CyberWire Daily - Taking down bot farms. Cyber aggression. Kinetic influence ops, Spamming yourself? CS control system advisories. Sanctions are also biting Russian cyber gangs.
Episode Date: March 30, 2022

Taking down bot farms. Russia says the US is the aggressor in cyberspace. Influence operations, arriving at Mach 10. The call is coming from inside the house! Cyber incidents affect aviation services. CISA posts ICS control system advisories. I welcome Tim Eades from the Cyber Mentor Fund. Our guest is Alex Holland from HP Wolf Security describing a new wave of attacks. And sanctions are also biting Russian cyber gangs.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/61

Selected reading.
Ukraine dismantles 5 disinformation bot farms, seizes 10,000 SIM cards (BleepingComputer)
Russia accuses U.S. of massive 'cyber aggression' (Reuters)
Russia Has Fired 'Multiple' Hypersonic Missiles Into Ukraine, US General Confirms (Defense One)
BREAKING: Russian Aviation Authority Suffers Cyberattack (Mentour Pilot)
Bradley Airport Website Suffers Cyber Attack (NBC Connecticut)
Philips e-Alert (CISA)
Rockwell Automation ISaGRAF (CISA)
Omron CX-Position (CISA)
Hitachi Energy LinkOne WebView (CISA)
Modbus Tools Modbus Slave (CISA)
Delta Electronics DIAEnergie (CISA)
"Your rubles will only be good for lighting a fire": Cybercriminals reel from impact of sanctions (Digital Shadows)
Sanctions Hitting Russian Cyber-Criminals Hard (Infosecurity Magazine)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Taking down bot farms, Russia says the U.S. is the aggressor in cyberspace.
Influence operations arriving at Mach 10.
The call is coming from inside the house.
Cyber incidents affect aviation services.
CISA posts ICS control system advisories.
I welcome Tim Eades from the Cyber Mentor Fund.
Our guest is Alex Holland from HP Wolf Security, describing a new wave of attacks and sanctions are also biting Russian cyber gangs.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 30th, 2022.
Bleeping Computer reports that Ukrainian authorities have taken down five bot farms
that were operating tens of thousands of inauthentic social media accounts.
The messaging was coordinated and consistent
with disinformation about the progress of the war
aimed at discouraging further Ukrainian resistance.
The items seized in the raids included 100 sets of GSM gateways,
10,000 SIM cards for various mobile operators to disguise the fraudulent
activity, and laptops and computers used for controlling and coordinating the bots.
Reuters, citing stories in Russian official media, reports that Kremlin officials are
pointing with concern at cyberattacks they say the U.S. is conducting against Russia.
The cyberattacks are said to
amount to hundreds of thousands every day. Kremlin representatives said the sources of
attacks will be identified and the attackers will inevitably be held accountable for their actions
in accordance with the law. Moscow appears to view Ukraine's semi-official part-hacktivist,
part-volunteer, and part-contractor IT army as an American cat's paw.
Have you heard about those hypersonic missiles Russia's been firing in Ukraine?
They're very fast, and no, in Ukraine they don't seem to really matter much to the battlefield.
You might wonder what this has to do with cyber.
After all, why are we interested in hypersonic weapons?
Well, they're being deployed for their influence value, for mind share, and not target destruction,
which makes them first cousin to disinformation.
Russian sources have said, and Western sources confirmed,
that Russia has been using hypersonic missiles against Ukraine.
Defense One has an account of the missile's use,
which the publication sees as a gesture intended to influence and intimidate.
The article quotes the head of U.S. European Command,
U.S. Air Force General Todd Wolters, as saying,
"I think it was to demonstrate the capability
and attempt to put fears in the hearts of the enemy,
and I don't think they were successful."
The air-launched Kinzhal, or dagger, missiles are said to have been used against a Ukrainian ammunition storage site.
Hypersonic missiles are extremely fast, moving at Mach 5 or more,
and are also designed to be highly maneuverable.
Russia claims the Kinzhal is capable of Mach 10,
or just over 7,600 miles per hour.
Hypersonic missiles are built for use against well-defended targets, like warships armed with
point missile defense systems. So why use them against big, stationary, poorly defended targets
like the one said to have been struck in Ukraine? There's no real tactical reason. You might want a missile
that could boogaloo like the Kinzhal if you were up against, say, an aircraft carrier battle group.
But if you're striking ammunition bunkers or apartment buildings, schools, hospitals, theaters,
and so on, a Kinzhal is more than 7,000 miles per hour of excess force. General Wolters probably has it right.
This is propaganda of the deed, not fire support.
It's an information op that tries to persuade through kinetic effect.
It also represents the expenditure of some pricey ordnance.
