CyberWire Daily - Patches, and some incentive to apply them. Hacktivism, privateering, and patriotic banditry in Russia’s hybrid war.
Episode Date: August 10, 2022
Patch notes, and the risks associated with failure to patch. Finland's parliament comes under cyberattack. Killnet says there will be blood, but they may just be grandstanding for the home crowd. Cyberattacks against a UK firm that's criticized Russia's war. We’re joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey, deputy assistant attorney general for the National Security Division with an introduction to WatchGuard. Our guest is Matthew Warner from Blumira with tips on avoiding burnout. And not all criminal organizations are working for Russia.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/153
Selected reading.
Already Exploited Zero-Day Headlines Microsoft Patch Tuesday (SecurityWeek)
Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws (BleepingComputer)
IBM Patches High-Severity Vulnerabilities in Cloud, Voice, Security Products (SecurityWeek)
Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader (SecurityWeek)
ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities (SecurityWeek)
VMSA-2022-0022 (VMware)
Emerson OpenBSI (CISA)
Emerson ControlWave (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)
Multiple attackers increase pressure on victims, complicate incident response (Sophos News)
Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities (Fortinet Blog)
NBI launches probe into attack on Finnish Parliament site (Yle)
Russian hacker warns cyberwarfare will turn deadly (Newsweek)
Suspected Russian cyber attack on British soil as firm subjected to ‘daily’ hacks (The Telegraph)
Meet DUMPS Forum: A pro-Ukraine, anti-Russia cybercriminal forum | Digital Shadows (Digital Shadows)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Patch notes and the risks associated with failure to patch.
Finland's parliament comes under cyber attack.
Killnet says there will be blood.
Cyber attacks against a UK firm that's criticized Russia's war.
We're joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey,
Deputy Assistant Attorney General for the National Security Division,
with an introduction to WatchGuard. Our guest is Matthew Warner from Blumira, with tips on avoiding burnout.
And not all criminal organizations are working for Russia.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, August 10th, 2022.
Yesterday was August's Patch Tuesday, with updates released by IBM, Adobe, Siemens, Schneider Electric, and of course, Microsoft.
Redmond addressed 118 CVEs, 17 of them critical.
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, released three industrial control system advisories, one covering equipment from Mitsubishi, the other two equipment from Emerson,
and VMware has warned that exploit code for vulnerabilities it patched last week is now available online. The vulnerabilities affect Workspace ONE Access, Access Connector,
Identity Manager, Identity Manager Connector, and vRealize Automation.
The availability of exploit code should lend urgency to patching.
Failure to patch is obviously not a good practice,
but two security companies last week explained that it can have some specific effects.
An unpatched organization can draw more than one attacker,
and it will also find itself vulnerable to older forms of malware. A study by Sophos concludes that vulnerabilities
that go unaddressed often draw multiple attackers. In some cases, the attackers are interdependent,
in others competitive, but whatever their relationship with one another, their simultaneous
presence in victim systems complicates the defender's challenge.
The researchers recommend keeping systems patched and up-to-date while giving priority to the most potentially damaging vulnerabilities.
And old vulnerabilities continue to be vulnerable to old malware.
Fortinet reported this week that CVE-2017-0199 and CVE-2017-11882 are nearly five years old, but they're still being exploited.
Worse, both vulnerabilities have had official patches for some time.
Some of the exploitation is by SmokeLoader, a malware variant that itself has been in circulation since 2011.
It's recently been used to drop zgRAT in vulnerable Windows systems.
The website of Finland's parliament was unavailable yesterday as it came under a
distributed denial-of-service attack. The attack is under investigation but is believed to originate
from Russia. Finnish news outlet Yle reports that the website was inaccessible
between 2:30 p.m. and 10 p.m. local time.
The threat actor behind the incident is believed to be a Russian group
calling itself NoName057(16),
and the motive is to harass Finland's government
for its decision to seek NATO membership.
The group said, "We decided to make a friendly visit to neighboring Finland,
whose authorities are so eager to join NATO."
Killmilk, the hacker name used by the person or persons
who claim to be the founder or founders of the nominally hacktivist group Killnet,
has upped the ante on earlier promises to punish the West for its support of Ukraine,
and especially for its provision of HIMARS rocket artillery.
