CyberWire Daily - Russia here, Russia there, Russia everywhere.
Episode Date: December 8, 2023

Legal action against Star Blizzard's FSB operators. A critical Bluetooth vulnerability has been discovered. How the GRU faked celebrity videos in its Doppelgänger campaign. The persistence of Log4j vulnerabilities. Lack of encryption as a contributor to data loss. Supply chain breaches plague the energy sector. Our guest is Allan Liska, creator of a new comic book featuring the adventures of Johnny Dollar, a hard-nosed cyber insurance investigator. And Russian activists make clever use of QR codes.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Allan Liska, creator of Green Archer Comics, shares the first installment in a new comic book series: "Yours Truly, Johnny Dollar #1." The series follows the adventures of Johnny Dollar, a hard-nosed cyber insurance investigator, as he takes on ransomware attacks, insider threats and more. The series is based on a popular radio serial of the same name that ran from 1949 through 1962, now reimagined for the digital age.

Selected Reading
Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns (CISA)
The cyberattacks also allegedly took aim at U.S. energy networks and American spies. (Wall Street Journal)
Russian Star Blizzard hackers linked to efforts to hamper war crimes investigation (The Guardian)
U.S. Takes Action to Further Disrupt Russian Cyber Activities (US Department of State)
Rewards for Justice (Rewards for Justice)
Two Russian Nationals Working with Russia's Federal Security Service Charged with Global Computer Intrusion Campaign (US Department of Justice)
United States and the United Kingdom Sanction Members of Russian State Intelligence-Sponsored Advanced Persistent Threat Group (US Department of Treasury)
Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover (DarkReading)
Obfuscation and AI Content in the Russian Influence Network "Doppelgänger" Signals Evolving Tactics (Recorded Future)
Russian influence and cyber operations adapt for long haul and exploit war fatigue (Microsoft)
State of Log4j Vulnerabilities: How Much Did Log4Shell Change? (Veracode)
ESG Report Operationalizing Encryption and Key Management (Fortanix)
Russian opposition activists use QR codes to spread anti-Putin messages (The Record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our 5 question survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Legal action against Star Blizzard's FSB operators.
A critical Bluetooth vulnerability has been discovered.
How the GRU faked celebrity videos in its doppelganger campaign.
The persistence of log4j vulnerabilities.
Lack of encryption as a contributor to data loss.
Supply chain breaches plague the energy sector.
Our guest is Allan Liska, creator of a new comic book featuring the adventures of Johnny Dollar, a hard-nosed cyber insurance investigator.
And Russian activists make clever use of QR codes.
It's Friday, December 8th, 2023. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

The Five Eyes Intelligence Alliance has issued a comprehensive cybersecurity advisory about a sophisticated spear phishing campaign run by a Russian FSB operation named Star Blizzard. Known by various aliases like Seaborgium and Callisto Group, Star Blizzard is considered to be part of the FSB's Center 18. The advisory highlights Star Blizzard's tactics, which include targeting personal email addresses for their perceived weaker security compared to organizational ones. The emails start with innocuous content tailored to the recipient's interests and gradually build trust before directing the target to an FSB-controlled server that mimics a legitimate service where credentials are harvested. Active since 2019, Star Blizzard primarily focuses on the UK and the US, alongside other NATO countries and nations close to Russia. The group's interests lie in academia, defense, governmental organizations, NGOs, think tanks, and politicians, engaging in hack-and-leak operations aimed at discrediting specific targets. The operation is also believed to be involved in disrupting investigations into Russian war crimes in Ukraine.

The U.S. State Department, responding to these threats, has offered up to $10 million for information leading to the identification or location of individuals engaged in malicious activities against U.S. critical infrastructure, particularly those directed by a foreign government. This includes FSB personnel recently indicted by a federal grand jury in San Francisco for hacking into networks in the U.S., U.K., NATO countries, and Ukraine. The indicted individuals, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, face significant prison sentences if convicted, although they are currently out of reach. Additionally, the U.S. Department of the Treasury's Office of Foreign Assets Control has sanctioned these men, requiring all their property in the U.S. or controlled by U.S. persons to be blocked and reported. This action, coordinated with U.K. partners, prohibits all dealings involving the property of these sanctioned individuals by U.S. persons or within the U.S. Despite these measures, the Russian embassy in London has dismissed the advisory, calling it a poorly staged drama.

