CyberWire Daily - Potential cyber threats to agriculture. Cyber phases of Russia's hybrid war. REvil prosecution at a stand (and it's the Americans' fault, say Russian sources). Microsoft mitigates Follina.
Episode Date: May 31, 2022

Sanctions, blockades, and their effects on the world economy. Western nations remain on alert for Russian cyber attacks. REvil prosecution has reached a dead end. Microsoft issues mitigations for a recent zero-day. John Pescatore's Mr. Security Answer Person is back, looking at authentication. Joe Carrigan looks at new browser vulnerabilities. Notes from the underworld.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/104

Selected reading.
In big bid to punish Moscow, EU bans most Russia oil imports (AP NEWS)
EU, resolving a deadlock, in deal to cut most Russia oil imports (Reuters)
The E.U.'s embargo will bruise Russia's oil industry, but for now it is doing fine. (New York Times)
Russia's Black Sea Blockade Will Turbocharge the Global Food Crisis (Foreign Policy)
Russia's Invasion Unleashes 'Perfect Storm' in Global Agriculture (Foreign Policy)
'War in Ukraine Means Hunger in Africa' (Foreign Policy)
Afghanistan's Hungry Will Pay the Price for Putin's War (Foreign Policy)
Remote bricking of Ukrainian tractors raises agriculture security concerns (CSO Online)
Major supermarkets 'uniquely vulnerable' as Russian cyber attacks rise (ABC)
Italy warns organizations to brace for incoming DDoS attacks (BleepingComputer)
Whitepaper - PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments (Dragos)
Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks (IT Security News)
Putin horror warning over 'own goal' attack on UK coming back to haunt Kremlin (Express.co.uk)
Putin plot: UK hospitals at risk of chilling 'sleeper cell' attack by Russia (Express)
Will Russia Launch a New Cyber Attack on America? (The National Interest)
Hackers wage war on Russia's largest bank (The Telegraph)
REvil prosecutions reach a 'dead end,' Russian media reports (CyberScoop)
Microsoft Office zero-day "Follina" - it's not a bug, it's a feature! (It's a bug) (Malwarebytes Labs)
Microsoft Word struck by zero-day vulnerability (Register)
Clop ransomware gang is back, hits 21 victims in a single month (BleepingComputer)
Conti ransomware explained: What you need to know about this aggressive criminal group (CSO Online)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Sanctions, blockades, and their effects on the world economy.
Western nations remain on alert for Russian cyber attacks.
REvil prosecution has reached a dead end.
Microsoft issues mitigations for a recent zero day.
John Pescatore's Mr. Security Answer Person is back and looking at authentication.
Joe Carrigan looks at new browser vulnerabilities.
And notes from the underworld.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 31st, 2022. We begin by mentioning the progress of some sanctions and blockades imposed in the course of Russia's war against Ukraine. The European Union, after prolonged and difficult internal discussions, late yesterday agreed on an embargo of Russian oil.
The AP reports that the EU will cut its purchase of Russian oil by about 90% over the next six months.
Reuters notes that the EU has agreed to immediately halt delivery of Russian oil by tankers.
Europe receives about two-thirds of its Russian oil by ship and the remainder through pipelines, so yesterday's decision amounts to an immediate embargo of two-thirds of all Russian oil exports to Europe.
The New York Times points out that the effects of the embargo are likely to be significant, but that they won't be felt in Russia immediately.
The Russian blockade of Ukraine's Black Sea ports has begun to have an effect on world food supplies,
particularly in Africa and the Middle East,
where deliveries of both grain and fertilizer have been disrupted.
On Sunday, the British Ministry of Defense reviewed the effects of sanctions
and the Russian blockade of Ukrainian ports.
They said on 25 May, Russia's Deputy Foreign Minister Andrei Rudenko
said Russia is ready to provide a humanitarian corridor
for vessels carrying food through the Black Sea in return for the lifting of sanctions.
The minister also requested Ukraine demine the area around the port of Odessa to allow the passage of ships.
Rudenko's request for Ukraine to demine follows a core tenet of modern Russian messaging strategy,
introducing alternative narratives, however unconvincing, to complicate audiences' understanding.
In this instance, Ukraine has only deployed maritime mines because of the continued credible threat of Russian amphibious assaults from the Black Sea.
Here's the MOD's bottom line. Russia has demonstrated it is prepared to leverage global food security for its own political aim and then present itself as the reasonable actor and blame the West for any failure.