Newsweek quotes Killmilk as saying in an interview,
"In Russia, I will become a hero and abroad a criminal.
Soon, I and Killnet will launch powerful attacks on European and American enterprises,
which will indirectly lead to casualties.
I will do my best to make these regions and countries answer for each of our soldiers."
Killnet had announced last week that it was undertaking a radical new form of cyber attack
against targets it regarded as particularly objectionable,
notably Lockheed Martin, which produces HIMARS,
and against some unspecified system or subsystem of HIMARS itself.
But so far, nothing has materialized.
It's notable, perhaps, to see the repeated Russian theme,
"We're not threatening nuclear war, but we're threatening nuclear war,"
which has surfaced in Killmilk's remarks.
Killmilk said, "We are crazy guys, but we see the boundaries and are not going to cross them.
I don't think that because of several dozen human casualties, nuclear missiles will fly in the face
of Lockheed Martin employees." That is, nice company you got here. Shame if something happened to it.
Anyway, while we understand that absence of evidence isn't evidence of absence,
Killmilk strikes many as more hot air than innovative, dangerous threat actor.
The Telegraph reports that Britain's National Cyber Security Centre
and Scotland Yard are investigating a series of denial-of-service attacks
the alt-currency firm Currency.com has sustained since its founder criticized Russia's war at the end of February.
Viktor Prokopenya, the company's founder, said,
"The cyber attack has been going on almost on a daily basis every day for the last three months.
It's like someone repeatedly trying to break down your front door."
He said his security
team is convinced that the attack is Russian in origin. The NCSC believes that the operators
behind the DDoS are privateers, as opposed to Russian government organizations. And finally,
Digital Shadows reports on a cybercriminal gang that's exhibiting some sympathy for the cause of Ukraine.
DUMPS Forum was established in May of this year,
and Digital Shadows says it looks a lot like other criminal forums.
They say,
"There is a section for trading illicit material, carding, malware, and establishing access to targeted networks.
At present, this forum is open to members without any vetting or registration process.
However, there is an ongoing request for an invite system that may become the main method
of gaining access if the forum builds its notoriety." But DUMPS is different in the
allegiances it declares. Posted to the forum is this opening statement,
"Information services and leaks, or other services on our forum,
are allowed in relation to only two states.
These are the Russian Federation and Belarus.
Topics that mention other countries are not allowed.
This is the main rule of our forum."
So it's an anti-Russian and anti-Belarusian operation.
Digital Shadows characterizes DUMPS as unusually brazen,
even going so far as to post what they claim is an overhead image
showing their headquarters in a Kiev apartment building.
Who knows if that's true or just a goof,
but the roof does have some demonic graffiti that reads roughly,
Putin effed up.
DUMPS may represent, if not exactly privateering, patriotic banditry,
mainly because it's unclear whether DUMPS has anything like the virtual letter of marque
Russian gangs enjoy.
Digital Shadows concludes,
DUMPS Forum likely has an important role to play in the ongoing Russia-Ukraine war
as a hub for hacktivists and patriotic cyber threat actors,
as a symbol of resistance and making a demonstrable difference on the cyber battlefield.
Any success achieved by DUMPS Forum will, however, attract unwanted attention.
The ban on Russian citizens visiting the forum highlights that the forum is already on the radar
of the Russian state. It is also realistically possible that the success of DUMPS Forum may
A linguistic note: DUMPS is written in Russian,
and so Digital Shadows speculates that it may be designed to appeal to disaffected hoods within Russia itself,
but the forum may have a broader reach than that.
Russian is commonly spoken in the near abroad and former Warsaw Pact,
although in the latter countries that proficiency is aging out.
It's also easy to underestimate the degree of mutual intelligibility
found among the Slavic languages,
and especially between Russian and Ukrainian.
Anglophones may find this comparison useful.
Sure, you may have a hard time understanding
the Australian accent we put on sometimes in Hacking Humans,
but trust us, in Brisbane they howl at those gags.
That's what we hear anyways.
Let's face it, the past couple of years have been a lot.
What with a global pandemic, political discord, the war in Ukraine,
and, oh yeah, the ongoing shortage of qualified cybersecurity professionals,
it's easy to see why many folks are feeling at their wit's end when it comes to doing more with less.
