CyberWire Daily - The UN Security Council will take up Russia’s hybrid war against Ukraine as Western powers prepare sanctions. Other ransomware and social engineering campaigns.
Episode Date: January 31, 2022
The US takes Russia to the UN Security Council over its threat to Ukraine, and, while Russian forces remain in assembly areas, a campaign of cyberattack and influence operations continues. Western powers, notably the UK and the US, are preparing sanctions against Russia. Elsewhere, ongoing ransomware and social engineering. Dinah Davis from Arctic Wolf on Linux malware via IoT devices. Rick Howard shares his favorite sources for keeping up to date. And there's a pair of decisions in a long-running case involving HP Enterprise's purchase of Autonomy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/20
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/N2K, code N2K.
The U.S. takes Russia to the U.N. Security Council over its threat to Ukraine,
and while Russian forces remain in assembly areas,
a campaign of cyber attack and influence operations continues.
Western powers, notably the U.K. and the U.S., are preparing sanctions against Russia.
Elsewhere, ongoing ransomware and social engineering.
Dinah Davis from Arctic Wolf on Linux malware via IoT devices.
Rick Howard shares his favorite sources for keeping up to date.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 31, 2022.
The United Nations Security Council is meeting today to discuss Russia's actions against Ukraine,
the Washington Post reports.
China voted with Russia against the meeting, but the U.S. proposal to meet passed nonetheless.
The U.S. fully intends to put Russia on the defensive during the sessions, the AP reports.
Russia is of course unhappy that the meeting's being called at all.
Moscow's Deputy UN Ambassador Dmitry Polyansky tweeted a response,
I can't recall another occasion when a Security Council member proposed to discuss its own baseless allegations and assumptions as a threat to international order from someone else.
For all China's comments at the UN of the importance of quiet diplomacy
and seeking a peaceful reduction of tension,
Chinese social media operators, Beijing's wolf warriors,
have been taking opportunistic advantage of the crisis,
trolling the U.S. and the EU, foreign policy reports.
Bilateral diplomacy also continues.
According to Bloomberg, U.S. Secretary of State Blinken
and Russian Foreign Minister Lavrov plan a phone call over the crisis tomorrow.
On Friday, we heard about CrowdStrike's analysis of cyberattacks against Ukrainian targets by
VoodooBear, a unit operating under the direction of Russia's GRU military intelligence service
that has a long history of operations against Ukraine going back to 2014,
the year Russia seized and annexed Crimea. As this week opens, we hear that other Russian services appear to have been
active as well. Researchers at Symantec ascribe recent attacks to the threat group they track as
Shuckworm, and that's otherwise known as Primitive Bear, Armageddon, or most commonly, Gamaredon.
Quote,
Active since at least 2013,
Shuckworm specializes in cyber espionage campaigns mainly against entities in Ukraine.
The group is known to use phishing emails to distribute either freely available remote access tools,
including Remote Manipulator System and UltraVNC,
or customized malware called Pterodo/Pteranodon, to targets.
A recent report published by the Security Service of Ukraine noted that Shuckworm's attacks have grown in sophistication in recent times,
with attackers now using living-off-the-land tools to steal credentials and move laterally on victim networks.
Recent activity seen by Symantec is consistent with that documented by the SSU. End quote.
Ukraine's SSU security service this past November connected the group to Russia's FSB,
and the group certainly has a record of carrying out operations in the furtherance of Russian interests.
At the time, the SSU described the group, their preferred name for it is Armageddon, as follows,
quote,
The Armageddon hacker group is an FSB special project which specifically targeted Ukraine.
This line of work is coordinated by the FSB's 18th Center,
Information Security Center, based in Moscow. Since the Russian aggression in 2014,
this unit has carried out over 5,000 cyberattacks and attempted to infect over 1,500 government
computer systems. The attackers' goals were control over critical infrastructure,
theft and collection of intelligence, including information with restricted access,
informational and psychological influence, and blocking information systems.