Russia's attempt to achieve a reduction in the severity of international sanctions also highlights the stresses sanctions are placing on the regime.
This suggests that the agriculture sector could easily become a target in other ways.
A small-scale event in Russia shows one way in which cyberattacks could affect agriculture.
Ukrainian owners of tractors stolen by occupying forces and shipped back to Russia suggest the ways in which farm equipment itself could be held at risk.
Some 27 agriculture machines were taken by Russian forces and carried off for use in the Chechen region of Russia, CSO reports.
But their former owners have rendered them inoperable and useless, much as one might remotely brick a stolen laptop.
What's networked can usually be remotely disabled by its owners, and tractors are no different in this respect from a tablet.
Should Russia decide to increase its pushback against sanctions by exacerbating the food shortages its blockade has already induced, some observers have expressed concern that it could mount a general cyber campaign against the agriculture sector.
The privateering against JBS Foods, ABC says, foreshadows what might be possible.
They say JBS Foods, the world's biggest meat processor, was held ransom by Russian-based hackers for $11 million last year.
Bleeping Computer reports that Italian authorities warned yesterday
that Italy could see more distributed denial-of-service attacks
of the sort recently conducted by the Russian Killnet group,
nominally independent patriotic hacktivists working in Russia's interest,
but probably also receiving some direction from Moscow's security and intelligence services.
Killnet declared Operation Panopticon,
that is the creation of a space in which everything is seen, last week,
and has since been seeking to rally sympathetic hackers to its cause.
The original panopticon was proposed in the 18th century
by the English utilitarian philosopher Jeremy Bentham,
who intended it as a proposal for prison reform.
Prisons ought to be designed, Bentham argued, with a central panopticon from which all of the prisoners could be observed continuously and without interruption.
We leave the unpacking of Killnet's choice of metaphor as an exercise for you, our listener, but it seems to provide an instructive window on how they view the way the world ought to be organized, like, perhaps, a prison.
Observers in the U.S. and U.K. also continue to express concern
about the prospects of major Russian offensive cyber campaigns,
although so far at least no such successful campaigns have developed.
Some warn of a potential for attacks against industrial control systems
using PIPEDREAM malware tools.
Others see more risk of distributed denial-of-service attacks organized by Gamaredon,
also known as APT-53 or Primitive Bear.
Ukrainian hacktivists continue to conduct nuisance-level attacks against Russian targets.
Sberbank, Russia's largest bank, remains a favorite target, The Telegraph reports.
Remember when Russian authorities arrested some alleged leaders of the REvil ransomware gang back on January 14th? It would seem that their prosecution is now at a standstill.
And, moreover, it's the Americans' fault, or so the word on the courthouse steps in Moscow has it.
The Russian media outlet Kommersant reported Friday that America did nothing
and suggests that this is a disappointment for the Russian authorities.
Russia did its best in good faith with a commitment to procedural equality,
but the Americans failed to deliver the evidence they promised, so says Kommersant.
The U.S. suspended its cooperation with Russian law enforcement after the special military operation in Ukraine began, and so the Russian prosecution can now proceed no further.
CyberScoop points out that this is basically the defense attorney's perspective and that perhaps it should be taken with a grain of salt.
Anyway, defense counsel has apparently suggested that the alleged leaders of REvil are patriots
willing to turn from their young, misguided life of crime
and that they're in a unique position to render assistance to Russia in her hour of cyber need.
They've got the chops for it, apparently, having honed their skills as privateers.
Or, if you prefer, criminals.
Malware researchers describe a zero-day vulnerability that could allow attackers to achieve remote code execution in Windows systems.
Exploitation of Follina, as the researchers call the bug, circumvents Microsoft's Protected View and anti-malware detection.
The attack vector uses the Word remote template feature to retrieve an HTML file from a remote web server.
It goes on to use the MS-MSDT protocol URI scheme to load some code and then execute some PowerShell.
Microsoft addressed the issue yesterday.
Malwarebytes says, On Monday, May 30, 2022, Microsoft issued CVE-2022-3190
regarding the Microsoft Support Diagnostic Tool in Windows Vulnerability.
The workaround offered by Microsoft consists of an alternative method
to unregister the MSDT URL protocol.
In full disclosure, we note that Microsoft is a CyberWire partner.