A critical Bluetooth vulnerability has been discovered by Marc Newlin of SkySafe, affecting macOS, iOS, Android, and Linux devices. It allows attackers to remotely control devices by emulating a Bluetooth keyboard connection. The flaw, present in the Bluetooth protocol's implementation, facilitates unauthorized pairing without user consent. The exploit enables attackers to perform actions like installing apps or executing commands, depending on the device's platform. It remained undetected due to its simplicity and affects devices differently. For instance, Android devices are vulnerable when Bluetooth is enabled. Newlin, who plans to release exploit scripts soon, has informed major tech companies and the Bluetooth Special Interest Group. Most affected devices have patches, but some, including Apple's, remain vulnerable. This vulnerability underscores the need for robust cross-platform security measures in widely used protocols like Bluetooth.

The Russian GRU's Doppelgänger campaign manipulated the Cameo video service to produce content falsely portraying Ukrainian President Zelensky as a corrupt drug addict. Cameo allows users to commission personalized videos from celebrities, which the GRU exploited to create and distribute misleading messages. These videos were addressed to a Vladimir, subtly hinting at Russian President Putin, and were later edited with emojis and media logos and circulated on social media to reinforce false claims about Zelensky's alleged substance abuse issues. Microsoft highlighted this operation to illustrate that Russian influence efforts persist beyond the death of Yevgeny Prigozhin, a key figure in Russian propaganda who owned the Wagner Group and the Internet Research Agency. This indicates Russia's continued capability in executing sophisticated and wide-reaching malign influence operations, showcasing the resilience and adaptability of their propaganda and disinformation strategies.

A report from Veracode reveals concerning trends in application security. 38% of applications are using vulnerable versions of Log4j, with nearly 3% still susceptible to Log4Shell vulnerabilities. Alarmingly, 32% of applications employ Log4j version 1.2, an end-of-life version since 2015, which no longer receives updates or patches. The core issue is not developers' skill set, but a combination of insufficient information and resources, including time and staffing. This scarcity significantly delays vulnerability fixes, taking up to 13.7 times longer to address half of them. Additionally, developers lacking context about how a vulnerable library affects their application can take over seven months to resolve 50% of their vulnerability backlog.

Fortanix has published the results of a study conducted by Enterprise Strategy Group looking at encryption and key management. The primary finding is that the lack of encryption significantly contributes to sensitive data loss despite high confidence in cryptographic capabilities. Currently, on average, 51% of an organization's sensitive data is stored in the cloud, projected to increase to 68% in two years. Notably, 36% of respondents currently store over 60% of their sensitive data on public cloud services, a figure expected to rise to 68% within 24 months. Surprisingly, 4% of organizations store all their sensitive data in the cloud, a number anticipated to more than triple to 13% in the same time frame.

