CyberWire Daily - Russia and Belarus exchange cyber operations with Ukraine. The US announces Task Force KleptoCapture. Vulnerable infusion pumps. TCP middlebox reflection. Notes on sanctions.
Episode Date: March 3, 2022
The UN condemns Russia's war in Ukraine. Ukraine's cyber volunteers appear to be operating under the direction of Kyiv's Ministry of Defense, and may be targeting Russian infrastructure. Belarusian cyber operators are phishing with stolen Ukrainian credentials in a cyberespionage campaign. Task Force KleptoCapture. Infusion pumps found vulnerable to cyberattack. TeaBot is found in the Play Store. TCP middlebox reflection. Dan Prince from Lancaster University on trustworthy autonomous systems. Our guest is John Shegerian from ERI on the security angle of e-recycling. And no more Harleys for Mr. Putin.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/42
Selected reading.
Cyber Realism in a Time of War
Russian Hybrid War Report: Social platforms crack down on Kremlin media as Kremlin demands compliance
Russia's war spurs corporate exodus, exposes business risks
Using DDoS, DanaBot targets Ukrainian Ministry of Defense
Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement
Phishing campaign targets European officials assisting in refugee operations
Anonymous vs. Russia: Hackers Say Space Agency Breached, More Than 1,500 Websites Hit
Conti Ransomware Source Code Leaked
Hacker Group Anonymous Vows to Disrupt Russia's Internet — RT Websites Become 'Subject of Massive DDoS Attacks'
Ukrainian cyber resistance group targets Russian power grid, railways
Army of Cyber Hackers Rise Up to Back Ukraine
U.S. Officials Detail Efforts to Enforce Raft of New Russia Rules
TCP Middlebox Reflection: Coming to a DDoS Near You
TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps
Infusion Pump Vulnerabilities: Common Security Gaps
Transcript
You're listening to the CyberWire Network, powered by N2K.
The UN condemns Russia's war on Ukraine.
Ukraine's cyber volunteers may be targeting Russian infrastructure.
Belarusian cyber operators are phishing with stolen Ukrainian credentials.
Task Force KleptoCapture.
Infusion pumps are found vulnerable to cyber attack.
TeaBot is found in the Play Store.
TCP middlebox reflection.
Daniel Prince from Lancaster University on Trustworthy Autonomous Systems.
Our guest is John Shegerian from ERI on the security angle of e-recycling.
And no more Harleys for Mr. Putin.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 3rd, 2022. Russian forces have intensified their conventional and in practice indiscriminate bombardments of Ukrainian cities.
The Black Sea port of Kherson has fallen, the first Ukrainian city of any size to be taken by Russian forces,
but the assault on Kyiv remains more stalled than ever, the BBC reports.
The UK's Ministry of Defence, in its daily public appreciation of the situation,
says the Russian column advancing on Kyiv has made little discernible progress in over three days.
The MOD puts this down to Ukrainian resistance, but also to congestion and mechanical breakdown.
The UN General Assembly voted yesterday to condemn Russia's invasion of Ukraine.
In its official statement, the UN wrote, quote,
deploring in the strongest terms its aggression against Ukraine
in violation of the Charter of the United Nations.
The Assembly also demanded the Russian Federation immediately and unconditionally reverse
its 21 February decision related to the status of certain areas of the
Donetsk and Luhansk regions of Ukraine, end quote. Thus, not only the invasion itself was condemned,
but so was the Russian recognition of the independence of the regions
it styles the People's Republics of Donetsk and Luhansk. The resolution of condemnation had been introduced by Ukraine. The vote was 141 in
favor of the resolution to five opposed with 35 abstentions. The UN called the vote a clear
reaffirmation of the 193-member world body's commitment to Ukraine's sovereignty, independence,
unity, and territorial integrity. The list of countries who voted nay
is instructive. Belarus, North Korea, Eritrea, Syria, and of course, Russia.
Ukraine's Ministry of Defense has recruited private operators to help wage a cyber war
against Russia. That recruitment isn't principally designed to provoke a cyber rave or cyber riot on
the part of outraged sympathizers freelancing as volunteer militia, although that's also happened,
certainly in the case of website defacements and service interruptions conducted by Anonymous and
others. There are reports that the ministry has asked a local cybersecurity expert and businessman, Yegor Aushev, to organize
a cyber offensive that would go beyond DDoS and defacement and seek to cripple Russian
infrastructure, with particular attention to railroads and the power grid. Ukrainian
officials declined a request for comment by Reuters. The hacktivists continue to claim
that they're counting coup against Russia and some of their efforts may, and we stress may, go beyond vandalism and nuisance hacks.
