CyberWire Daily - Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. DDoS in the DPRK. DazzleSpy in the watering hole. TrickBot ups its game.
Episode Date: January 26, 2022
Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. North Korea gets DDoSed. DazzleSpy hits Hong Kong dissidents drawn to a watering hole. TrickBot ups its game. A quick look at ransomware trends. Microsoft's Kevin Magee unpacks a recent World Economic Forum report. Our own Rick Howard speaks with Chris Knisley from MITRE ATT&CK Defender on certifications. And Dame Fortune teaches Michiganders to throw caution to the winds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/17
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Tensions between Russia and Ukraine remain high
as NATO offers Ukraine cyber, diplomatic and other support.
North Korea gets DDoSed.
DazzleSpy hits Hong Kong dissidents drawn to a watering hole.
TrickBot ups its game.
A quick look at ransomware trends.
Microsoft's Kevin Magee unpacks a recent World Economic Forum report.
Our own Rick Howard speaks with Chris Knisley from MITRE ATT&CK Defender on certifications.
And Dame Fortune teaches Michiganders to throw caution to the winds.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 26, 2022.
Russian forces near the Ukrainian border, now estimated in media reports as having stabilized around a troop strength of 100,000, remain in position as NATO increases its own readiness in the region,
although forward-deployed NATO troops number far less than the Russian forces on the other side.
Ukraine has maintained its own forces in a state of alert, but Kiev has also,
Military Times reports,
sought to reassure the public that a Russian invasion, while a serious threat, is neither
imminent nor inevitable. A high state of military readiness is nothing new for the country's eastern
provinces, which have seen Russian-backed separatist activity since 2014. Fighting, as the AP reports, has continued at a sporadic
low level. Ukrainian military capabilities aren't negligible, resembling as they do a somewhat
smaller version of Russia's. And an analysis in the Washington Post offers reason to expect that
any large-scale combat would be both protracted and painful. The New Atlanticist has an overview of
the current state of play in the Donbass region. Quote, bolstering discussions about Donetsk and
Luhansk independence may be aimed at putting additional pressures on Ukraine to make concessions
to Russia. If Putin decides to recognize these regions as sovereign states, it would put an end to the 2014 and 2015 Minsk peace agreements
in which Russia participated as a mediator between Ukrainian government authorities
and the self-proclaimed republics.
Recognition of the two breakaway regions could also lay the groundwork
for Russia to deploy additional military troops there.
The Ukrainian Defense
Ministry estimates that there are currently 35,000 separatist fighters and 2,000 Russian
regular forces in Donetsk and Luhansk, according to Reuters, though Russia disputes those tallies.
Recognition of these territories would also trigger additional Western sanctions against Russia.
President Putin has said that Ukraine's efforts to restore authority over the area
resembles genocide, the New York Times reports,
and for all the Russian media attempts to characterize Ukraine as moving toward Nazism,
they have convinced few abroad,
but they're likely to remain a staple of Moscow's influence campaign.
The crisis, as Moscow says it sees it, has been made in Washington and Brussels,
where a mixture of calculation and hysteria have convinced Western governments that Russia is a threat to Ukraine.
Russian television news outlets have been particularly active in distributing this particular line, Reuters reports. A correspondent for Vesti said in a representative interview,
as far as any Russian threat to Ukraine is concerned,
quote, they've invented it.
The Americans have been scaring themselves about a Russian invasion for months, end quote.
In the present phase of the conflict,
deniable gray zone cyber operations are generally regarded as likely.
NATO has reaffirmed what it characterizes as its long-standing commitment to Ukrainian cyber
defense. A statement from the alliance said, quote, NATO has been working with Ukraine for
years to increase its cyber defenses and will continue to do so at pace, end quote. The same
statement also quoted Deputy Secretary General
Mircea Geoană on the current crisis in NATO's eastern flank, quote, the use of hybrid attacks
against Ukraine, including cyber attacks and disinformation, as well as the massing of advanced
weapons on its borders, underlines the key role of advanced technology in modern warfare, end quote.
The Deputy Secretary General delivering a keynote yesterday at CyberSec Global 2022 described the situation with respect to Ukraine as grave
and called upon Russia to return to negotiations with the Atlantic Alliance.
