CyberWire Daily - Nuisance-level cyber ops in a hybrid war. “CatalanGate.” Industrial Spy caters to victims’ competitors? Conti chatter. $5 million reward for info on DPRK ops. Exercise Locked Shields.
Episode Date: April 18, 2022

Nuisance-level cyberattacks continue on both sides of Russia's hybrid war against Ukraine. Face-saving disinformation. "CatalanGate." Industrial Spy says it caters to its victims' competitors. More on what's been learned from Conti's leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LinkedIn phishing attacks. And Exercise Locked Shields begins tomorrow. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/74

Selected reading.
Occupants send computer viruses allegedly on behalf of SBU (Interfax-Ukraine)
Ransomware groups go after a new target: Russian organizations (The Record by Recorded Future)
Currency.com Targeted in Failed Cyber-Attack (Accesswire)
Russia says missile attacks on Kyiv will increase (Military Times)
Film and photos appear to show Russian cruiser Moskva shortly before it sank (the Guardian)
CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (The Citizen Lab)
New Industrial Spy stolen data market promoted through cracks, adware (BleepingComputer)
Event Overview: CONTI Leaks 2022 (BlueVoyant)
U.S. offers $5 million for info on North Korean cyber operators (The Record by Recorded Future)
North Korea: Up to $5 Million Reward (US State Department)
World's Largest International Live-Fire Cyber Exercise launches in Tallinn (CCDCOE)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Nuisance-level cyberattacks continue on both sides of Russia's hybrid war against Ukraine.
Face-saving disinformation. CatalanGate. Industrial Spy says it caters to victims' competitors.
More on what's been learned from Conti's leaked chatter.
Rewards for Justice offers $5 million for tips on DPRK cyber ops.
Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LinkedIn phishing attacks. And Exercise Locked Shields begins tomorrow.
From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Monday, April 18th, 2022.
Interfax Ukraine relays a warning from the State Service for Special Communications and Information Protection that Russian operators are sending phishing messages that represent themselves as communications from Kyiv Security Service, the SBU.
The State Service's warning says in part, quote, The enemy does not abandon attempts to arrange cyberattacks in Ukraine. And although they are usually unsuccessful, each of us should be attentive to information security. Yes, this time the occupiers are sending out computer viruses, allegedly on behalf of the SBU. Cyber criminals use popular instant messengers for correspondence, and in messages they ask to download a file with instructions for actions for a period of wartime. Although in fact it is a computer virus. End quote.
The targets of the phishing campaign are, for the most part, government officials. The authorities advise the usual precautions against social engineering.
The Gibraltar-based cryptoexchange Currency.com has disclosed that it experienced a disruptive
denial-of-service attack last Tuesday.
It describes the attack as unsuccessful and, while offering no attribution,
notes that the incident occurred the day after the exchange announced it was halting operations for residents of the Russian Federation.
Russian organizations have come under hacktivist assault.
The Record summarizes recent activity by OldGremlin and NB-65 against a range of Russian interests. NB-65's motivations, in particular, are clearly and explicitly expressed in terms of opposition to Russia's war against Ukraine.
The University of Toronto's Citizen Lab describes CatalanGate, a spyware campaign against targets associated with Catalonia. Quote, the hacking covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organizations. End quote. Citizen Lab adds, quote, Catalonia's government and elected officials were also extensively targeted, from the highest levels of Catalan government to members of the European Parliament, legislators, and their staff and family members. We do not conclusively... End quote.
One noteworthy feature of the campaign is what Citizen Lab calls its, quote, off-center targeting. That is, the operators of the intercept tool pursued, quote, spouses, siblings, parents, staff, or close associates of primary targets, end quote. This can be a way of getting information on targets who might otherwise be inaccessible. Most of the targets were infected with Pegasus, a smaller number with Candiru.
A new criminal-to-criminal market has opened for business. BleepingComputer reports that the new criminal market, Industrial Spy, trades in stolen data. Some of those data seem to have been culled from dumps associated with earlier ransomware attacks. The site markets its services to businesses who compete with victims whose data Industrial Spy trades.
BlueVoyant this morning offered a summary and analysis of the leaks that have emerged from the Conti ransomware gang since the onset of Russia's war against Ukraine. Quote, Conti is a ransomware-as-a-service group first noted by security researchers in May of 2020. It has since risen to one of the largest and most active ransomware groups currently operating. End quote.
The U.S. State Department has offered a reward of up to $5 million for information on a range of Pyongyang's prohibited activities.
State is asking for information under its Rewards for Justice program, quote, that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber activity, and actions that support WMD proliferation, end quote.