Matthew Warner is CTO and co-founder at SIEM provider Blumira, and I checked in with him for insights on avoiding burnout.
You run into the situation where you have this
feedback loop of exhaustion and trying to push forward. And at the same time, you have this
need for maturity across organizations from an IT and security perspective, where if you don't have that
continuous growth in the organization, you only have continuous burnout at the same time of the
staff within that organization as well.
How much of this do you suppose is just plain old
understaffing, that we don't have enough people to take care of what needs to be done?
I think part of it is understaffing to an extent,
but when understaffing gets brought up,
I tend to think about things like,
well, how large are the IT needs
and how large are security needs within organizations?
Is security being gatekept away
from certain IT professionals, for example?
Because classically, there's some gatekeeping
that lives in kind of every segment of IT and IT security. And I do think that there is some understaffing
exists, some forced by the organization. They don't want to spend that budget.
Some forced by the market. There just aren't enough people to take those positions.
And in some situations, it's forced through the legacy nature of the organization. If you are continuing to update your organization, if you're continuing to build maturity and good process into that organization, the need for more and more people can be reduced.
You can get some scale out of your organization.
that kind of continuous pressure of more things to do, more things to solve, and doing that at the exact same time as trying to scale your organization or scale your IT teams,
often the easy answer is we'll throw some people at it, and then you run into that staffing problem.
Where do we find those people? How do we really make it work?
And having to kind of mesh those two needs, which is growing the company from a process maturity perspective at the same time as growing it from an IT staffing perspective,
makes it really hard for company leaders to then understand where the sysadmins are and creates a kind of like breaking point where both sides are not necessarily working on the same problem.
They're just kind of working in the same organization.
So what are some potential ways that organizations can come at this
to take some of that pressure off of folks?
I think some of the best ways for organizations to approach the problem of just stress and anxiety
that lives within IT and the exhaustion that comes from it
really comes from the top of process definition, which I know is the most boring thing ever from
a business perspective. But it's really important. And for me and my organization, when I talk to
companies, it's really easy and not necessarily the best way to just throw a solution out there and run with it.
And I think that's where almost everyone in the IT world, like we're accustomed to say, I have a problem.
I'm going to solve that problem.
I'm going to ask you another problem.
This is how I'm going to solve it.
But doing that day in and day out doesn't necessarily help the organization as it grows. So you really kind
of have to take a step back, look at who's in your organization, talk to the leaders in the IT part
of your organization, determine if they are the people that are going to help you mature that
organization, and really look at the people who are your independent contributors and think about
how are they doing? Are we asking them to do too much?
What are their hours looking like? Are they able to execute on what we're asking of them? And really,
most importantly, are they able to support business needs at the same time as just getting
through the problems in the day? And the only way to do all of those things together is to sit down,
look at your processes, look at what you're asking your staff to do,
or as a sysadmin, looking at what you're being asked to do
and then going up and talking to your leaders
and saying, this isn't working.
Here are the ways that we can start to solve this.
And maybe adding people, but it may also be,
we need better automation with our endpoints.
We need an RMM in place.
We need some better scanning tools in place
because we just don't have time to sit down and do this work. And really, the best way to save time these days is to find
that tool that really works best for your organization, you can embed into that process,
and then scale that team around your tool set and your automation rather than just trying to scale
it around people. Because people make those decisions for you. They solve those problems for you.
They have to use those tools for you. And if they aren't there and you're burning them out,
then you will have at one point nothing and it will just become you trying to churn through those people. And that's a punishing way to run a business. And it's a punishing way to
be a sysadmin as well.
To what degree do you think there are cultural elements at play here? I mean, I think, I know we've all seen people who
almost, you know, they look at their lack of sleep or the hours they spend at work
almost as a badge of honor.
You're never going to be able to build out a team that's mature and
that you trust without having a culture that focuses around it. So I definitely think that
there is a cultural issue of overwork in IT and IT and security. And part of that goes
to the 24-7 nature of IT and IT security. They're always having to deliver. There's always an
ongoing thing. But that also goes back to how do we build tools? How do we make processes that work
for our people? And if there are things that are maybe awful in culture, if they have to be on call,
if they have to be working late, if they have to have a difference in work-life balance,
how do you pay that back to them?
