CyberWire Daily - Powergrid attacks, DDoS, and doxing in a hybrid war. Notes on botnets, and a threat actor changes its phish hooks. Patch Tuesday. Sentence passed in a sanctions evasion case.
Episode Date: April 13, 2022
Industroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration. Sanctions evasion is serious business.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71
Selected reading.
Why Russia's Cyber Warriors Haven't Crippled Ukraine (The National Interest)
In Ukraine, a 'Full-Scale Cyberwar' Emerges (Wall Street Journal)
Russian hackers tried to bring down Ukraine's power grid to help the invasion (MIT Technology Review)
Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired)
Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal)
Zhadnost strikes again... this time in Finland. (SecurityScorecard)
Anonymous Hits Russian Ministry of Culture - Leaks 446GB of Data (HackRead)
Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog)
Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog)
Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet)
Qbot malware switches to new Windows Installer infection vector (BleepingComputer)
Microsoft Releases April 2022 Security Updates (CISA)
Google Releases Security Updates for Chrome (CISA)
Citrix Releases Security Updates for Multiple Products (CISA)
Apache Releases Security Advisory for Struts 2 (CISA)
Valmet DNA (CISA)
Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA)
Inductive Automation Ignition (CISA)
Mitsubishi Electric GT25-WLAN (CISA)
Aethon TUG Home Base Server (CISA)
U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Industroyer2 and Ukraine's power grid,
more on last week's distributed denial of service attack against Finland.
Anonymous claims to have doxed Russia's Ministry of Culture.
Hafnium gets evasive.
Enemybot is under development but worth keeping an eye on.
Changing the phish hook.
Patch Tuesday notes.
Tim Eades from Cyber Mentor Fund on digital and security transformations.
Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration.
And sanctions evasion is serious business.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 13th, 2022.
We begin with a note on disinformation.
Russia's recent "we meant to do that" emphasis on the Donbas is intended to tell everyone that the special military operation is all going according to plan.
In fact, it represents a significant departure from Moscow's pre-war planning, which appears to have anticipated the quick decapitation of the government in Kiev. The change in plans was motivated by the invasion's failure in the northern part of Ukraine.
The UK's Ministry of Defense yesterday offered a terse rebuttal of President Putin's claim that his war against Ukraine was going according to plan. Quote: "The Kremlin says its war in Ukraine is going to plan, but it's not. Russia's plan is failing."
As evidence, the MOD cites the loss of at least six Russian generals killed in action; instances of Russian troops turning on their commanding officers; 2,151 vehicles, artillery pieces, or aircraft damaged, abandoned, destroyed, or captured, which is more than three times the rate of comparable Ukrainian losses; the forced retreat of Russian forces into Russia and Belarus; and Russian aircraft lost to friendly fire.
All armies face friction in real war, but Russia's record seems to go far beyond the normal difficulties,
and it hardly seems that much at all has gone according to plan.
The GRU's attempt against the Ukrainian power grid appears to be the cyber attack most people were expecting back in February,
especially because of the way it tracked earlier GRU takedowns of sections of Ukraine's power grid.
It also appears to have failed, and that failure may be attributed in part to successful Ukrainian defenses
as well as to the methods Russia chose to use.
In cyberspace as well as on the ground, Ukraine appears to have proved a tougher opponent than Russia expected.
In the December 2015 attacks, the GRU's Sandworm unit pivoted into the grid via spear-phishing emails that carried BlackEnergy malware as their payload.
The outages then induced lasted up to six hours.
The 2016 attack against Ukraine's grid used Industroyer malware, also called CrashOverride, an updated version of which was used in this month's attempt.
ESET, which provided some of the initial response to the attacks, did not speculate on how the GRU gained access to the systems it hit, but The Record cited CERT-UA as saying that the attackers moved laterally between different network segments by creating chains of SSH tunnels.
While the overall effect of the recent attempt on the grid may have been negligible,
reports obtained by MIT Technology Review indicate that the attack did succeed in taking some electrical substations offline.
Security Scorecard has published a study of the distributed denial-of-service attack against Finnish government sites last Friday.
The incident coincided with an address to Finland's parliament by Ukrainian President Zelensky and came during a period of speculation that Finland is preparing to apply for EU and NATO membership.
The researchers attribute the DDoS attack to the Zhadnost botnet, which they had observed in attacks against Ukraine in late February and early March.
Zhadnost means "greed" in Russian.
Security Scorecard says they've identified some 350 bots,
most of them located in Bangladesh and a range of African countries.
The report says the majority of the bots are MikroTik routers running various MikroTik services, or devices running Squid proxy and vulnerable Apache web servers.
Attribution is, as usual, difficult and heavily circumstantial, but Security Scorecard assesses with moderate confidence
that Russian units or some threat actor aligned with Russian interests
were responsible for the attack.