And finally, appropriately, given Russia's ongoing hybrid war against Ukraine, NATO's Tallinn-based Cooperative Cyber Defence Centre of Excellence will kick off Exercise Locked Shields 2022 tomorrow. The annual cyber exercise will give the Atlantic Alliance an opportunity to train for cyber warfare and assess its readiness for conflict in the fifth domain. The CCDCOE explains that this exercise is built around a topical scenario. Quote, according to the scenario, a fictional island country, Berylia, is experiencing a deteriorating security situation. A number of hostile events have coincided with coordinated cyber attacks... End quote. ...environment where cyber incidents are unlikely to happen in isolation and are employed as part of a wider geopolitical strategy, end quote. That current geopolitical situation is obviously Russia's special military operation against Ukraine. Participation in Locked Shields is not confined to NATO military organizations. Government agencies and groups from the private sector also participate, since a whole-of-alliance defense would seem to require a whole-of-nation approach from the alliance's members.
Good luck and good learning.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The threat intelligence team at Egress Software Technologies has been tracking a 232% increase in phishing attempts impersonating LinkedIn. Jack Chapman is VP of Threat Intelligence at Egress, and I caught up with him for the details.
We quite often analyze the threats and trends, mostly to see what the attackers and bad guys are doing and how they're attempting to manipulate and target organizations. And there's quite a clear uptick in terms of impersonation targets. And with that, it normally goes in terms of quite an event-driven basis. And what we're seeing is quite a lot of new templated attacks that are featuring LinkedIn as the impersonation.
Well, can you take us through how exactly it works? How are they coming at their victims?
So quite often coming at the victims as focused on the job element. We believe it's sort of linked to the culture we're in where everyone seems to be looking for a new job at the moment. And very much focused around either new job matches or you've appeared in so many profile searches for the week. So it's really playing on people's curiosity. It's, someone's been looking at my profile, therefore I want to know who. And on sort of a similar vein, the other half of the LinkedIn attacks we're seeing, it's very much there's these new job opportunities. Someone's offered you a new job in this area. Click here to see more information. So it seems like it's very much sort of playing on the human element of curiosity.
Now, if I were the victim of one of these attacks, would the message come to me through LinkedIn or would it come through my regular email account?
So the majority that we see are coming through the email account, as that's the easiest way for attackers to automate these sorts of attacks. So you just receive an email, and what we're noticing with these attacks, quite often they're coming from some compromised sources. So they're coming from sort of legitimate email accounts that have been compromised before, and then you basically get one and it's a perfect sort of LinkedIn email with all of the proper logos. It's all very professional looking. And the interesting thing for us is just the impersonation on how they're actually using genuine email footers, for instance, of LinkedIn itself.
When you say a legitimate email from LinkedIn, I mean, so it appears as though the email is coming from LinkedIn, the company proper?
So they're not doing a spoof.
So it doesn't say from LinkedIn.com.
However, all of the logos, the sort of sign-off at the bottom, the alias name of the email, almost every other element of the email appears to be legitimately from LinkedIn. So it's a very good and professional template of that attack.
And so what happens if you click through to the link? Where does it take you next?
It then takes you to a credential harvesting site. So essentially a fake LinkedIn login page, or in some cases, a fake Microsoft login page. And the purpose of these attacks is essentially in order to scrape users' credentials. That's nothing new in that sense. That's by far the most targeted sort of outcome of a phishing attack at the moment. An interesting thing there is how it's targeting both Microsoft as well as LinkedIn credentials, as quite often, based on sort of password hygiene, people use the same for both.
Now, one of the things you point out in the research here is that you've seen a real increase in these attacks. Any insights into why the focus on using LinkedIn as the lure?
I think it's got something to do with this post-COVID world we now live in.
It's the great resignation that we're now facing, where a lot of people are reassessing their career
goals. A lot of people are looking for new work, potentially even remote working from different
countries, for instance. And I think this uptick of activity has sort of inspired the criminals to refocus on LinkedIn. We know through
some of our other research that impersonation targets typically go through a two or three year
cycle and this seems to be LinkedIn's time to be impersonated again. So it coincides quite nicely
with world events and the way we're changing how we work and what we prioritize in work.
And the criminals are making the most of that.
How do you recommend that organizations protect themselves against this?
I think first and foremost, it's the understanding of the risk and not sort of having a blame
culture against individuals. It's far easier to remediate any risk or any threat if people come
forward and say, I've received this or I think I've made a mistake here. But at the foremost,
it's ensuring you've got the right technology in place, the right policies so that if a human does
make a mistake, it mitigates the impact to the organization. And lastly, to ensure you're working
with your people and making them aware of these threats.
