CyberWire Daily - Putin goes medieval (we paraphrase the UK defense secretary). Cyberattack disrupts a logistics giant. Two reports look at the state of industrial cybersecurity.
Episode Date: February 23, 2022
With diplomacy at a standstill and Russian troops now openly in Ukraine, Western governments impose sanctions on Russia. A fresh round of distributed denial-of-service attacks against Ukraine. Cobalt Strike continues to be misused by criminals. A cyberattack has severely disrupted a major logistics firm. My conversation with Assistant Director Bryan Vorndran of the FBI Cyber Division. Our guest Ed Amoroso from TAG Cyber explains Research as a Service. And two looks at the recent and prospective state of industrial cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/36
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
With diplomacy at a standstill and Russian troops now openly in Ukraine,
Western governments impose sanctions on Russia,
a fresh round of distributed denial-of-service attacks against Ukraine,
Cobalt Strike continues to be misused by criminals,
a cyber attack has severely disrupted a major logistics firm,
my conversation with Assistant Director Bryan Vorndran of the FBI Cyber Division,
our guest Ed Amoroso from TAG Cyber, explains research as a service
and two looks at the recent and prospective state of industrial cybersecurity.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 23rd, 2022.
Diplomacy seems to be at a standstill, at least temporarily.
Russia stands more or less alone with full support from Syria and Belarus and some relatively tepid support from China.
In general, Russia's President Putin is playing an aggressive role
Europe hasn't seen since the 1930s.
Reuters reports that Ukraine yesterday renewed its warning
that it saw signs of renewed cyber attacks against its banks, its defense sector, and government
websites. The warning appears to have been based upon indicators and warnings and not merely a
matter of a priori probability. CERT-UA based its assessment on what it observed in dark web chatter. Those attacks have
in fact materialized over the last few hours. It's a massive distributed denial of service campaign
and it's said to have hit banks and government websites, particularly sites run by the foreign
ministry and the security services. The telegram says that authorities are working to mitigate their effects.
The U.S., U.K., and Australia have attributed recent cyberattacks
against such Ukrainian targets to Russia's GRU.
The EU's Cyber Rapid Response Team has been activated and will deploy to Ukraine.
The move, Politico says, has been welcomed by Kiev.
Activation was a joint decision of the six states that contribute to the team,
Croatia, Estonia, Lithuania, the Netherlands, Poland and Romania.
Speaking of the GRU, the Russian Military Intelligence Service has upgraded its attack toolkit,
replacing the VPNFilter malware familiar from earlier attacks with an improved version the
UK's NCSC and the US agencies CISA, NSA, and FBI are calling Cyclops Blink. The four agencies issued
a joint advisory warning of Cyclops Blink just a few hours ago. It's a large-scale modular malware
framework being used to attack network
devices. Cyclops Blink is normally distributed to its victims under the guise of a firmware update.
Ukrainian officials say that the most recent round of cyberattacks has been accompanied by
a wave of phony bomb scares. The former defense minister of the so-called Donetsk People's Republic, one Vladimir
Kononov, is said to have been the target of an attempted assassination by bomb, the nominally
separatist region announced. TASS asserts that one man, not Mr. Kononov himself, but someone going
to meet the former defense minister, was injured in the attempt. Germany's refusal to certify the Nord Stream 2 pipeline,
a move that blocks a substantial increase in Russian sales of natural gas to Europe,
was the first and most consequential of the sanctions imposed as the week began.
TASS communicated the Kremlin's regret over the decision,
quoting spokesman Dmitry Peskov to the effect that this is a purely
economic commercial product which is also called to become a stabilizing element for the gas market
in Europe further to mutual benefit, and both suppliers and consignees of our gas, in the first
instance Germany and other European states, are interested in it. Other sanctions have aimed to reduce Russian access to
global financial and capital markets. The Telegraph reports that Britain has imposed what Prime
Minister Johnson describes as the first barrage in its own sanctions program, singling out five
banks and three high-net-worth individuals. Prime Minister Johnson said, quote, any assets they hold in the UK will
be frozen. The individuals concerned will be banned from traveling here and we will prohibit all UK
individuals and entities from having any dealings with them, end quote. He signaled that other
sanctions are being held in reserve, quote, this is the first tranche, the first barrage of what we are prepared
to do, and we hold further sanctions at readiness to be deployed alongside the United States and the
European Union if the situation escalates still further, end quote. The EU has, according to the
AP, sanctioned the 351 members of the Duma who voted for recognition of Donetsk and Luhansk, and also
27 other Russian institutions and individuals from the defense and banking sectors. President
Putin himself was not among them. And the U.S. introduced further sanctions beyond those already
imposed Monday that prohibit U.S. persons from doing business with the two Ukrainian provinces Russia is seeking to detach.