Homeland Security Today reports that Anonymous is crowing high over an effort directed against Russian space surveillance and reconnaissance systems, quoting the Anonymous-affiliated group NB65 as follows,
quote,
and the server is shut down.
Network Battalion isn't going to give you the IP.
That would be too easy, now wouldn't it?
Have a nice Monday fixing your spying tech.
Glory to Ukraine. We won't stop until you stop dropping bombs,
killing civilians, and trying to invade.
Go the F back to Russia.
End quote.
Russia's cyber operations against Ukraine
may be continuing to take advantage of services offered in the criminal-to-criminal market.
Zscaler describes the way in which the malware-as-a-service platform DanaBot
is being used to run a distributed denial-of-service attack against the Ukrainian Ministry of Defense.
Zscaler's research report stops short of attribution.
Quote,
It is unclear whether this is an act of individual hacktivism,
state-sponsored, or possibly a false flag operation.
End quote.
Proofpoint has published a report on a phishing campaign it's calling Asylum Ambuscade,
in which it links to UNC1151,
which Proofpoint associates with the Belarusian threat actor
it tracks as TA445.
That group is most familiar in its Ghostwriter guise, in which throughout 2021 it mounted
influence campaigns against European targets, especially in Latvia, Lithuania, and Poland.
Proofpoint summarizes its key takeaways as follows, quote, Proofpoint has identified a likely nation-state-sponsored phishing campaign
using a possibly compromised Ukrainian armed service member's email account
to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.
The email included a malicious macro attachment which attempted to download a malware dubbed SunSeed. The infection
chain used in this campaign bears significant similarities to a historic campaign Proofpoint
observed in July 2021, making it likely the same threat actor is behind both clusters of activity.
Proofpoint is releasing this report in an effort to balance accuracy with responsibility
to disclose actionable intelligence during a time of high-tempo conflict.
End quote.
Asylum Ambuscade represents an intelligence collection effort.
It shows signs of being particularly interested in the movement of refugees around and out of Ukraine
and is, The Record reports, paying particular attention to targeting European officials involved in refugee relief.
The U.S. Department of Justice has formed an interagency task force, KleptoCapture,
designed to investigate and prosecute white-collar crime, with special attention to finding and
denying the assets of Russian oligarchs, the Wall Street Journal reports.
It has two objectives, sanctions enforcement,
which will include educating companies who trade with Russia
on the sanctions' scope and implications,
and tracking down illicit assets,
especially those useful in money laundering,
with special attention to cryptocurrency holdings and transactions.
Recent U.S. enforcement actions against domestic money laundering
operations, notably the indictment of Razzlekhan and her consort, have shown that cryptocurrency
wallets and transactions are not immune to tracking and confiscation. EU and U.S. policy
toward Russia's oligarchs is now decidedly punitive, according to the Washington Post.
The article's deck
summarizes, quote, Western allies plan to confiscate yachts, jets, luxury apartments
from Russian elites in hopes of undercutting Moscow over invasion, end quote. Punishing the
oligarchs was one of the talking points in U.S. President Biden's State of the Union speech this
week, quote, Tonight I say the Russian oligarchs and the corrupt leaders
who built billions off this violent regime, no more, he said.
We're coming for your ill-begotten gains.
End quote.
Task Force KleptoCapture represents an early step in that approach.
Not all the scary news is from Eastern Europe,
even in these dark days of war.
Palo Alto Networks' Unit 42 has published a report on vulnerabilities affecting medical infusion pumps,
analyzing more than 200,000 pumps from seven different vendors.
The research identified, quote,
over 40 different vulnerabilities and over 70 different security alerts among the devices,
with one or more affecting 75% of the infusion pumps, end quote.
Pumps were also affected by CVE-2019-12255,
a buffer overflow vulnerability with a severity score of 9.8.