A study by SecurityScorecard reveals that 90% of the world's 48 largest energy companies experienced a supply chain data breach in the last year. This analysis covered the cybersecurity posture of major coal, oil, natural gas, and electricity companies in the US, UK, France, Germany, Italy, and their suppliers, spanning over 21,000 domains. In the last 90 days, 264 breach incidents were identified linked to third-party compromises. The U.S. fared the worst, with all top 10 energy companies suffering third-party breaches, while U.K. firms had the highest average security rating. Despite only 4% of over 2,000 third-party vendors experiencing breaches, these incidents significantly impacted their clients. The report also notes the prevalence of fourth-party breaches, with all US and UK companies affected in the past year, and 92% of global energy firms exposed to such risks. This growing concern for supplier breaches is emphasized by new SEC breach reporting guidelines recognizing supplier risk as a material business risk. The report suggests that proactive and systematic risk management strategies are essential to prevent the increasing trend of supply chain attacks.
Coming up after the break, my conversation with Allan Liska, creator of a new comic book featuring the adventures of Johnny Dollar, a hard-nosed cyber insurance investigator.
Stick around.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
Allan Liska is a well-known and respected cybersecurity researcher.
He's also a fan of both comic books and classic radio serials,
and combining all of those interests led him to the creation of a new comic book titled Yours Truly, Johnny Dollar.
I grew up in the D.C. area, and every Sunday night, our local NPR station has a thing that they've had for decades now called the Big Radio Broadcast, where they replay old radio serials.
And my favorite—oh, you're familiar. Okay.
Oh, yes. You know, if you hadn't brought that up, I was going to bring it up myself. I, too, was a regular listener of that show.
My favorite of all of the radio serials was Yours Truly, Johnny Dollar. And, you know, for people who don't know Johnny, Yours Truly, Johnny Dollar: Johnny Dollar is a freelance cyber insurance investigator, and his tagline is "the man with the action-packed expense account."
Yes.
To be fair, the original Johnny Dollar had nothing to do with cyber because back when the original Johnny Dollar ran, there was no cyber.
But I don't know if, like you, I was both intrigued, excited, and also a little confused about the notion of an insurance investigator with an action-packed expense account.
Right. When I was a teenager, I had no idea what an expense account was. Now I'm painfully familiar with the concept.
But the funny thing is, as I kind of grew and matured in my security
career, I met other people who loved Johnny Dollar as well. And the tagline in particular,
the action-packed expense account, became a running joke among a lot of especially incident
responders. Because yeah, you spend your life on the road going from incident to incident,
much like Johnny Dollar.
Not nearly as exciting most of the time,
but still, it's kind of a fun tagline.
Yeah.
So what led you to the update here of turning Johnny Dollar to cybersecurity?
What I found out was that Johnny Dollar's in the public domain. He'd make a really good
comic book character, but I only know about fighting ransomware. And then I'm like, well,
yeah, that's what he would be doing now, right? I mean, back then he was fighting gangsters and
corrupt bankers and so on.
Well, the modern equivalent of that are these ransomware groups.
And so why not turn it into a cyber insurance investigator?
And I kind of threw the idea out on Twitter and a bunch of people were like, oh, yeah, I definitely would back that.
And so we started a Kickstarter.
And so you successfully raised your goal.
In fact, you exceeded your goal.
You got like three times the amount that you had set out to do.
What were some of the challenges here of updating Johnny Dollar for the modern age?
So there's two separate challenges.
There's, as you say, updating him for the modern age, but keeping the core of the character the same, right?
And that's a challenge because you could go with a man-out-of-time theme where he kind of looks like a bit of a buffoon.
Think Inspector Gadget or something where it's really the niece that is actually the brains behind everything.
But I didn't want that because Johnny Dollar's always been competent.
I wanted him to continue to be competent.
And so writing him so that he has the feel of the 50s character,
but understands technology, understands what's going on,
and still keeps that sort of cutting edge for him.
And then, of course, the other challenge is most incident response cases don't involve fistfights
or Johnny getting bonked on the head or gunfights or anything like that. So there's some embellishment
that has to go on here in order for this to be an effective comic book medium because him sitting at a computer typing
for two weeks straight
while he's in the middle of an incident response
is not going to be a good comic book.
Right.
And then there's the challenge itself
of putting together the comic book.
And that's a whole other separate set of challenges
as somebody who's never done a book.
Yeah.
Well, give us some insight on that.
Who did you bring in as your collaborators here?
did the cover work for me and really captured the noir feel of Johnny Dollar in the cover.