That's Jack Chapman from Egress Software Technologies.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
And I'm pleased to be joined once again by Professor Awais Rashid.
He's the director of the Center for Doctoral Training in Cybersecurity at the University of Bristol.
Awais, it's always great to have you back.
I wanted to touch today on supply chains and particularly risk management when it comes to supply chains.
I know this is something that you and your colleagues at University of Bristol have your eye on.
What can you share with us today?
So this is really potentially one of the kind of biggest frontiers for cybersecurity at the moment
because threat actors are increasingly targeting extended supply chains and potentially abusing client-supplier trust to conduct compromise of existing systems.
And we don't have to go far to think of an example.
You know, SolarWinds has been in the news very much,
where actually the supplier of a security product was compromised
as a way to then reach into the companies to which they were supplying that particular security service in the first instance.
And this is one of the big concerns at the moment that governments have about attacks against supply chains that may, for example, compromise critical infrastructure,
that may have large-scale impacts on all sorts of systems.
So one of the things that we have been doing at the moment is really looking at what kind of advice and guidance actually exists in, for example, the UK, US, and the EU regarding cybersecurity, supply chain risk management, and where really we need to focus as a research and a practice community to improve our practices around this particular area.
We're seeing lots of movement here in the U.S. when it comes to a software bill of materials. Do you think that's a good move?
I think it's an interesting direction to go, to think about really thinking of a software bill of materials.
But I think there is even a step before that,
in the sense that when we look at all this work, we find that there are often very, very contrasting interpretations
of what constitutes a supply chain.
So depending on where you're getting your guidance from, which particular kind of national or regional authority, UK, US, or the EU, and which sector do you work in, you may have very, very different interpretations of the supply chain. So some people think of supply chain as only the hardware that you're sourcing. You referenced just now software. Some people may include software in that. But what about your third-party services, like your cloud provider, for instance, and all those things? What about your security services, your cybersecurity services that are coming in and all those kinds of things? When you are handing off, for example, particular types of security operations to a third party whom you're commissioning to do that work. And the interesting thing is that at the moment, we don't really have a very consistent definition of what constitutes the supply chain. And as a result, if you are at the other end, as an organization that is trying to understand what the risks are, you may not have a very good appreciation of the gaps that it may leave in your cybersecurity strategies when you're trying to craft your approach to how do you manage these risks.
It strikes me that one of the challenges is deciding how deep you want to go down the path.
I guess there's the analogy that a bridge collapses and it's because there was a defective bolt that was made decades ago in a factory far away.
And I wonder for security how that analogy plays out.
How far down the line do you go? How far is reasonable when it comes to risk management?
And it's really a very, very hard question to answer. And that's why I started the discussion by saying this is potentially the new frontier for cybersecurity, because the challenge exactly we have is that how far do we assure, but how do we then ensure that those assurances are trustworthy in the first instance?
So in this case, for example, again, with the current geopolitical situation,
you would have heard about chip manufacturing sovereignty and all those kind of debates that are going on in the media at the moment. So you can go as far as who is manufacturing the chips and what kind of features that exist on the chips.
But how do you actually make sure that what your 10, 15 removed supplier is telling you
is actually trustworthy?
And how do you actually ensure that all of that can be
fully attested across the supply chain? And it's a non-trivial problem because when we think of
supply chain, we think of that as kind of a singular thing. But if you're a large organization,
for example, you're running a critical infrastructure, you don't have a singular
supply chain. Depending on the systems that you're running, you have potentially many, many
supply chains for those systems that are coming in. And they have all sorts of combinations of hardware, software, services,
even sort of people, subcontractors providing services into your environment. And that makes
things very, very complex. So in an ideal world, I'd like to tell you, we have the perfect answer.
But one of the things that we have discovered is that at the moment, even the kind of depth and breadth of coverage that is offered by authorities and sectors in this area varies really, really greatly.
It also depends on what your regional focus is or what your regulatory requirements in the environment in which you are operating. But as, for example, organizations become increasingly more and more global
and we rely on a global supply chain,
all of this becomes very, very complex, resource-intensive,
and costly to assure.
And that's really why we need to have some kind of a more consistent way
of understanding what are the risks in the cybersecurity supply chain
and how do we manage them. But we have a long way to go. We have developed the first
taxonomy in this area. It is publicly available, but I see that very much as a first step rather
than the end game, as a start of a conversation about saying, these are the kind of things we
all need to consistently think about. And I know that in the U.S. CISA are doing some very interesting work in this area as well. So all of that has to come together in a cohesive manner.
All right. Well, Professor Awais Rashid, thank you for joining us.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
...where they are co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Trey Hester filling in for Dave Bittner.
Thanks for listening, and we'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.