Researchers at Cleafy warned that the TeaBot Android banking trojan has been
distributed via the Google Play Store. The researchers stated, quote, On February 21,
2022, the Cleafy threat intelligence and incident response team was able to discover an application
published on the official Google Play Store, which was acting as a dropper application delivering TeaBot with a fake update procedure.
The dropper lies behind a common QR code and barcode scanner,
and, at the time of writing, it has been downloaded over 10,000 times.
All the reviews display the app as legitimate and well-functioning, end quote.
Once downloaded, the malware will request accessibility services permissions in order to view and control the screen and perform actions on the phone.
Akamai researchers have recently observed DDoS attacks using a new technique called TCP middlebox reflection to amplify the amount of traffic they can send.
The researchers explain, quote,
this type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as one seventy-fifth
the amount of bandwidth from a volumetric standpoint, end quote.
And finally, back to Russia for some economic and cultural news.
Western companies continue to exit the Russian market
as the country's financial system reels on the verge of collapse.
The AP reports that Russia has become a commercial pariah as the rest of the world increasingly refuses to do business there.
Tech companies are largely out and social media platforms have shuttered operations rather than accede to Moscow's insistence on censorship and positive control
of the content they distribute. One interesting business departure is that of Harley-Davidson.
President Putin has been famously devoted to his hog, which he rides helmetless,
like he's some kind of a centerfold in Outlaw Biker or Iron Horse. Let those who ride decide,
we suppose, although the three-wheeler we've seen pictures of
him tooling around on looks sort of like what the Hells Angels would call a garbage wagon.
Anywho, no more Harleys for you, sir. Back to that old Ural Gear-Up. But Bikes and Beards say
it's a pretty unreliable ride, so bring your toolkit and some spare spark plugs.
Most of us who've been in the industry for a while have a story or two about some old forgotten piece of equipment that through benign neglect ends up being improperly disposed of.
Years ago, I fished an old laptop out of the dumpster behind my office
and the personal information it contained on the non-profit CEO to whom it had once belonged was chilling.
And yet, end-of-life disposal of e-waste often remains an afterthought, and that has security implications.
John Shegerian is chairman and CEO and co-founder of ERI, Electronic Recyclers International.
So we all became very socialized to the wonderful shredding trucks that would cross this country in North America, showing up at our facilities, our companies,
and shredding the data on paper that came out of the companies or organizations we worked for.
What we didn't think about is as the trend of paperless office was overtaking our work environments, who was thinking about the data that was embedded in and around our hardware.
And that has still not been addressed on a widespread basis yet in the United States
or around the world.
And in many cases, these issues of benign neglect have led to very dire consequences for the organizations that were victimized.
Can you give us an example? I mean, what sort of stories have you run into in the folks that you
deal with? Well, just recently, it was very publicly made aware that Morgan Stanley, years ago, had a very bad data breach that was due to the inappropriate disposal of some of their server equipment.
They got fined in Europe.
They got fined by numerous organizations for that mishandling of their servers and other hardware.
Other organizations which haven't made the cover of the Wall Street Journal or the New York Times come to us for help. For example, federal agencies who found their employees unwittingly, when their laptops or
other electronic devices came to their natural end of life, put these items up for sale on
eBay or Craigslist, putting at risk not only the agencies they work for, but in many instances, the homeland security
of our great country. Those examples are growing and have been well documented.
Well, help me understand the spectrum of disposition and disposal that are available.
I mean, I think a lot of us imagine taking that old laptop out to the parking lot with a hammer
and having at it ourselves, but there's more to it than that.
Yeah, there's more to it.
A, unfortunately, electronics shouldn't be mishandled by anyone
because most of them contain arsenic, beryllium, lead, cadmium, mercury,
a whole host of trace hazardous materials that people don't want to get either into their own body or into the ecosystem,
which could then leach into ground, water supplies, our vegetation, our animals,
and then back into people because it gets
into our water supply and other things. So electronics, when they come to the end of life,
should be responsibly handled. Now, whether that means wiped, retested, and resold,
appropriately wiped, or fully destroyed is based on the organization or the level of risk that that person is engaged with.
So for instance, we have many organizations that come to us and say, hey, John,
we want you to wipe all the data and then we want you to put it in your shredders. We have the
world's largest shredders at our facilities and shred it. And then we know that all of your
commodities are sold and that
shredded material goes away into new products anyway. We're very happy with that. Others come
to us and say, listen, we're going to get you 10,000 used cell phones, laptops, tablets every
month. It's going to be consistent number. You're going to wipe them. You're going to retest them.
