CyberWire Daily - Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Costa Rica to its knees. BLE proof-of-concept hack. CISA warns of initial access methods. Thanos proprietor indicted.
Episode Date: May 17, 2022

An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO Alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And the doctor was in, but wow, was he also way out of line.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/95

Selected reading.
Russia Planned a Major Military Overhaul. Ukraine Shows the Result. (New York Times)
The Cyberwar Against Pro-Ukrainian Countries is Real. Here’s What to Do (CSO Online)
Collective cyber defence and attack: NATO’s Article 5 after the Ukraine conflict (European Leadership Network)
Cyber attack on Costa Rica grows as more agencies hit, president says (Reuters)
Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million (The Record by Recorded Future)
Hacker Shows Off a Way to Unlock Tesla Models, Start Cars (Bloomberg)
NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk (NCC Group)
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks (NCC Group Research)
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks (NCC Group Research)
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks (NCC Group Research)
Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access (CISA)
Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (U.S. Attorney’s Office for the Eastern District of New York)
US prosecutors allege Venezuelan doctor is ransomware mastermind (ZDNet)
'Multi-tasking doctor' was mastermind behind 'Thanos' ransomware builder, DOJ says (The Record by Recorded Future)
U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (The Hacker News)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
NATO's Article 5 in cyberspace,
Conti's ransomware attack against Costa Rica spreads in scope and effect,
Bluetooth vulnerabilities are demonstrated in a proof of concept,
CISA and its international partners urge following best practices
to prevent threat actors from gaining initial access,
Joe Carrigan looks at updates to the FIDO Alliance,
Rick Howard and Ben Rothke discuss author Andrew Stewart's book, A Vulnerable System,
the history of information security in the computer age.
And the doctor was in, but wow, was he also way out of line.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 17th, 2022. An op-ed by Akamai in CSO warns that the cyber war against pro-Ukrainian countries is real,
and then goes on to describe the nature of those threats.
They are the sorts of activity that have been much in evidence recently.
Russian-aligned cybercriminal gangs engaged in ransomware,
and Russian-aligned hacktivist groups engaged in
distributed denial-of-service attacks. The author urges organizations to apply sound best practices
to protect themselves. Against ransomware, they recommend network segmentation. Against DDoS,
they recommend conducting service validations, confirming authorized mitigation service contacts, reviewing and
updating runbooks, performing operational readiness drills, and updating your emergency
methods of communication. With a hybrid war in progress and NATO directly adjacent to that war's
active theater of operations, the European Leadership Network has published an essay that
argues for greater
clarity in how the Atlantic Alliance will execute its commitment to collective defense
when the attack comes in cyberspace. The authors recommend clarity for the opposition in the form
of defined red lines, but most of their discussions look inward toward unity of command, toward
maintaining an accurate picture of the
friendly situation in cyberspace, toward regular collection and reporting of cyber intelligence,
and, of course, toward a clear understanding of the legal constraints on cyber activity.
Reuters reports that the number of Costa Rican organizations affected by Conti's ransomware
attack has now grown to 27.
Recently elected President Rodrigo Chaves has said that nine institutions, most of them
governmental, were heavily affected and that the attacks were having an enormous impact on
foreign trade and tax collection. The governments of Israel, the United States, and Spain are all
providing Costa Rica with assistance in recovery and remediation,
but a lot of work remains to be done.
Conti has been crowing large over its malign intentions for the Central American country,
and it's worth remembering that the ransomware gang operates from Russia
and with the effective protection of the Russian government.
They say, just pay before it's too late.
Your country was destroyed by two people.
We are determined to overthrow the government by means of a cyber attack.
We have already shown you all the strength and power.
You have introduced an emergency.
And, by the way, the ransom demand has gone up to $20 million,
and I suppose adding insult to injury,
they've referred to U.S. President Biden
as a terrorist. Costa Rica has refused to pay the ransom. NCC Group researchers have demonstrated
that Bluetooth low-energy systems are vulnerable to link-layer relay attack. The news has been
generally reported with headlines that point out that crooks could now open and start your Tesla without so much as a by-your-leave, but the problem is more widespread than that.