Not necessarily in money, but it could be in their own time.
It could be in giving them something that they want to be working on.
It could be paying them outright for that time as well, just as much that there's a
trade-off.
So instead of that culture being about, well, you're in IT,
your job is just to burn your time
and get problems solved.
Rather, it's about, you're in IT,
how can you help us solve these problems?
How can we do it in a way that is reliable
and best for all of us?
Because having a tired sysadmin
and having tired security teams
only results in negative outcomes for an organization.
It might solve that one problem that came up, but over time, that burnout just kind of layers on and
layers on. And there's definitely a cultural impact with it, but that kind of goes all the
way back to people that are used to that culture will only get out of that culture if
they're brought out of it. It's really easy to get embedded into a culture like overwork or
IT rotation that burns you out. Like when you're just rotating like weekly primary and then the
next week you're secondary and that's just what you do for your entire life. That's a really hard
way to exist. And you end up with this cricket in the back of your head
that says, well, I could be working.
I could be getting these problems solved.
I need to be getting these things solved.
And when you don't have that downtime,
that's when you create this burnout situation.
You start to break culture a little bit more.
And it really needs to be more focused on.
And IT is classically not great at this, but focused on the human,
helping them help you and building that kind of environment for them
that will allow them to.
Because it will be way, way more successful in the grand scheme of it all.
It doesn't feel more successful when you're going through it.
That's Matthew Warner from Blumira.
And I'm pleased to welcome back to the show Bryan Vorndran.
He is the FBI Cyber Division Assistant Director.
Also joining us today is Adam Hickey.
He's a Deputy Assistant Attorney General at the Department of Justice.
Gentlemen, welcome back to the Cyber Wire.
David, it's good to be here.
Hello.
So, Bryan, let me start with you here. I know you and your colleagues, as the war in Ukraine has been underway for quite some
time now, you and your colleagues at the FBI have been working against some Russian botnets. Can you
bring us up to date on what's going on there?
Of course, Dave. Thanks for the opportunity to be
here today. You know, the botnet that everyone is referring to is referred to as Cyclops Blink or Sandworm.
And essentially what it is is a vulnerability that Russian actors from the GRU found in WatchGuard firewall devices, which sit at the edge of a network.
And so that vulnerability was first discovered in late November of 2021, and the FBI had a very, very fruitful initial meeting with WatchGuard.
And WatchGuard was an exceptional partner throughout the entire process.
But it did take WatchGuard some time to build a mitigation criteria and a remediation plan for that vulnerability because of the complexity of the vulnerability.
On February 23rd, WatchGuard published their mitigation advice in a blog, and contemporaneous with that, the UK's NCSC, FBI, NSA, and CISA
published a quad-seal cybersecurity advisory
that was also released on the Cyclops Blink threat,
the malware, and the mitigation advice from the blog.
And that was a really important step.
And that cybersecurity advisory, coupled with the blog from WatchGuard, essentially reduced the command and control nodes in terms of mitigation.
The global command and control nodes are reduced by about 50%.
And the command and control nodes for the botnet in the United States were reduced about one-third.
So when we look at moving from least intrusive to most intrusive, certainly a least intrusive step is the publication of cybersecurity guidance to owners of the WatchGuard device. And again, in this scenario, when you look at the global command and control nodes of the botnet, that step effectively mitigated 50% of the global
nodes and a third of the US-based nodes. But if you're tracking dates, on February 24th,
Russia invaded Ukraine. And so just one day after that mitigation guidance, Russia invaded Ukraine.
And so we then moved into a scenario where we started conducting hundreds of victim notifications to try and get the attack surface of that botnet reduced even further from the numbers I mentioned earlier.
What was most concerning to us, though, was that the GRU from Russia continued to operate and maintain the botnet.
And the only reason you would operate and maintain a botnet is for future use.
And so through the victim notification process, we were able to reduce the global attack surface by about another 25%
and the U.S.-based attack surface by about 50 more percent.