Of course, we are all very much focused on the tensions created by Russia in and around
Ukraine. And Russia, with neither provocation nor necessity, has massed over 100,000 troops
and advanced weapons to the borders of Ukraine. Although we do not know for sure the intentions
of the leadership in Moscow, the potential of invasion in the coming days and
weeks is real.
At the meeting of the NATO-Russia Council on January 12th, all Allies spoke with a single
voice.
They called on Russia to immediately de-escalate the situation and to respect the sovereignty
and territorial integrity of its neighbors.
They called on Russia to end its aggressive posturing and to stop its
malign activities aimed at allies and partners. And the Secretary General, Jens Stoltenberg,
has proposed further meetings with Russia, and there are many concrete areas where we can make
progress, and we are interested here to give diplomacy a chance. He emphasized NATO's
willingness to seek a diplomatic solution
to a crisis he described as being of Russia's own making,
but also said that any acceptable solution
would have to be consistent with NATO's core principles.
NATO and NATO allies are ready to engage and listen to Russia's concerns,
but will not compromise on core principles,
on the right of each nation to choose its own path,
and on NATO's ability to protect and defend all allies.
Finally, he described NATO's response to the recent cyberattacks
against Ukrainian government resources.
We've seen the massive cyberattacks against Ukrainian public institutions.
It is for the Ukrainian authorities to investigate and attribute what happened,
but we all wholeheartedly condemn this attack on the Ukrainian government.
The morning of the attack, NATO cyber experts in Brussels were immediately in touch with their Ukrainian counterparts,
exchanging information and offering their assistance.
Allied experts in-country are also supporting the Ukrainian authorities on the ground.
NATO has been working with Ukraine for years to increase its cyber defenses,
and we will continue to do so at pace.
These clips are all from NATO's website.
The cyber attack against Global Affairs Canada remains under investigation, the CBC reports.
Ottawa has said the incident was contained and that while services haven't been fully restored,
no other government agencies or services were affected.
The government hasn't said much about the nature of the incident, nor has it offered any attribution.
An official statement said, quote,
There is no indication that any other
government departments have been impacted by this incident. This investigation is ongoing.
We are unable to comment further on any specific details for operational reasons, end quote.
The timing of the incident, coming as it did as Canadian security services were warning of the
possibility of Russian cyber attacks during the crisis over Ukraine
prompted much informed speculation to the effect that Russian organs were responsible,
and CBC has an extensive summary of the reasons for thinking so. But, that said,
attribution remains unclear, and coincidence remains a real possibility.
The U.S. has devoted considerable attention to the sanctions it might bring against Russia
should Moscow carry out its threat against Ukraine.
Some of those resemble the U.S. measures against Huawei, but writ large,
and are designed to cover broad stretches of the Russian economy
as opposed to one or a handful of companies.
The U.S. is also considering, according to Bloomberg,
sanctions directed specifically against Russian President Vladimir Putin.
A recent example of what such sanctions might look like
is afforded by last week's U.S. Treasury Department action
against four Ukrainian nationals accused of working as Russian agents of influence
against the government in Kiev.
Elsewhere in the world,
Reuters reports that North Korea's already closely controlled and tightly limited internet has been disrupted by a significant distributed denial of service incident for the second time
in two weeks. Little information, still less any attribution, is available, but Reuters notes that
the timing of the outages may be significant.
They've occurred around Pyongyang's recent tests of long-range missiles.
Security firm ESET has found that the compromised website of a pro-democracy,
which is to say objectively anti-Beijing, radio station in Hong Kong,
has been serving as a watering hole.
Visitors to the site are served a WebKit exploit, DazzleSpy,
that's designed for use against macOS systems.
It's not the first time such activity has been observed.
Google's threat analysis group described watering hole activity back in November,
and Sekoia.io researchers tweeted at about the same time
that an inauthentic site
catering to dissidents in Hong Kong had been designed from the outset with that purpose in
mind. Which threat actor specifically is behind the campaigns, ESET isn't yet prepared to conclude,
but it does say that, quote, given the complexity of the exploits used in this campaign,
we assess that the group behind this operation has strong technical capabilities.
End quote.
