CyberWire Daily - Ransomware groups continue to shift identities and targets. Assessments of the cyber phases of a hybrid war. Is wartime tough for criminals? Anonymous counts coup…against Moscow’s taxis.
Episode Date: September 2, 2022

REvil (or an impostor, or successor) may be back. A Paris-area medical center continues to work to recover from cyber extortion. An assessment of Russian failure (or disinclination) to mount effective cyber campaigns. Cyber criminals find wartime to be a tough time. Josh Ray from Accenture looks at cyber threats to the rail industry. Our guest is Dan Murphy of Invicti making the case that not all vulnerabilities are created equal. And Yandex Taxi's app was hacked in a nuisance attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/170

Selected reading.
REvil says they breached electronics giant Midea Group (Cybernews)
Paralysed French hospital fights cyber attack as hackers lower ransom demand (RFI)
French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer)
Hacks tied to Russia and Ukraine war have had minor impact, researchers say (The Record by Recorded Future)
Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict (arXiv:2208.10629v2)
Why Russia's cyber war in Ukraine hasn't played out as predicted (New Atlas)
Cyber key in Ukraine war, says spy chief (The Canberra Times)
Montenegro Sent Back to Analog by Unprecedented Cyber Attacks (Balkan Insight)
Montenegro blames criminal gang for cyber attacks on government (EU Reporter)
Ransomware Attack Sends Montenegro Reaching Out to NATO Partners (Bloomberg)
"I'm tired of living in poverty" – Russian-Speaking Cyber Criminals Feeling the Economic Pinch (Digital Shadows)
Yandex Taxi hack creates huge traffic jam in Moscow (Cybernews)
Anonymous hacked Russia's largest taxi firm and caused a massive traffic jam (Daily Star)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
REvil may be back.
A Paris-area medical center continues to work to recover from cyber extortion.
An assessment of Russian failure to mount effective cyber campaigns.
Cyber criminals find wartime to be a tough time.
Josh Ray from Accenture looks at cyber threats to the rail industry.
Our guest is Dan Murphy of Invicti, making the case that not all vulnerabilities are created equal.
And Yandex Taxi's app was hacked in a nuisance attack.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, September 2nd, 2022.
The ransomware group behind REvil may have returned, CyberNews reports. The gang had been
in hibernation for some months, and many concluded
that it had disbanded. That may still be true, but someone claiming to represent REvil has said
they successfully attacked the Midea Group, a major Chinese manufacturer of electrical appliances,
and they've revived a version of the REvil dump site to post a proof of hack.
The story is still developing, and what's been reported so far is as consistent with imposture and rebranding as it is with the gang's return.
The large French medical center CHSF, hit in August by an extortion attack
that reduced the medical center's ability to deliver patient care,
is still in the process of recovering from the cyber attack. The effects of the incident have been unusually protracted. RFI reports that the Gendarmerie's GIGN has come to the assistance of
the hospital located south of Paris and is both investigating and negotiating with the criminal attackers.
CHSF continues to refuse to pay ransom.
Bleeping Computer has reviewed the grounds for thinking the attack involved a LockBit variant,
even though hitting a medical center amounts to a violation of the Robin Hood code LockBit has postured with in the C2C marketplace.
An essay in the New Atlas looks at the decidedly mixed record of cyber operations in the current Russian war.
While Russian operators had some early success deploying wiper malware against Ukrainian
communications infrastructure, that success was short-lived.
Since the first weeks of the war, Russian cyber operations have tended
toward conventional espionage, augmented by some ransomware privateering and nuisance-level
distributed denial of service. The reasons for this are obscure, but while due credit should
be given to Ukrainian resilience, Russia's cyber shortfalls may be a species of the more general Russian problem of coordinating effective combined arms operations.
The essay says,
What has been apparent over the last six months is that few, if any, of Russia's cyber attacks
have been launched in support of a clear military objective.
There were no assaults on military command and control systems,
no critical infrastructure attacks,
and nothing that could put real pressure on Ukraine
to force concessions from the country or its friends.
Drawing on a range of data sources,
we argue that the widely held narrative
of a cyber war fought by committed hacktivists
linked to cybercrime groups is misleading.
That's the conclusion a study conducted by researchers
at the universities of Cambridge, Strathclyde, and Edinburgh reached.
The researchers looked at web defacements,
reflected distributed denial-of-service attacks,
and communiques posted to a volunteer hacking discussion group.