But it's still left between 15% and 20 percent of the C2 nodes available
for use in the botnet. And that's a significant concern to us because, as I said, the only reason
you operate and maintain a botnet is for future use for a catalyzed attack. And so we essentially
used our Rule 41 authority at that point and a very technical piece of code that we developed in-house with the FBI and essentially took steps to neutralize the remaining 15 to 20 percent of those command and control nodes globally.
A very, very successful operation at the end of the day, and we feel very, very positive about where it left the American public in terms of safety related to the GRU's
capabilities.
Well, Adam, can you walk us through the process here of using that authority from the
DOJ's perspective? How do you collaborate with your colleagues at the FBI?
So the FBI is going
to tell us what they've designed or the protocol they've developed that would allow them to take the operation.
And we're going to analyze that and look to see whether it amounts to a search or a seizure under the Fourth Amendment such that a warrant will be required.
And we're going to look at Rule 41, the rule of criminal procedure that
governs warrants and in particular allows us to go to a court in one district to address an infection or malicious computer activity that occurs in more than one district, right? Where
going to every single judicial district where the software is running would not be practical,
would not be feasible. And, you know, the first question I mentioned, whether it's a search or a seizure, we don't spend too much time on that because—and the reason is we're always going to want to have a warrant if we can get one.
We're always better off for a variety of reasons going to court, laying out our thinking in writing, and having a judge weigh in and authorize what we're doing, even if technically there might be an argument, say, that this was such a de minimis action, you wouldn't need a search warrant.
Or maybe you'd make an argument that there's no reasonable expectation of privacy in malware.
Those just aren't the arguments we're making.
We're fortunate that we are allowed to go get a search warrant, even if there's some argument we might not need one.
And then obviously we have to comply with Rule 41,
which has certain procedural requirements,
including after the fact, right, notice requirements.
So anytime we do an operation like this,
we may not be in a position to be public immediately.
It may take a couple days for the operation to play itself out
and make sure we've disrupted all the nodes that we're aware of.
But ultimately, we're going to make as much of the affidavit and warrant public as possible.
We're going to announce it on our website, and we're going to give notice to affected computer owners,
either directly if we can or through their ISP or through broad public notification.
So, Bryan, can you clarify for us the timeline of
this? I mean, when you're dealing with those last remaining systems, is this an issue where you're
trying to hit them all as quickly as possible?
David, it's a great question, and the answer is
yes, it is. We want to eliminate the remaining vector of attack, whether the adversary is China, Russia, North Korea, Iran,
or a criminal target set, as quickly and simultaneously as possible. So imagine a
scenario where we have 20 computers remaining in a command and control structure that are serving
as C2 nodes in a botnet, rather than going to each one of those 20 potential victims,
unwitting victims, and have them take their own mitigation steps over their own defined timeline, we would much prefer to run a technical operation under the right authorities that we have and essentially eliminate the remaining vector of that attack very, very quickly and simultaneously to just wipe it out completely.
So that decision is one we take seriously.
It's not one that we simply gloss over.
But the velocity at which we destroy those remaining vectors is very important to us.
The way I think about it, Dave, we have to assume that the actor is watching what we do to their infrastructure.
And if the process of going door to door is going to take 72 or 96 hours and they're gradually seeing themselves go dark, as it were, over that period, that gives them runway to adapt, to retool, to figure out what we know and how we know it and to change how their malware runs in a way that
defeats our technical ability and denies us the ability to the objective of the operation.
So there are situations where if we don't act simultaneously, we will miss the opportunity
to disrupt the actor.
We will give the opportunity, the actor an opportunity to retool and maintain presence. And, you know, I'm conscious
of the fact that while I think there's pretty wide ranging support for this, there are folks
who would probably say, well, I just don't want you to touch my computer. I just don't want you
doing this. And we have as law enforcement to think about whether to give the heckler a veto,
if you will, or whether we're going to say, look, one person can't deny us
the ability to protect thousands
if we have the capability and the authority
to act in the interest of public safety.
All right.
Well, gentlemen, thank you so much for joining us.
That's Deputy Assistant Attorney General Adam Hickey
and also by the FBI Cyber Division
Assistant Director Bryan Vorndran.
Gentlemen, thank you so much for joining us.
And that's The Cyber Wire
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan,
Thanks for listening.
We'll see you back here tomorrow. Thank you.