The newest measures are designed to punish Russian oligarchs and impede Moscow's ability to sell sovereign debt.
Administration officials say they're holding more and more severe sanctions in reserve,
but The Telegraph reports critics call the limited measures appeasement.
S&P Global records informed speculation that the incremental approach may be at least in part motivated by concerns about economic blowback.
After today's round of cyberattacks,
Western governments announced their intention to ratchet up sanctions.
The U.S. is sanctioning the Nord Stream 2 pipeline's parent company
and is considering comprehensive export controls.
The U.K. and the EU are also preparing to increase their sanctions.
Moody's Investors Service has taken a look at the cyber implications of the crisis, which it sees as central to assessing credit quality. Its analysts have concluded that attacks on critical
infrastructure are a high risk in terms of consequence, vulnerability, and likelihood.
Quote, critical infrastructure is a likely target of cyber attacks amid ongoing Russia-Ukraine
tensions for two reasons. First, the Russian government has a history of launching cyber
attacks on critical infrastructure [...] might take. Quote, Ukraine has been a testing ground for Russia's cyber capabilities for at least the
past decade, with critical infrastructure a frequent target. Critical infrastructure sectors
include food and agriculture, energy, health care, emergency services, chemicals, dams, financial
services, information technology, nuclear reactors, transportation systems, and water and wastewater systems.
The report also sees NotPetya as providing an example of the way in which cyber attack would,
in all likelihood, not remain confined to a specific geographical region.
In the case of NotPetya, for example, large multinationals became channels through which malware delivered as the payload in a maliciously modified Ukrainian tax preparation software package spread well beyond the initial points of infestation.
Not only were the multinationals themselves affected, but their customers were as well.
Nor should businesses count on being able to transfer the risk of cyber attack to their insurance carriers.
Cyber exclusion clauses are growing increasingly common.
Cyber coverage has tended to migrate away from more traditional lines of coverage
to cyber-specific policies, which generally offer lower coverage limits.
Such policies now commonly have war or hostile action exclusions,
and insurance associations have developed and shared model exclusion clauses.
Criminals continue to misuse Cobalt Strike.
AhnLab reports that the tool is being distributed to vulnerable Microsoft SQL servers.
BleepingComputer explains that the legitimate penetration testing software package
is attractive to the underworld because of its
ready availability and extensive suite of capabilities, hence its widespread misuse.
Operations at the major logistics firm Expeditors International have been disrupted by a cyber
attack disclosed Sunday, and the Wall Street Journal reports that the company currently still
has only a limited ability to conduct operations.
There's speculation that the incident was a ransomware attack, but as ZDNet notes, the company won't confirm that.
Dragos has released its 2021 ICS Cybersecurity Year in Review.
It identifies new threat activity groups with a probable focus on ICS targets, and it also comments on the continuing expansion of the attack surface industrial organizations represent.
One problem the report outlines is a widespread lack of visibility organizations have into their own systems.
According to the report, 86% of organizations report limited to no visibility of ICS environments.
And finally, IBM also sees a growing threat to industrial firms,
specifically to those involved in manufacturing.
They're particularly vulnerable to supply chain attacks,
and they've recently been receiving unwelcome attention from ransomware gangs.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Many organizations find value in getting outside, independent insights from researchers. Our guest Ed Amoroso is from TAG Cyber and is also a professor at NYU. He and his team recently published their 2022
Q1 Security Report, which focuses on research as a service.