They enriched their analysis by interviewing people
who'd actively engaged in defacing websites in Russia and Ukraine.
It appears that hacktivism shades quickly into slacktivism
as much of the initial enthusiasm fades.
The researchers summarize,
our main finding is that there was a clear loss of interest
in carrying out defacements and DDoS attacks after just a few weeks.
Contrary to some expert predictions, the cybercrime underground's involvement in the conflict appears to have been minor and short-lived.
It is unlikely to escalate further.
Rachel Noble, chief of the Australian Signals Directorate, has, according to the Canberra Times,
a higher assessment of how privateers, at least, have performed in the war.
She told a conference this week,
cyber criminals started to take sides in the war.
These are serious and organized criminal gangs with deep resources
who took it upon themselves to take action both on behalf of Russia
and on behalf of Ukraine and involve
themselves in the conflict. So, perhaps privateering isn't decisive, but it's messy and troublesome
nonetheless. Concluding that privateering may be played out, however, may be premature,
if the Montenegro incident is any indication. Balkan Insight characterizes the effects of the Cuba ransomware on Montenegrin networks as having sent the country back to analog.
Bloomberg reports that investigation and recovery are still in progress, as Montenegro calls in assistance from its NATO allies.
And a second piece in Bloomberg cites a warning from the Italian foreign minister that cyber attacks against Western European targets have spiked since Russia's invasion of Ukraine.
Apparently war is tough on the underworld, too.
Digital Shadows, in the course of its continuing observation of Russophone cybercriminal fora
and its ongoing nosing around the dark web,
finds that the war has been tough on the cyber underworld too.
Part of the tough times seems to be the normal fluctuation
of the criminal business cycle.
Gangland is just going through one of its periodic troughs.
But sanctions and other war-driven downturns
have had their effect as well.
Digital Shadows writes,
With recent sanctions and additional scrutiny on activity originating from Russian entities,
it's likely that many of these cybercriminals have been forced to constantly refine and adapt their techniques,
and therefore having to climb out of that trough again.
A good example of this is the use of Google Pay and other financial technologies becoming banned for use across Russia.
This led to many scams becoming redundant almost overnight.
There's one surprise in this report.
Some of the bite taken out of their earnings seems to have come from the Russian authorities themselves,
who've cracked down on the carding they'd formerly winked at.
Taxi! Taxi over here! Taxi!
Like everybody else, all us bots need a lift too!
Or something like that.
The latest incident in nuisance-level hacking to be seen in the hybrid war Russia opened
with its February invasion of Ukraine took place in Moscow.
Yandex's taxi ride-hailing app was breached by hackers this week
who summoned dozens of cabs to the Hotel Ukraina, snarling traffic and generating much inconvenience,
CyberNews reports. For what it's worth, Anonymous TV claimed responsibility on behalf of the
hacktivist collective, tweeting, Moscow had a stressful day yesterday. The largest taxi service in Russia, Yandex Taxi,
was hacked by the Anonymous collective. A traffic jam took place in the center of Moscow
when dozens of taxis were sent by the hackers to the address on Kutuzovsky Prospekt.
The tweet associated the action with Anonymous's OpRussia.
So what can you do?
Well, you can take the bus or take the metro. And seriously, what does Anonymous hope to accomplish with the cyber equivalent of prank phone calls? Much hacktivism is like slacktivism in that it
seems mainly aimed at enhancing the hacktivist's self-esteem.
Coming up, Josh Ray from Accenture looks at cyber threats to the rail industry,
and Dan Murphy from Invicti makes the case that not all vulnerabilities are created equal.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Threat actors have been exploiting remote code execution vulnerabilities across all industries.
And faced with that reality, organizations are working to prioritize their remediation and threat hunting strategies.
But knowing how to go about setting those priorities is often easier said than done.
Dan Murphy is a distinguished architect at software security firm Invicti.
One of the key challenges that organizations have is how to prioritize what to fix first.
There's so much that you need to know where to spend those precious development hours and patching things.
In an ideal world, every possible vulnerability would be fixed.
But in reality, we have to find out the ones that can be exploited, the ones that can be attacked, the ones that can actually be used by someone hostile on the network.
And figuring out that balance is something where tools can help you.
Good tooling is essential to be able to find out what to fix first.
Well, and traditionally, how have folks gone about this?
What would have been the methods by which people have prioritized these things?
Yeah, so there's a number of different ways that we can find vulnerabilities in software.