BLE is used for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops, and more. It's not the
kind of problem that can be resolved with a patch. Rather, NCC Group argues, it's the kind of issue
that arises when technologies are extended beyond their intended purpose, and BLE, they say, was never designed for use in critical systems.
The researchers offer three recommendations, two for manufacturers, one for users.
They say manufacturers can reduce risk by disabling proximity key functionality
when the user's phone or key fob has been stationary for a while.
They say system makers should give customers the option
of providing a second factor for authentication
or use presence attestation,
such as tapping an unlock button on an app on the phone.
And they say users of affected products
should disable passive unlock functionality
that does not require explicit user approval
or disable Bluetooth on mobile devices when it's not needed.
The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, and its partners in Canada,
the Netherlands, New Zealand, and the United Kingdom this morning issued Alert AA22-137A,
Weak Security Controls and Practices Routinely Exploited for Initial Access. The alert describes common weak security controls,
poor configurations, and poor security practices that are used for initial access,
and it recommends particular attention to seven best practices,
including control access, hardening credentials,
establishing centralized log management,
using antivirus solutions, employing detection tools,
operating services exposed on internet-accessible hosts with secure configurations,
and of course, keeping software updated.
And finally, there's the curious case of the crooked cardiologist,
a multitasking C2C ransomware purveyor who prided himself on good customer reviews,
but in other respects,
seems to be something of a case of arrested development.
The U.S. Attorney's Office for the Eastern District of New York yesterday announced that
it had charged Dr. Moises Luis Zagala-Gonzalez with attempted computer intrusions and conspiracy
to commit computer intrusions.
Breon Peace, the United States Attorney for the Eastern District of New York, explained,
As alleged, the multitasking doctor treated patients, created and named his cyber tool after death,
profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks,
trained the attackers about how to extort victims, and then boasted about
successful attacks, including by malicious actors associated with the government of Iran.
So, Dr. Zagala, when he wasn't using his stethoscope, was busy coding ransomware and
selling it in the C2C markets. His customers included, as the U.S. attorney said, Iran,
specifically the MuddyWater threat group, but many others as well.
He offered both licenses and an affiliate program.
His reviews in the dark web equivalent of Yelp were pretty good, too.
One satisfied crook said,
I bought the ransomware from Nosophoros and it's very powerful, and said he used the product to infect about 3,000 machines.
A happy Russophone customer wrote,
We have been working with this product for over a month now.
We have a good profit. Best support I've met.
Dr. Zagala offered advice in chat forums where he used the hacker name Nosophoros,
disease-bearing in Greek, and fun fact, the root of the vampire name Nosferatu. He's also evidently
a fan of the Marvel Universe because he called some of his wares Thanos. He's still at large
and living it up in the Ciudad Bolivar, Venezuela, so he's unlikely to face justice anytime soon,
but Thanos had better hope the FBI's New York field office doesn't find the
rest of the Infinity Stones, in which case they'd snap him into Club Fed.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
You're listening to the theme song of the HBO long-running hit Game of Thrones,
the unofficial anthem for the Cybersecurity Canon Project,
the project designed to find the must-read books for all cybersecurity professionals because one of
the greatest characters of all time, Tyrion Lannister, had this to say about reading books.
Why'd you read so much?
Well, my brother has his sword, and I have my mind, and a mind needs books like a sword needs a whetstone.
That's why I read so much, Jon Snow.
Which means it's Cybersecurity Canon Week here at the Cyber Wire,
where we are interviewing all the Canon Hall of Fame inductee authors for the 2022 season.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow here at the Cyber Wire,
and today's book is called A Vulnerable System,
The History of Information Security in the Computer Age by Andrew Stewart.
Enjoy.
I'm joined by Ben Rothke, a very old friend of mine,
one of the original members of the Cybersecurity Canon Committee,
a Senior Information Security Manager at Tapad, and how do I say this, Ben? A voracious reader.
Thanks for coming on the show.
My pleasure. Thanks for spearheading things and starting it.
So today we're talking about the latest entry into the Cybersecurity Canon Hall of Fame,
a book called A Vulnerable System, The History of Information Security in
the Computer Age by Andrew J. Stewart and published by Cornell University Press in September 2021.
