CyberWire Daily - Moscow poorly served by its intelligence services, say London and Washington. Cyber phases of the hybrid war. A new zero-day, and some resurgent criminal activity.

Episode Date: March 31, 2022

Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4Shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with “emergency data requests.” Lapsus$ may be back from vacation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/62

Selected reading.
Vladimir Putin is being lied to by his advisers, says GCHQ (The Telegraph)
U.S. intelligence suggests that Putin’s advisers misinformed him on Ukraine. (New York Times)
White House: Intel shows Putin misled by advisers on Ukraine (AP NEWS)
Russian troops sabotaging their own equipment and refusing orders in Ukraine, UK spy chief says (CNBC)
Phishing campaign targets Russian govt dissidents with Cobalt Strike (BleepingComputer)
KA-SAT Network cyber attack overview (Viasat.com)
Tracking cyber activity in Eastern Europe (Google)
Ukrainian Hackers Take Aim at Russian Artillery, Navigation Signals (Defense One)
Russian efforts in Ukraine have not yet spilled over into cyberattacks on US, says lawmaker (C4ISRNet)
New Spring Framework RCE Vulnerability Confirmed - What to do? (Sonatype)
New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared (Contrast Security)
Spring Core on JDK9+ is vulnerable to remote code execution (Praetorian)
Spring4Shell: No need to panic, but mitigations are advised (Help Net Security)
Remcos Trojan: Analyzing the Attack Chain (Morphisec)
Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg)
Fresh Phish: Phishers Schedule Victims on Calendar App (INKY)
Lapsus$ claims Globant as its latest breach victim (TechCrunch)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4Shell is another remote code execution problem.
Starting point is 00:02:15 The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with emergency data requests. And Lapsus$ may be back from vacation. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 31st, 2022. Citing research by Malwarebytes,
Starting point is 00:03:06 BleepingComputer describes a large-scale phishing campaign directed against potential Russian dissidents. It seems to be an internal security measure intended to keep an eye on dissatisfaction with the war and to offer a measure of insurance against the possibility of insurrection or a coup d'état. A malicious RTF file attached to a phishing email carries either a Cobalt Strike or PowerShell payload. Employees of certain agencies are of particular interest to those carrying out the campaign, and it's interesting to see how many of them work
Starting point is 00:03:40 for either educational organizations or regional authorities. Viasat has provided more information on the cyber attack against ground terminals that knocked its satellite Internet service offline in Ukraine and in other parts of Europe during the early stages of the Russian invasion. The company says it's working to fully restore service to affected customers and that it's taking other steps to shore up its resilience. Those steps it's prudently not sharing since it doesn't wish to give the attackers insight into Vyazat's own defenses. Defense One reports that Ukrainian operators, hacktivists of the Cyberpan
Starting point is 00:04:20 Ukraine group, say they've found weaknesses in Russian tactical battle management systems that render them susceptible to disruption by interfering with their ability to use GLONASS systems. GLONASS is the Russian equivalent of the more familiar US GPS. They also hint that they're exploring ways of directly interfering with Russian artillery computers and that they've identified some possibly exploitable weaknesses in those systems. This wouldn't be surprising. Russia did it to the Ukrainians a few years ago. During the early stages of the Donbass insurrection, Russia fomented and supported. CrowdStrike reported that Russian operators were able to gain access to Ukrainian fire direction systems.
Starting point is 00:05:06 Russia's war against Ukraine has yet to spill over in any significant ways to other sections of cyberspace, but the U.S. remains on alert, C4ISR reports. And of course, cyber threats continue to be active in and around the active theater of war. Google's threat analysis group has published an update on cyber threats in Eastern Europe. Some are criminal and some are state-directed. Among the state-directed activity is an uptick in Chinese cyber espionage seeking to collect intelligence on the war. Sonotype and Contrast Security report confirmation of the Spring for Shell remote code execution zero-day.
