CyberWire Daily - The US and EU seek to shore up cybersecurity as Russo-Ukrainian tensions run high. NIST updates secure system standards. Ransomware exploits Log4shell. Dog bites man: fraud in social media.
Episode Date: January 12, 2022
The US issues an alert over the prospect of Russian cyberattacks, and the EU begins a series of stress tests, both in apparent response to concerns over the prospect of a Russian attack on Ukraine. NIST updates its guidance on Engineering Trustworthy Secure Systems. Night Sky ransomware exploits Log4shell. Phishing afflicts a hotel chain. Carole Theriault examines international efforts to stop digital fraud. Ben Yelin on Seattle Police Faking Radio Chatter. And we're shocked, shocked, to learn of fraud and piracy on a social media platform. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/8
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. issues an alert over the prospect of Russian cyberattacks,
and the EU begins a series of stress tests.
NIST updates its guidance on engineering trustworthy secure systems.
Night Sky ransomware exploits Log4shell.
Phishing affects a hotel chain.
Carole Theriault examines international efforts to stop digital fraud.
Ben Yelin on the Seattle police faking radio chatter,
and we're shocked, shocked to learn of fraud and piracy on a social media platform.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday,
January 12, 2022.
Tensions between Russia and Ukraine have prompted authorities in both the European Union and the United States
to take steps to shore up their cybersecurity in anticipation of possible conflict.
We'll take up the U.S. measures first.
Yesterday afternoon, the U.S. Cybersecurity and Infrastructure Security Agency
issued a joint warning with the FBI and NSA.
Alert AA-22-011A, Understanding and Mitigating Russian State-Sponsored Cyber Threats
to U.S. Critical Infrastructure. CISA Director Jen Easterly tweeted a brief commendation of the
joint advisory her agency issued yesterday in conjunction with the FBI and NSA, quote,
Russian state-sponsored malicious cyber activity is a continuing threat to our critical
infrastructure, which is why we're working closely with public and private sector partners to reinforce
the importance of vigilance against these threats. Read our latest advisory, end quote.
Stressing vigilance, NSA Cyber Security Director Rob Joyce emphasized in this tweet,
logging is key. With Russian focus on persistent access to compromised networks,
you need robust logs and focused effort to hunt, find, and kick them out.
The alert doesn't call out the threat of Russian military operations against Ukraine
as the proximate cause of the warning, but its timing seems hardly coincidental,
and the trade press isn't reading it as coincidental either. The summary says, quote, this CSA provides an overview
of Russian state-sponsored cyber operations, commonly observed tactics, techniques, and
procedures, detection actions, incident response guidance, and mitigations. This overview is
intended to help the cybersecurity community reduce the risk presented by these threats.
The alert is directed toward critical infrastructure providers, but its recommendations
have broad application to any organization that faces a risk of cyber attack. At a high level,
those recommendations are summarized as follows: patch all systems, prioritize patching known exploited vulnerabilities, implement multi-factor authentication, use antivirus software, and develop internal contact lists and surge support.
The agencies have provided, at the very least, a detailed overview of past Russian cyberattacks,
and there's no ambiguity in the alert's attributions,
as well as advice on the tactics, techniques, and procedures organizations can use to help secure themselves.
Those responsible for cybersecurity anywhere and in any kind of organization
should give this alert close attention.
Reports of U.S. and NATO talks with Russia over Russian preparations to invade Ukraine are not optimistic.
The Moscow Times' coverage is representative, as is the AP's, and it seems worth noting that most of that negative assessment comes from the Russian side.
Russia is concerned about NATO encroachment into what
it regards as its proper security sphere of influence. NATO and the U.S. are concerned
over an expansion of Russian aggression against its neighbor. That aggression is conventionally
held to have begun with the Russian annexation of Crimea in 2014. Western powers have offered Ukraine various forms of support.
The New York Times has reported that the U.S. and U.K. have lent expertise to Ukraine intended to
shore up that country's power grid against disabling cyberattacks of the kind Russia
has mounted before. The U.S. has also, according to CNN, allocated some $200 million in security assistance for Kiev,
which has said, according to Reuters, that it's united with Washington against Moscow.
Both Russian and Ukrainian forces remain in a high state of readiness.
Since cyber operations in wartime amount to combat support,
the increased risk of kinetic war carries with it an increased
risk of action in cyberspace. To turn to the EU, it's begun a series of exercises designed to
assess its ability to withstand cyber attacks. Bloomberg reports that the EU's member states
are holding a series of cyber stress tests this week designed to check Europe's resiliency
to attacks on supply chains and to give them the ability to redress any shortfalls they discover.
Quote, the exercise will be structured around a gradual escalation toward a major crisis that
culminates in an attack that could qualify as an armed aggression under the United Nations Charter,
according to Bloomberg.
The exercises were proposed by France.
