CyberWire Daily - More cyberespionage in Russia. Advice on conducting propaganda. Iranian group conducts DDoS against Port of London Authority. News from the underworld. CISA alerts. Operation Delilah.
Episode Date: May 25, 2022

More cyberespionage targets Russian networks. Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin. A politically motivated DDoS attack hits the Port of London Authority website. Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors? RansomHouse may be operated by frustrated bounty hunters. Kevin Magee from Microsoft sets his security sights toward space. Our guest is Mathieu Gorge of VigiTrust to discuss the threat of printer hacks. Operation Delilah trims SilverTerrier's locks.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/101

Selected reading.
Unknown APT group has targeted Russia repeatedly since Ukraine invasion (Malwarebytes Labs)
Hackers target Russian govt with fake Windows updates pushing RATs (BleepingComputer)
Researchers Find New Malware Attacks Targeting Russian Government Entities (The Hacker News)
Ukraine May Use Lincoln Project's Anti-Trump Tactics Against Putin (Newsweek)
Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (HackRead)
REvil Resurgence? Or a Copycat? (Akamai)
RansomHouse: Bug bounty hunters gone rogue? (Help Net Security)
Data theft gang RansomHouse might be 'frustrated' white hat hackers, researchers claim (Tech Monitor)
CISA Adds 20 Known Exploited Vulnerabilities to Catalog (CISA)
CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog (Security Affairs)
Rockwell Automation Logix Controllers (CISA)
Matrikon OPC Server (CISA)
Mitsubishi Electric FA Engineering Software Products (Update D) (CISA)
Mitsubishi Electric Factory Automation Engineering Products (Update F) (CISA)
Suspected head of cybercrime gang arrested in Nigeria (Interpol)
Interpol arrests alleged leader of the SilverTerrier BEC gang (BleepingComputer)
INTERPOL hauls in alleged Nigerian cybercrime ringleader (CyberScoop)
Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor (Unit42)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
More cyber espionage targets Russian networks.
Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin. A politically motivated DDoS attack hits the Port of London Authority website.
Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors?
RansomHouse may be operated by frustrated bounty hunters.
Kevin Magee from Microsoft sets his security sights toward space. Our guest is Mathieu Gorge of VigiTrust to discuss the threat of printer hacks. And Operation Delilah trims SilverTerrier's locks.

From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 25th, 2022.

Malwarebytes researchers have posted more information on a cyber espionage campaign being run against Russian organizations.
The operation implants a remote access Trojan via phishing emails. The phish bait is a bogus security alert, and the emails caution recipients not to open or reply to suspicious emails, which seems a nice touch. A number of recipients appear to have been in the Russian media, notably working at RT TV. Malwarebytes is cautious about saying who's behind the campaign. There are some signs that point to Deep Panda, but there are also code overlaps with TrickBot and BazarLoader and other weak indicators pointing to the Lazarus Group and Tropic Trooper, but some or all of these could be incidental or even deliberate false flags. The researchers conclude attrib