And Ben, you know Andrew, right? Yeah, I mean, it's one of those sort of internet friends we've
never met in person, but yeah, actually go back, you know, a number of years, actually, I was an advanced reader of the book.
So, yeah, I enjoyed it from before it was publicly available.
So, you wrote the original review for this, for the Canon project.
So, why is this a Cybersecurity Canon Hall of Fame inductee?
For a lot of reasons.
Those getting into, you know, whether technology or anything generally or information security specifically,
it's often you can just jump in and, you know, start doing things.
But, you know, Santayana said those who don't learn history are doomed to repeat it.
So this is in large part a history of information security.
As Isaac Newton said, if I've seen further, it's by standing on the shoulders of giants. I think this really shows the context of information security, its history,
where it's coming from, you know, how we got here today, how, you know, some of the issues are
inherent in the design of, you know, the first computers and some of the trajectories which were mistaken, you know, plague us today.
So I think it really is a fundamental text because really you can't just do information security.
You have to, you know, understand its history.
I mean, sure, you know, someone can be a firewall administrator.
You could, you know, you could harden Linux boxes.
So that's in a very limited sense.
But if you're working at the enterprise level
in the big picture
and understand what this thing called security is,
having this understanding of how we got here today
really can be a good linchpin
to how are you going to move forward.
I thought the section of the book
about the early history was fascinating.
He covers the period of mainframe computers from the beginning of the digital age.
I mean, this is way back to the 1940s in the incipient research of how to secure them.
And he makes the case that early researchers tried to design a secure computing system,
but never really attained that goal.
And so I love that little, you know,
storytelling there. Did you have a favorite part of the history that you liked?
Security is all about trade-offs and, you know, we could never build a perfect system. And when
you've got complex programs with hundreds of thousands, you know, or millions of lines of code,
bugs are, you know, inherent and it's impossible to certify and prove security.
And I think that's, from an academic perspective, it's almost impossible to build any system that's
provably secure. But once again, you need to know that going in the real world is that everything
really is a trade-off. That's really a good point, yeah. Once again, if you're in a small auto body shop,
then security means one thing.
If you're at a brokerage and you're making billion-dollar trades,
obviously you need a lot more security there.
I mean, he talked about the economics of security,
the psychology of security.
That drives everything.
That's Ben Rothke, the Senior Manager at Tapad,
and the book is called A Vulnerable System,
The History of Information Security in the Computer Age
by Andrew Stewart.
And it's the latest addition into the Cybersecurity
Canon Hall of Fame.
For more information on the project, go to your favorite
search engine and look up Cybersecurity Canon.
That's Canon with one N, as in Canon of Literature, not two Ns where you blow stuff up.
And Ohio State University, the project's official sponsor.
If you like what you hear and want to hear the full interview,
subscribe to CyberWire Pro today to get access to the latest episodes of CSO Perspectives,
plus much more.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
We were talking over on Hacking Humans about a press release, actually, that came from
the FIDO Alliance.
FIDO stands for?
Fast Identity Online.
There you go.
I'll never forget it again, Dave.
So the FIDO Alliance, they are in the business of trying to make authentication better, more convenient, all while keeping it secure.
Yes.
And they have some interesting news here.
A bunch of big names have gotten on board to try to push some of these efforts forward.
What's going on here, Joe?
So apparently, Google, Apple, and Microsoft have committed to expanded support for the FIDO Alliance standard.
Okay.
FIDO has worked with tech companies over the years to build a standard.
Yeah.
That is essentially public private key authentication.
Okay.
Right?
And this standard can be implemented in a number of different ways.
The most common way you see it implemented is with some kind of hardware token.
Right.
Right. Right. So my YubiKey.
Exactly. YubiKey, Google Titan. There are tons of devices out there that use this standard.
So they conform to the FIDO Alliance.
To the FIDO Alliance standard. Exactly. Yep. The way it works is it has a secret on it, right? That secret is combined with the domain of the website that is requesting
the authentication, right? And the combination of the secret and the domain are used in the
generation of a private key. And it's generated on the fly, so it actually doesn't even need to
be stored. The only thing that needs to be stored is the secret.