Looking forward at the possible escalation of the conflict, Politico thinks that Russian operators would be unlikely to show the discrimination in targeting they've so far exhibited,
and that there's no reason to believe that the effects of destructive cyber
attacks would be confined within the borders of Ukraine. The Czech Republic has joined the UK,
Canada, and the U.S. in warning of the likelihood of Russian cyber attacks. Expats.cz says that on
Friday, the Czech National Cyber and Information Security Agency warned that, quote,
attacks could constitute cyber-spying operations
orchestrated by foreign powers or attacks to harvest Czech data. The agency called attention
to 19 possible modes of attack and 14 frequently neglected vulnerabilities, end quote. Russian
disinformation in the service of influence operations designed to split Ukrainian society continues,
and the Atlantic Council's Digital Forensic Research Lab has done a commendable job
in tracking some of its characteristic themes.
Those themes exhibit some of the typical inconsistencies that have long marked Russian influence campaigns.
For example, on the one hand, NATO's provision of weapons, notably anti-armor rockets, to Ukraine
is an intolerable provocation and amounts to placing a dagger in the hands of Kiev,
which intends aggression against at the very least russophone populations, if not Russia itself.
But on the other hand, the weapons are junk and can't hit the broadside of a barn,
or even an old Soviet tank.
On a large scale, it seems that these efforts may have fallen short of their mark,
with pro-Russian sentiment sharply down in the large, predominantly Russian-speaking
city of Kharkiv, close to Ukraine's eastern border with Russia. Both the Wall Street Journal
and the Washington Post report the ongoing pressure
on Ukraine seems to have increased national unity, even in those regions that had shown
some ethnic and linguistic affinity with Russia. Both the U.S. and the U.K. are preparing new
sanctions against Russia should it not pull back from its threatening posture with respect to
Ukraine, Bloomberg reports. The most serious sanctions would be reserved as a response to an invasion.
This round of sanctions will in all likelihood be designed to have a strong effect on individuals.
British Foreign Secretary Liz Truss told the BBC that, quote,
we're going to be introducing new legislation so that we can hit targets,
including those who are key to the Kremlin's continuation, end quote.
A bill introduced in the Senate is consistent with earlier administration statements on sanctions.
According to the Wall Street Journal,
the legislation under negotiation among members of the Senate Foreign Relations Committee and others would target major Russian banks,
hit Russians' savings and pensions, and limit the market for Russia's sovereign debt, among other elements,
Chairman Senator Bob Menendez, Democrat from New Jersey, said Sunday.
North Korea's Lazarus Group has been actively prospecting marks by using phony job notices
that the threat actor represents as being from Lockheed Martin.
The attack, described late last week by Malwarebytes, begins with malicious
macros embedded in Word documents, and it abuses the Windows Update client to bypass security
detection mechanisms. The BlackCat ransomware-as-a-service gang, described in detail last
week by Palo Alto Networks' Unit 42, is regarded as unusual for its way of using private access key tokens.
Krebs on Security has an interesting account of contacts with criminal actors
who may or may not be behind BlackCat.
It's a russophone group and a criminal group,
and there are a few suspects, but there's no definitive attribution.
Proofpoint describes a new malicious hybrid cloud
campaign named WeVaVoie. The campaign prospects board members and C-suites with hijacked Office
365 tenants and a varied array of social engineering ploys. Bleeping Computer reports
that Finland's National Cyber Security Center warns of an ongoing campaign to hijack Facebook accounts.
The attackers use social engineering in Facebook chats.
Victims receive messages from operators pretending to be online acquaintances
that ask for phone numbers and an SMS-delivered verification number.
Once the attackers have these, they establish control over the account
for use in further scams.
According to The Verge,
the decentralized finance platform
Qubit Finance was hit by thieves last week,
losing some $80 million
in the cryptocurrency it handled.