Well, most companies rely on research analysts to assist them in understanding vendors and
understanding where they come from and how they might fit. Even some of the companies that do it perhaps are maybe because of the
complexity of cybersecurity or the size of the industry or just the amount of revenue that's
being tossed around. It's been our observation that the original goals have sort of gone awry
to some degree. So we've been focused on trying to bring enterprise teams back to their roots
and think through selection of vendors in the same way that an engineer would think about the materials and components that go into building a bridge.
You wouldn't want to drive over a bridge and ask the engineer, hey, how did you pick those cables?
And they scratch their head and think, you know, not really sure.
They were kind of legacy.
They were laying around here before, so we figured we'd just use them on the bridge.
I mean, we laugh at that on a bridge,
but how many times would you hear exactly that,
the analog to that, made by, say, a CISO at a bank?
Why are you using that endpoint tool?
You know, it's funny.
We had some.
It was just here when I got here.
I don't really know.
It's insane.
It's not the way to do it.
And I will say that with virtualization and cloud, it's much easier to swap things in and out than it used to be.
It's very possible now that if you're not happy, for example, with some gateway that you're using, firewalls,
if it's running on a virtual platform, you don't have to wait three months for the
vendor to ship something.
You pull it off the loading dock, you put it in a data center.
None of that is applicable anymore.
You can very quickly swap images out.
So it's a good time for people to get their arms around a more rational means for managing
their cybersecurity portfolio.
What are you finding in terms of how organizations kind of turn the dials of how much they handle
internally and how they coordinate with an outside provider?
It really depends on the size in the sector.
You know, as you go down market to smaller companies, everybody's using applications
that sit in a SaaS infrastructure or cloud.
It's kind of cool, right? Like you could be a little company. You and I,
Dave, could start a company tomorrow. In the afternoon, we'd have
our own IT department. We'd get it from Microsoft. We'd have our own
payroll system. We'd get it from some payroll SaaS provider.
On and on, you get sales capability from Salesforce
or Pipedrive or one of these CRMs.
It's amazing.
You really very quickly can build up capability in and around.
So for research and for selection of cybersecurity, it's become the same thing where these things can be turned up like utilities,
and managed service providers are morphing from, say, managing your firewall to something that is more timely.
That's why you hear this designation DR, detection response,
like managed detection response, endpoint detection response,
or even extended or X detection response.
That's really just providing a utility-based security capability
that would be plug-compatible with all these SaaS and cloud capabilities
that people are doing.
So the security becomes more a service utility.
Now, that's really found everywhere for smaller companies.
As you move upstream, it's more a mix, right?
If you're a big, giant bank or you're a
big service provider, like the program I used to run in telecom, you have the ability to mix and
match and do things internally, build things in your own data centers. But there's no question
that the economics and sort of the mood, the general trend and tenor of our industry
is more and more toward outsourcing things and letting some expert do what they do well.
That's unmistakable, and it's certainly also true in cybersecurity.
What's your advice for organizations to find someone to provide this who's a good fit?
What sort of questions should they be asking?
Well, again, it really does matter what sector you're in and how big the organization is. So,
for example, in the federal government, as you deal into critical infrastructure that have national security or even life implications, say military, then there are specialized
experts that you want to be working with who understand
your domain. Once you get into commercial, then there's a whole host of different research and
advisory teams that work. Obviously, I'm pretty biased. I think we do a wonderful job, but there's
a lot of smaller and bigger ones that work. If you're a vendor, then it's quite a decision to make because if you jump in a little
too soon with some of the larger research and advisory firms, you could be wasting your money.
I'd rather see you hire an engineer than go pay $150,000 to be mentioned in a report.
But at some point, the vending community can benefit from using these types of services.
So I would say it really does vary.
But if there's one bit of advice, I would say make sure that you don't waste your money.
If you feel like it's a decision whether to hire engineers or go, say, get mentioned or use advisory services in a marketing capacity, much rather you hire the engineer.
I think that's a better decision.
That's Ed Amoroso from TAG Cyber.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to welcome to the show Bryan Vorndran.
He is the assistant director of the FBI's Cyber Division.