More of the CyberWire's coverage of Russo-Ukrainian tension
can be found on the CyberWire website. Routine government work on cybersecurity has
continued during the current period of rising tension. CISA yesterday published an industrial
control system advisory on Johnson Controls' VideoEdge. And the U.S. National Institute of Standards and Technology
has issued a revision to its cybersecurity guidance,
Engineering Trustworthy Secure Systems.
NIST says in its introduction,
quote,
With the continuing frequency, intensity, and adverse consequences of cyberattacks,
disruptions, hazards, and other threats to federal, state, and local governments,
as well as private sector organizations, the need for trustworthy, secure systems has never
been more important to the long-term economic and national security interests of the United States.
The 207-page document builds upon earlier standards documents, and NIST has asked for comment.
The objective, NIST explains, is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering procedures
to help ensure that such needs, concerns, and requirements are addressed with appropriate
fidelity and rigor throughout the system lifecycle.
End quote.
Bleeping Computer reports that the Night Sky gang,
whose malware is held to be a fork of Rook,
has been exploiting the log4shell vulnerability in exposed VMware Horizon systems
to conduct ransomware attacks against its victims.
Microsoft has a detailed account of the exploitation,
which it attributes to the China-based group it tracks as DEV0401.
The investigation into the ransomware double extortion attack against the Nordic Choice hotel chain, now more than five weeks old, has determined that the criminals got into the
chain's systems through a successful phishing email.
The Wall Street Journal reports that Nordic Choice continues to recover from effects of the attack's data breach.
And finally, we see again the usual human propensity to abuse whatever it can on full display in social media.
Security firm Tenable this morning reported that YouTube Shorts, Google's short-form vlogging platform that competes with TikTok, is being used for a variety of fraudulent purposes.
As Tenable rather primly but aptly observes, YouTube Shorts has become a haven for adult
dating scams and the promotion of dubious products, mostly bogus diet aids. It has also
been used as a shortcut to increase online social currency, such as subscribers and video views,
Tenable says in an interesting, if dispiriting, account of what it found.
So it's basically TikTok, right? I mean, no one is going to confuse any TikTok content with, oh, say, Plato's Dialogues,
not even the Symposium.
So, fraud and sleaze are par for the course,
but this case piles injury upon injury
because much of that sleazy content is pirated from TikTok itself.
The piracy and fraud are, of course, the work of users, not Google,
which can be accused, at worst, of being lax in policing content on the platform.
We confidently await the arrival of content flacking colloidal silver or
one weird trick to, well, you get the picture.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
International agencies around the world are stepping up their efforts to combat online fraud,
increasing their collaboration and information sharing.
Our UK correspondent Carole Theriault has the story.
Sometimes in the world of cyber and security and privacy and scams,
we need a good news story, something to make us feel like the good guys are
getting ahead sometimes. So we're celebrating Interpol, the international policing agency.
They have had a hand in more than a thousand cyber criminals getting arrested. Better yet,
they recovered 27 million US dollars in illegal proceeds. The crackdown saw law agencies across 20 different
countries close 1,600 cases and block more than 2,000 bank accounts tied to fraudulent illicit
funds. These are things garnered through romance scams or financial scams. And they did all this
in just four months, from June 2021 to September 2021.
The reason they got their skates on for this international crackdown was because coronavirus brought with it a surge of online nasties.
Interpol's Secretary General Juergen Stock said it showed no signs of waning.
In a single case in Colombia, explains Interpol's press release, a prominent textiles company found itself defrauded of more than 8 million US dollars
through a sophisticated business email compromise scam, what we call BEC.
The perpetrators impersonated the legal representative of the company,
giving the order to transfer more than 16 million to two Chinese bank accounts.
Half of the money was transferred
before the company uncovered the fraud and alerted Colombian judicial authorities,
who quickly contacted Interpol's financial crime unit through their national central bureau.
This is where international police cooperation was activated between Interpol bureaus in Beijing,
Bogota, and Hong Kong to freeze the transferred funds.
Over 94% of the money was intercepted in record time,
saving the Colombian company from bankruptcy.
In another case, a company in Slovenia was duped into transferring more than $800,000
to money mule accounts in China.
Again, the Slovenian criminal police opened an investigation
and reached out to their foreign counterparts through Interpol.
The National Crime Bureau in Beijing allowed local authorities
to successfully intercept and return the stolen funds to Slovenia in full.
So what's behind all this?
Well, it's technology.
The operation saw Interpol officials pilot test a new global stop payment mechanism called the Anti-Money Laundering Rapid Response Protocol, or ARRP.
And this tool proved critical to successfully intercepting funds before they disappeared into crypto or wherever.
General Stock said it also underlines the essential and unique role played by Interpol in assisting member countries to combat a crime which is borderless by nature. Only through this level of global cooperation and coordination can national law enforcement effectively tackle what is a parallel cybercrime pandemic.