When we take a look at how software is built using something like software composition analysis, you can do kind of an inventory of all of the libraries that go into your software and just make sure that everything that goes in is from a trusted version.
and look for harmful patterns where an untrusted source of input,
say a parameter that comes over an HTTP request,
goes to an untrusted sink, something like a SQL call where someone didn't care to escape all of the hostile parameters that are injected.
So these two things are great, but they find potential.
If you've ever been a developer that's been on the other end of a static analysis tool,
you know that they tend to
be somewhat noisy. You get flooded with all sorts of potentialities, things that could go wrong. But
oftentimes as a developer, you know the conditions in which software is deployed. You know where it
sits. You know, generally speaking, what's possible to be an input. Now, you can't get overconfident
in knowing what those inputs are, but there's a lot of noise.
And there's a third class of tool as well, which is dynamic analysis tools.
And those tools, those work by actually sending the attacks over the network.
They perform the real exploits that the black hats will use.
And these three lenses, they're all important.
They all give kind of a different sense of what is out there,
what the risk is. However, when it comes to prioritizing, really taking a look at what is
provably exploitable, that's kind of key. So I tend to favor that last lens, have a bit of a bias
working at Invicti, but actually doing those attacks the way that the attackers are doing them is a great way to know what to fix first.
When people fall short on this, I mean, what typically leads to that?
I mean, everyone's intentions are good, of course, but as you say, there's just so much noise.
Yeah, and there's a lot.
I mean, if we look at the number of CVEs that have come out within the last year, even just in the realm of RCE, remote code
execution, there's been a ton. If you look at since the start of the pandemic, it's basically
a big hockey stick that is getting exponentially larger. And because of that, it's almost impossible
to keep up with the number of packages that software is getting increasingly complex. It's
composed of more and more packages that are out there.
And you just kind of have this explosion of complexity.
It almost leads to a situation where simple software is now composed of hundreds of packages.
And for a development team to keep up with that, it's tough.
It's that combination of the lens of knowing what goes in, trying to limit that complexity,
but also making sure that you're doing that real testing that can kind of tell you
what is actually exploitable. That's kind of the way to cope with that complexity.
Well, in your experience, the organizations that are having success here, who are doing the right
things and being able to measure it, what sort of things do they have in place? Is there a common
thread there? Yeah. In fact, I think that a successful organization really applies all of those techniques at
different stages of the software development lifecycle.
So great organizations, they will scan their source code as soon as it's checked in to
look for vulnerabilities.
They will automate the practice of auditing things and checking out the composition to
make sure that stuff doesn't get old.
With software systems that are increasingly composed of many open source solutions, what was good today is not going to be
safe tomorrow. And automating that practice, not just kind of deferring it to a manual once over
every quarter, but making it part of the continuous integration, continuous delivery pipelines,
making it part of that CI/CD practice is key. So automation and frequency of scanning.
In fact, we've actually noticed when Log4j came out,
which was a bit of an earthquake back in December,
we noticed a very strong correlation
between those who scanned frequently and those who fixed.
So those who scanned were those who fixed.
And we noticed that those companies
that had that regular practice of a scheduled scan that was either automated, happening daily or weekly, those are the ones that were able to respond.
We actually found that the mean time to remediate was eight days or so, which is not that bad.
But it comes from that constant practice, not just making security an afterthought, but baking it into the software
delivery process to make sure that it's something that you designed for from the start.
Can you give us some insights on dialing in the human element versus the automation and
finding the proper balance?
Yeah.
So I'm a huge believer in the human element is often what causes vulnerabilities, and
it's often what is
great at being able to detect them. So automatic scanning is very important because you can throw
robots at it. You can have it be repetitive. But the true, a lot of very interesting attacks,
those come from very creative applications of problem solving. I tend to try to go to
hacker conferences like DEF CON. And one of
the main reasons that I go is to see the incredible display of human ingenuity that is just up on
stage. The tiniest crack that someone can get and then turn that into a way to execute code on a
remote system. It never ceases to amaze me what human creativity can do. So I think that combination of automated testing,
but then also with manual penetration testing
and threat hunting is key.
There's going to be things that,
particularly very clever ways
that exploits can be chained together.
Gadgets can be constructed to start with that tiny crack
and then widen it and ultimately achieve
kind of a shocking objective.
That is, you can't forget that human element.
That's Dan Murphy from Invicti.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Josh Ray.
He is Managing Director and Global Cyber Defense Lead at Accenture.