Starting point is 00:05:48 It's a vulnerability in SpringCore, a widely used framework for building Java-based enterprise applications, and a proof-of-concept has been circulated online. Praetorian researchers say that the exploit bypasses an incomplete patch for CVE-2010-1622, which is an old code injection vulnerability in SpringCore that affects SpringCore on Java Development Kit version 9 or later. It's serious, but as HelpNet Security notes, it's not grounds for panic, and remediations are available. Security firm Morphosec has discerned a resurgence in the Remco's Trojan. The phishing emails represent themselves as payment remittances from financial institutions, including Wells Fargo, FIS Global, and ACH Payment.
Starting point is 00:06:39 The fishhook is a malicious Excel file. Security firm Inky this morning described how criminals have been able to abuse Calendly, a freemium calendaring hub, by inserting malicious links into event invitations. The crooks are using brand impersonation to distribute a credential harvesting link. Many of the invitations are arriving from compromised email accounts, which has enabled them to slip by some defenses. Bloomberg reported late yesterday that forged emergency data requests last year induced Apple and Meta to surrender basic subscriber details, such as a customer's address, phone number, and IP address. None of the companies who were affected by the scam are without experience in handling requests from law enforcement,
Starting point is 00:07:30 and they all have policies in place to prevent this sort of thing from happening. But emergency data requests are a bit different. They're issued in special circumstances by law enforcement agencies when they're concerned about a clear imminent danger, and they can be issued without the usual legal and judicial review. So urgency here, as in so many other cases, seems to have served to lower the victim's guard. Researchers suspect that some, perhaps all, of those responsible for the caper were minors in the UK and the US, some of whom may also be involved with the Lapsus group, others with the Recursion team.
Starting point is 00:08:17 And finally, speaking of Lapsus, the gang, or someone claiming to be the gang, seems to have returned from the vacation it took after seven of its alleged ScriptKitty leaders were arrested last week. TechCrunch describes the group's attack on software consultancy Globant. Lapsus has pushed a 70-gigabyte torrent file in its Telegram channel that the gang claims to have stolen from Globant. The hackers also say their take included Globant's Corporate Customers Source Code. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:09:06 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Thank you. $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:10:19 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. As the focus on security and software development continues to increase, some say it's time to assign an official cybersecurity champion role to someone on the development team. Fleming Shi is chief technology officer at Barracuda Networks. He shares his perspective on security champions. He shares his perspective on security champions.
Starting point is 00:11:14 To me, it's actually for every department that has anything to do with software development or any type of operational components. The champion's job is not in a way to, you know, block things, but actually assert cybersecurity practices. You know, what we call the best practices in the very early stages of either design or planning. So it's less of a behind-the-scenes person, but more involved in a conversation in initial architecture of doing any type of digital work. So to me, for engineers, for example, cybersecurity champions will be the ones that identify certain behaviors and maybe identify certain data processing behaviors or software behaviors, even vendors that needs to be used or maybe open source projects that's going to be included in the design, basically know, basically have a conversation
Starting point is 00:12:05 around that. So build up the security awareness or compliance awareness. Sometimes, you know, it could be in a form of describing certain security practices or policies. Sometimes could be also identifying the classification of the data. Could it be critical, you know, in terms versus, you know, data that's intransient. Those type of conversations need to happen early. So the champion's job is to nurture and really kind of drive awareness in the very early stages of the software development cycle. It seems to me like a certain amount of diplomacy would serve someone well in this role as well.
Starting point is 00:12:47 You know, so the team doesn't see this person coming and say to themselves, oh, boy, here comes, you know, here comes cybersecurity champion Bob or Betty and, you know, let's all run the other way. That's right. I 100% agree with you. So there's a lot of diplomacy required or basically soft skills required to actually do this type of work and do it successfully. Because we have talked about this in the past where security sometimes is viewed as a disruptor in innovation. So I think you want to innovate with security in mind. And that's what we need to kind of weave together and kind of get the team working together. Sometimes the cybersecurity champion could actually seed from existing development team or operations team where they're starting to build up that level of awareness and
Starting point is 00:13:37 understanding. So, you know, even if you do this early, there's going to be much more clear path for you to actually get to market, right? Because if you do this early, there's going to be much more clear paths for you to actually get to market, right? Because if you do this early, you will have a plan for how data is processed. And you can also talk about all the open source components and why you chose this path because it's better for security and compliance, right? So once you have all those in place, actually the job gets easier towards them because you have transparency, you have information, you have the ability to really kind of ensure your legal department or to your customers you have certifications that you can get to quicker. So I believe doing it up front is better instead of kind of just, oh, build a whole bunch of things and do some pen testing and hope it's okay. Right. How do you measure success?
