CyberWire Daily - Threats to US elections. Lazarus Group targeting energy companies. Gaming-related threats.
Episode Date: September 9, 2022
Nation-states are expected to target the US midterm elections. North Korea's Lazarus Group is targeting energy companies. Ukraine's Ministry of Digital Transformation on cyber lessons learned from Russia's hybrid war against Ukraine. CISA flags twelve known exploited vulnerabilities for attention and remediation. Vulnerable anti-cheat engines used for malicious purposes. Steve Carter from Nucleus Security has thoughts on AI in cybersecurity. Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs, and how enterprise executives are developing and finding talent. And a look at top gaming-related malware lures. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/174
Selected reading.
Mandiant 'highly confident' foreign cyberspies will target US midterm elections (The Register)
What to Expect When You're Electing: Preparing for Cyber Threats to the 2022 U.S. Midterm Elections (Mandiant)
North Korea's Lazarus hackers are exploiting Log4j flaw to hack US energy companies (TechCrunch)
Lazarus and the tale of three RATs (Cisco Talos)
How Gaming Cheats Are Cashing in Below the Operating System (Eclypsium)
Good game, well played: an overview of gaming-related cyberthreats in 2022 (Securelist)
Cybercriminals target games popular with kids to distribute malware (The Register)
CISA Adds Twelve Known Exploited Vulnerabilities to Catalog (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Nation states are expected to target the U.S. midterm elections.
North Korea's Lazarus Group is
targeting energy companies. The Ukraine Ministry of Digital Transformation on cyber lessons learned
from Russia's hybrid war. CISA flags 12 known exploited vulnerabilities for attention and
remediation. Vulnerable anti-cheat engines are used for malicious purposes. Steve Carter from
Nucleus Security has thoughts on AI in cybersecurity.
Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs, and how enterprise executives are developing and finding talent.
And a look at the top gaming-related malware lures. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 9th, 2022. The Register reports that Mandiant says that they are highly confident that cyber spies from other nations may target U.S. elections this year.
We have tracked activity from groups associated with Russia, China, Iran, North Korea,
and other nations targeting organizations and individuals related to elections in the U.S. and or other nations, with apparent goals ranging from information collection and establishing footholds,
or stealing data for later activity, to one known case of a destructive attack against critical election infrastructure.
Mandiant also said that they believe with moderate confidence that DDoS attacks,
ransomware and other disruptive attacks will impact elections, however compromising actual voting machines and the like is unlikely.
The North Korean Lazarus Group has been found to be targeting U.S., Canadian, and Japanese energy providers, TechCrunch reports.
The Cisco Talos Group observed Lazarus using a Log4j vulnerability, known as Log4Shell, to compromise VMware Horizon servers.
They then deploy VSingle or YamaBot malware to maintain long-term access.
Talos researchers said,
the main goal of these attacks was likely to establish long-term access into victim networks
to conduct espionage operations in support of North Korean government objectives.
This activity aligns with historical Lazarus intrusions
targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.
The third and final day of the annual Billington Cybersecurity Summit met in Washington, D.C. on
Friday, September 9, 2022. The day opened with a long session, partly in person, partly by video, on lessons learned so far during Russia's hybrid war against Ukraine.
Mykhailo Fedorov, Vice Prime Minister and Minister of Digital Transformation of Ukraine, opened the discussion with a video that gave his perspective on the war.
Ukraine, he said, has been fighting for both democracy and its survival as a
nation. The war began in cyberspace before Russia's full-scale invasion, and Fedorov thinks that the
first lesson to be learned is about the reality of Russian power. It's been generally overestimated.
Both Russia's kinetic power and its cyber capabilities were believed to be greater than the war has revealed them to be.
Russia's failure to achieve significant strategic effects in cyberspace can be attributed in significant part, Fedorov believes, to Ukrainian defenses, which succeed in thwarting some 98% of cyber attacks daily. He strongly commended the IT Army of Ukraine, which he
characterized as enthusiastic volunteers eager to defend Ukraine's borders in cyberspace.
He introduced a video that presented Kyiv's view of how things are going in cyberspace.
Interestingly, that video made the case that the main contribution the IT Army had made was in fighting disinformation
and propaganda, and a great deal of that fight has been carried to Russian media.