Yeah.
So when you register, you actually do have to register your device,
your hardware device, with the service you're going to use to authenticate it.
Right now, it's used as multi-factor authentication, right?
So you would enter your username and your password,
and then you'd push a button on your hardware device that says, I'm ready to do the work, ready to do the cryptographic
work here. But when you register the key, you actually give them a public key that is unique
to that website. So, let's say you're going to register with Google, which you can do, by the way. And if you have a YubiKey,
you should absolutely use a YubiKey
to register YubiKey with Google for authentication.
And I will say this, get two of them, right?
Get two of them and register both of them.
You can register both of them.
Yeah.
You know from experience.
I don't know this from experience,
but I can see the problem coming down the road.
I do. Right. I do. I do.
Because you're going to be carrying around one of these YubiKeys with you.
Yeah.
And I keep mine on my backpack, but they have little holes in them to keep with their keys. They're going to get treated roughly. They're going to be with something you lose. You know, like my backpack is actually a target for theft, right?
Nobody's strong enough to run off with your backpack, Joe.
My backpack is very heavy. They will be going sufficiently slower,
hopefully slow enough that I'll be able to catch them.
That's right.
But that's not likely. I'm way too old and I really hate running after people.
It's just like, meh, you can keep it.
Right.
But so if that happens, then you're not going to be able to authenticate to your accounts anymore.
So you need a second one.
Yeah.
That you just keep at home or keep safe.
Yeah.
Right.
Let's talk about what they're pushing forward here that these organizations have agreed to roll out over the course of the rest of this year.
Well, one of the things that they're looking forward to or they're actually looking at is because this is a public-private key exchange, right?
And it's essentially public key, private key authentication. It's better than the password,
right? So they're actually moving towards passwordless authentication. And that's what
these three companies have agreed to. This is Google, Microsoft, and Apple are agreed to it. So there are two big
tech names who are notably missing here, those being Facebook and Amazon. Although I will say,
I do have my YubiKeys registered with my Facebook account. So Facebook's already on board, I think,
at least with the FIDO Alliance standard. So two main things they're announcing here
that are going to be rolled out this year.
And what are those?
One is they're going to allow users
to automatically access their FIDO signing credentials,
which they call a passkey,
on many of their same devices,
even new ones,
without having to re-enroll every account.
Ah, okay.
More convenient.
Yes.
And another one is they're going to enable users to use FIDO authentication on their mobile device
to sign in to an app or website on a nearby device,
regardless of the OS platform or browser that they're running.
Oh, I see.
So they're going to implement a software version of the FIDO stuff.
So you can use your mobile device with your, let's say desktop computer for authentication.
Yes. Again, making that more seamless, reducing friction, which I submit will accelerate adoption.
I agree 100%. I think if you can just get away from passwords and come up with a good,
secure way to do private key management. And all these authentication sites are storing,
instead of storing password hashes or anything like that,
they're storing just public keys.
If those are ever breached,
those are absolutely useless to an attacker.
Yeah.
They have no value at all.
Right.
First off, they're going to be different
for every single site you go to, right?
So it's going to be difficult to associate you
across multiple sites
unless you use the same username or other information. I mean, then it's going to be
the same old standard stuff. But it's not like a password hash. A password hash is a, you can think
of it as an encrypted way of storing your password. It's really not. I mean, I guess it is encrypted,
but you can't ever decrypt it. But one thing you can do
is take a bunch of guesses
and see if you get a match.
Right?
That is useless
against public private key cryptography.
You can't do that.
I see.
You just have to start guessing
the private key space,
and that space is huge.
Right.
You'll never finish.
Right.
All right.
Well, I think good news here,
especially that we've got these three heavy hitters on board.
Yes.
Hopefully, we're accelerating our journey in that direction of a passwordless future.
I think it's coming.
You remember six years ago when we started doing this, I started appearing on this show?
Yeah.
We were talking about passwordless logins, getting rid of passwords, and I was like, I don't know what that looks like.
Yeah.
Well, here, this is what it looks like.
Fair enough.
Right.
All right.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is... Thanks for listening.
We'll see you back here tomorrow.