CyberWire Daily - Swapping small attacks in cyberspace. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. No farms, no future. Locked Shields wraps up.

Episode Date: April 25, 2022

Anonymous counts coup with their #OpRussia campaign. Alternative energy suppliers in Europe sustain cyberattacks. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. Rick Howard hits the history books. Our guest is Paul Giorgi of XM Cyber with a look at multi-cloud hopping. Locked Shields wraps up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/79

Selected reading.
Ukraine's Postal Service DDOS'd After Printing Moskova Stamps (Gizmodo)
Since declaring cyber war on Russia Anonymous leaked 5.8 TB of Russian data (Security Affairs)
European Wind-Energy Sector Hit in Wave of Hacks (Wall Street Journal)
Schneider Electric says no evidence that Incontroller/Pipedream malware exploits vulnerabilities (MarketScreener)
Aid groups helping Ukraine face both cyber and physical threats (CNN)
Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code (KrebsOnSecurity)
Lapsus$ hackers breached T-Mobile’s systems and stole its source code (The Verge)
Lapsus$ hackers targeted T-Mobile (TechCrunch)
FBI Warns of Targeted Cyberattacks on Food Plants Amid Heightened Coverage of Fires (NTD)
Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons (IC3)
Cyberattack causes chaos in Costa Rica government systems (ABC News)
Finland wins NATO cyber defense competition (C4ISRNet)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Anonymous counts coup with their OpRussia campaign. Alternative energy suppliers in Europe sustain cyber attacks. What Lapsus$ internal chatter reveals. Costa Rica won't pay Conti's ransom.
Starting point is 00:02:15 Rick Howard hits the history books. Our guest is Paul Giorgi from XM Cyber with a look at multi-cloud hopping. And Locked Shields wraps up. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 25th, 2022. The Anonymous hacktivist collective has tweeted its tally of recent successes claimed against Russian organizations. They're calling it OpRussia, and they say, since declaring cyber war on Kremlin's criminal regime, the Anonymous Collective has now published approximately 5.8 terabytes of Russian data via DDoSecrets. Anonymous vows to release more data belonging to Russian entities and
Starting point is 00:03:19 government, including a commercial bank. On Sunday, Security Affairs published the results of its sifting through the documents Anonymous had leaked over the last three days and found that files were taken from four commercial businesses, Enerpred, Accent Capital, Sawatsky, and Worldwide Invest. It seems beyond dispute that OpRussia represents a successful hacktivist action, but its achievements also seem to confirm, again, that hacktivism in this ongoing hybrid war has yet to rise above nuisance levels. The nuisance is real, but it remains exactly that, a nuisance.
Starting point is 00:03:59 Anonymous has been operating in the Ukrainian interest. There has been evidence of hacktivism in the Russian interest as well, although in that case it's difficult to distinguish from opportunistic cybercrime that exploits sympathy for Ukrainian suffering, gangland privateering, and direct state action. CNN reports that humanitarian organizations working on Ukrainian relief have been the targets of phishing, or as CNN puts it, malicious links and pornographic material on their cell phones. Most aid groups are relatively poorly protected non-governmental organizations and in many cases have difficulty even recognizing that they're under attack,
Starting point is 00:04:40 still less able to respond to an attack quickly and effectively. CNN quotes Amazon Web Services as explaining that the attacks seem intended to spread confusion and cause disruption, which seems particularly odious when the activities being disrupted are the distribution of food, clothing, and medical supplies. The Wall Street Journal reports that three alternative energy companies in Europe have sustained cyberattacks since Russia's invasion of Ukraine began. WindEurope, a wind power industry group based in Brussels, says it believes the attacks originate with Russia. Presumably, the goal is to make a shift from Russian oil and natural gas more difficult for European, especially German, markets. Two German turbine manufacturers, Enercon and Nordex, and one turbine maintenance firm,
Starting point is 00:05:33 Windtechnik, have been affected. KrebsOnSecurity reports that internal Lapsus$ gang chatter indicated that the gang had made multiple incursions into T-Mobile's systems. For reasons that are unclear, Lapsus$ exhibited a strong interest in source code. They compromised employee accounts either by social engineering or buying them from Russophone initial access brokers. T-Mobile told KrebsOnSecurity, Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access [...] that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.