Starting point is 00:14:29 How do you know that the programs you put in place are being effective? I think that's a great question, partially because it's something new. I will say you have to really kind of apply it based on the context. So for software development, obviously adding security, one way I will measure is adding security towards the end, maybe going through months and months of pen testing back and forth and fixing things versus if you do it early, you probably have a shorter development cycle to get to market, right? That's one way to measure it. It's basically doing it early, having everything ready by the time you're getting to the point where you're doing the pen test and
Starting point is 00:15:10 the outcome is amazing. We actually had that kind of experience at Barracuda where we were surprised how secure the product is once it's done because we have applied security all along from architectural perspective to design to implementation to you know all the functional requirements and all the things added together so point there is that you can measure based on the success of delivery of the software the other one is obviously using metrics that you can gain you know know, along the way from, you know, testing security on top of like pen testing is absolutely still required. And from that point on, you just get to that agile component of the development cycle, and hopefully security doesn't become
Starting point is 00:15:58 a friction for you. That's Fleming Shih from Barracuda Networks. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ulrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Starting point is 00:17:13 Johannes, it's always great to have you back on the show. I wanted to touch today on attack surface detection. What can you share with us? Yeah, so one problem a lot of smaller business and enterprises are struggling with is, what are we exposing to the internet? Now, for enterprises, that usually means hiring some fairly expensive service and software in order to do that for you. Smaller businesses, there are a couple of cheap or even free options that you can use in order to figure out what are you exposing to the internet. What kind of stuff do you recommend?
Starting point is 00:18:01 Actually, my favorite, even though that requires maybe a little bit more work to set up, is Seek. Seek is really an intrusion detection system. It summarizes everything that's sort of happening on your network, but it has a couple of neat reports or logs it generates of all the known services it sees, new hosts it sees in your network, or also software, so software versions and such. It does that by looking at the banners.
Starting point is 00:18:22 If you want a little bit simpler setup here, there's something called Security Onion, It does that by looking at the banners. If you want a little bit simpler setup here, there's something called Security Onion, which is a bootable Linux CD, also as a virtual machine, that sort of has Seek and a bunch of other tools pre-configured for you to not just detect attacks, but also any new services that you have on the more active side,
Starting point is 00:18:43 doing occasional scans with tools like Nmap of your network aren't a bad idea. Of course, in order to do that, you need to know what IP addresses you have. For a smaller organization, it's usually not a big problem. For enterprises, this can be a real issue. One question here I have also for people who are doing this, how you're dealing
Starting point is 00:19:05 sort of with people working from home. Are you scanning your home users occasionally? Because the kid may have set up some gaming platform or whatever in the same network that's now being exposing ports here. Yes. Yes. Yes. You have seen it happen. Yes. But of course, there are a couple of legal and technical issues you may want to request. You don't want to take down the kid's gaming platform. No. I know, service level agreements with home networks
Starting point is 00:19:40 are a little bit tricky there. Right. And then there are actually some services that actually do it for you, like Shodan, Census, and RiskIQ and such collect some of that data. Some of it you can get for free, some of it relatively cheaply. But you basically tell them,
Starting point is 00:19:55 hey, these are the IP addresses that I have. Just send me an email whenever you find something new with that. What degree of technical expertise do you have to have to use something like this? I'm thinking of that mom-and-pop shop who kind of sits at the lower end
Starting point is 00:20:11 and can't afford to have a full-time IT person. Is this something they could likely handle? Maybe. Shodan and such platforms are roughly easy to set up. The problem comes once you get an email from them alerting you of an exposed service. How do you really make sense of that? How do you figure out what you're exposing here?
Starting point is 00:20:31 I would hope that a company like this may have some IT person that is managing some of that for them on a part-time basis or as a managed service. Yeah, yeah. Money well spent, right? To know a person to have on call.
Starting point is 00:20:51 All right. Well, Johannes Ulrich, thanks so much for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Kiril Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:21:37 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