You may not be interested in the hypersonic missiles, Moscow might say,
but the hypersonic missiles are interested in you.
Some Verizon customers have been receiving spam texts that include a link to a Russian
television provider. "Free message," the spam begins. "Your bill is paid for March. Thanks,
here's a little gift for you." And the fishhook is a shortened URL that directs those who click
to content provided by Russia's OneTV,
a channel whose majority owner is the Russian state.
The spam is interesting in that it seems to come from the recipient's own number.
Verizon says, according to The Verge, that bad actors are responsible
and that it's cooperating with law enforcement investigation.
Why it's happening is unclear.
It could be an information operation, or it could just be some hackers in it for the lulz.
Russia's aviation authority, Rosaviatsia, is reported to have lost some 65 terabytes of data
in an incident it sustained this week, Mentour Pilot reports.
Business systems and records, including aircraft registration records,
are said to have been affected.
It's not clear exactly what the incident was
or whether it was a cyber attack or an accident.
Some sources in Russia are connecting the incident to IT problems
induced by a recent change in agency leadership.
Another aviation target was hit, this one in the U.S. state of Connecticut.
Bradley International Airport, which serves Hartford,
was affected by a distributed denial-of-service attack against its public website.
In neither the Russian nor the U.S. incident was safety of flight at risk.
CISA yesterday released six industrial control system advisories.
And finally, Digital Shadows has been keeping an eye on cybergangs' chatter in the dark web,
and the word on that particular street is that the hoods are taking a financial bath
as the ruble collapses under sanctions. With transfers of money blocked and with extensive
restrictions on banking in place,
criminals are finding it difficult to cash out cryptocurrencies and are having trouble getting
hard currency. Digital Shadows describes the underworld's difficulty deciding what to do.
They said, one user advised simply leaving the money where it was for six months if the
questioner did not need to use it urgently for other purposes.
A different user mocked this suggestion, writing,
I hope you were joking about half a year?
After half a year, your rubles will only be good for lighting a fire,
and they will not be good for anything else.
The user also questioned whether the Russian state could be trusted
to allow the purchase of dollars after six months
and worried that many Russian banks would go bankrupt.
Other forum members considered the advisability of buying gold,
although some noted that this method would incur losses due to the high trade fees and storage costs
and would involve an expensive examination during the transaction process.
Infosecurity Magazine points out two interesting
results of Digital Shadows' investigation. First, carders, as one might expect, are particularly
affected. And second, spare a thought for your poor local criminal. Maybe. It turns out a lot
of them are just moonlighting, that they all hold legit jobs in the straight world that they rely on to put food on the table. Those legitimate businesses are also being affected
by sanctions, and they're feeling the pinch too.
HP Wolf Security recently released their latest quarterly threat insights report,
which highlighted shifting tactics they've been tracking of attackers using features in Microsoft Excel to bypass detection.
Alex Holland is a malware analyst with HP.
We saw a near six-fold increase in the volume of Microsoft Excel add-in files being used to deliver malware.
And we saw these files being used to deliver seven families of malware, everything from kind of crimeware,
including Dridex and IcedID,
all the way down to commodity remote access Trojans.
And why we think this is significant
is because it's part of a wider trend
of attackers responding to Microsoft blocking features
in Microsoft Office that have historically been abused by attackers to deliver malware.
So is this in response to Microsoft making macros disabled by default?
You're right on the money, yes.
I'd say that this started in October last year,
where Microsoft announced that they would be disabling Excel 4.0 macros by default
by the end of 2021, which is an older macro technology that was first introduced in 1992.
So it's been around for a long while.
This trend has continued with the announcement last month
of Microsoft's plan to block VBA macros in documents
that have originated from the web from April this year onwards.
So we think this surge in Excel add-in malware
is evidence of attackers responding essentially
to the slow death of malicious macros
by experimenting with different techniques to deliver malware
that aren't reliant on these technologies, which are quickly being blocked.
For folks who aren't familiar with exactly what Microsoft Excel add-in files are,
can you explain to us how they work?
I describe them as macros on steroids.
Essentially, what they allow you to do is for developers to write high-performance functions
that can extend the functionality of Excel
way beyond what other macro languages,
high-level macro languages can let you do.
For example, VBA.
For instance, Excel add-ins can support things like
multi-threading, which VBA cannot.
Is there any sense for how effective this pivot has been for the threat actors?
In other words, moving to these add-in files,
is their ability comparable to what they had when macros were enabled,
or is this really hamstringing them?
I would say that in the short term,
when we're analyzing threats,
we split threats into two kind of attributes.
The first is intent,
by which we mean an attacker's desire and expectation
for an attack to succeed.
And the second attribute is capability.
And we're talking about knowledge and their resources
to actually conduct an attack and execute it.