Qubit said that the attackers
abused the QBridge deposit function
on the Ethereum network. And in the courts, the long-running dispute between HP and former
Autonomy CEO Mike Lynch has reached two milestones. Bloomberg says that a judge in the UK has decided
against him in the civil fraud action HP brought in 2015 against Dr. Lynch
for what HP characterized as fraud in the sale of Autonomy to HP Enterprise in 2011. HP asked for
$5 billion in damages. The judge acknowledged that any actual award would in all probability be
substantially less than that.
Of perhaps greater concern to Dr. Lynch is the Home Secretary's decision to extradite
him to the U.S., where he faces criminal charges related to the alleged fraud.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it's always my pleasure to welcome back to the show, Rick Howard, the CyberWire's
Chief Security Officer and Chief Analyst. Rick, always good to have you back.
Hey, Dave.
So last week on CSO Perspectives, you gave us a review on some of the sources of InfoSec content
that you find valuable and would recommend for our audience to check out in 2022.
Now, I know that your stuff always generates a lot of feedback,
and I'm curious if you heard from any of our
listeners about any of your recommendations and specifically, did anybody suggest sources that
you hadn't considered? Well, of course, that's what's great about this show, Dave. Our listeners
always have great ideas and perspectives and by the way, aren't afraid to share their thoughts
with us, which, you know, I really appreciate. And as I said last week, I get my InfoSec information from all kinds of sources.
But my go-to's are podcasts and audiobooks because I just like the convenience of it.
But as our listeners pointed out, there are many other sources that they prefer.
Yeah.
You know, after you and I wrapped up our conversation last week, I was thinking and I realized that one thing you didn't mention was movies and documentaries as well.
Anything from our listeners from those two sources?
Well, it's funny you should think about that.
I got multiple listener recommendations about two HBO documentaries, right?
And the first one's called The Perfect Weapon.
And I can't believe I left
this one off my list last week. It's a documentary based on a book, a Cybersecurity Canon Hall of
Fame winner, by the way, written by New York Times journalist David Sanger, which I highly recommend.
It's about the evolution of what he calls continuous low-level cyber conflict between
the big five nations, the U.S., Russia, China, North Korea,
and Iran. And with the things going on today between Russia and Ukraine, this book seems
especially relevant. But if you don't have time to listen to 12 hours from the recorded audiobook
like I did, this little 90-minute documentary from HBO is an excellent Reader's Digest version.
You talked to Sanger last year when he wrote the book, right, Dave?
Yeah, yeah, absolutely.
No, he's always a good guest to have.
And as you mentioned, a great book.
So the second HBO documentary is called Kill Chain,
the Cyber War on America's Elections.
It was released in May 2020, just prior to the U.S. presidential elections.
And if you were worried about the integrity of the U.S. elections apparatus
before the presidential election,
this documentary will make you aware of just how fragile
the entire system is for the next congressional elections coming up in 2022.
Not from hacking per se, but attacks from within the country,
from our own national and local politicians who are trying to limit the franchise.
It's really pretty scary. So for this next CSO Perspectives episode, we sit down at the hash table with a
couple of subject matter experts to discuss these documentaries and another complete set of sources
that you might find valuable in 2022.
All right. Sounds interesting. You know, I remember the last RSA that you and I were at, which was, I think, the last pre-COVID RSA conference in San Francisco, when COVID was just starting to sort of make its way around.
We were just trying to think, should we stay home or should we do something else?
Yeah, we were right there.
Right, but that was right before the elections as well.
And I spoke to a couple folks from the FBI there who were hot and heavy into a lot of that election stuff.
And it was interesting to pull them aside and kind of say, hey, listen, I'm in Maryland.
You know, how—
Yeah, what's the deal?
And he was like—and the guy I spoke with, he was like, yeah, Maryland's good.
Maryland's good.
Well, I just want to say up front, the government did fantastic about protecting the election from hacking and those kinds of things.
They did a phenomenal job.
What we're talking about here is really attacks against the idea of the franchise, which is at a whole other level.
No, it's a whole different thing.
Well, do check it out.
It is CSO Perspectives, and that is part of CyberWire Pro.
You can learn all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to
give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
And I'm pleased to be joined once again by Dinah Davis.