NCC Group has been tracking the return of Clop ransomware, which last month emerged from its temporary hibernation to hit 21 targets.
NCC Group noted, the most targeted sector for Clop was industrials, which made up 45% of Clop's attacks, followed by technology with 27%.
This is roughly along the lines of the target selection NCC Group observed on the part of Conti and LockBit, although Clop is a bit more interested in the tech sector than are its criminal competitors.
Bleeping Computer reports that Clop exploited Accellion's legacy file transfer appliance to exfiltrate large quantities of data from the companies it victimized.
CSO takes a look at Conti, which may or may not be breaking up or rebranding, but which
seems likely to persist in some form or another.
Among their observations is that Conti has been, relatively speaking, less concerned than its
competitors with delivering on promises made to victims, which suggests the gang either has a
different revenue model or is pursuing goals other than simple, immediate profit.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives
are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
This is John Pescatore, and welcome to Ask Mr. Security Answer Person, short drill-downs into timely security issues with a lot of hype busting.
Now let's see what today's question is.
Here's our question from Curious Listener.
Earlier this year, the U.S. Internal Revenue Service
announced it would start requiring taxpayers
to use a commercial facial recognition service
to access their tax records.
Seemingly within minutes, after intense backlash,
the IRS backed off,
and it looks like strong authentication is off the table once again. Are we ever going to see
the U.S. federal government move away from reusable passwords to something more secure?
Well, unfortunately, Curious Listener, the short answer is no. The federal government will never make any progress in this area if they take the same approach the IRS did here.
The way the IRS first went about this violated two very important laws of nature.
First, if you want to cook a frog, put it in a pot of lukewarm water and slowly turn up the temperature. Don't try to throw a frog in a pot of boiling water. It will just jump out.
Next, if you're going to hit someone with a rubber mallet just below the top of their kneecap, don't put your face in front of their foot.
With no advance notice, as in forgetting to warm the water, the IRS came out with a mandate to use facial recognition, a very privacy-sensitive form of biometrics, and run by a private firm.
Insert knee-jerk reaction squared to the jaw here. Let's start with the basics.
Replacing reusable passwords with stronger authentication is the single most effective action we can take to reduce security incidents.
In 2019, Microsoft analyzed over 300 million logins to their cloud services,
and the data showed that the use of two-factor authentication, such as cell phone messages or an authenticator app,
would have prevented 99.9% of phishing attacks from succeeding.
Using biometrics adds at least one more nine to that figure.
That was the math that caused the IRS to finally act.
The ability to cut successful account compromises
by a factor of a thousand through this one move.
But unfortunately, they didn't do the prep work.
They tried to build a bridge starting from the top,
and that never works out well.
I can hear the roar of yawns from here. Yeah, yeah, yeah, we all know passwords are the root of all evil, but users love them, and any form of stronger authentication causes management to scream.
It also seems to always cause breakage across applications, often requiring double logins.
When we try, we can never go from testbed to a mass rollout because of the pushback from all levels.
Well, the times they are a-changing.
First, a Mercator survey showed that 41% of consumers were already using biometrics on their cell phones in 2021.
Another study showed similar percentage for overall use of multi-factor authentication,
as many financial services have begun requiring it if a user logs in from a new device.
I've asked boards of directors many times if they use text messaging, two-factor authentication, or the fingerprint sensor in their mobile phones. In their personal lives, they nearly 100% do.
Resistance is much lower than it was a few years ago.
The breakage interoperability issue has been real, but in early May, Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
Okay, before the yawns start again, yes, the big guys have made announcements like this before around adopting common standards, but never these three dominant players all at the same time, and never on a timeline as short as the one year they all announced for this effort.
The promise: your user with an iPad, an Android phone, and a corporate Windows PC will be able to log in across Apple, Google, and Microsoft apps and services from any of those devices without ever once using an oh-so-phishable password.
So, dig into multi-device FIDO credentials and passkeys to understand the details, and start working with IT to try a rollout, at least across the security team and possibly a few security-friendly IT admin folks, to see what wrinkles remain and to see if they do get ironed out over the next year.
To avoid knee-jerk reactions, start doing an internal messaging campaign about the impact
of phishing on users at home and how MFA can break that cycle of identity theft pain.
Of course, strong authentication is not penicillin.
It will not cure all security ills,
and there will be vulnerabilities found that need to be fixed.
