CyberWire Daily - Notes on the cyber aspects of the ongoing hybrid war. DDoS in the Marshall Islands. Lapsus$ Group post mortems. US FCC sanctions Kaspersky. CISA adds Known Exploited Vulnerabilities to its Catalog.

Episode Date: March 28, 2022

Preparing for the spread of cyberattacks. A look at cyber operations in the hybrid war. C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ Group. Lapsus$ under the law enforcement microscope. The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/59

Selected reading.
‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts (CNN)
Russia hacked Ukrainian satellite communications, officials believe (BBC News)
Chinese cyberattacks on NATO countries increase 116% since Russia's invasion of Ukraine: study (Fox Business)
Why hasn't Russia used its 'full scope' of electronic warfare? (Breaking Defense)
Russian troops’ tendency to talk on unsecured lines is proving costly (Washington Post)
Marshall Islands telecom service hit by cyber attack (RNZ)
Okta: "We made a mistake" delaying the Lapsus$ hack disclosure (BleepingComputer)
Who is LAPSUS$, the Big, Bad Cybercrime Gang Hacking Tech's Biggest Companies? (Gizmodo)
FCC puts Kaspersky on security threat list, says it poses “unacceptable risk” (Ars Technica)
U.S. FCC adds Russia's Kaspersky, China telecom firms to national security threat list (Reuters)
CISA Adds 66 Known Exploited Vulnerabilities to Catalog (CISA)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 A look at cyber operations in the hybrid war, C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ Group. Lapsus$ is under the law enforcement microscope.
Starting point is 00:02:17 The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its Known Exploited Vulnerabilities Catalog. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 28, 2022. Western governments continue to warn that Russian cyber attacks remain a real possibility and that organizations should prepare to defend themselves. CISA Director Jen Easterly put it this way to CNN over the weekend. She said,
Starting point is 00:03:17 All businesses, all critical infrastructure owners and operators need to assume that disruptive cyber activity is something that the Russians are thinking about, that are preparing for, that are exploring options, as the president said. That's why we are so focused on making sure that everybody understands the potential for this disruptive cyber activity. And it's not about panic, it's about preparation. The largest Russian cyber operation of the hybrid war so far still seems to be interference with Viasat ground stations, now pretty clearly attributed to Russia's GRU military intelligence service. There was some spillover of this attack into neighboring countries.
Starting point is 00:03:58 Other parties not directly involved have stepped up cyber espionage during Russia's war against Ukraine, as they might be expected to do in any period of crisis and heightened tension. Chinese attempts against NATO networks, for example, are said to have risen by 116% since Russia invaded its neighbor. Russia's failure to execute the widely expected intense cyberattacks is joined by another small but probably related mystery. Why hasn't Russian electronic warfare, particularly jamming, been more in evidence? Breaking Defense reports that Ukrainian command, control, and communications have gone largely undisrupted. Why that's so isn't entirely clear, but the matter is less mysterious than Russia's failure to engage in widespread cyberattacks against Ukrainian infrastructure.
Starting point is 00:04:52 Among the possible reasons, which aren't mutually exclusive, for a lack of jamming are concern that jamming Ukrainian comms would also interfere with Russian comms. Both armies use common or adjacent portions of the electromagnetic spectrum, and jamming must be highly directional to avoid interfering with one's own forces. Such directional jamming might not be feasible when opposing forces interpenetrate one another to the extent seen in Ukraine. They may not want to interfere with cellular communications when both sides are using them. There may be a desire to continue to monitor enemy communications because intercepting them is yielding valuable intelligence.
Starting point is 00:05:32 There may be resistance of some Ukrainian tactical communications to jamming. Some of the sources Breaking Defense talked to think that Ukraine may have received enough jam-resistant radios from the West to give Russian electronic warfare units difficulties. And finally, simple combat failure. This seems unlikely since Russian electronic warfare capabilities have for decades been highly regarded, but it's a possibility, especially given the extent of the combat failures on display elsewhere. In a related problem, the Washington Post reports that Russian units are apparently
Starting point is 00:06:08 making extensive use of insecure tactical communications, which has enabled Ukrainian forces to collect against and target Russian formations. Last Wednesday, Internet service on the Republic of the Marshall Islands began to sustain rolling distributed denial of service attacks. RNZ reports that home, business, and government DSL and dedicated lines, as well as mobile 4G services, became intermittent or non-functional, forcing the National Telecommunications Authority to repeatedly issue messages updating customers about intermittent disruptions and urgent maintenance needed to restore service. By Friday, the NTA had concluded they were under DDoS attack.