She is the VP of R&D Operations at Arctic Wolf and also the founder of Code Like a Girl.
Dinah, always great to have you back.
Thank you.
You know, you and I were recently talking
about smart speakers,
and that got me thinking about IoT devices
and some of the things that folks need to be concerned about
as we pepper our homes, our places of work,
and beyond with these devices.
I know this is something you've had your eye on.
What can you share with us today?
Yeah, so I was interested to
see that, you know, Linux malware has seen a 35% growth during 2021. And it's mostly because of
IoT devices. I was like, oh, yeah, okay, I mean, Linux malware is increasing. I'm like, well, okay,
they're probably going to start going up. But it's because of IoT devices. That's really interesting, right? It's because it's common to recruit IoT devices
for distributed denial of service attacks.
We all know what a denial of service attack
is basically flooding a website
or something to make it impossible
for it to actually compute.
And now what they're doing
is trying to leverage all of these various IoT devices from
different parts to do that. And that was actually an attack on some major websites a few years ago,
was run exactly that way from doing a distributed denial of service attack from webcams.
With the Internet of Things, they're typically, you know, underpowered smart devices, right?
So they're running various different Linux distributions.
They don't have anything more than that on them because they're trying to go, you know, pretty cheap and basic and all of that stuff.
Because these are just like small things and then they limit the functionality, right?
The attackers basically take all of these systems together and launch stuff to do these either distributed denial of service attacks or things like mining cryptocurrency.
Right.
That's high compute. With tiny IoT devices, they can leverage that to mine cryptocurrency or facilitate like spam,
mail campaigns, even sometimes act as command and control servers. The last one is kind of the worst,
you know, act as an entry point to corporate networks, right? These IoT devices, especially if they're connected to your main network. So do you have any connected devices in your house, Dave?
Oh, it's easier to list the devices I don't have
that are connected in my house, Dinah.
Yes, yes.
My understanding is that the devices continue to function
their primary function.
So that security camera is going to,
it's just still functioning up there being a security camera, but it's using those excess processor cycles that are available to do the
alternate things that the hackers have come in to get it to do. Yeah. And you have no idea.
You have no idea. Right. Yeah. Right. So what's to be done here? Yep. So a few basic things,
change the default passwords and settings, right? So a lot of the time,
you know, they're going to go for the path of least resistance here. And oftentimes they're
just looking for the IoT devices that are still in their original state. Like it might have some
security and password, but it'll be the manufacturer's default. So always, always
change that. That's going to go a really big way to protecting you from this.
Use strong passwords as well.
That's always, I mean, I feel like that's just on repeat all the time.
Use strong passwords.
So avoid using public Wi-Fi when you're accessing your IoT network.
So let's say you're like on a trip
and you're coming home
and you want your Nest to warm up your house, right?
Right.
And don't use the airport open Wi-Fi
to then do that because you're opening it up.
Like you're making connections back home
from this open Wi-Fi.
I mean, in general, I would have to say, do not use open Wi-Fi. It's not a good idea at all, ever. It's a last resort.
So just pop off that, use your cell data or a trusted network before you, you know,
talk to anything in your home network. And use guest networks at home. So make sure you're using it for any
visitors that come in. Don't let them come on your regular network that has all of your own
family's things in it, and use it for as many of your IoT devices as possible. That way,
if one of the IoT devices is compromised and it goes searching for other devices on the network,
it's not getting any of your important things, right?
And then always use strong encryption
for your Wi-Fi access at home.
And take special care to secure the top level controls
of your IoT network.
So if you've got a larger network
and you've got things connected,
make sure you have a strong password,
two-factor authentication to get into the places where it's going to manage them, right? Especially around if you have a
security system or anything like that. So there's a lot of good reasons to sometimes have IoT in
your house. You just need to, you know, treat it with respect and know that, you know, you have to
secure it properly. All right. Well, good advice as always. Dinah Davis, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben.
Thanks for listening.
We'll see you back here tomorrow.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.