Mr. Vorndran, it's great to have you here on the Cyber Wire.
I wanted to start off today by just getting a sense for the mission of the cyber division of the FBI, the strategies that you have, your place among the various federal agencies.
Can we start there?
Thank you for the introduction, Dave.
I'm very much looking forward to our conversation today.
The FBI has a few unique authorities within the United States government relative to cyber.
Certainly, we're the lead federal investigative agency for threat response, which essentially means that when there is a computer intrusion, the FBI would have the lead for any investigative action or to enable intelligence community partners or private sector partners for follow-on action.
Secondly, we have a keen interest in domestic intelligence.
And in order to inform that authority, that means that we have to have very good working knowledge
of everything going on relative to cyber within the United States.
And that allows us to inform the intelligence community about trends, academic networks,
defense industrial-based networks, and those are important authorities to us as well.
Where we fit in with an agency such as CISA is that CISA would be on the asset response side.
They would be responsible for mitigation, for patch management, these types of things about
broad vulnerabilities, and to inform the resiliency and net defense side.
So we're very much on the investigative, proactive operational side, whereas in comparison,
CISA would be on the asset management.
We do do a lot of work in our space with the United States Secret Service.
They are a very, very good partner of ours,
and they have complementary authorities to ours for the U.S. government.
Give me a sense for how you all dial in with the limited resources that you have, as any government agency does. How do you turn those dials and decide what your priorities are when it comes to the mission for cyber?
Sure. We essentially segregate into five key buckets on the operational side.
Four of those buckets are the major state actors of Russia, China, Iran, and North Korea. And then
we have a broad overarching criminal threat that we would know as ransomware, botnets, SIM swapping,
these types of threats faced by individuals and companies here in the United States.
But in terms of priorities, those are very much at the state actor level as well as within the criminal space. Decisions that are made within the interagency of the intelligence community
based on available intelligence, but really guided by which state actors or which criminal groups are having the biggest impact
and causing the most disruption and the most loss to organizations here in the United States.
So that's a very, very focused answer about how we try to delineate our adversaries
and how we try to prioritize against them.
And what are the primary ways that people interact with the FBI? I mean, you have the IC3,
which is a way for folks to report issues, but what are the major ways that those interactions
take place? Sure. We have a few different mechanisms. So first of all, we obviously
have a very decentralized workforce. So we have 56 field offices in the FBI. We have hundreds of
additional resident agencies that are offshoots of those FBI field offices. So we have the capability
to get a cyber-trained FBI agent really to any
doorstep in the country here within an hour. That becomes very, very important when a corporation
or an organization or an academic institute becomes the victim of a cybercrime. We do have
great capacity to respond domestically, to have meaningful conversations with people
who have become victims. And I think, you know, while we talk cyber, it is important to remember
that the victims behind cyber attacks are still human beings. And I do think the FBI is very,
very strong in that space. We also have very proactive outreach efforts that have been sustained for decades at this point. We have relationships with hundreds and probably thousands of organizations throughout this country and even abroad where there is a proactive, ongoing dialogue for exchange of information and intelligence related to cyber.
That's a two-way flow of indicators of compromise, TTPs, other malware signatures,
just to make sure that we are doing our best to stay in line with the threat and to keep channels of communication open.
You know, we always encourage organizations, companies, academic institutions to build
that relationship with the FBI before they become a victim of an intrusion.
The familiarity of having a personal relationship with someone in the FBI or someone in CISA
for that matter.
So we always make these recommendations and build those relationships now.
You had mentioned IC3. IC3 is
www.ic3.gov and is the primary intake for internet crimes for the FBI. That would cover online frauds
such as romance scams. That would cover business email compromise and it would cover traditional cyber intrusion reporting.
And so that is a very, very key portal.
On a weekly basis, that intake portal receives about 20,000 individual leads.
So it's a very, very active portal for us.
But we also encourage people that it's specifically related to cyber.
If they are the victim of a computer intrusion, they should call their local field office immediately to try and get support.
All right. Well, Bryan Vorndran is the assistant director of the FBI's Cyber Division. Thank you for joining us today,
and I'm looking forward to continuing our conversation.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.