Josh, great to welcome you back.
Thanks for having me back, Dave.
You know, I want to touch base with you today on what I consider to be perhaps one of the, I don't know, overlooked elements of critical infrastructure, and that's the rail industry.
I know this is an area that you and your colleagues have been focused on lately.
What can you share with us today?
Yeah, Dave, I think you're right.
I mean, this is definitely an overlooked industry from a critical infrastructure standpoint.
And I had a great conversation with Anthony Wilson on this the other day.
And the rail industry really presents a very unique
convergence of things like not only critical infrastructure, but the role in
defense. But they also have a lot of really interconnected
IT, OT, IoT types of technology.
This is just continuing to grow.
You look at network signaling, switching routing, and all the different control systems that provide a very unique attack surface for threats to exploit, but also collect intelligence against.
What sort of things are we seeing out there?
I mean, are the bad guys actively, you know, banging against the rail industry's infrastructure?
Yeah, I mean, we've seen, you know, a few specific types of examples, you know, around ticketing and IT scheduling systems.
I mean, these obviously represent very significant targets, which not only can cause, you know, significant disruption,
but, you know, a financially motivated actor can take advantage of this as well.
But I really want to kind of hone in on the defense kind of aspect on this
and maybe even the nation state.
And this is something that I think has obviously gotten the attention
of many governments, especially the U.S. government,
as Ann Neuberger, I think, is going to be hosting a bunch of CEOs from the rail industry
to really kind of talk through a comprehensive approach about, you know, securing this privately
owned and operating infrastructure. But, you know, there are some, I think, some really specific things that, you know, we wanted to make sure that, you know, the Cyber Wire folks, you know, understood, but some key
takeaways, I think, for CEOs or chief risk officers kind of going, potentially even going into that
meeting. Well, let's go through it together. What sort of things do you think deserve our attention here? Well, I mean, this might be probably just, you know, a Captain Obvious statement, but
thinking about it through an adversary mindset and understanding, you know, that your stock,
the things that you have are of very much interest to, say, nation state types of actors,
right? So the things that you are moving across your rail inherently makes you of interest to those
types of actors.
And you look at even the Indian Railway, where they are classified as a national defense
asset because of the critical nature that they have as far as moving troops and defense-related
types of equipment.
Another thing I think, just kind of that convergence that I spoke about before, as far as the interconnectivity between IT and OT systems, you know, really does make them vulnerable,
right?
And this is something that continues to need more segmentation, as well as, you know, monitoring
across, you know, those types of systems.
And, you know, don't forget those ticketing and scheduling systems because they don't have to necessarily
target the OT system to really disrupt your organization.
And then I'd also say, and this kind of comes from maybe a non-traditional way of looking at kind of the volumes of traffic for spikes in the system
that might, you know, indicate some type of malicious types of activity in your network.
And really, it's kind of using a SIGINT type of technique to really kind of determine patterns
across your network to help determine if you have a malicious actor that is potentially latent in your network.
But the last thing I think, and really the one to kind of foot stomp, is there is a direct
connection between the type of rail that you ship and move and nation state motivations.
And this is very specific as it relates to understanding kind of where those assets are
moving and the type of intel that can be gained from a nation state actor,
especially when you're thinking about things from a defense standpoint.
Do you have a sense for where we stand in terms of, you know,
is the rail industry keeping up with this or are they behind?
Are they ahead of the game? Any thoughts there?
Well, you know, I think that they, like all industries, you know, are trying to keep pace, you know, and operate at the speed of the threat.
But, you know, when you're talking about critical infrastructure, all forms of critical infrastructure, you know, kind of need to continue to understand their role as it relates to kind of, you know, the broader economic impact, the broader impact
to defense and society as a whole.
And I think, you know, this public-private partnership approach is incredibly important
in understanding not only the threat landscape, but, you know, what specifically can you do
to defend your organization?
And I really can't stress enough that, you know, the importance of, you know, the rail in our industry,
in our, you know, economic well-being is kind of being one of those things
that while it's often, you know, maybe forgotten,
it is incredibly important to make sure that we secure those,
that critical infrastructure.
All right. Well, Josh Ray, thanks for joining us.
Thank you, Dave. Appreciate the opportunity.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Ryan Kovar from Splunk.
We'll be discussing their findings, truth in malvertising,
which contradict the LockBit Group's encryption speed claims.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Thanks for listening. We'll see you back here next week.