Starting point is 00:06:53 NTA CEO Tommy Kijiner Jr. said, After several days, it became apparent that NTA systems were shutting down as the result of a large-scale distributed denial-of-service attack. The attackers and their motives remain unknown, although Mr. Kijiner speculates that Russia might be a suspect. Why Russia would have any interest in meddling with Internet service in the Marshalls is unclear. In any case, recent reports indicate the attacks are over and service has been restored to normal. Okta has published a detailed timeline of the attack it sustained in January from the Lapsus$ Group.
Starting point is 00:07:35 The company traced the incident to a compromised account belonging to a Sitel employee, and the company also acknowledged that it was a mistake to have delayed notification of its own customers. Okta's statement said, We want to acknowledge that we made a mistake, explaining that they didn't initially recognize the extent of the issue. At that time, we didn't recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. Had they realized the extent of the threat, Okta said, they would have made a different decision.
Starting point is 00:08:06 Several arrests have been made in the Lapsus$ case. They're all teenagers, and the case indicates the degree of damage relatively inexperienced attackers can work. Gizmodo over the weekend took a look at a paradoxical criminal operation that took advantage of weaknesses in their targets, which were by no means amateurish, bereft, or ill-prepared organizations, and caused considerable disruption to their operations. At the same time, the Lapsus$ gang showed an ultimately fatal inattention to its own security, leaving clues that enabled law enforcement to run them to ground much faster than would have been the case with more sophisticated professional criminal organizations. The U.S. Federal Communications
Starting point is 00:08:51 Commission has added Kaspersky to its list of communications service and equipment providers who pose a threat to U.S. national security, Reuters reports. U.S. concerns derive from Kaspersky's obligation under Russian law to provide certain kinds of cooperation with the Russian government. Kaspersky's official statement Friday deplored the FCC's action as unconstitutional and baseless, adding, Kaspersky will continue to assure its partners and customers on the quality and integrity of its products and remains ready to cooperate with U.S. government agencies to address the FCC's and any other regulatory agencies' concerns.
Starting point is 00:09:30 It is, indeed, a political judgment, that is, one involving a judgment of Kaspersky's exposure to irresistible pressure from the Russian government. But that doesn't mean it's not a security judgment. In this case, the ultimate threat isn't Kaspersky's code or its behavior, but rather its awkward position with respect to the Kremlin. And finally, the U.S. Cybersecurity and Infrastructure Security Agency has added 66 entries to its known exploited vulnerabilities catalog. If you're responsible for a U.S. federal civilian agency,
Starting point is 00:10:05 take note, your organization is expected to remediate each vulnerability by the deadline specified in the catalog.
Starting point is 00:11:35 As we've settled into the new normal with many workers connecting remotely from home networks
Starting point is 00:12:19 into work networks, the traditional ways of achieving visibility aren't necessarily cut and dry. Greg Scasny is CEO at Blueshift Cybersecurity, and I spoke with him about the growing spectrum of monitoring options available to security teams. There are all kinds of telemetry agents, and I won't mention any by name, but there are telemetry agents you can put on equipment to watch what's happening, right, and pipe that into your SOC or your MSSP. I think that's important. And then depending on the risk, you have to understand the risk of individuals that are working from home, what they have access to. You can go all the way to the point of even putting packet capture type nodes on their home networks.
Starting point is 00:12:59 It's not hard to do. Hardware is very, very inexpensive. That's not a barrier to entry any longer to be able to get that information into your SOC, right? But you have to plan that out, right? People need to think just differently about, you know, zero trust is part of that too. So I don't want to get, I'll get off on tangents because it's where my brain works, but, um, you need to kind of sit down and think about that and plan those things out. And you can do that with all kinds of stuff, whether it's a tabletop exercise or just sitting and thinking creatively about, okay, here's what we have. Here's the risk of what these people have
Starting point is 00:13:27 access to. What do we need to put there? Is it just an agent that we can get security telemetry from? Is it, hey, I need an agent and I need some packet capture type devices because they're very, very effective. What is it? What is the threat model we have with this group of employees? Executives can be a little different than end users. What do they have access to and how can we best protect that and detect and respond should something bad happen? To what degree is it a challenge that everybody's environment now is a little bit different? They're using different providers, you know, their home networks are set up differently. It's not like they're all hosed in through that office network anymore. Right. And that's, you know, part of the challenge.
Starting point is 00:14:06 But I think it still comes down to networks are networks. And even though you may have your kids doing some things in the network and you doing other things, having those devices that you do use for work monitored appropriately, to me, that's the biggest thing that needs to happen is that defensive security, there's a lot of ways to go about it, right? But it really comes down to a big data issue is that when something goes bad, how quickly can you detect and how quickly can you respond to make that just a non-issue, right? The earlier you get to those things in the kill chain, the better off it is.
