CyberWire Daily - Swapping propaganda shots. ICANN will not block the Internet in Russia. Hacktivists achieve a nuisance-level of success. NVIDIA gets a most curious demand. And there’s no US draft.
Episode Date: March 4, 2022
Propaganda engagements in Russia's hybrid war against Ukraine. ICANN will not block the Internet in Russia. Hacktivists, real and pretended, achieve a nuisance-level of success in Russia's war. Scams and misinformation circulate in Telegram. NVIDIA gets a most curious demand from a cyber gang. CISA's ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And, hey, newsflash, no matter what the texts on your phone might say, there's no military draft in the US.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/43
Selected readings:
Putin Thought Ukraine Would Fall Quickly. An Airport Battle Proved Him Wrong (Wall Street Journal)
Russia's chaotic and confusing invasion of Ukraine is baffling military analysts (CNBC)
Last Vestiges of Russia's Free Press Fall Under Kremlin Pressure (New York Times)
Don't mention the war: Russian state media sells the lie of Ukrainians shelling their own cities (The Telegraph)
Russian troops in disarray and 'crying' in combat, radio messages reveal (The Telegraph)
Demoralised Russian soldiers tell of anger at being 'duped' into war (the Guardian)
The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review)
Ukraine's request to cut off Russia from the global internet has been rejected (CNN)
No, the Army isn't sending Ukraine draft notices via text (Army Times)
Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (Hacker News)
Hackers warn Nvidia to open-source their GPU drivers or face data leak (Computing)
Cybercriminals who breached Nvidia issue one of the most unusual demands ever (Ars Technica)
BD Pyxis (CISA)
BD Viper LT (CISA)
IPCOMM ipDIO (CISA)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Propaganda engagements in Russia's hybrid war against Ukraine.
ICANN will not block the Internet in Russia.
Hacktivists, real and pretended, achieve a nuisance level of success in Russia's war.
Scams and misinformation circulate in Telegram.
NVIDIA gets a most curious demand from a cyber gang.
CISA's ICS advisories.
Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And hey, newsflash, no matter what the texts on your phone might say, there's no military draft in the U.S.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 4th, 2022. We begin with a quick note on the situation on the ground in Russia's war against Ukraine.
Russia's army seems to be compensating for tactical and material incapacity with brutally intense and indiscriminate fires.
The big column approaching Kiev still appears to be both roadbound and stalled,
but Russia seems determined to push through and persevere
until it succeeds in disarming and neutralizing,
and probably partitioning, Ukraine.
Logistical planning and possibly training and command failures
may be responsible for the Russian army's lack of rapid success.
Russian and Ukrainian negotiators met again without much progress,
but certain corridors are said to remain open for the use of refugees.
President Zelensky offered to meet President Putin
and offered Mr. Putin a mildly insulting reassurance: "I don't bite."
Belarusian President Lukashenko said today
that his forces aren't participating in Russia's war and that he won't be sending them into combat.
MIT Technology Review sees the propaganda war as having eclipsed the cyber war.
Who's winning this phase? Military Times gives a clear edge to Ukraine, whose messaging has held far more appeal than Russia's.
Some of Kiev's themes and memes are plausible.
Courageous old ladies giving Russian invaders pieces of their mind.
Old men volunteering for service.
Captured Russian conscripts asking for their mothers to come and bring them home.
Others are pretty dubious, like the cats who caught snipers.
Still others are more myth than reporting, like the Ghost of Kiev, the Ukrainian fighter pilot who's downed six Russian aircraft to become the first European ace since 1945. But the Ghost sounds a little like those bowmen of Agincourt who were said to have succored the British Expeditionary Force during its retreat in 1914. And then there's the frankly debunked, like the video the Ministry of Defense displayed
that purported to be gun camera footage of a dogfight
but turned out to be from the video game Digital Combat Simulator.
The messages are feel-good stories that tell about good versus evil
and their effect has been augmented by President Zelensky's easy facility with the soundbite and the one-liner. "I need ammunition, not a ride" seems to have been particularly well-received, and the above-mentioned "I don't bite" will probably be equally well-received. New America political scientist Peter Singer told Military Times,
quote, when even Switzerland is joining in the way, as a neutral account of the relative success of government propaganda campaigns,
not as approval of any official lying.
Russian propaganda has had much less success,
in part because of the lies' lack of their usual bodyguard of truth.
Moscow has had little success in convincing the world that President Zelensky's government represents a cabal of Nazis,
and clumsy attempts to blame Russian misconduct on Ukraine have fallen flat.
After extensive Russian bombardment of Kharkiv, for example, the Telegraph reports that NTV explained, quote, "In expert opinion, it was the Ukrainian military who attacked the Kharkiv administration building with a Smerch multiple rocket launcher or an Olkha, its modern Ukrainian modification." End quote.
This kind of story isn't flying, internationally at least.
Much of Russia's propaganda effort is inward-looking,
focused on maintaining domestic order and, if possible, active support for the war.
The Telegraph goes on to report that Russian authorities are relying on tight narrative control,
specifying in some detail how the war is to be reported.
If we were TASS or NTV, we'd be calling that war a special military action.
CNN reports that ICANN, the Internet Corporation for Assigned Names and Numbers, has told the Ukrainian government that shutting down Russia's access to the Internet is beyond its power, both technically and as a matter of policy. ICANN CEO Göran Marby wrote authorities in Kyiv, quote, "As you know, the Internet is a decentralized system. No one actor has the ability to control it or shut it down. Our mission does not extend to taking punitive actions, issuing sanctions or restricting access against segments of the Internet, regardless of the provocations."
Blocking the Internet in Russia, even if it were easily possible, would be, many observers suggest,
an ambivalent move. Information about war does seem to be reaching Russian citizens,
even around the government's restrictions on the flow of information,
and there's arguably more benefit from that than
there would be from jamming.
Distributed denial of service attacks and doxing seem to have been the preferred modes of attack by both sides of the war, Check Point suggests. DDoS is easier to confirm than are claims of breaches, and hacktivists in particular have been prone to exaggerate the effects they've achieved, but it's undeniable that there have been nuisance-level successes.
Check Point Research has been watching Telegram traffic during the war, and it sees a mixed record. They're observing three broad classes of activity. First, cyber-attack groups against Russia that urge followers to attack Russian targets with different tools and in different ways, mainly DDoS. Second, groups urging followers to support Ukraine through fundraising of doubtful authenticity, often suspected to be fraud. And third, numerous news feed groups airing updated and exclusive news reports about the conflict, bypassing mainstream news outlets.
Much of the claimed hacktivism is bogus,
either deliberate scams or the self-aggrandizing fantasies
of those who wish to see themselves as self-importantly engaged.
What else are social media for?
Check Point urges people to be particularly cautious when they're considering donating to an appeal for funds. Fraudsters follow the news too, and they craft their phish bait accordingly.
Turning to a story that seems to have nothing to do with Russia's war against Ukraine,
there have been developments in this week's cyber incident at NVIDIA.
The chipmaker said this week that the attack did not appear to involve ransomware.
It does appear, Hacker News reports, to involve a different kind of extortion. DarkTracer says the Lapsus$ gang has employee credentials and about a terabyte of other data. Lapsus$ also issued what Ars Technica calls one of the most unusual demands ever. Quote, "We request that NVIDIA commits to completely open source and distribute under a FOSS license their GPU drivers for Windows, macOS, and Linux from now on and forever."
Lapsus$ claims an altruistic motive. Quote, "We decided to help mining and gaming community.
We want NVIDIA to push an update for all 30 series firmware that remove every LHR limitations, otherwise we will leak HW folder. If they remove the LHR, we will forget about HW folder. It's a big folder. We both know LHR impact mining and gaming."
What they really appear interested in doing is making it easier to mine altcoin. LHR blocks many forms of mining, and apparently Lapsus$ would like to be able to mine coins with their GPUs.
CISA yesterday issued three industrial control system advisories.
Two of them affected medical systems.
The third advisory involves a telecontrol communication device.
And finally, American youths. Have you received a text telling you that the U.S. Army is drafting
you to fight in Ukraine? It's a scam, Army Times reassures everyone. The U.S. Army wouldn't text
something like that, and besides, as the army points out, there's no draft and it
would take an act of Congress to establish one. So fraudsters follow the news, but they also have
a good sense of when their marks really aren't paying attention. So friends, there's no draft
and it's not the 1960s anymore. We've seen civil war reenactors. Will the 2020s see a wave of draft
resistance reenactors?
Probably not.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It's commonly accepted that there's a talent shortage in cybersecurity, and in response to that, many organizations are embracing security operations automation, or SecOps,
as a way of closing the gap and making the most of the talent they have. Chase Snyder is Senior Manager of Security at ExtraHop,
and he thinks the emphasis on SecOps makes sense,
but also deserves thoughtful consideration.
For one thing, people believe that there is a technological answer to the problem,
that by embracing automation and AI,
they can get more efficiency out of their security operations
and that they can get
a better sort of outcome
without having to solve
this seemingly intractable problem
of staffing.
There's some truth to that,
but it's a little bit more nuanced.
But by embracing security operations,
companies feel that there's a sense
that there is a path forward
in this extremely challenging both global remote work landscape and also rapidly evolving threat
landscape where the cyber attackers are getting more and more sophisticated at how they intrude
upon their targets. And the field of security operations and the growth and innovation that's
happening there offers sort of a beacon of hope
that there might be an answer that businesses can continue to operate in these circumstances.
And what is the typical pathway here for organizations who are looking to
sort of formalize their journey into security operations? What does that look like?
Well, starting up a security operations center is a pretty big ask, but I think there's a sort of mixed bag happening now where many organizations
are having some in-house staff for security and they're splitting off so that it's not just the
IT operations team or the CIO who's running the security team kind of on the side. Having it be a separate,
dedicated organization within the business is a big part of it. And then figuring out what you
can handle on in-house and what you have to outsource to a managed service provider or what
you need to rely on some other sort of service for. Do you have any tips for organizations that are considering that journey?
I mean, are there common places where people trip up
or find themselves challenged?
I'd say for organizations that are just starting
their security operations journey,
going from not having a security team to having it,
there's a huge landscape of technology
and a huge landscape of services out
there, but where you really need to start is examining your own risk posture and what is
business critical for you. So when an organization is trying to get started in security, they have
to know what it is that they are trying to secure and really introspect quite a bit
about why they're even considering
moving towards having security operations
as part of their organization.
What's the value proposition here?
I mean, if I'm the person
who's making the case to my board,
I'm walking in and saying,
hey, this is the direction we want to go in.
What should I lead with?
What should that conversation look like?
If you're saying that you want to start up
a security operations team within your organization
when there isn't already one,
I think pointing to the growing scope
of the type of attacks that we're seeing,
there are a constant barrage of headlines
about the massive increase in ransomware demands
and supply chain attacks that sneak in and cause enormous damage,
enormous financial damage, brand damage, and even shut down the business.
And so pointing to those things and saying,
we know that prevention doesn't work and we know that this is an area of growing concern,
we can see what's happening to our peers.
We need to have the ability to address this from inside the house.
That's Chase Snyder from ExtraHop.
There's a lot more to this conversation. If you want to hear the full interview,
head on over to CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute, also the host of the ISC StormCast podcast.
Johannes, it's great to have you back.
You have been tracking some interesting techniques
that attackers are using to upload phishing pages
to some websites here.
What's going on?
Yeah, so the way we figured this out is we do run this honeypot network that emulates web applications. And if you go to our website, we sort of have a page where we basically display everything we have seen that's new that this network has detected. And recently, we found a number of hits for something called elFinder. And we were trying to figure out what this was about. So elFinder is a tool that allows you to manage content on your web server. If you, for some reason, don't like SSH and the command line in order to connect to your web server and move files around and upload files, you can use elFinder. It gives you a nice web-based interface. The name Finder sort of comes from the macOS Finder that they are trying to emulate here.
Fancy tools have fancy vulnerabilities.
I need that on a t-shirt.
Turns out last year, July, elFinder had a couple of vulnerabilities where it is possible for anybody to upload arbitrary files to your system. And it looks like phishing actors have caught on to this and are now actively looking for elFinder. Where the tricky part is, with all of these components (these days people like to call it a supply chain issue), that sort of catches you again here: elFinder is a component that may be part of a plugin that you then run as part of a content management system like WordPress and such. So you have these multiple levels of redirection here until you actually realize that you're operating using this malicious, or not malicious, I should say, vulnerable component.
So in this case, is it a matter of making sure that your copy of elFinder is up to date?
Definitely make sure it's up to date.
That's the first thing to do.
And with any admin interface, admin feature like this,
I would always recommend some additional layer of authentication.
In your web server, you can usually configure something called
basic or digest authentication.
It's not super strong, but it sort of provides this additional layer of protection
to components like this, which sadly tend to have a lot of vulnerabilities.
In particular, if it's only maybe you and someone else or so
who needs to really access that component to upload files
and manage the content on your website.
A colleague of mine does a lot of WordPress development, and they use one of the popular WordPress hosting platforms, and it costs a little bit more. But one of the advantages there is that that hosting platform for WordPress also keeps an eye on some of these vulnerabilities and makes sure that you're informed and that the things that they can keep up to date are kept up to date. And I think that's noteworthy if you're someone who's running a WordPress site.
No, I definitely recommend that to people.
You don't really want to bother with all the plumbing around WordPress.
WordPress is always put out here, because it's somewhat the biggest one, but all these others, Drupal and such, have similar issues.
I heard someone once saying that WordPress' business model
is that they make it so hard to patch
that you have to sign up for pay service.
But the price is not really that bad,
so it's definitely worthwhile considering.
Because pretty much whenever I look at a phishing website
these days, it's either WordPress that got compromised or it is some kind of free cloud hosting service that's being used.
That's really sort of where a lot of phishing comes from.
So you don't want to be part of the problem. And talking sometimes to people who got compromised, it's actually a fun thing that you should do at times. It's usually a church, it's a small business that has someone who years ago put together the site for them.
They really don't have any talent,
really can't afford anybody that would sort of really manage the site for them
other than updating a couple of pages here and there.
All right, well, good advice as always. Johannes Ullrich, thanks for joining us.
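The mitigation Johannes describes, an extra authentication layer at the web server in front of a file-manager component so that an upload bug in the component is not reachable by anonymous visitors, looks like this in nginx. This is an added example, not configuration from the podcast or from the elFinder project; the /elfinder/ path, the password-file location, the hostname and the PHP-FPM socket are all assumed.

```nginx
# Added example (not from the podcast or from elFinder): basic authentication
# in front of a web-based file manager such as elFinder.
# Assumptions (hypothetical): elFinder is served under /elfinder/, the password
# file is /etc/nginx/htpasswd/elfinder, PHP is handled by a local PHP-FPM socket.

server {
    listen 443 ssl;
    server_name www.example.com;            # placeholder hostname

    # ssl_certificate / ssl_certificate_key and the rest of the site as usual.
    root /var/www/html;                     # assumed document root
    index index.php index.html;

    # Everything under the file manager prompts for a browser login before the
    # request is handed to the application, so an unauthenticated upload flaw in
    # the component cannot be reached from the open Internet. The "^~" prefix
    # stops nginx from considering other regex locations for this path.
    location ^~ /elfinder/ {
        auth_basic           "Site content management";
        auth_basic_user_file /etc/nginx/htpasswd/elfinder;

        # Optional second check when editors work from a known network. nginx
        # requires both the address check and the login to pass by default.
        # allow 203.0.113.0/24;             # documentation range, placeholder
        # deny  all;

        # PHP inside the protected path goes to the same backend as the rest
        # of the site; the auth_basic directives above are inherited here.
        location ~ \.php$ {
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass   unix:/run/php/php-fpm.sock;   # assumed socket path
        }
    }

    # Ordinary PHP pages of the CMS (WordPress and the like) stay public.
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;       # assumed socket path
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/htpasswd/elfinder editor` (from the Apache utilities package) or with `openssl passwd -apr1`, then `nginx -t && nginx -s reload`. Basic authentication only base64-encodes the credential, so it belongs behind TLS, which is why the example listens on 443 only; it does not replace patching the component, it just keeps an unpatched component from being reachable by strangers. A useful check after deploying it: an unauthenticated request for any file under /elfinder/, including the upload endpoint, must come back as HTTP 401, and the web server's access log will then show every attempt at that path with the 401 status, which is a cheap detection signal for the kind of scanning the honeypot network saw.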
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday in my conversation with Mike Benjamin from Fastly.
We're discussing open redirects, real-world abuse, and recommendations.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.