Huh, who knew that cooperation could work well? Interpol is looking to officially launch its ARRP tool in 2022, and based on the success shown in just four months, we could see life getting a little more difficult for scammers and thieves who have basically gotten away with tons of stuff simply because they're located in another geography. So there you go, a happy news story.
The good guys get a win.
Love it.
This was Carole Theriault for The Cyber Wire.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story caught my eye here.
This is from the Seattle Times, an article written by
Daniel Beekman, and it's titled Seattle Police Faked Radio Chatter About Proud Boys As CHOP
Formed in 2020 Investigation Finds. Unpack this, Ben, for me here. What's going on?
So during the 2020 post-George Floyd racial justice protests, you know, this was a very
anxious time. There were
a lot of anxieties in cities across the country. Certain protests turned violent. So, you know,
we were in a pretty precarious moment. And what happened in Seattle is members of the Seattle
Police Department started a ruse on police radio claiming that members of the far-right group Proud Boys were present in the area,
were armed, and were going to be threatening people in the CHOP,
what was the Capitol Hill Organized Protest.
This feels like a long time ago now, but that was the area that protesters had occupied.
And so people were listening to police radio, people who were part of these
racial justice protests, and they were very alarmed at what they heard saying, you know,
we're going to have these violent armed Proud Boys people coming in and that's going to be,
you know, causing a lot of anxiety and potentially adding fuel to the fire.
It turns out that this was part of an approved police operation, a misinformation effort
to kind of lure people to the area and, you know, make arrests of people who were seeking
confrontation.
You know, generally, this is legal.
Police have a lot of leeway in conducting investigations. You know, if you're
detained, they can generally lie to you.
Right. I was going to say they're, they're allowed to lie.
Yeah. You know, your co-conspirator just, just ratted you out. So, you know, they can say that even if it's not true. So they do have a lot of leeway here. This seems rather unethical, I would say, even if it's not illegal. And I think we've seen some pushback from the Seattle City Council and other stakeholders within the city of Seattle that the police should not be causing additional harm on top of what was already a very tense situation.
Well, the thing that struck me about this story additionally is something you
and I have spoken about on Caveat before is how many police organizations are looking to encrypt
their communications. They're looking to take away the public's ability to monitor these
communications. That would be contrary to this particular effort here.
Right.
You wouldn't be able to propagate this ruse if your communications were encrypted,
unless we get a situation that without anybody knowing,
the real police communications are encrypted.
And then what's supposedly the public police channel or the blotter or whatever is actually all a ruse intended to deceive the public.
But you're right. I mean, law enforcement has done things like this in the past and they wouldn't be
able to do so if the public wasn't able to access those lines of real-time communications.
Would the police be within their bounds to release a press release ahead of an event that said, you know, we've been
notified that, you know, the Proud Boys or some other group is going to be at this event. And
even if that were not true, is that, I'm just trying to extend this, you know, beyond the
sort of that real-time radio communications realm. I don't really know from a legal perspective,
but I feel like that, you know,
a press release has to be approved by the higher-ups,
probably a politically appointed police chief.
And I just don't think you could get away with that.
Whereas when you're propagating a ruse over radio channels
that's intended to lure a certain subset of protesters,
that's something that's a little more, you know, away from the public eye, at least in real time.
You know, so I don't know if there are any legal limits on doing that. Usually police departments
are not held accountable for even instances that really seem like entrapment. So there was this
incident in 2020 where there was a plot in Michigan,
or supposedly among people who were radicals,
radical right-wing extremists,
threatening the governor of Michigan, Gretchen Whitmer, with violence.
And we later found out that that was largely coordinated
by people who were undercover agents.
It wasn't entrapment, because there were still people
who were willingly participating in it who were not agents,
but it was awfully close to entrapment.
So I think it really is a fine line, both legally and ethically,
in terms of how much you're using a ruse to try and prevent crime
and how much you're just kind of causing crime to happen in the first place.
Right. And I suppose reporting you know, reporting like this from
Daniel Beekman of the Seattle Times is important to both put the police force on notice that this
sort of thing will be reported on, but also future protesters will know to take radio communications
with a grain of salt. Right. Yeah. Don't always take them literally,
just as everything they tell you in an interrogation room.
Can't take that literally either.
And again, sometimes that's part of really good,
important law enforcement work.
I think in this circumstances,
to me it just doesn't seem justified
because the person who came up
with this idea said that he did it because he knew people were monitoring police radio
transmissions and he wanted to give people the impression that, quote, we had more officers
out there doing regular stuff. I don't know that that goal really justifies propagating this ruse, in my opinion.
All right, well, the story is from the Seattle Times. Again, it's titled Seattle Police Faked Radio Chatter About Proud Boys As CHOP Formed in 2020, Investigation Finds. Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. We'll see you back here tomorrow. Thank you.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.