Starting point is 00:06:34 Costa Rica continues to work toward recovery from a ransomware campaign that afflicted government sites during the country's presidential transition. ABC has summarized the attack and the government's response. The Conti gang has claimed responsibility for the campaign, which appears to be a double extortion operation in which data are both encrypted and stolen. The Costa Rican government has refused to pay the ransom. The FBI warned last week that agricultural cooperatives
Starting point is 00:07:04 should expect to become targets of ransomware operators during crucial seasonal inflection points, particularly around harvest and, right now, around planting times. And finally, NATO's exercise Locked Shields has concluded. The point of the exercise is training and self-criticism with a view to improvement, but there's a competitive gamer dimension here, as there is in most military exercises. So, congratulations to Finland, whose team won the competitive
Starting point is 00:07:36 phase of Locked Shields. We trust that recent global events in your neck of the woods have sharpened your skills. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:08:28 like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:09:15 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. XM Cyber recently released research outlining security risks they've encountered on multiple customers' networks, including multi-cloud hopping and third-party risk to Azure environments. Paul Giorgi is Director of Sales Engineering at XM Cyber, and I checked in with him for details on their findings.
Starting point is 00:10:10 So most organizations have a variation of multiple cloud services. I think that if we look at what we see most commonly, there's a mixture of maybe a little bit of Microsoft 365, whether it's Azure Active Directory or maybe a couple of like just Exchange Online, but there's services within that environment. And then maybe there's a little bit of the IaaS services within AWS and maybe a little bit of GCP. So these large organizations have multiple clouds and it's not easy to replicate security posture
Starting point is 00:10:38 or security defenses around each one of these the same way. So when we look at how maybe an Azure Active Directory account could be the start of a breach, and then within four or five stops, end up reading data from an S3 bucket with an AWS, there's not a lot of correlation of risk from an Azure Active Directory account to an AWS S3 bucket. And what we're finding in our results
Starting point is 00:11:02 is there is a lot of correlation. It usually doesn't take a lot of steps. And a lot of organizations are dealing with this risk and not even aware of it. So because we're aware that most organizations are some sort of multi-cloud variant, but still assessing risk maybe just within their own individual clouds and not really considering the risk of how one entity could impact another entity. That was a really interesting finding for us, making sure people were aware of these risks from multi-cloud because most large organizations
Starting point is 00:11:36 are some sort of variation of multi-cloud and need to start assessing risk holistically across all the entities and not just within those individual cloud environments. And how do you propose they go about doing that? Yeah, so that's really where attack path management comes in. Attack path management assesses the telemetry, whether it's vulnerabilities, misconfigurations, or user activity, and assessing that telemetry and then simulating what an attacker can do in that environment. And not just within laptops or servers or domain controllers, but how something like
Starting point is 00:12:10 a Lambda function could play a role within AWS to then provide additional privilege escalation or additional assume role compromise capabilities within different environments. So that really is the heart of attack path management, looking at all of your entities, all the configuration, and then stringing together the realm of possibility from an attacker's perspective, identifying things like choke points. If I know an entity's risk to all the other assets in my environment, I can identify it as a choke point and remediate and prioritize risks tied to that entity quicker than maybe an entity that there may be a lot of risk tied to it, but the risk it introduces to my critical assets is
Starting point is 00:12:51 much smaller. So that's really the heart of attack path management is dealing with holistic entity assessment and then stringing together the possibilities from an attacker's perspective. And one of the other things you highlight in the report is risk to Azure environments, particularly coming from third parties. What did you find here? Yeah, so we live in the world where third-party access is just, it's something that we have to deal with. Whether it is a partner, portal access, maybe sometimes it's a contractor doing development
Starting point is 00:13:22 work. We know that we live in this world where there's going to be some sort of third-party access. But we're seeing these risks start to manifest themselves within Colonial Pipeline, or is the contractor accessing VPN with Kaseya? So we know that there are definitely these things that are coming up as risks that are starting to play out in real attacks that we're seeing hit the news. But unfortunately, what we're doing to address them is just doubling down on our old legacy processes. More questionnaires. We're going to now start putting them in their own AWS account instead of their own grouping. And that's not really the right approach. What we need to start assessing
Starting point is 00:14:01 is really the risk from those third parties and using this concept of assumed breach. And that is something that we do at XM Cyber. Really, every breach point is the starting point of an attack. And then assuming those third parties are an assumed breach entity, maybe it is just a disgruntled employee from that third party or some sort of insider threat. But we need to assess all of the ways that third party could potentially introduce risk to my critical assets. And still we start looking at all the different ways that that could happen. I think we're going to just start seeing this more and more commonly appear in the news through these manifestations of public breaches like we've seen unfortunately last year or so. I mean, is that really sort of the through line through the things that this research has uncovered? Is this that folks need to really take a look at how they're assessing risk?