The consequences of the attack were temporary and not particularly damaging,
but the researchers add that subsequent attacks might be more consequential.
If one were to bet on form,
one would expect the next move from the Russian cyber threat actor playbook to include deployment of wiper malware.
The hacktivist collective Anonymous has released 446 gigabytes of data to the DDoSecrets leak site,
emails for the most part.
They all seem to be targets of opportunity,
doxed because they were doxable and not with any immediate operational results in mind.
The Microsoft Threat Intelligence Center has published an update to earlier research
by both Microsoft and Palo Alto Networks describing the Chinese threat actor Hafnium.
The malware it's been observed using recently, Tarrask,
evades detection by using hidden scheduled tasks
whose attributes it subsequently removes.
This has succeeded in concealing it
from many common forms of detection and identification.
Fortinet's FortiGuard Labs describes a botnet
used by the Keksec group,
a criminal gang specializing in distributed denial-of-service and cryptojacking.
The researchers call the botnet EnemyBot, and while it appears to still be under development, it incorporates elements of older botnets.
ZDNet describes Enemybot as a Mirai-Gafgyt hybrid.
Prompted by recent Microsoft security moves against malware delivered by VBA Office macros, Qbot's operators are changing tactics.
Instead of using malicious Microsoft Office documents as the hook in phishing emails,
they're switching to delivering malicious MSI Windows Installer packages in password-protected ZIP files,
Bleeping Computer reports.
Yesterday was Patch Tuesday.
Microsoft released over 100 fixes, including two that address zero days.
One of the zero-days, CVE-2022-24521,
permits privilege escalation via the Windows Common Log File System driver,
and Microsoft credits NSA with tipping them off to the issue.
Citrix published four advisories and Apache upgraded Struts.
On Monday, Google issued an update for Chrome.
And CISA issued five industrial control system advisories yesterday.
And finally, there's nothing inherently nefarious about cryptocurrencies or newfangled digital commodities,
but they do have a certain attraction for sanctions evaders.
And unfortunately for some experts in the relevant fields,
helping governments under sanction evade sanctions
is something the authorities are taking seriously.
Virgil Griffith, formerly a researcher with the Ethereum Foundation,
took a guilty plea last September to charges of conspiring to violate the International Emergency Economic Powers Act
by traveling to North Korea to deliver a presentation on blockchain technology.
Reuters reports that a U.S. federal court yesterday imposed a sentence of five years and three months, plus a $100,000 fine on Mr. Griffith.
While stiff, the sentence was less than prosecutors had requested.
Griffith's attorney, Brian Klein, said in a statement that while the sentence was disappointing,
the judge acknowledged
Virgil's commitment to moving forward with his life productively and that he is a talented person
who has a lot to contribute.
An interesting aspect of the way cybersecurity has developed
is that neither the public nor private sectors
have any sort of monopoly on keeping the wheels of civilization turning.
Aaron Shilts is president and CEO of NetSPI, and we reached out to him for a discussion on why proactive public-private sector security collaboration is key to securing both corporate and government networks. Here's Aaron Shilts.
We're fortunate in cybersecurity. Unlike other tech sectors, in cyber we all defend against a common adversary. So I think there's some benefit by default. We see a ton in the ISACs. I mean, they're a great example
of member-driven organizations where there's just a lot of sharing that goes on. In some cases,
maybe more industry collaboration than it is public-private partnerships where,
candidly, I think there's actually some opportunities to improve there.
It seems to me like certainly as of late, we've seen more of a desire and an intentionality from the public sector organizations to partner with private sector organizations.
Yeah, I think that's right. This is maybe a little less partnership, but just the simple basis with the Strengthening American Cyber Act from February of this year, just requiring organizations to report attacks within 72 hours.
Of course, this applies more to critical infrastructure and the Fed. But in a world where an organization facing reputational damage from a breach may not be quick to report it,
notwithstanding state and federal regulations. So simple things like that, requiring that
ransomware payments are reported and that just the overall industry can do better at understanding
what's happening at the macro level, I think can be very, very helpful.
Do you understand some of the resistance that folks have with some of these reporting requirements?
Do their arguments make sense at all?
Well, yeah.
I mean, again, every organization is a little bit different.
Some of the reporting requirements vary significantly from state to state, from country to country.
So think about for a large multinational
enterprise, it's very complex just to figure out how to respond from a regulatory perspective,
just what you're required to do, even if you have the best intentions and are trying to do
the right thing. So that's kind of step one is just figuring out how to respond. And then,
of course, again, there's a lot of dollars at stake.
There's reputational damage.
There's the loss of customer data.
And are you reporting an incident at the federal level before you've even had an opportunity
to report to your customers?
There's just a lot of complexities there that I think well-intentioned organizations need
to work through.
