CyberWire Daily - Renewed Five Eyes’ warning about potential Russian cyberattacks. FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business.
Episode Date: April 21, 2022
A renewed Five Eyes' warning about potential Russian cyberattacks. The FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business. Carole Theriault shares insights on bug bounty programs. Our own Rick Howard checks in with Zack Barack from Coralogix on where things stand with XDR. And beware of threats of Facebook account suspension.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/77
Selected reading:
Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
US and allies warn of Russian hacking threat to critical infrastructure
REvil's TOR sites come alive to redirect to new ransomware operation
FBI Warns of Ransomware Attacks on Farming Co-ops During Planting, Harvest Seasons
Phishing Site on Facebook Domain Used to Steal Credentials
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A renewed Five Eyes warning about potential Russian cyber attacks.
The FBI warns of the threat of ransomware attacks against the agriculture sector.
REvil may be back in business.
Carole Theriault shares insights on bug bounty programs. Our own Rick Howard checks in with Zack Barack from Coralogix on where things stand with XDR.
And beware of threats of Facebook account suspension.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 21st, 2022. The cyber authorities of the Five Eyes, that is Australia, Canada, New Zealand, the United
Kingdom, and the United States, have issued a joint cybersecurity advisory warning that there are indications of Russian preparations and intent to conduct significant cyberattacks
against critical infrastructure in countries who have sanctioned Russia or otherwise supported Ukraine.
In specificity and detail, the advisory goes well beyond the normal run of government alerts.
The Five Eyes agencies' warning is based on actual intelligence and not merely on grounds of a priori possibility.
They say,
Evolving intelligence indicates that the Russian government
is exploring options for potential cyberattacks.
Recent Russian state-sponsored cyber operations
have included distributed denial-of-service attacks,
and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.
Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct
cyber operations in retaliation for perceived cyber offenses against the Russian government
or the Russian people. Some groups have also threatened to conduct cyber operations against
countries and organizations providing material support to Ukraine. Other cybercrime groups have
recently conducted disruptive attacks against Ukrainian websites,
likely in support of the Russian military offensive.
The explicit notice taken of Russophone criminal gangs suggests that privateering remains a prominent component of Russia's cyber capabilities.
The advisory includes a summary of risk reduction measures infrastructure operators should consider taking against the eventuality of Russian cyber attack.
It also contains a summary overview of the various Russian government organizations known to engage in offensive cyber operations.
REvil, the ransomware gang that sustained the arrest of 14 members by Russia's FSB back in January,
appears to be back in business, maybe or maybe not, under new management.
Bleeping Computer reports that REvil's Tor sites are again in operation
and that security researchers have found in particular
that the gang's new leak site, RuTor,
is being advertised in Russophone criminal-to-criminal markets.
The U.S. FBI has issued a private industry notification warning of the threat of ransomware attacks
against agricultural organizations during the planting and harvest seasons, Security Week reports.
The Bureau notes that six grain cooperatives were hit by ransomware during last fall's harvest season, and two more were attacked in early 2022, which could disrupt the planting season. The FBI points out,
a significant disruption of grain production could impact the entire food chain, since grain is not
only consumed by humans but also used for animal feed. In addition, a significant disruption of grain and corn
production could impact commodities trading and stocks. An attack that disrupts processing at a
protein or dairy facility can quickly result in spoiled products and have cascading effects down
to the farm level as animals cannot be processed. And finally, Abnormal Security has released the results of research into a credential phishing campaign underway
that uses a phishing site on Facebook as part of an effort to induce users to give up their login information.
As usual, the phishing appeal relies on urgency to induce credulity into its prospective victims.
They're told that their Facebook account is about
to be disabled because they've been reported for posting inappropriate content, but that
they can appeal their suspension at the link provided.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The CyberWire's Rick Howard recently spoke with experts at Coralogix
for their insights on Extended Detection and Response, XDR.
Here's Rick.
I'm joined by Zack Barack. He's from Coralogix. Thanks for coming on the show.
Hi, great being here.
So Zack, Gartner defines XDR
as, quote, a unified security incident detection and response platform that automatically centralizes
and correlates data from many proprietary security elements, end quote. But the real power behind XDR is the ability to use APIs to connect to any tool,
not just security tools, but any tool that you want that we all might have in our security stack
or in our environments. We collect the telemetry across the intrusion kill chain and run machine
learning algorithms on it to find the previously unidentified bad guy activity.
So if I'm a potential buyer of XDR services, the two things I should be looking for then
is, number one, does my vendor know how to connect to all the tools in my stack, my technology
stack?
And number two, how good are the machine learning algorithms?
So do you agree with me that's the two things we should be looking for?
Or is it something different?
No, no, I agree because
integration is always a challenge and you're always going to get
new services. Definitely in the cloud you can see
today that every day you get a new, let's say,
SaaS service that is integrated into the core of the organization and is
using the additional applications
or even the identity provider
of the organization. And each one of those applications
can make an organization vulnerable
because you are as weak as your weakest link.
So in that aspect, you are correct.
And I think that the XDRs, one of
their, let's say, challenges
is to integrate as fast as possible to new technologies, meaning that they have to have
tools that are accessible by user in order to parse logs that are coming in and have
meaningful alerts set up not in days but in minutes.