TrickBot, malware traded in criminal-to-criminal markets
and used in a wide range of cybercrime, especially bank fraud,
has received an upgrade that renders it more resistant to analysis,
BleepingComputer reports.
IBM Trusteer researchers report rising rates of
infestation and effective man-in-the-browser injections.
Ivanti today released the results of its Ransomware Spotlight year-end report,
an overview of trends in ransomware the security firm observed over the course of 2021.
The company found 32 new ransomware families in 2021,
which brings the total they're tracking to 157.
That represents a 26% increase over 2020.
Unpatched vulnerabilities continue to offer the criminals their principal entree,
but the gangs also showed an ability to find and exploit zero-days.
The criminals took a greater interest
in the software supply chains during 2021, and of course, the C2C market continues to mature,
with ransomware-as-a-service mimicking the growth of the legitimate software-as-a-service market.
And finally, hey, you've won the lottery, says an email. Yeah, yeah, sure, you say, and you think, ha, tell it to my
great aunt, the widow of Prince Mokele Mobembe, because you weren't born like yesterday, and you
bong that email over to the bozo list. But wait, no, really, you actually did win the lottery. That was the
recent experience of a woman in Oakland County, Michigan, U.S. of A. The Michigan Lottery explains
that one lottery player, we redact her name and age to preserve her privacy, matched the five
white balls, 02, 05, 30, 46, 61, in the December 31st, 2021 drawing to win a $1 million prize.
And how about this? Because she bought her winning ticket online at michiganlottery.com,
the Megaplier, we're not sure what that is, but it sounds pretty good,
the Megaplier, we say, automatically jumped her prize up threefold
to a cool $3 million.
It gets better.
She found the email in her spam folder,
where, in truth, any one of us would have sent it. So there you go. Sometimes it seems too good to be true, except in fact,
it turns out to be true. So congratulations to the newest millionaire in Oakland County,
but please don't use her experience as an excuse to let your guard down.
We hate it when Lady Luck teaches bad lessons.
Our own Rick Howard recently spoke with Chris Knisley from MITRE ATT&CK Defender. For the latest on their MITRE Engenuity curriculum certifications, Rick Howard files this report.
I'm joined by Chris Knisley. He's the general manager for the MITRE ATT&CK Defender program.
Chris, welcome to the show.
For our listeners who don't know, can you walk us through just exactly what is the MITRE ATT&CK Defender Program?
As you may be aware, MITRE developed the MITRE ATT&CK framework a few years back and really provides that common adversary behavior language across vendors and tools and different teams within an organization.
Looking at how that was being used across the industry about a year and a half ago and really saw a gap in the skills of people actually being able to employ it in practical ways.
I really wanted to change that. So we launched MITRE ATT&CK Defender,
MAD, as a training and certification platform to try to change the game and how people were using ATT&CK and threat-informed defense.
So I agree with you that the MITRE ATT&CK framework
really hasn't been operationalized by most network defenders out there.
And I'm always aghast at why I think it's the greatest thing since sliced bread.
But your program, the certification program you have with MAD
is going to help people learn about it so they can deploy it better?
Yeah, that's exactly it.
We saw this gap of people not using it the way the ATT&CK team thought it could be used.
And then we also were looking at one of the challenges that we saw, just looking at the cyber landscape, which was the skills gap that everybody talks about, right? It's massive. In this, you're just trying to fill it
and then find ways to validate skills.
I talked to tons of CISOs or organizations
on a regular basis and almost to a T,
every single one of them says,
the certifications that are out there suck.
The fact that I got a certification five years ago
and it's still valid doesn't tell me
anything. And at best, when I got it, I memorized a book and I was able to just go and sit down for
a four-hour exam and write down what I memorized and pass the exam. So we wanted to change those
two things along with providing the ATT&CK knowledge. So what makes the MAD program,
the MITRE ATT&CK Defender program, different?
What are you guys trying to do to change all that?
The first is all of the training is free.
Wow.
So just come and sign up for a MAD account,
and you can access, I forget the total number,
but it's somewhere over 60 videos now.
They're all designed to be bite-sized,
so you can fit them in during
the day across ATT&CK Fundamentals, ATT&CK Cyber Threat Intelligence, and ATT&CK SOC Assessments.