You're going to check them for data again. Then you're going to repackage them and resell them. So there's lots
of protocols that can be done. But the whole essence of the matter, David, is that people
need to choose a responsible company, just like Shred It and Iron Mountain and other responsible brands shred data on paper, the same thing goes for when
people choose vendors to shred data that's embedded in hardware.
And whether the hardware means their wearables or the other gadgets in their homes that are
now collecting data, such as Ring and Nest and other things that should be destroyed
at some point when they come to the end of life, or just their old hard drives, desktops,
laptops, tablets, or server farms, a responsible party, a responsible vendor, one that's NAID
certified.
NAID stands for National Association of Information Destruction. That's the platinum standard that any vendor that handles your old electronics should be certified to.
That goes for both data on paper and data in hardware. And if they're not
certified for that, they shouldn't be handling your data materials that are on paper or in hardware.
That's John Shegerian from ERI, Electronic Recyclers International.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in security and protection science at Lancaster University.
Daniel, always great to welcome you back to the show.
I know a topic that you have been working on there at Lancaster
is this notion of trustworthy autonomous systems and complexity in the network stack. Can you share
with us what sort of things are you all working on there? So I'm part of a project here funded
by the EPSRC that's looking specifically at trustworthy autonomous systems. It's one of a
number of projects that are research nodes within the UK.
And the part of work, the work that I'm looking at,
is really the role of the network stack within these autonomous systems
and how the network stack, so IP communications and so on,
form part of this autonomous system
and work towards the trustworthy nature of
that autonomous system.
Specifically, obviously, the network stack is the way that the autonomous systems communicate
with each other.
And so if we can disrupt the way they communicate, can we also understand how that affects their
decision-making capability and their trustworthiness
as an autonomous system. And one of the things that we're looking at and trying to understand
is that if, you know, at the operational plane at the higher levels, you've got things like AI and
machine learning making decisions for the autonomy of the overall system, say, for example, a,
you know, a swarm of drones or a fleet of self-driving cars, what are the aspects
of the network stack that actually go into influencing the decision-making elements of
the machine learning or the autonomous system that we might not be aware of? So, for example,
are there specific network delays, aspects of jitter
in the way the packets are delivered, that we're not aware of, that have become implicit features
in the data sets that the autonomous systems are using to make decisions? And if we have a better
understanding of that, then we can understand more about what the network stack
needs to be, the level of robustness required
for autonomous systems to be able to make trustworthy decisions.
Those elements in the network stack, like you mentioned, things like delays, because
those are elements of the systems themselves rather than part of the software that the
developers are creating,
does that create a bit of a blind spot for the folks who are building these autonomous systems?
Well, I mean, that's one of the things that we're really trying to investigate.
In some ways, it's going back to classic quality of service in networks
and understanding the implications of the quality of service on the roles of the applications.
Now, the autonomous system that's laid on top of that
is a decision-making application,
and it's using features of the network
in terms of its quality service,
or that's how we're perceiving it,
to be able to make those decisions.
At the moment, what we're trying to understand
is how much of that quality
of service features, if you like, are implicitly part of the data set that the autonomous system
is using to make decisions. And so what we're trying to understand is whether, instead of targeting
or perhaps attacking the data that's being transmitted around the network for the autonomous system to be able to make the decisions,
there are other elements of the way that the network is working that we could disrupt,
which would disrupt the trustworthiness of the decision-making within an autonomous system.
And if we can understand that, then we'll be able to make more robust systems to be able to make decisions within the
kind of networks that we're looking at. So the peer-to-peer kind of drone networks or self-driving cars.
Sort of a fail-safe system built in?
Yeah. So one of the things, if we know that
the limits of the autonomous system are within these, say, for example, quality of service parameters,
then what we can say is that if those parameters are breached,
if the composition of that network is breached beyond the safe operating parameters of the autonomous system,
then we can put in these fail-safes, as you say, so that, again, the operators will have trust
in the system that it can be used in a safe way
and respond to any potential disruption that might occur
either accidentally because of the operating environment
or maliciously if there is an attacker that goes after the fleet of drones
delivering your parcels or shopping.
All right. Interesting stuff for sure.
Daniel Prince, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Bilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.