Mike Madrid and Ron Steslow, co-founders of the anti-Trump Lincoln Project, which they exited as the group became fractious,
are talking with Ukrainian officials about propaganda techniques that might work against authoritarians like Russia's President Putin.
According to Newsweek, they're not taking money from Ukraine, but are simply discussing a campaign of mutual interest. Madrid and Steslow see the central weakness of an authoritarian regime as its dependence on an image of intimidating
competence. The way to beat these guys is to humiliate them, to turn them into a jester,
turn them into a clown, they advise, and say it's a mistake to portray an authoritarian leader as demonic.
Better to show them as a malign bozo than Milton's Satan.
Or, if you prefer Martin Luther's advice from his table talk,
the best way to drive out the devil, if he will not yield to texts of Scripture, is to jeer and flout him, for he cannot bear scorn.
An Iranian group has claimed responsibility for a distributed denial-of-service attack that interfered with the Port of London Authority's website. The authority acknowledged the incident but said that operational systems were unaffected. The group that said it was behind the attack, the ALtahrea team, is a nominally hacktivist group, HackRead says, that operates under the direction of the Iranian government.
Akamai reports that one of its clients has fallen victim to a distributed denial-of-service attack
at the hands of a threat actor claiming to be REvil.
The attack contains a wave of HTTP/2 GET requests with demands for payment embedded in them, as well as a Bitcoin wallet. The attached Bitcoin wallet, however, has no history and no connection to REvil.
Researchers noted that this attack seems smaller in scale than most REvil attacks and seems to have a political purpose, which is something not seen before with the group.
It's also a DDoS attack, which is outside the old REvil playbook.
REvil had been known for its ransomware-as-a-service offerings in the C2C market.
Akamai thinks there are a number of possibilities here.
Either the operation is an imposture, trading on REvil's remaining reputational equity to spook its victims,
or it's REvil revived, back and looking into new approaches to crime,
or perhaps it's a splinter group of REvil alumni, getting part of the band back together.
In any case, the recent attacks and the techniques they display bear watching.
RansomHouse, a new extortion gang, skips the data encryption customary with conventional ransomware operators and extorts victims by data theft and the threat of doxing. Researchers at Cyberint, who've been tracking the group, note that it claims an elevated purpose. RansomHouse objects to the way organizations don't devote enough resources to security and hopes to shove them in the direction of better practices. RansomHouse also objects to what it views as a cheapskate tendency with respect to bug bounties, and this suggests to Cyberint that the members of the gang may be frustrated bounty hunters. White hats gone bad.
Cyberint says, throughout their entire introduction process, RansomHouse sees themselves as the ones who do what's right and makes excuses such as the organizations are the ones to lead us to these actions as they are avoiding taking any responsibility. RansomHouse is practically forcing penetration testing services on organizations that never used their services or rewarded bug bounties. And once they find any vulnerabilities, they fully exploit them to steal as much sensitive data as possible. Ironically, RansomHouse announced on their Onion site that they are pro-freedom and support the free market, but on the other hand, they punish organizations that choose to not invest in their protection systems.
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency issued four Industrial Control System security advisories, and for immediate action by U.S. federal civilian executive agencies, CISA yesterday added 20 issues to its Known Exploited Vulnerabilities Catalog, joining the 21 vulnerabilities added Tuesday. The agencies CISA oversees are expected to scan for and fix the vulnerabilities and to report completion by June 14th and June 13th, respectively.
And finally, a joint operation by Interpol and the Cybercrime Unit of the Nigeria Police Force has concluded a year-long investigation into the SilverTerrier business email compromise gang by arresting the man they believe is the gang's leader. The investigation, which the police called Operation Delilah, was assisted by three private companies, Palo Alto Networks, Group-IB, and Trend Micro. Palo Alto's Unit 42 blog provides some interesting perspective on how closely and relentlessly the investigators tracked the unnamed suspect's activities. Emailed comments from Group-IB highlighted the benefits of public-private cooperation in breaking cybercrime cases. The company's CEO, Dmitry Volkov, said in a statement, prompt threat intelligence sharing, private-public partnership, and effective multi-party coordination by Interpol's Cybercrime Directorate were crucial to the success of the operation. Congratulations to Interpol, the Nigeria Police Force, and their private sector partners, and may you make many additional collars.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
For nearly as long as there have been computers in business settings, there have been printers.
Those of us of a certain age may have fond memories of tractor-fed dot matrix printers or even daisy wheels.
These days, many printers are computers in their own right, often with network access, and that means they deserve security scrutiny. Mathieu Gorge is founder and CEO of security risk management firm VigiTrust.

They're often forgotten as one of the devices that
actually is used to either transfer, manipulate, or store data.
And then on top of that, a lot of the printers are now wireless printers,
and some of them are even smart printers in a way that they belong to the deployment of a smart office or a smart home. So as you can see, the risk surface that started with some sort of a very private connection for one single function
is now completely different. We've got like risk exposure because if you don't purge the hard drive,
you can actually replay all of the jobs that have been printed or scanned or whatever, you can link a document from a printer into your email or your fax service.
And therefore, those services are probably part of your disaster recovery
and business continuity plan.
So all of the data is backed up.
And you can see that you can start with one document with confidential information.
And that document ends up
on your cloud storage facility, it might end up on your email service, and so on and so on.
So you went from one single piece of data to multiple pieces of data, some of which will never be protected.