Starting point is 00:14:39 So planning out what you can do in your environment. And again, it sounds difficult coming from a guy who's technical. I get that, but it's really not. It's really not all that hard. Again, if you plan it out correctly, it doesn't take that much. It doesn't take that much budget. It can be done cost effectively and it can be very effective for the organization, right? So again, the faster you can get to those things, the better it's going to be. And that's not going to stop anytime soon. What about the need to respect people's privacy, that this is a blended network and they're probably doing stuff at home that they wouldn't be doing at the office, but that's okay?
Starting point is 00:15:17 Yeah, but those things are risky too, right? So depending on what those things are, and I won't get into things that we detect, but you do have to kind of blend that. You know, things that I think there are things you can do, right? I think there are things you can do like not breaking SSL and things like that, that while that does give you good security telemetry, they get you on people's privacy, but still give you the telemetry that you need from a defensive standpoint to be able to detect and respond to alerts and events that happen when you're accessing corporate data. Do you have any practical tips for rolling out a program like this to make it so that it's
Starting point is 00:16:01 not overwhelming all at once? You know, it's so custom to businesses, it's hard to give out those practical tips, right? But you need to understand where your data sits. People talk about data classification, but truly understand what that means if that data gets out, right? Some data is more important than others.
Starting point is 00:16:19 Some data have worse repercussions should that fall into the wrong hands than others. So, you know, that's a hard task to do, but it's something that you need to do and you need to sit down with. It's not just IT's job. It's not just the security department's job, right? That's kind of everybody's job. Then you need to start that educational campaign, right? To teach people why it's important. And then the very last thing you need to do is implement the technology, right? So I'm a tech guy, right? And I sell technology solutions, you know, and people need to realize that technology is that last step, right? The people in the process need to come first. You need to get the buy-in and then that makes the
Starting point is 00:16:53 technology part easy. And then when you do that, the solutions almost become self-evident, right? It's one of those things that, okay, I know what I need to do. I know where my risks are. I know what I need to do. I know that these are where my people need to be and where my data's at. Now I need to find XYZ solution to reduce that risk, eliminate that risk, or provide some compensating control around that risk. That's Greg Scasny from Blueshift Cybersecurity. Thank you. And I'm pleased to be joined once again by Malek Ben Salem.
Starting point is 00:18:19 She is the Technology Research Director for Security at Accenture. Malek, it is always great to welcome you back to the show. You and I have been talking about deception systems, and I want to dig in today and really talk about ways to maximize their full potential, if this is something that you're going to deploy to get the most out of it. What can you share with us? Yeah, so we talked about the potential use of deception systems for a resilient design of software, right? And this notion of
Starting point is 00:18:55 expanding the users of deception systems or the folks who benefit from deception systems beyond the security community. As we talked before, information security professionals are comfortable or familiar with this idea of honey files and honey tokens, but application developers, software engineers, system admins are not familiar with that concept. And there is a big opportunity for them to use this technique, this deception technique, and these deception systems to gather more information about attackers
Starting point is 00:19:32 and how they behave and to use that information in their software system design. So that's one big opportunity. The way they can do that is this information that they gather can expose opportunities for architectural improvements in operability and in simplicity of the software systems. For instance, you know, if spawning a remote interactive shell is a consistent attacker behavior that is seen in the deception environment, they may decide to disable that as they, you know, deploy a real-world system. They can monitor attacker behavior and they can, you know, through that attacker tracing, they can develop attack trees that they can leverage for threat modeling. One of the assumptions that we typically make about attacker behavior is that attackers would always take the path of least resistance when moving laterally within a network.
Starting point is 00:20:41 But that assumption may not be correct, right? They may be motivated with something specific. They may be motivated by a target they want to attack. So if we have these systems in place and we're monitoring the attacker behavior, then we can correct our assumptions. And then we can leverage that information again in threat modeling. Also, that information can be even used to design, if you will, experimentation platforms, right? We can start playing with, you know, what are the defenses that are, you know, most useful to deploy within a real-world environment? What deters these attackers from going further into your environment? Maybe what's something that triggers them that this environment is not
Starting point is 00:21:33 realistic? Maybe if they see certain monitoring tools, that would make the environment more believable to them. If they don't see those tools there, then that could tell them that this environment is not valuable to the organization and therefore is not worth deploying ransomware on. lot about how these attackers are behaving. And then again, how do we design the real world environments so that they are resilient to any type of attack? All right. Interesting for sure. Malek Ben-Salem, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. Thank you. Our amazing CyberWire team is... Thanks for listening.
Starting point is 00:24:05 We'll see you back here tomorrow.