And then we found this amazing letterer, Seda, who has done lettering for Marvel and DC and all of
these great comic books that I absolutely love. And I'm like, oh, wow, that's fantastic.
But then I had to find an editor as well because I'd never written a comic book script.
So I wrote the script and then I brought in a comic book editor to come in and edit everything to make sure that it actually flowed.
And even then we ran into some problems where I tended to be too wordy and we had to narrow it down so it would fit into the panels.
And then understanding the way action has to flow in a comic.
The typical new comic book writer mistakes of thinking of it like a television show where Johnny does this, this, and this.
Well, he can't do all that in the same panel, right?
It has to be separate panels, but you don't want 12 panels on a page because then it becomes unreadable.
So it's a lot of work, and I really appreciate everybody who collaborated on this project kind of holding my hand and walking me through and telling me what worked and didn't work, and making a better script and then a better book.
Can you give us a little bit of a preview here,
a tease of the kinds of things that Johnny Dollar finds himself up against?
Yeah.
So actually, we have a four-story arc planned.
The first story, he goes to Johnstown, Pennsylvania,
which is where my parents are from,
to deal with a ransomware attack at a steel mill
and deal with an insider threat.
So the ransomware actor is kind of bribing somebody.
And it's more of a whodunit,
as he has to figure out who the insider is as part of it.
In the meantime, he meets up with some Russian gangsters.
And if you're thinking that's weird in the middle of Johnstown,
read the book and you understand it. And so there's some fighting that goes on and so on. The next issue, the one that
we're working on now, in fact, we're almost finished with it. He flies to Milan, Italy
with a ransomware attack against a water plant there. And now Johnny's really angered the ransomware actors,
and so they actually hire a hitman to come after him.
And so Johnny has to fight with a hitman
as well as stop the ransomware actors
from poisoning the water supply in Milan.
So that's much more adventure-packed than the first issue. And a fellow Johnny Dollar
fan and cybersecurity person, Dr. Anjali Shear, who I actually met during one of the Share the
Mic in Cyber events, she took the lead on writing that issue. Stays true to the character, but you
get a very different story, which I really love.
And I want to be very clear. Johnny Dollar is not me. It's not based on me, except there's one fight scene where Johnny uses a wine bottle to attack one of the people coming after him.
And I'm like, okay, that part could be me, but the rest of it's very much not.
It would be a very fine vintage of wine. Or perhaps
he would use the cheaper stuff, because it's more disposable. Right. You always use the cheap
bottle to take out the bad guys. There you go. Well, congratulations, Allan. Like I say, this is a real joy here. Who's your target audience? Who do you hope this finds?
It's actually really funny because that's a question that people ask new comic book artists and everybody else apparently
says, oh, well, you know, people who love comic books. My target audience is cybersecurity
professionals and people who love Johnny Dollar. So two very niche markets, but are apparently
completely underserved by the comic book community.
So I'm hoping that we can make some inroads.
And especially for people who really love the original Johnny Dollar,
I hope that they see that we really did our best to stay true to the character
while updating him for a cybersecurity age.
That's Allan Liska, creator of Green Archer Comics and Yours Truly, Johnny Dollar.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
And finally, The Record reports that Russian opposition activists,
affiliated with imprisoned leader Alexei Navalny,
have initiated an anti-Putin campaign using QR codes on billboards in major cities.
These QR codes, originally linked to a creative competition,
were covertly redirected to the Russia Without Putin website. The billboards,
bearing non-political messages like Happy New Year, Russia, aim to subtly encourage people
to vote against Putin in the upcoming March election. This digital approach, including a Telegram bot
disseminating anti-Putin content, is a response to the ban on open anti-regime rallies in Russia.
Authorities in St. Petersburg and Moscow have started removing the billboards.
Navalny's team acknowledges the likelihood of election result manipulation by Putin,
but asserts their goal is to highlight
the nation's desire for change.
The campaign's effectiveness and impact remain uncertain,
especially considering Russia's history
of penalizing online dissent.
So, in Russia, billboards don't just sell products,
they host revolutions, one QR scan at a time.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Dana Behling, researcher at Carbon Black, sharing their work on hunting vulnerable kernel drivers.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin. Our mixer is
Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and
Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll
see you back here next week.
platform comes in. With Domo, you can channel AI and data into innovative uses that deliver
measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.