CyberWire Daily - Someone’s engaged in provocation in the Donbas. Ukraine sees a Russian influence operation in recent DDoS attacks. Ice phishing as a threat made for a decentralized web.
Episode Date: February 17, 2022
Provocation may have begun in Ukraine, and no one but Russia can see any signs of a Russian withdrawal of troops to garrison. Recent DDoS attacks in Ukraine are seen as an influence operation. The compromise of International Red Cross data has been tentatively attributed to an unnamed state actor. Johannes Ullrich from SANS shares a fancy phish. Our guests are Mike Theis and Stacy Hadeka from Hogan Lovells to discuss the cyber aspects of the False Claims Act. And Microsoft describes ice phishing: social engineering for a decentralized web3. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/33 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Provocation may have begun in Ukraine,
and no one but Russia can see any signs of a Russian withdrawal of troops.
Recent DDoS attacks in Ukraine are seen as an influence operation.
The compromise of international Red Cross data has been tentatively attributed to an unnamed state actor.
Johannes Ullrich from SANS shares a fancy phish.
Our guests are Mike Theis and Stacy Hadeka from Hogan Lovells to discuss the cyber aspects of the False Claims Act. And Microsoft describes ice phishing.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, February 17, 2022.
Russian forces near Ukraine appear to have been augmented,
and NATO governments see no signs of the withdrawal Moscow said was in progress.
And by all indications, recent cyber operations seem to have been more information warfare than sabotage.
Organization for Security and Cooperation in Europe monitors reported multiple shelling incidents in eastern Ukraine. Accounts in The Guardian and elsewhere have focused on a children's school, variously described as a kindergarten or a nursery school, that was hit
by shell fire said to have injured three people. Ukrainian authorities accused Russian-led
nominally separatist forces of artillery attacks in the Donbass this morning.
The separatists, CBS reports, blame Ukrainian forces.
In any case, artillery fire hitting a kindergarten is difficult to improve upon as a false flag
provocation. It's an almost paradigmatic story of outrage. That's how Ukrainian President
Zelensky has characterized the incident, and NATO governments are tending to agree.
Far from confirming Russian claims that the forces it's maintained on high alert in forward assembly areas near Ukraine are now beginning to return to their garrisons, the New York Times
reports that both U.S. and U.K. sources say the withdrawal isn't happening. British Foreign
Secretary Liz Truss was among the senior officials
to publicly dispute Russian withdrawal claims. In fact, Russia seems instead to have deployed
an additional 7,000 troops to border areas. Forbes cites a U.S. official to the effect that the 7,000
represent a further augmentation to the 150,000 troops already in a high state of readiness near Ukraine.
Quote, Russia keeps saying it wants to pursue a diplomatic solution,
the unnamed senior administration official said.
Their actions indicate otherwise.
We hope they will change course before starting a war
that will bring catastrophic death and destruction.
End quote.
Ukrainian military intelligence is said to have
assessed that Russia's assembly of combat power, disturbing as it is, remains insufficient for a
full-scale invasion. If one accepts at face value the traditional military wisdom that an attacker
needs a three-to-one advantage over the defender to have a reasonable chance of success, and if one
simply counts troops in the theater, that's probably correct. But local superiority can be
achieved. You fight the forces you find on the ground in front of you, not the ones in other
parts of the country, and the troop build-up is certainly sufficient for offenses with objectives
short of the conquest and subjugation
of the entire country. Estonian intelligence services think that such limited offenses are
more probable. This week's distributed denial of service attack against two large Ukrainian banks
and the country's public-facing Ministry of Defense sites is now being attributed to Russia. The goal being imputed to it is influence.
The intention appears to be inculcating the belief that Russian intelligence services can
work their will against a weak Ukrainian government, shown to be incapable of meeting
its core responsibilities of public safety. The Ukrainian Center for Strategic Communications
and Information Security posted,
The Guardian reports that Ukrainian authorities didn't specify a particular Russian organization as responsible,
which suggests the attribution
is circumstantial. So the operation retains a fig leaf of deniability. Ukrainian authorities
also described the incident as unusually large. Nonetheless, it fell far short of crippling either
the Ministry of Defense or financial services across the country. It would, however, represent a plausible effort
at sowing doubt and mistrust. The Telegraph reports that both the U.S. and U.K. have stepped
up their assistance to Ukraine's cyber defenders. Preparation is being used in several senses as
people discuss Russian pressure on Ukraine. There is, of course, the ordinary language sense of getting ready for
something. There's also strategic preparation aimed at sapping an adversary's capacity for
effective resistance. Influence operations designed to fragment civil society would often
serve that purpose, as would demonstrations intended to show that the adversary's cause
is hopeless. And that seems to have been the point of this week's DDoS attacks against Kiev.
This is the sense in which observers are mostly talking about cyber preparations for a prospective Russian expansion of direct combat against Ukraine.
Forbes describes how such operations can serve as a precursor to a broader offensive.
There's also battle space preparation,
which usually means intelligence collection and analysis
in support of current operations.
And finally, there's preparation in the sense of an artillery preparation,
fires directed against enemy positions in advance of an attack by maneuver elements.
The fires in the Donbass this morning aren't an artillery preparation in the
proper sense. They're too random and indiscriminate for that, but they do serve well as a provocation.
A cyber preparation in this tactical sense has yet to be seen. One form it might take is an
attack on Ukraine's power grid, which would have an immediate effect on military operations.
Russia conducted limited attacks against Ukraine's grid in 2016 and 2017.
Robert M. Lee, CEO of industrial cybersecurity firm Dragos,
commented in a media session yesterday that,
while Ukraine has probably improved its response capability since those attacks,
its ability to defend the grid is in all likelihood about where it was five years ago. The International Committee of the Red Cross, the ICRC, yesterday released an
update on the incident it sustained in which threat actors obtained sensitive information
about refugees and other vulnerable populations. The ICRC suspects state-sponsored actors. They are believed to have gained access to the ICRC's systems by exploiting an unpatched vulnerability in Zoho ManageEngine ADSelfService.
Krebs on Security reports informed speculation that the incident was an Iranian influence operation.
Someone using the hacker name Sheriff in the Anglophone Raid Forums criminal market advertised sale of stolen Red Cross and Red Crescent data.
The offer was framed in a way that suggested it was part of an extortion campaign.
But Sheriff's email address has been seen before in an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States.
It's a possibility only, at this stage more suggestive than dispositive, but interesting nonetheless. Microsoft describes a new style of blockchain-centric attack, ice phishing. Redmond
sees it as a threat made for the decentralized Web3. Microsoft researchers see this winter's Badger DAO phishing attack as representative,
a caper that netted the attackers about $121 million.
The goal of ice phishing is to obtain the victim's cryptographic keys.
Once the crooks have your key, they can move the contents of your wallet whither they wish.
In ice phishing, the criminals inveigle the victim into signing a transaction
that delegates approval of the user's tokens to the attacker.
That may sound sinister, but it's actually quite common as a way of enabling interactions with DeFi smart contracts,
permitting users to swap tokens.
Quote, in an ice phishing attack, the attacker merely needs to modify the spender address to the attacker's address.
Once the approval transaction has been signed, submitted, and mined, the spender can access
the funds.
In case of an ice phishing attack, the attacker can accumulate approvals over a period of
time and then drain all victims' wallets quickly,
end quote. And that, says Microsoft, is what happened in the Badger DAO case.
Expect more of this should the internet move toward the decentralized model of Web3.
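The approval step quoted above, as an added example that is not from the podcast or Microsoft's report: a small JavaScript decoder for ERC-20 approve() calldata that flags an approval whose spender is not a contract the wallet expects and whose allowance is unlimited, which is the combination ice phishing relies on. The function selector is the standard ERC-20 one; the addresses and the allowlist are constructed placeholders.

```javascript
// Added example (not from the podcast or Microsoft's report): decode an ERC-20
// approve(address,uint256) call and flag the pattern described above, where the
// spender has been swapped for an attacker-controlled address and the allowance
// is unlimited. All addresses below are constructed placeholders.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed allowlist: spenders this wallet expects to grant allowances to.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder for a DEX router
]);

function decodeApprove(calldata) {
  const hex = calldata.startsWith("0x") ? calldata.slice(2) : calldata;
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length");
  if (hex.slice(0, 8).toLowerCase() !== APPROVE_SELECTOR) return null; // not approve()
  const spenderWord = hex.slice(8, 72);
  // An ABI-encoded address is left-padded with 12 zero bytes (24 hex digits).
  if (!/^0{24}/.test(spenderWord)) throw new Error("malformed address word");
  const spender = "0x" + spenderWord.slice(24).toLowerCase();
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

function assessApproval(calldata, knownSpenders = KNOWN_SPENDERS) {
  const decoded = decodeApprove(calldata);
  if (decoded === null) return { risk: "none", reason: "not an approve() call" };
  const reasons = [];
  if (!knownSpenders.has(decoded.spender)) reasons.push("spender is not a known contract");
  if (decoded.amount === MAX_UINT256) reasons.push("unlimited allowance");
  const risk = reasons.length === 2 ? "high" : reasons.length === 1 ? "medium" : "low";
  return {
    risk,
    spender: decoded.spender,
    amount: decoded.amount,
    reason: reasons.join("; ") || "spender known, bounded allowance",
  };
}

// Helper used only to build the constructed samples below.
function encodeApprove(spender, amount) {
  const addr = spender.slice(2).toLowerCase().padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Constructed samples: a bounded approval to the expected router, and an
// ice-phishing-style approval with the spender swapped for another address.
const LEGIT = encodeApprove("0x1111111111111111111111111111111111111111", 1000n * 10n ** 18n);
const PHISH = encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256);

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessApproval(LEGIT)); // risk: low
  console.log(assessApproval(PHISH)); // risk: high
}
```

A wallet or transaction-screening hook would run assessApproval on the calldata before asking the user to sign, and surface the spender and allowance in plain terms.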
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The False Claims Act is the U.S. federal government's primary legal tool to go after
organizations who have defrauded the federal government.
It goes back to the Civil War and is often referred to as the Lincoln Law.
Recently, the Department of Justice has been increasing their scrutiny on companies providing cybersecurity products and services to the federal government.
I recently spoke with Mike Theis and Stacy Hadeka, both attorneys at the law firm
Hogan Lovells and specialists on the False Claims Act. Cybersecurity requirements in terms of
software and defenses and other things that may be required by contract regulation or other law,
and to use the False Claims Act as the way of incentivizing companies to making sure that they comply.
The way that that works, as you may know, the False Claims Act does and has since the Civil War included provisions for private citizens to file suit.
The so-called qui tam provisions of the False Claims Act created financial incentives for people to come forward and file suit on behalf of the United States. The United States
investigates and can either take over the case and handle it itself or can decline and let the
private citizen go forward with the suit. The False Claims Act was overhauled in 1986 to substantially enhance those private whistleblower provisions.
And since 1986, the Department of Justice has had a really extraordinary record of successes
in enforcement under the False Claims Act.
I was just going to mention that there's already been a few Cybersecurity False Claims Act
cases that we've seen. And of course, we think the government is
certainly going to leverage those as they pursue False Claims Act allegations and investigations going
forward. And two of those, one involved a leading IT company where a whistleblower actually alleged
vulnerabilities in certain computer systems that were furnished to the federal government. That case was ultimately dismissed, but there's currently an ongoing case
with respect to a leading defense contractor in the aerospace industry sector, also with respect
to whistleblower allegations. It was alleged that the company made false statements regarding
its compliance with respect to DOD and NASA cybersecurity requirements.
And so, again, we've already kind of seen a playbook laid out for some cases in this
area where DOJ, of course, can leverage as it moves forward with new investigations.
And the case I was mentioning with respect to the leading aerospace and defense contractor,
that's currently ongoing and survived a round of motions to dismiss and
then summary judgment motions and is moving forward onto the merits. So is it fair to say
that in terms of companies assessing how they need to approach this, that this is more of a
risk assessment exercise rather than a kind of a checkbox, black and white, hey, we did this and
now we're good sort of thing? Yeah, I think that's right. I think that this is, you know, something
else that needs to be added to the chief compliance officer's list of items to be auditing, checking
for, conducting internal investigations, especially before they get into a situation where there is an
intrusion or breach. In other words, this is part of the good business hygiene that companies in
this current environment have to engage in to make sure that they are taking appropriate steps to
guard against breaches and intrusions, that they are careful with the sensitive or
confidential data that they handle, and fulfilling the obligations that they have to deliver
cybersecurity to the United States government when they are contracting with them.
Department of Justice is very deliberately unleashing the forces of the private sector,
motivated by the financial incentives that are created by the qui tam provisions of the False Claims Act to get people to come forward and report these things.
And so individual employees of companies that do business with the federal government now have an open invitation to come forward and to report their companies.
And so chief compliance officers and legal and regulatory teams at companies that do business with the government should be looking
at what are we doing to make sure that we are living up to the expectations that the government
has in terms of software, cybersecurity defenses, taking steps to ensure
that we protect our data. Yeah, and following up on that too, I don't think there is a one-size-fits-all
approach here, especially because, as you noted, that there's some companies that may be providing
items that pose less risk to the federal government.
Of course, where I would recommend companies start is really with the contract itself and understanding what federal business and work it has. A lot of times, companies that are working
with the federal government have a small fraction of federal government work when it may have a larger commercial presence. And so taking what those
government contracts personnel, security personnel are saying, I think, is kind of a culture that
needs to be addressed from the top down. And so companies, as Mike was saying, in their compliance
regime need to ensure that they're understanding what government obligations they have and also recognizing
that they need to take these seriously.
There is much more to my conversation with Mike Theis and Stacy Hadeka, which you can
find on our Caveat podcast.
The Hogan Lovells Law Firm recently published a guide for cybersecurity companies in regard
to the False Claims Act, and you can find that on their website.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute.
But more important than any of that, he is the host of the ISC Stormcast podcast,
which, Johannes, you just celebrated 13 years and, what, over 5,000 episodes of that show.
Congratulations.
Thank you.
Yeah, it has been quite a ride. And well,
it's also always interesting to sort of listen in on these very old podcasts, sort of how they
sound, the topics being covered. Some things change, some things really haven't changed.
Yeah, it's true. And I often brag about our own achievements here, but I have to say, 13 years and all those shows, you are the
undisputed marathon winner in the cybersecurity podcasting zone. So tip of the hat to you for that.
Thanks. Good to hear this coming from my second favorite daily podcast.
That's funny. Yours is my second favorite as well. What a coincidence.
Well, we got some good stuff to talk about today.
You have been tracking some interesting phishing techniques that have been going on using some
distributed web platforms. What's going on here? Yeah, so first of all, a little bit distributed
web. Sometimes people call it a part of that Web3. Now, of course, that's a term that
some interpret a little bit different.
But the basic idea of these distributed web platforms is sort of the really nice idea of having sort of a censor-free web.
But, of course, censor-free also means it's hard to take things down, even outright malicious content like phishing pages.
So what exactly did you find here?
So in this particular example, the platform they're using is siasky.net.
They call themselves Skynet,
so they play a little bit on that movie reference.
But what it essentially allows you is,
like many platforms that are being abused for phishing,
it allows free web hosting.
You upload an HTML file, they push back a URL that can now be used to reach that HTML file. That HTML file, of course, can also contain JavaScript. That's where it, in this case, gets a little bit more interesting. So instead of just having a
simple static html page that impersonates one particular website, when they're sending you a link,
they're appending your email address to the end of the link. And well, if you receive one of those
emails, but always, of course, play with it, try a different email, see what happens. In this case,
what they're actually doing is they have a little JavaScript on the page that uses a service that
will create an image of a web page.
So they take the domain part of your email address, they use that service to then retrieve an image of your homepage, and use that as a background for the login box.
The page you're visiting, the phishing page,
looks exactly like your current homepage,
which of course may entice people to then enter their credentials.
They also pull in a logo that they add
to the login dialog box.
I've seen that before, haven't really seen
the complete copy of the page.
Sometimes this looks really awful, of course.
It may actually make people
less likely to enter their credentials. But, you know,
it depends really on the page. And it's yet another trick sort of in the phisher's arsenal
here to come up dynamically with a more plausible page,
not sort of have a one-size-fits-all, like, you know, the standard
Outlook 365 phishing pages that you usually see.
Yeah, that's fascinating how they sort of render it on the fly there.
Are there any obvious red flags that tip their hand?
As sophisticated as this phishing page was, the email itself was, I think, pretty bad.
It was a DHL email.
Your shipment could not be delivered, one of those emails.
Now, I thought it looks pretty bad.
On the other hand, I'm using a little system
that removes all HTML markup from emails and such.
So emails usually look ugly if they're not important,
like all these commercial emails.
It's a little bit of a self-defense system here.
But I thought the phishing email was not really done very well.
And of course, the resolution of that background image
may not really match the resolution of your browser.
They use a fixed resolution for that image.
If any of the phishers are listening,
you could easily fix that by adding those parameters
based on JavaScript.
The data that you're submitting is then sent to a domain
that has sort of a crypto coin-ish name,
kind of staying with that Web3 theme a little bit.
What's also a little bit interesting here is
the Whois data is actually not anonymized.
99% of the time, when you're looking at a website like this,
or at any domain these days,
you're getting sort of anonymized, like, Whois data.
Here, they do have actual information.
I assume it's fake, but the same name and email address
is used for a couple other suspicious websites.
The website itself doesn't really display any content, just an empty page.
So not really sure yet who is receiving the data.
It's a little bit better, and I think the main issue here, it's different than the other features, which of course makes it more likely to be not detected.
Takedown of it, so that's of course one of the issues with these distributed web platforms.
siasky.net, they do have an email address you can send complaints to to have stuff taken down. Now, I sent them an email. The site is still up. Now it's three days later as we are recording this. Not really sure where this is going, but of course the same may also happen with a lot of these cloud hosting platforms that are being abused. It often takes a few days for malicious content to be removed.
It's certainly a clever, I suppose, implementation of
automation there. Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.
AI, and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.