So that's what we've got today. And actually, probably by the time your listeners hear this,
we'll have launched ATT&CK Adversary Emulation, the first set of modules there as well.
This is a fantastic resource.
Let me just restate the wow factor here.
The training for the MITRE ATT&CK framework
called the MITRE ATT&CK Defender Program,
or MAD for short, spelled M-A-D,
the how-to instructions to make the ATT&CK framework work
for your organization is completely free.
That's amazing.
Now, MITRE Engenuity, the commercial arm for MITRE,
has to make money somewhere,
so they charge for certifications,
and I think that's totally fair.
Do the training for free,
and if you want to be a certified MAD,
pay for the badge.
We should all be taking advantage of this program.
And I want to thank Chris Knisley,
the general manager for the MAD program,
for coming on the show and explaining it to us.
And I'm pleased to be joined once again by Kevin Magee.
He is the chief security officer at Microsoft Canada.
Kevin, it's always great to have you back on the show.
You know, I saw a recent report come out from the World Economic Forum,
and it struck me that, among the sort of economic news that they put out there,
the global economy does not exist in a vacuum, and that affects those of us who are fighting the good fight in cybersecurity every day.
I wanted to check in with you for your insights on that specific notion.
Well, Dave, you know I love a good report, and as a chief security officer, the Global Risk Report is a real page-turner for me.
It comes in 117 pages, so it's not a light read. But I like
to read it as a cybersecurity professional, and I think we need to do this, step back and see what's
coming, see what the global perspective is, what the geopolitical risks are, what the social
economical changes are, what environmental risks are really weighing on us as humans and as a global community, and then start to translate to
that down the future. What will be the consequences that I will need to think about and prepare for
as a security professional and a chief security officer? Again, even climate change can have
effects on cybersecurity in ways that we don't even conceive about until we start to really think through the ramifications of power lines being cut or natural disasters taking out data centers and
whatnot. We do that in disaster recovery, but there are security ramifications as well, too,
if we start to think that way. Can we go through some examples of the things that catch your eye
in a report like this? Yeah, what I found interesting in this year's report is really this theme of divergence. There are
nations that are becoming fully vaccinated, some that are not. Some that have
accelerated digital transformation, some that are not.
Social and economical divergence that the pandemic
has really brought about. So we're seeing these divides
becoming even wider,
which the best way to find vulnerabilities if you're an attacker is to look for a place to put
a wedge in and either create disinformation campaigns if it's a nation state actor or
find social economical challenges to leverage as well too. So these are the type of things we need
to look at as security professionals to think of how are the cyber criminals, how are the nation state actors going to respond?
Because often we see real-time responses to things that are happening in the news and threat actors
taking advantage of what happens in the news. So the more we can look down to what's coming in the
future, the better we can start to prepare for ourselves and our organizations to protect against these challenges.
How do you take a report like that and turn it into proactive actions?
I think one of the best things is to do thought experiments.
And one of the areas that the report really looks at is space and what's going on in space now.
We're seeing commercial satellites launch.
We're seeing a lot more friction.
We're seeing a lot of turf wars beginning to happen in space.
What ramifications will have that on my organization? When I was talking to a financial services company, they felt, you know, the satellites were taken out, there was no effect
to their business. But it turned out a good portion of their ATM fleet was actually managed
by satellites. So there are ramifications and security problems that can come out of some of
these areas. So thought exercises
of, you know, what could happen down the line, and then teasing out what effect would that have
on my organization. And you start to find new vulnerabilities that would have never occurred to
you as in the past. And as we rely more and more on technology, and our countries are ones that have
really accelerated digital
transformation, we need to do much more of this, because these vulnerabilities
will hit us faster and more often, and from sectors or areas of technology or the globe where
we never really thought there could be cybersecurity challenges before. So again, thought
exercise is stepping back, not focusing on the
individual attack vectors and whatnot, which we like to do the technology, but getting to the
layer eight level of security and really understanding what's driving some of these
tensions. What are the opportunities being created for cyber criminals or nation states to exploit?
And then what does that look like six months out, 18 months out,
three years out?
And how can I start to prepare now to start to close some of these gaps?
Well, Kevin Magee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester,
Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow. Thank you.