Starting point is 00:14:52 Yeah, I think that that is the main point of this document. We call it the Attack Path Management Impact Report. We're going to start releasing this pretty regularly, but it is like our perspective that we're sharing with every organization. And hopefully people start realizing that the way that we're doing things, whether it's just legacy vulnerability management scanning, whether it's assessing risk within the cloud, it's not working. And we need to holistically address our risk and assess all of the entities within our organization and then string together those realms of possibilities from an attacker's perspective. So while we hope this report is informational and makes people more aware of what's going on, we also like to introduce people to attack path management because
Starting point is 00:15:33 I get the pleasure of doing a lot of POCs and demos and you wouldn't believe how many people have never heard of attack path management. And from my perspective, I think that it's something that it seems so obvious and organizations have been doing in old ways like pen tests and stringing together what happened during a breach and learning from those exercises, but never proactively running through those exercises to determine how they could better defend or architect better defenses and respond more efficiently when they actually arise. That's Paul Giorgi from XM Cyber. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:16:26 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And it's always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, also our chief analyst.
Starting point is 00:17:17 Rick, great to have you back. Hey, Dave. I am happy to report that your coming on the Daily Podcast today means one thing, and that means that your podcast, CSO Perspectives, which is over on the CyberWire Pro side, is back. Yes, indeed. Our long national nightmare is over. You're starting with Season 9 this week, so give us a preview here. What have you got in store for us? Well, that's right, Dave, and it's great to be back.
Starting point is 00:17:44 And along with my army of crack interns, okay, we've had a blast working on these episodes. I've had them all locked up in the past few weeks deep in the sub-basements of the CyberWire secret Sanctum Sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor. And I've been really pleased with their efforts this week. Yes, I do enjoy our new underwater lair. It's delightfully soundproof. But have you tried the new espresso machine? I have, and you're right.
Starting point is 00:18:21 I think it's that Patapsco River water that really puts the icing on the cake. Yeah, it really does. Well, we've cranked out some really interesting content for this season. We have a few Rick the Toolman episodes this season on software bill of materials, single sign-on, two-factor authentication, software-defined perimeter,
Starting point is 00:18:37 and intelligent sharing. We're going to do a case study on the Netflix resiliency system called Chaos Monkey. I love that name. Oh, yeah. Isn't that great? And we're going to do one cyber sand table exercise, this time on the Colonial Pipeline attacks of 2019. But for this first episode, we're going to break out the Wayback Machine and cover the history of InfoSec
Starting point is 00:19:00 from the invention of the password back in the 1960s all the way to the next extensions to the intrusion kill chain prevention strategy in 2020. Wow. You know, in preparation for our conversation today, I was trying to remember what my first password was ever. And I couldn't remember. You know, this is back, for me, it was probably around 1980 or so when I first started getting into computers. You know, 8-bit computers, TRS-80s and that sort of thing. And it was BBS systems, right? It was the first time that I was required to use a password for anything.
Starting point is 00:19:36 But for the life of me, I don't remember what it was. You know, it was probably, you know, I was, what, 11. So it was probably something crass and inappropriate. I'm sure. Those are my best passwords. Do you have any recollection for yourself? I don't remember my first password, but I know I am stuck with my first ever username, you know, because, you know, you think, oh, I'm just going to pick a username. And I picked, you know, an old cartoon character from my past, Race Bannon from the old Jonny Quest show.
Starting point is 00:20:07 But now I can't get rid of that thing because, you know, I've used it for Twitter and LinkedIn and all that stuff. And so everybody knows me as a cartoon character. So I got that going for me. Well, my first alias on a BBS system was Ziggy Stardust. Well, there you go. Not terribly original, but again, I was like 12, so I thought it was pretty cool at the time.
Starting point is 00:20:31 Yeah, that's what I thought too. All right, well, CSO Perspectives is part of CyberWire Pro, so do check that out. That is on our website, thecyberwire.com. Rick Howard, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week.
Starting point is 00:21:11 You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Urban, Elliot Peltzman, Trey Hester, Brandon Karpf, Elliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. [...] you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:22:32 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