So what are your recommendations in terms of both making a purchasing decision, but then also securing that device once it becomes part of your network?
So there's always kind of a disconnect between making employees' lives easier because they can work, the iPads, the laptops and so on. You also need to include those devices that are multifunctional printing and document capture devices. Granted, it doesn't sound half as sexy as looking at managing 10,000 remote points, but it's actually super important.
The next thing to do is to treat them a little bit like a firewall, right?
So with a firewall, you only let the traffic in and out if you think there's a business justification. And then you put in security levels on top of it. Multi-factor authentication, increased login, maybe file integrity software, that type of stuff. You can do the same with the printers.
Your printers, obviously your network printers or the networks used to
deal with confidential data must be behind the firewall.
I would recommend that you use some functionality such as follow me printing, which is where
let's say I'm traveling from Dublin to New York and I have to go to a meeting to negotiate
contracts and so on. Instead of printing the contracts, bringing them with me,
and I could lose them at any point during the trip,
I go to my office in New York, I authenticate, the job is there,
it's encrypted, nobody else could get it, and at least it's there in the office
and I didn't have to travel with it.
I would also recommend that you use the native logging functionality that comes
with the multifunctional device. And of course, that you purge the hard drive automatically at a
very regular interval, probably every 30 minutes would be the norm in the industry, but it could
be shorter than that depending on the data. You should also include secure printing and secure document capture best practices in
your security awareness training.
Same way as you train people to not fall for phishing scams, they should be aware of what's
happening at the printing device level.
And of course, the overall process needs to be incorporated in your
technical policies and procedures and in any type of incident response plan, because an incident
could be linked to an issue with the printer or with the device. Maybe somebody stole the device,
maybe the device was purged in time or whatever. So that could potentially become an incident for your organization.
So it needs to be part of the incident response plan.
That's Mathieu Gorge from VigiTrust.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And joining me once again is Kevin Magee.
He is the Chief Security Officer at Microsoft Canada.
Kevin, it's always great to welcome you back to the show.
I wanted to touch today on some of the developments that we are seeing when it comes to space.
On our side of the border, we have famously spun up a space force.
And it seems like more and more communications.
We've got Internet providers, Elon Musk's big activity of launching all of his satellites into space. So
it's sort of a hot area right now. And I wanted to check in with you to see
what kind of stuff you and your colleagues are tracking when it comes to space.
Thanks for having me back, Dave. And I thought Space Force was canceled on Netflix or whatnot.
I thought I heard that. But that'll keep up on these things. But I really think we are at this moment with
space technology, about 1993-94 with the internet, where we're developing all of these new technologies.
They're starting to go mainstream in commercial businesses. And it's only a matter of time before
we start launching the Raspberry Pi equivalent of satellites. And I think it's going to happen
sooner rather than later.
So there's an opportunity right now to start thinking about
how do we correct the mistakes we made with an open internet
and having to sort of revamp security as we went,
as we rush into the space era,
how do we start to build it secure by design?
And I'm starting to have many, many more discussions
with senior leaders about these very topics as we see space technology, GPS, communication satellites,
start to weave their way into critical business processes.
What sort of things are you seeing here? I mean, can you give us an example of a use case where
satellite communications are critical to someone's business?
Sure thing. I had my first epiphany, I think, my ghost fleet moment, as Peter Singer and August
Cole would say, when I read Ghost Fleet. And the opening chapter was sort of a thought experiment
about how an adversary would attack the U.S. And the first thing they did was take out the
communication satellites. And when you say take out communications, that's kind of a broad term. When you start to really
dig in and what effect that would have, it wouldn't just affect the military, it would affect
businesses, it would affect hospitals, it would have incredible additional effects. So I started
using this in my boardroom cyber risk education sessions. I call them rapid fire tabletop
exercises, where I throw out a scenario
and say a solar flare, not even an adversary, but a solar flare takes out a large portion
of the communication satellites of the world. How would that affect your organization?
And the initial response is it wouldn't. But as we start to take apart major critical business
situations, we see bank ATMs are updated, primarily with satellites
in remote locations, satellite phones, all sorts of critical business systems are unknowingly running
through satellites that we're not aware of. And if we're not building that into our resiliency
plans as organizations, then we're leaving a huge gap open to these potential technologies
right now.
Imagine where we'll be in 10, 15 years reliant on space technologies.
Well, who do you suppose should take responsibility for this function?
I mean, is this a government thing?
Is this, you know, again, here in the States, would this be a federal communications type of thing?
Is this NASA, the military?
Who should lead the way?
Well, I think we all have a role to play. One private sector, of course, when we're building
these products, we should build them secure by design. Microsoft is beginning to develop some
of these products. And we've actually come up with a preview, something called the Azure Orbital
Ground Station Platform. And we're going to cloud enable your ability to build out a satellite infrastructure.
We actually launched a new software-as-a-service version
of this product as well, too.
So we're leveraging new technologies
and new design platforms
that we can build in Secure by Design.
So leveraging some of these platforms like cloud and whatnot
to build Secure by Design is going to be key as well.
On the legislation side, interesting, the U.S. has a Satellite Cybersecurity Act, which I think is
quite interesting, that has asked the government to go back and look over a year of what effectiveness
the efforts of the federal government is having in improving security for satellites,
what resources are being made available to the public, but more importantly, to what extent commercial satellite
systems are reliant or being relied on by critical infrastructure, and analyzing what the threats are
to your overall critical infrastructure and what contingency plans can be put in place.
So I like this act because it's asking the right questions at the right time. I'd like to see more
larger organizations, especially critical infrastructure organizations, just ask the similar questions. And I think you'll be stunned by some of the answers that are coming up much faster in this area than you believe.
sitting on boards of organizations should bring this up as a discussion point.
You know, hey, this may sound out of left field,
but to what degree are we relying on space infrastructure?
I think that's the role of boards and in governance is to really run through some of those scenarios.
And often, too, we go to what we know, which is finance and risk and whatnot.
And some of these attempts to discuss it
might feel a little weird at first.
Where, like I mentioned Ghost Fleet earlier,
which is Peter Singer and August Cole's work,
is storytelling to really communicate some of these ideas
and to bring home some of these concerns.
So if you can talk to your board about this
and you can bring in some real use cases or you can bring in some representative news stories or whatnot to really tell the story of what is happening out there, other than going to Star Wars and how you could have better protected the Death Star, how can we make it real for them?
How can we make them understand it?
How can we attach it to risks associated with real business processes?

Yeah, just make sure you don't have an exhaust port that's only two meters wide, right?

And if you're going to have that exhaust port, Dave, don't put a stateful inspection firewall that'll let one proton torpedo through.

Fair enough. All right, Kevin Magee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.