The panelists who appeared in person, James Lewis, Senior Vice President and Director of the
Strategic Technologies Program at the Center for Strategic and International Studies, Dmitri Alperovitch,
co-founder and chairman of the
Silverado Policy Accelerator, and Georgii Dubinsky, Ukraine's deputy minister, Ministry of Digital
Transformation, also discussed lessons from Russia's hybrid war, but with the reservation,
as Alperovitch pointed out, that it was premature to speak with great confidence of lessons learned.
This war is still in its early stages.
Dubinsky said that the situation on the ground was difficult,
but that we are doing our best to drive Russia from our territory.
Alperovitch said, the Russians have obviously made tremendous blunders.
The Russian intelligence services have not been able to achieve significant successes
after the first days of the war. He sees as one early lesson that it's possible to prevent the enemy from
achieving strategic effects in cyberspace, and he would go on to add that it was, in any case,
overly optimistic to imagine that it would be easy to achieve such effects.
Ukraine has been preparing for this war, in Dubinsky's view, since Russia invaded Crimea.
Ukraine had seen Russian preparations as early as October of 2021,
but had been reluctant to fully credit Western intelligence warnings,
especially from the U.S., that an invasion was in the offing.
Dubinsky said, but we saw preparations as early as October and November.
The Russians began trying to enroll hackers that early, GRU, SVR, and especially FSB. It was important, too, to make some friends. We didn't believe war would come, but we were a little bit
ready. It was in the first hours of the war that Russia enjoyed its most significant cyber success,
notably in its attack on Viasat.
Some of what the Russians did was impactful.
Russia's ability to shut down Viasat modems in Eastern Europe
temporarily downed Ukrainian military communications,
but those communications were relatively quickly restored as Western companies provided alternatives.
Alperovitch also noted the importance of information operations, stating,
I was surprised there wasn't more of an attempt to shut down the Ukrainian Internet.
That Ukraine has been able to tell its story has been an enormous failure on the part of the Russians.
It's also been remarkable to watch how Ukraine has been able to continue rapid digital modernization during wartime.
If there were one secret ingredient in Ukraine's ability to defend itself in cyberspace,
Dubinsky would identify it as the IT Army.
While often characterized as hacktivists,
a notoriously gnarly crew, as Lewis pointed out,
the IT Army was also significantly formed from among IT professionals who wanted to contribute
to the war effort. Dubinsky said, people just came voluntarily on the street and asked to be
given weapons, and people from the IT community also volunteered. We need active defense. We need to keep this guy busy.
These are professional IT experts.
They receive their targets through the Telegram channel openly.
Those targets were official sites and particularly propaganda sites.
The IT army filled a gap left by Ukraine's failure to develop an offensive cyber capability.
Dubinsky offered some final thoughts.
He emphasized the necessity of strengthened digital resilience,
of close cooperation with friendly countries,
engagement with big tech,
and getting the media involved in countering disinformation.
He offered,
do not allow yourselves to be threatened by Russia,
and be brave.
The U.S. Cybersecurity and Infrastructure Security Agency has added 12 vulnerabilities
to its known exploited vulnerabilities catalog. In accordance with Binding Operational Directive
22-01, federal civilian executive agencies whose security CISA oversees have until September 29, 2022,
to take action to remediate. Eclypsium warns that attackers are targeting gaming anti-cheat engines
to reach below a device's operating system and disable antivirus programs. Many modern game
cheats are developed at the UEFI firmware level in order to avoid detection,
and anti-cheat systems are increasingly being granted kernel-level privileges to combat them.
Eclypsium explains,
used to protect more traditional applications.
This is because games have more vigorous requirements.
Any manipulation of game data, such as modifying player stats, health, or inventory,
can fundamentally change the game.
Just in the past few weeks, researchers have uncovered ransomware operators using vulnerable anti-cheat drivers from the popular game Genshin Impact.
In this case, the attackers were able to use
the anti-cheat drivers in order to disable antivirus service on a compromised host.
And finally, researchers at Kaspersky have found that Minecraft and Roblox are the most popular
games used as lures for malware distribution, the Register reports. Kaspersky notes that both of these games
are popular with children,
who are more susceptible to the attacks.
After the break, Steve Carter from Nucleus Security
has thoughts on artificial intelligence.
And Roland Cloutier, former CSO of TikTok, discusses working around the changing career field and how enterprise executives are developing and finding talent.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Steve Carter is CEO and co-founder of vulnerability platform provider Nucleus Security.
I checked in with him for a bit of a reality check on where we stand when it comes to artificial intelligence and machine learning.
So we see AI in cybersecurity all over the place.