In terms of machine learning, that's a big thing
because I think that we saw it over the past few years
that machine learning really helped a lot of organizations.
And in security, I've got the feeling
that it didn't deliver as expected.
Machine learning generated quite a lot of,
let's say, false positives.
And when you have a false positive for security,
the only thing that you can do is eventually
you will ignore the system as a whole.
So I do think that machine learning is very powerful
and I think that thresholds should be set in terms
of machine learning. I'll give you two examples.
One is, for instance, domain name scoring,
which is, is the domain human-generated domain
or is it something that was generated by a computer
and maybe a hacker or an attacker is trying to utilize it
in order to connect his agent to a command and control.
This is machine learning.
And something machine learning algorithms
are really good at doing, you know,
deciding which is which. I mean, that's a perfect application for machine learning.
Yes, so in that terms,
machine learning is great.
So if I'm already deeply invested
in SIEM and SOAR tools or both,
does XDR replace them somehow?
I think that XDR is, let's say,
the natural evolution of legacy SIEM
that were based on security logs.
SIEMs are really good at storing lots of telemetry, right?
Not so good at automating responses to it,
but pretty good at storing lots of stuff.
SOAR tools came along and gave us the ability
to interact with SIEMs and automate responses to it.
So are you saying XDR also comes with storage
or are we going to use the SIEMs to store everything
and just use APIs to do, how does that work?
So as we see it, the XDR uses its own storage
and it is basically the next generation SIEM.
We should have a very powerful backend
that can parse and enrich the data
and store it in different storage tiers
and do it on the fly and do it very quickly on one hand
and give you the ability, if you have an investigation,
to have all the logs available for the investigation itself.
That's on one hand.
In terms of SOAR, I think that's like a different field altogether,
meaning that let's say that you do have alert.
So then you can use the SOAR to have an automated response.
But as I see it, these are two solutions that can complement each other,
but are not necessarily related.
Well, the one thing you can say is that the security community,
there's always something exciting happening.
It's always changing, but we're going
to have to leave it there. So that's Zack Barack from Coralogix. Zack, thanks for coming on the show.
Thank you for having me.
solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Our UK correspondent Carole Theriault has been pondering the utility of bug bounty programs.
She files this report.
So this might be surprising to some of you,
but technology companies sometimes like to play ostrich,
hiding away from glaring oversights.
Here's what I mean.
So imagine a technology company
that was made aware of a vulnerability in their software.
Those outside the industry might think
that any company would jump with joy at this discovery
and quickly rejig
their schedules to get the problem resolved. You might even think that they would count their lucky
stars that it was never a point of unauthorized entry. But I have directly worked for more than
a handful of tech firms out there that did not appropriate this approach. Instead, they might groan,
schedule the fix with low priority, and just carry on like nothing happened. Sometimes the
flaw would not get rectified unless someone outside made a stink, forcing them, well,
to do the right thing. Now, of course, this is not all technology companies. Some offer their
very own bug bounty programs, inviting researchers
and ethical hackers to hammer their systems or services in exchange for a fee, sometimes a few
hundreds, sometimes many thousands. Typically, well-known firms that do this are the big players.
So you have Apple Security Bounty, Microsoft Bug Bounty Program, and Google Bug Hunters.
We also have what I call bug bounty brokers, such as HackerOne, Bugcrowd, or Synack.
This is a place where security researchers can log bugs or vulnerabilities they have found in third-party software and use this intermediary service to negotiate terms, providing the research to the affected firm in
exchange for a payout. However the negotiation takes place, I guess my question is whether it
should include a commitment by the organization to fix the flaw. Take this example. In July 2019,
Jonathan Leitschuh found a pretty horrific security vulnerability in Zoom.
Now, through Bugcrowd, they approached Zoom with information on the vulnerability.
Leitschuh was offered some form of payment, but it was attached to a non-disclosure agreement.
Now, reading between the lines, I suspect this NDA said, you can't talk about your discovery of this flaw to anybody, whether we fix it or not. The stakes were really
high. The security flaw affected millions of Mac users. And in this instance, the security researcher
cared that the vulnerability be addressed and rectified. So what does he do? He declines the
bounty payment because of the Bugcrowd NDA gag and gave Zoom an industry standard 90-day embargo
to ship a patch. Zoom unfortunately failed to do so. So after waiting the 90 days,
Leitschuh published his research. Can you guess what happened then? As CSO Online writes,
cue fireworks. Zoom gets tons of negative media attention and ends up fixing the security flaw.
It's like they needed to be strong-armed to do it. But here is the big cost. If the researcher
has perhaps more malleable ethics, the vulnerability they find on your software
could make them a ton more money on the black market. For example, in 2020, a vulnerability
found in the Zoom video conferencing platform was on sale for 500,000 pounds. This was a full year after the 2019 Zoom snafu that we've been discussing.
Perhaps this is what spurred Zoom to build its own bug bounty program.
And today you can find that at zoominfo.com.
But boy, did they go through a lot of pain to get there.
So if you have a company that provides the technology that would benefit from hundreds of
researchers around the world trying to poke holes in order for you to make it more resilient for
your customers, a bug bounty program may just be the way to go. But be careful low-balling
researchers or forcing them to sign an NDA because they may just publish their research anyway
or worse, go to the black market to get a fair price.
This was Carole Theriault for the CyberWire.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.