CyberWire Daily - Slow-motion brutality against Ukraine as sanctions begin to bite Russia. Big Tech takes sides. Ransomware continues to bother major corporations.
Episode Date: March 2, 2022
Russia's invasion in Ukraine is still slow, but it's grown more brutal. Sanctions are beginning to hit Russia hard. The cyber phase of this hybrid war seems more informational than destructive, which is surprising. Big Tech has taken Ukraine's side, and some Russian companies face a tough balancing act. Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security. Malek Ben Salem from Accenture on deploying effective deception systems. And ransomware continues to pester major corporations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/41
Selected reading.
Ukraine at D+6: Shocking and awful. (The CyberWire)
The Fog of Cyberwar Descends on Ukraine and Russia (Bloomberg)
Russian Electric Vehicle Chargers Hacked, Tell Users 'PUTIN IS A DICKHEAD' (Vice)
Western Sanctions Bite Russian Economy, but Pose Unpredictable Risks (Wall Street Journal)
Targeted APT Activity: BABYSHARK Is Out for Blood (Huntress)
5 New Vulnerabilities Discovered in PJSIP Open Source Library (JFrog)
Nvidia says hackers are leaking company data after ransomware attack (TechCrunch)
Insurer Aon falls victim to a cyber attack (Computing)
Toyota to restart Japan production after cyberattack on supplier triggers one-day halt (The Edge Markets)
Cyberattack on Toyota's supply chain shuts all its factories in Japan for 24 hours (CNN)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russia's invasion in Ukraine is still slow, but it's grown more brutal.
Sanctions are beginning to hit Russia hard.
The cyber phase of this hybrid war seems more informational than destructive.
Big tech has taken Ukraine's side, and some Russian companies face a tough balancing act.
Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security.
Malek Ben Salem from Accenture on deploying effective deception systems.
And ransomware continues to pester major corporations.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Wednesday, March 2nd, 2022.
Russia's invasion of Ukraine has proceeded at a slower pace than Russia had expected.
While Russia's operations enter a new,
more brutal phase in which cities and their civilian populations are subjected to heavy fire,
its forces have shown themselves unable to achieve and sustain the operational tempo
necessary to quick victory. Defense News suggests there are five basic reasons for this.
Poor communication of the commander's intent: that is, President Putin
seems not to have shared his goals with his field commanders.
Failure to fight as the Russian army had trained.
Overconfidence: they expected a walkover, to be greeted as liberators.
Ineffectual use of air power.
And finally, the surprising unanimity of the European
governments in their negative response to the Russian action. The Moscow Stock Exchange remains
closed in the longest shutdown since 1998. Bloomberg reports that the exchange closed over
the weekend and has yet to resume trading as sanctions bite ever deeper into the Russian
economy. The ruble itself has cratered under the effect of sanctions.
According to Business Insider, one Russian ruble is currently worth less than one U.S. cent.
Microsoft, as we've heard, found that the malware it called Foxblade,
and that others have called Hermetic Wiper,
was staged and deployed hours before
Russian troops crossed their lines of departure and invaded Ukraine. SecurityWeek has an update
on ESET's research into those Russian cyberattacks against Ukrainian targets. The company says it's
detected a worm, HermeticWizard, that's spreading HermeticWiper, which, as its name suggests, is data-erasing malware.
ESET has also found HermeticRansom in the wild, which adds a capability for extortion to the
campaign. CrowdStrike has also detected the Go-based ransomware, which it's calling PartyTicket,
but which it confirms is the same malware as HermeticRansom. Kaspersky assesses the ransomware as misdirection for the wiper campaign,
which would be consistent with Russian practice at the outset of the war against Ukraine.
There are reports of local Russian jamming of GPS in and around Ukraine,
but so far, Breaking Defense reports, their effect seems relatively contained.
U.S. support operations in particular are said to be unaffected.
Ukraine has shown some ability to attract hacktivists and volunteer hackers to its cause,
the Wall Street Journal reports, and Vice describes some of their activities,
many of which have taken the familiar form of vandalism, defacing websites and performing other mischief.
Of arguably more significance have been signs that Ukraine has been able to obtain and publish material from online Russian sources.
Ukrainska Pravda reports that the Center for Defense Strategies has acquired the names of 120,000 Russian servicemen who are fighting in Ukraine.
These have been posted online.
That's unlikely to have any immediate tactical effect,
but it can't be good for either Russian morale
or for Russian confidence in the security of its networks.
Wired reports that Ukrainian networks have proven more resilient than anticipated,
even under Russian cyber attack.
According to Space News, SpaceX has made a contribution in kind to a more resilient
Ukrainian internet, delivering, as promised, a number of Starlink terminals and the services
that go with them. Platformer gives the social networks generally favorable marks for being on
the side of the angels during
Russia's war against Ukraine. Here are some of the specific measures big tech has taken.
Apple is the latest big tech firm to shut out Russia. Quote, we are deeply concerned about the
Russian invasion of Ukraine and stand with all the people who are suffering as a result of the
violence. That's Reuters quoting an Apple representative as explaining,
We are supporting humanitarian efforts,
providing aid for the unfolding refugee crisis,
and doing all we can to support our teams in the region.
YouTube has banned Russian media outlets from its platform across Europe,
Politico reports.
Google Europe tweeted a terse explanation,
quote,
Due to the ongoing war in Ukraine, we're
blocking YouTube channels connected to RT and Sputnik across Europe, effective immediately.
It'll take time for our systems to fully ramp up. Our teams continue to monitor the situation
around the clock to take swift action, end quote. Facebook's corporate parent Meta has taken two steps.
It's both demoting Russian media content as probable disinformation,
and it's seeking to improve user safety with an encrypted Instagram messaging app.
According to Protocol, Meta's president of global affairs sees the second move as particularly important.
Quote,
We think it essential, as long as this continues,
that the ordinary Russians can use our services to express themselves, organize and protest and reach out to family and friends
in the wider community, end quote. The downgrading of Russian media principally affects RT and Sputnik,
which have generally come to be seen, particularly in Ukraine and the EU, as the most prominent vectors of Russian disinformation.
No one is really buying the Russian line that the war was necessary to denazify a genocidal Ukrainian fascist junta
that was itself bent on Russia's destruction, and it's difficult to find much conviction anymore
in the routine Russian diplomatic assertions repeated on Russian domestic media that, no, really, that's what's going on here.
One well-known Russian company, and a company that has customers abroad because it produces
a product that people actually want, is the cybersecurity firm Kaspersky. Kaspersky hasn't
been free of suspicion of Kremlin influence. Indeed, a few years ago, its antivirus products were excluded from U.S. government networks
on the grounds that they allegedly collected too much information about the networks they protected.
But in general, Kaspersky has achieved international status as a normal company.
Presently, according to Vice, Kaspersky is attempting a difficult balancing act.
It's a Russian business trying to occupy a neutral ground in Russia's war against Ukraine.
Founder Eugene Kaspersky's tweets include these,
We welcome the start of negotiations to resolve the current situation in Ukraine
and hope that they will lead to a cessation of hostilities and a compromise.
We believe that peaceful dialogue is the only possible instrument for resolving conflicts.
War isn't good for anyone.
End quote.
Also, quote, like the rest of the world, we are in shock regarding the recent events.
The main thing we can do in this situation is provide uninterrupted functioning of our products and services globally.
End quote.
Leaving Russia's war in Ukraine aside, we turn to some of the other developments in cyberspace.
Huntress has updated its research into an APT it associates with North Korea,
and which is generally being called BabyShark.
The threat actor's operational practices are consistent with those Palo Alto Networks
last month observed being used earlier against think tanks, and Huntress says the attack
it observed was significantly customized and tailored to the specific victim environment,
indicating a targeted attack. The initial infection vector was phishing. Huntress counsels that
preventative measures alone are insufficient for protection
and that organizations should make full use of logging, monitoring, and hunting.
Researchers at JFrog report finding five security vulnerabilities in PJSIP,
a widely used open-source multimedia communication library developed by Teluu.
Toyota's suspension of production in Japan, which a cyber attack on a third-party supplier induced, is now over.
The disruption to the manufacturing lines lasted one day, Edge Markets reports. According to CNN,
14 factories were affected. TechCrunch reports that the cyber incident U.S. chip manufacturer
NVIDIA suffered was a ransomware attack and that the company has confirmed that the attackers have
begun to leak stolen information online. Some of the stolen data includes employee credentials.
A Form 8-K that insurance giant Aon filed with the U.S. Securities and Exchange Commission
disclosed that the company was investigating a cyber incident it detected on February 25th,
Computing reports. Aon says that its operations were unaffected, quote,
the incident has not had a significant impact on our operations. We remain focused on our
clients and our ability to serve them has not been impacted by this event, end quote.
Finally, we return to the Russian war against Ukraine.
People are asking what kinds of cyber action are permissible under the laws of armed conflict.
Consider the hacking of electric vehicle charging stations in Russia, which Vice reports have been displaying demotic assessments of Mr. Putin's leadership.
Are such defacements war crimes?
No, almost certainly not,
even though the laws of conflict in cyberspace
are still at what we might call an aspirational stage.
Website or device defacements that say, as they have,
Putin is a blank-head (we bleep it because we're a family show),
as have been observed in Russia,
don't present any obvious criminal case, no more than claims that the Russian president has now
established himself as the world's most toxic man. Indeed, under some domestic legal systems,
they might not even constitute a civil tort. Under U.S. law, to take one example, truth is an absolute defense to an accusation of slander.
Reflect on that in your dacha, President Blankhead, or on your yacht, at least until it's seized by
Interpol, Blankhead.
Where open-source software meets supply chains, there's ample opportunity for vulnerabilities.
And given the recent focus on supply chains by threat actors, it's fair to say there's increased vigilance on the part
of developers. Lavi Lazarovitz is head of research on CyberArk's Labs team,
and I spoke with him on the topic of supply chains and open source software.
When we all, all organizations, all software vendors, suppliers use the same open source libraries, codes and packages, we also replicate vulnerabilities.
And this is why I think that this is the essence of the significant attack surface that is now being utilized by many threat actors.
Moving on to mitigation, on what should be done to mitigate the risk,
the first thing that any organization, any software vendor needs to do is have a clear and visible list of the libraries that are used within its own software
and in the software that the organization uses,
the third-party applications and services.
And although it sounds pretty obvious and simple,
this is not the case.
Knowing what packages I'm using in my code,
code that I imported for my software
or the software that I developed is not a trivial task.
And there are a lot of tools out there that help with that. But this would be the first thing that
organizations should do. Because after you know what you have, then you can respond quickly.
You can look for common vulnerabilities in those packages that might be prone to severe vulnerabilities,
like authentication algorithms or mechanisms.
So those would be, I would start from there.
You know, I've heard it said about open source software that one of the advantages
is that by its very nature, it has a lot of eyes on it.
It's available for people from all over to take a look and make sure that it's secure.
In response to what we've seen from some of these supply chain attacks,
I've seen other folks say, you know, these days that might be a bit of a myth.
What's your take on that?
So we all know, and I really think, the old saying that when there is no visibility and there is a vulnerability there,
it might explode and its impact would be enormous. And when you have a whole community looking into
the code, then huge mishaps have a potential to be detected a bit before the vulnerability causes some major or severe exploitation.
So my take on it is that with OSS, the visibility into the code is a clear advantage.
So you can also say, Dave, that, okay, so if the community has visibility, the threat actors have visibility as well.
But this is where I think that a large number plays a role.
The community is huge.
The dev community is huge,
and we can take advantage of that community for the good
and not just allow those threat actors
looking for specific vulnerability to reverse the code and find it for themselves,
maybe sell it for millions for offensive security vendors out there.
When it's closed source, I tend to think that threat actors
might have an advantage here.
Automation here is a huge advantage,
pushing the development process to a higher velocity,
but it also comes with a lot of risk.
So I got to say there is no silver bullet here.
I would start from assuming breach
and try to reduce the attack surface
or contain the attack
while assuming the threat actor is on my machine
and then work back to make sure that
I am aware what code I'm using. So when something big comes up, I know what I have and I know if I
need to respond or not. And lastly, I would be also subscribing to get notification when new updates
come in. So I would either review them first and then have them integrated into my code.
That's Lavi Lazarovitz from CyberArk's Labs team.
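The interview's first piece of advice, an exact inventory of the packages you ship and a check of each pinned version against known advisories, as a small worked example. This is an added illustration, not code from the podcast, from CyberArk, or from any tool mentioned on the page. The requirements file, the package names and the advisory identifiers (ADV-EX-…) are constructed for the example, and the version comparison is deliberately simple (numeric components only), not a full PEP 440 matcher.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: a pinned requirements.txt standing in for
# the "clear and visible list of libraries" the interview calls for.
# Package names are hypothetical, chosen for the example.
SAMPLE_REQUIREMENTS = """\
# constructed example input
httpfetch==2.25.1
netpool==1.26.4
cryptokit==3.3.2
tokensign==1.7.1   # pinned for a legacy integration
webapp>=2.0
"""

# Constructed advisory feed: a package is affected if
# introduced <= installed_version < fixed. Identifiers are made up.
SAMPLE_ADVISORIES = [
    {"package": "netpool",   "introduced": "1.0", "fixed": "1.26.5", "id": "ADV-EX-0001"},
    {"package": "tokensign", "introduced": "0.0", "fixed": "2.4.0",  "id": "ADV-EX-0002"},
    {"package": "cryptokit", "introduced": "0.0", "fixed": "3.3.2",  "id": "ADV-EX-0003"},
    {"package": "webapp",    "introduced": "0.0", "fixed": "2.1.0",  "id": "ADV-EX-0004"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.26.4' -> (1, 26, 4). Non-numeric tails such as 'rc1' are dropped;
    enough for pinned releases, not a full PEP 440 comparator."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) if parts else (0,)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a requirements file into exact pins and everything else.
    Only '==' pins give a version that can be checked; ranges and bare
    names are reported separately because they cannot be assessed."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            name = re.match(r"^[A-Za-z0-9_.\-]+", line)
            unpinned.append(name.group().lower() if name else line)
    return pinned, unpinned


def find_vulnerable(pinned: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, advisory_id) for every pin that
    falls inside an advisory's affected range [introduced, fixed)."""
    hits = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["package"], version, adv["id"]))
    return sorted(hits)


def check(requirements: str, advisories: List[dict]) -> Dict[str, object]:
    """Inventory first, then match: the order the interview recommends."""
    pinned, unpinned = parse_requirements(requirements)
    return {
        "inventory": pinned,
        "vulnerable": find_vulnerable(pinned, advisories),
        "unassessable": unpinned,   # no exact version, so no verdict
    }


if __name__ == "__main__":
    result = check(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for pkg, ver, adv in result["vulnerable"]:
        print(f"VULNERABLE {pkg}=={ver} ({adv})")
    for pkg in result["unassessable"]:
        print(f"UNPINNED   {pkg}: cannot be checked without an exact version")
```

Two details in the sample are there on purpose: cryptokit is pinned at exactly the fixed version, so the half-open range must exclude it, and webapp is declared as a range rather than a pin, so the checker can only report that it cannot be assessed. That second case is the practical reason the inventory has to record exact versions, ideally from a lockfile rather than a loose requirements list.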
And I'm pleased to be joined once again by Malek Ben Salem.
She is the Technology Research Director of Security at Accenture.
Malek, it is always great to have you back.
We are talking today about this notion of deception systems for software resilience.
An interesting topic. What do you have to share with us?
You know, deception has been historically used as a technique by the information security community to detect attackers or to detect attacks, right?
We are familiar with the concept of honeypots, honeynets, honeyfiles, honeytokens.
But today I'm here to call for rethinking how we might use deception systems
and to expand the users or the communities using deception systems.
Basically, I think that there is a huge opportunity for application teams to leverage deception systems in order to develop more resilient and secure software.
So imagine a world in which developers and operators of systems exploit attackers as much as attackers exploit us, the defenders, right? Imagine a world where
they can capture or gather information about how those attackers behave, how they attack a system.
When they have access to that type of information, they should be able to design systems that are
much more resilient, that can predict how attackers would behave or learn how
attackers would behave as opposed to predict how they would behave based on our own mental models
of attackers. Well, can you give us an example of how this sort of thing would play out?
Basically, this would require the improvement of the deception systems that we have available to us today.
But once we deploy a deception system that is very believable, that is very similar to a real-world implementation of a real system, and we allow attackers to interact with it,
and we have the right logging and monitoring tools within that environment to observe what the attackers are doing, then we can gather that right information.
And then we can use that information asymmetry to our advantage as we design new systems.
So how does this differ from a traditional honeypot?
So the traditional honeypot has been typically isolated from real-world environments,
right? It's very separate. We deploy it in a different system, deploy it perhaps on a different
network. It does not exhibit believ, for the adversary, for the attacker.
What we need is more systems that are very similar to what a real world system would look like, that have that high fidelity, if you will.
And they may not necessarily be fully isolated from the real world system.
You know, they look believable to the attacker, so that the amount of information that we gather from them can inform the design of these systems and can inform how real attackers behave. The ones we have today, the honeytokens or honeyfiles that we have today, are not interactive enough,
right? For the most part they are static. In some cases they may have some traffic that looks
realistic, but there's no way for the attacker, let's say, to pivot from one system to another to
explore a network. They don't provide that capability for
the attacker to experiment and to showcase their TTPs, right? Their tactics, techniques, and
procedures. And if the attacker doesn't know or doesn't use those TTPs, obviously, we are not
collecting them. We're not observing them.
So where do we stand right now that this sort of thing is practical?
Yeah, I think we're at a point where we can leverage existing technology to deploy these more realistic and believable deception systems.
First of all, cloud computing enables us or gives us the ability to provision fully isolated infrastructure with little expense.
With that ability to automatically deploy, we can easily leverage this technology to our advantage.
The virtualization advancements that we've seen recently,
the widespread availability of nested virtualization that has been mature, the hardened virtualization technologies today all inspire confidence that attackers are isolated from production.
So I think we're at a point where we can leverage those advancements to deploy these more realistic deception systems. And obviously also, you know, SDN, software-defined networking, proliferation of SDN, the widespread
use of SDN, and the ability to define networks programmatically also helps with the deployment
of these deception systems.
So I think a combination of these technologies available to us would help us
be able to deploy deception systems, you know, through code, right? Using infrastructure as
code, we should be able to have more of these systems available to us.
All right. Well, Malek Ben Salem, thanks for joining us.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.