at all. Well, you might want to do something like, and you're
getting attacked. You might want to do something called blackholing or sinkholing, which is basically you just block all the traffic and drive it into a black hole where it's basically discarded.
And so that at least stops the attack on your site.
The problem with that is it also stops all the good traffic from coming to your site as well.
So you're still DDoSed, but you're not handling that flow or maybe getting charged for all the Amazon. Like if you're using Amazon Cloud
and you're trying to process all that data, you're not getting charged with overages on high data
rates and stuff like that, right? So at least that stops that kind of thing from happening. It stops
overloading your servers on the inside. And so it can be a good thing to do. You should always have
routers and firewalls set up, right, to limit the data that you allow to your website and your
organization. They can at least filter out the non-essential protocols and stop stuff from invalid IP addresses.
The problem is that firewalls and routers can block from specific IP addresses, but they can't easily protect from IP spoofing, where they might be changing the IP address constantly in the code that they're using to attack you.
So you can't easily just block like one IP address and make it end, right? So they're good to have in place, but they don't always help you out of the situation if they're using IP address spoofing, right?
Mm-hmm, mm-hmm.
What else?
You can set up your servers to be configured
so that they only talk with specific applications.
So if your servers are trying to, are getting,
so let's say you're getting some random DDoS,
like where you're just getting all kinds of traffic.
Well, if your servers only talk to specific types of packets
because they only talk to specific types of applications,
they're just going to ignore the cruft.
So that's another good thing.
And even like that's also a really good thing
just from a security perspective, right?
Like if you know your server should only be talking
to specific applications with specific packet types,
don't let them talk to anything else. That's just asking for trouble, right?
There are some DDoS mitigation appliances that you can get that, you know, they're dedicated to sanitizing traffic and building DDoS, you know, mitigation functionality.
Oftentimes some of your legitimate traffic can get dropped with these as well.
So I don't think there's one like wipe the magic wand.
But one last thing you can do is you can over-provision.
So the best thing would be,
can your service just handle
that traffic, right? If you, if you are able to scale your service up in a way that it just
handles it, the good stuff will still come through and you just handle the load. Right.
And one of the problems with that is if, if you're, especially if you're building your own infrastructure, that's a high capital, right?
Right. Yeah. And as you mentioned at the outset, the cost, even if you're using cloud services, your costs that are being provisioned on the fly, you could get a big bill at the end of the month.
Right, exactly. So there are some services that you can work with that you can get a better deal for when this might happen. So it lets you buy on demand, but not premium on demand. And you can make them more cost effective and you can expense instead of buying all that stuff from in the beginning, right?
So it depends, you know, in my opinion, like which route you take here depends on what your website does, right? If you're a critical infrastructure, like for example,
depends on what your website does, right? If you're a critical infrastructure, like for example,
maybe you're the 911 dispatch, well, then you want to make sure
that the good traffic can still come in.
And so you might go with the over-provisioning
and pay those costs if that happens.
If you're a site that if you went down for a day,
your customers are still going to be fine.
Like maybe you're a store and you're selling stuff,
you're going to lose some revenue,
but you wouldn't sell as much as it's going to cost you to keep that data running through,
then the answer might be to black hole it.
Yeah. I mean, it's an interesting, I guess, risk analysis, right? Is my perception correct that, you know, the tools are out there that, as you mentioned here, there are a number of options that people have? So if you have the means, DDoS doesn't necessarily have to be the crippling thing that it once was.
Correct. That's true. That's true.
All right. Well, Dinah Davis, thanks for joining us. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Ervin, Rachel Gelfand, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.