And so if there's pushback, I think that's
probably some of it. You know, interestingly, one of the ways that we see public-private
collaboration, unfortunately, is federal law enforcement agencies sometimes being the first
ones to notify an organization that they've been breached. So, you know, said another way,
the organization doesn't have the controls and the systems to understand that a breach has occurred
and they're finding out through federal law enforcement. And that's actually fairly common,
especially in, you know, smaller and less mature organizations.
What are your recommendations for folks in the private sector in terms of
engaging with some of those public sector organizations?
You know, it's just important to be involved in a world where, you know, one of our biggest challenges is just finding the talent, finding qualified cybersecurity talent to run our
programs and run our organizations. There's a lot of people moving fast and just trying to get
through each day. So sometimes it's a matter of just kind of
like taking a deep breath, thinking strategically, and ensuring that part of your security program
is to work with those public sector organizations. It could be as simple as monthly InfraGard
meetings where you're attending and listening and building relationships with InfraGard and
some of these other organizations. There's a lot of collaboration that takes place, again, even in the ISACs. And sometimes it's less
about specific targeted threat information that's actionable. And it's more about,
hey, I'm a financial services organization. I have a certain problem. And you kind of put it
out to the group. And it's amazing the collaboration that takes place. I see this in the ISACs often where it's, you know, these are competitors working
closely together to defend against a common adversary. And so I think some of it's just,
again, kind of that blocking and tackling and being purposeful about taking the time
to build the relationships.
That's Aaron Shilts from NetSPI.
And I'm pleased to be joined once again by Tim Eades.
He is the CEO at vArmour and co-founder of the Cyber Mentor Fund.
Tim, always great to welcome you back to the show.
I want to touch today on some of the transformations when it comes to digital technology and security that I know you and your colleagues are tracking.
What can you share with us today?
Thanks, Dave. Great to be here.
I love the show.
So when we look at over the last few years,
digital transformation has really accelerated with the pandemic.
Whether it's your Levi's or whether you're a large bank,
everybody has been accelerating to the cloud.
But that transforms your attack surface.
And that leaves you open.
Your attack surface, whether it's across your infrastructure
from your data center to your mainframe all the way through to your public cloud, has been stretched.
And so that's causing resiliency issues. So then you put this wave on it from ransomware. And
obviously Colonial Pipeline was the big one last year that made everybody in the country wake up.
When you look at ransomware, it's an attack where people are obviously holding assets
in order to get money back,
but they're crippling the infrastructure
in order to get the leverage.
So that's the first time where you've really seen
over the last, I don't know, 20 years,
where cybersecurity has now become a resiliency play, right?
Because once things are getting compromised
in a ransomware attack,
they are compromising the ability
for the business to function.
And so the cybersecurity function in the past
obviously has a whole breadth of skills.
But what I'm seeing now is this rise
over the last two or three years
of resiliency as a conversation
and resiliency as a responsibility of the CISO, not just as they secure against the ransomware attacks, they are making it and they
are ensuring that the business is more resilient. Now, difficult in a pandemic, very difficult as
you accelerate digital transformation, because people will put business priorities sometimes ahead of security,
but security has to be an enabler to digital transformation, not a restrictor.
When we're talking about resiliency, can you give us some insights as to, I mean,
what is the spectrum of areas that that covers? Because I suspect it touches a lot of different
places in a business. Let me give an example. There's a great bank that I know couldn't process 100,000 plus credit cards in one morning
because the payment system was down.
The payment system in that particular case was dependent on multiple applications serving it.
As one of those applications serving the payment gateway was actually compromised,
the whole payment system collapsed
and couldn't process these credit cards.
So that's an example where the payment solution has multiple dependencies on it.
And if you have one outage, the whole thing is affected.
And the challenge becomes, as you move certain apps to the cloud,
and not all of them go there, right, into the hybrid cloud world, which everybody's adopting,
applications talk horizontally, not vertically,
as in across the environment.
So they will go horizontally.
And so your multi-hop dependency is across the environments
as well as anything else.
So it's difficult.
You have to embrace, obviously, digital transformation
to compete and to survive.
But at the same time, resiliency is becoming a critical function
for the CISO to keep his head on.
The organizations that you see doing this well,
are there any common threads there?
That's a great question.
So the level of resiliency understanding really does vary.
I mean, what we find is companies and large retailers,
a friend of mine runs security,
one of the largest retailers in the States,
really struggle to understand the terrain of their applications,
the terrain of their environments that's been served up.
So the lack of visibility, the lack of understanding
is really hard to get
because they will see what these workloads,
but they don't understand what they are
because a lot of the data within the organization is mislabeled or not labeled at all.
And so they might see all these applications, all these flows, but they don't know what they are.
So I think that's what's causing the challenges.
All right. Well, interesting stuff for sure. Tim Eades, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.