But just imagine if 99.9% of phishing attacks against you
failed to obtain your users' credentials.
Your security resources could focus on the remaining complex and dangerous attacks
and reduce time to detect and time to respond dramatically.
It really feels different this time.
Phishing is costing the tech platforms and their customers too much money for them to
sit still.
Money talks, and I think we'll see progress.
So, the water is warming.
Throw your frog in and start turning up the heat.
Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send in your questions for Mr. Security Answer Person to questions at thecyberwire.com.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
I saw some interesting coverage over on Forbes. This was written by Davey Winder, and he had some news from the recent Pwn2Own event in Vancouver. What was going on here, Joe?
Well, there is a, let's call him a security researcher. That's the term I'm looking for. His name is Manfred Paul.
Yeah.
And he is a very good security researcher.
Yeah.
And he found two critical vulnerabilities in Mozilla. And these were JavaScript vulnerabilities. One of them is a prototype pollution in top-level await implementation, is what it's called.
Okay.
It allows an attacker who corrupted an array object in JavaScript to execute code in a privileged context.
Okay. Okay.
And then there's another one that is untrusted input used in JavaScript object indexing,
which leads to prototype pollution, again, allowing you to get back to the original exploit.
The key is that you can run any kind of JavaScript you want in a privileged setting.
Okay.
So that's really, really bad.
Yeah.
Firefox has already fixed these and released patches for them.
Okay.
So one of the things I wanted to talk about in this story is
how often do you see when you're using your browser, whether it's Chrome, whether it's
Edge or whether it's Firefox, it has a little update alert up in the upper right corner.
Right. And Chrome starts off with a green one, then it goes yellow, then it goes red to catch your eye for it.
But as soon as I see the green one, I make a habit of just stopping what I'm doing and hitting that button and updating it.
Because vulnerabilities like this are remarkably bad.
And what's interesting about this one is that vulnerability is also present in the Tor browser because Tor is built on top of Mozilla.
Okay.
And if you're in a place where you need to keep your IP hidden from the oppressive regime that's watching you, right?
Right.
You need to protect your identity online.
You don't want to go to some malicious website that allows this, that allows them to de-anonymize you.
They can actually get your actual IP address.
I see.
Now, one of the things about Tor
is that the browser comes with JavaScript disabled
by default, I believe.
So you have to actually go on and enable it.
Right.
But if you're browsing the open net,
you pretty much have to do that
for many of these pages to be usable.
You have to turn JavaScript on.
You have to turn JavaScript on, correct.
Yeah, yeah.
So I can absolutely see
where this would be a problem for people.
Now, Manfred Paul here,
the researcher who took advantage of this,
he had a pretty good day here, didn't he?
He had a pretty good eight seconds.
Okay.
Because it's Pwn2Own,
you get cash when you find these things.
He got $100,000 by exploiting this – demonstrating this vulnerability.
Wow.
It's kind of like a bug bounty program.
Yeah.
And it's – he gets – you want to say he gets $100,000 for eight seconds of work, but he doesn't get that.
He put a lot of time into developing the exploit.
Yeah, it's eight seconds that he spent a career, a lifetime career, learning how to do the thing that ultimately took eight seconds to do.
Right. It's just an automated attack. I mean, those things take no time at all.
Right. The skill comes in developing the attack.
Yeah. So yeah, good for Manfred here.
Yeah. It says later in the same day, he went on to win another $50,000 for a zero-day exploit in Safari.
Yeah. So Manfred's buying the first round at the Pwn2Own bar that evening.
What do you make of these sort of hacking events, Joe? Is this, yeah?
I think they're great. This is what we need to have as a security community. And this is the
kind of attitude we have to have. So this bounty money comes from the event organizers, right?
They probably go out and get sponsorships from all these different companies that are sponsors.
But other companies have their own bug bounty program.
And then there are actually companies out there like HackerOne that manage bug bounty programs for other companies.
Yeah.
Which is great.
So events like this that bring legitimate security research to the forefront are fantastic.
And, you know, you at Hopkins, you work with a lot of students. These are great events for them to attend as well.
Yes. If they can get to them, they can do some exploitations.
Absolutely. Or just go to learn.
Right. That's why you go.
Yeah. Really. Yeah. All right. Well, this is an article from Forbes, again, written by Davey Winder. It's titled Firefox Browser Hacked in Eight Seconds Using Two Critical Security Flaws. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Thank you.
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.