And so this change, we think, affects their ability,
their knowledge, their know-how,
in order to execute attacks properly.
This is only a short-term change.
And in fact, we saw on underground forums
tools and services advertising
Excel add-in malware
that delivers and automates delivery of malware.
So people are already coming up with new tooling
to get around macros being disabled.
That's Alex Holland from HP Wolf Security.
And I'm pleased to welcome to the show Tim Eades.
He is the CEO at vArmour and co-founder of the Cyber Mentor Fund.
Tim, it is great to welcome you to the Cyber Wire.
I want to start off introducing you to our audience.
Can you give us a quick little version of your bio?
Yeah, sure.
Absolutely wonderful to be here, Dave.
Love Cyber Wire.
Just absolutely awesome read for everybody and listen.
Everybody should get this every day, but certainly I do.
So I'm the CEO of vArmour, a serial entrepreneur.
This is my third company I'm running.
I'm on the board of a few others.
And just love to be in the cybersecurity world because I think it's a mission that I really believe in,
to try and secure the country, try and secure the enterprises.
And it's a mission that never goes away, but it's one that you can always aspire to do better in.
And then I'm also the co-founder, very fortunate to be the co-founder of a thing called Cyber Mentor Fund, which is a very early seed and series A venture capital fund where we partner with the VCs, but we really partner hardcore with the entrepreneurs.
Our job is to help them, give them a better chance of success by sharing wisdom and partnering with them, whether it comes from architecture to fundraising to understand financials, to understanding the climate and even getting feedback from the early adopter customers. So two parts of my life, but with the same mission, basically secure the enterprise and secure the country.
Well, let's dig into some of the details about the Cyber Mentor Fund.
I mean, first of all, fundamentally, what differentiates a mentorship fund from some of the other avenues of funding that companies might have available to them?
Yeah, so the Cyber Mentor Fund really does go early.
I mean, it's two guys and an idea.
And where they turn around and they're like, hey, I think I can do this.
What do you think?
Is this ever going to happen?
On occasions, you know, we will even go interview customers
and come back with architectural diagrams with them.
On occasion, literally set up the URL, help the lawyers, set up the LLC.
We partnered with some great law firms on that, like Cooley.
And from that, they started to shape, literally, the company.
And, you know, we have a little marketing services arm that helps them launch the company.
So it's all the way of the early stuff.
And so, and because we're not the largest check,
we partner with wonderful people like Jay Leek at SYN Ventures.
We partner with Matt Bigge at Crosslink.
We partnered with Charles Beeler, all the early stage guys.
We kind of partner with them.
And young early stage startups are like kids, right?
When they're young, they need you all the time and everything else.
But when they get older, they only call you if they've crashed their car,
they need money, or they're going through a divorce or something.
So early on, you can do this real mentorship.
But then they grow up and become a wonderful company.
But those early formative stages where we specialize,
just because that's where they need the most help.
And I think from there, that's what we do really, really well.
What attracts you to that particular stage of a company's development?
I'm attracted by it.
And I know the team at CyberMentor Fund is attracted by it.
It's because the sense of accomplishment and the curiosity that you get by some of these entrepreneurs is amazing.
There's a great one with SynSaber, right, where Jori and Ron come to us and say, hey, I think I could do this.
And we helped them.
We guided them.
They're getting their first few customers at the moment.
And now they got funded by the venture community.
And again, I'm off the running,
but your ability to the sense of accomplishment and the sense of shaping and partnership is great.
It's not for everyone because sometimes
you really have to lean in.
They have to be curious.
They have to be kind.
They have to be really good at communicating.
And so I think Cyber Mentor Fund's done 28 investments
over the last three years and four exits.
Just about everything is marked up
because we come in so early.
I suspect you find yourself being a bit of a matchmaker as well.
Yes?
A matchmaker across the board.
A matchmaker with some of the early stage employees
because we help them with that.
Matchmaker with the law firms that they need to choose,
which is really important.
Sometimes some financial, some outsourced financial help on doing that.
All the way through to the venture guys that we partner with,
which has been really, really rewarding to see how that works.
And then, you know, like I said, we've sold four.
I've been in the cybersecurity industry a very long time now,
multiple decades.
And so we tend to know the CEOs of all the large companies,
whether it's Gary Steele, who's now over at Proofpoint,
or, you know, Peter Bauer at Mimecast or wherever it is.
You know, and so we can, if there is an exit on the horizon
or a decision on the horizon, our ability to actually have a conversation with
a potential acquirer and do it in a non-crazy way,
just do it in a very kind way. Say, hey, this company is going to look to exit.
Is this something that you should be looking towards?
All right. Well, Tim Eades, thanks so much for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.