Just about every product vendor out there is touting AI in their product. I just got back from Black Hat in Las Vegas,
and every booth you stop at talks about how they're using AI in their technology. So I'm
sure that's not just cybersecurity, but that's where we're at today. And that's why I kind of
have these thoughts on how it might be a bit overhyped.
Can we start with some basics here? I think there really isn't a standard, as far as I can see, as to what is considered AI and what is not. I guess it's a malleable term, particularly when you put it in the hands of the marketing crew.
see, at least in the cybersecurity so far, is probably best referred to as machine learning,
which is really just a subset of artificial intelligence that helps us teach computers how to make specific decisions and perform very specific tasks well using training data.
And it's worth mentioning that because machine learning has been around since the 1950s and 60s.
And personally, I took a course on machine learning in the late 90s in college.
And so what's interesting is that those same machine learning algorithms from decades ago
are still what's in use today, right?
The big difference is that now software developers have really easy access to libraries and tools that implement these machine learning algorithms.
And those libraries and tools really didn't exist 20 years ago.
So that's really the big difference.
So it's a matter of accessibility then, and I suppose also the great leaps we've seen in processor power and, of course, the move to the cloud.
Yeah, 100%. These days, it's really easy to download a Python library
and within 30 minutes, if you're a developer,
you can have some basic machine learning functionality
in an application.
And you just didn't have that ability years ago.
And like you mentioned, along with the cloud
and accessibility there, that's really been the big change.
And then in terms of marketing, I think that there's maybe some perception out there by marketing teams that if you're not using AI or machine learning, that you're going to be perceived as legacy or old or maybe not innovating, which I think is a terrible way to look at
technology in general and completely false.
So in terms of folks who are out there shopping around for this stuff, how do you cut through
that marketing hype?
Are there particular questions that you should be asking?
Yeah, I mean, I think if you're really interested in the product and its AI capabilities,
you really have to ask questions to the engineering teams behind those products around
what specific functionality do they have that's using artificial intelligence. Because
one of the things that companies do, and again, this is kind of pushed by marketing teams to an extent, they'll build, you know, a small bit of functionality in a product that leverages, let's say, a machine learning algorithm.
And then they'll advertise their product as using AI, which is technically not false.
You know, they're kind of just checking a box.
But to your point, I think that you can have a conversation with the technical folks behind the product to really get an understanding to what degree is AI used and what functionality in the product, because it's generally not very clear.
Where do you suppose we're headed?
You know, as we look towards the future, where do you think this is going to fit in? Yeah, I mean, I think every technology company should be looking at what they're building
and where they're going to see if AI can be used in their projects. I think, you know, maybe it's,
I want to say I saw a statistic recently about it was less than 50% of companies that have
actually incorporated AI into their software products. So I think that a lot of companies are looking at this, looking at AI, trying to figure
out, you know, can it help my business? Can it help my product? But it's, you know, they're
figuring out that in a lot of cases that the answer is no. So I think over time, it's just
more and more companies, technology companies figuring out exactly what types of problems AI does well at solving and which ones it doesn't.
And really honing in on those that it helps with and investing there.
I think a lot of folks are looking forward to the time when we get past that marketing hype. And it's a tool in the toolbox,
but maybe not one that's getting the emphasis that it gets today.
Absolutely. Yeah. I mean, and that's really, that's where the market and technology companies need to go. And today, for example, AI is great at classifying data and identifying abnormalities in data using pattern recognition.
And so there are a lot of products that need that functionality.
It's just that too many companies today, I think, feel the pressure to just check the box and advertise that they're using AI when actually they're not really using it in a significant way.
That's Steve Carter from Nucleus Security.
There's a lot more to this conversation.
If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
Roland Cloutier is executive advisor to the CEO at TikTok,
where Roland previously served as chief security officer.
He's also one of the judges of the upcoming DataTribe Challenge,
which the CyberWire is a media partner for. I started my conversation with Roland Cloutier by asking him for his insights on attracting talent in a highly competitive marketplace.
I think first you have to understand, you know, the basic premise of what do you really need
and when do you need it? You know, I often joke on this topic when we're
having discussions in industry on it about, you know, you probably don't have any firewall
engineer level threes anymore, right? Those jobs don't exist. You probably have, you know,
principal cloud engineers. You probably have risk analysts or critical incident response analysts
or business resilience designers, right? It's a
very different job field than it was 10 years ago, five years ago, and in some, you know, areas,
even two years ago. So you have to really understand what you need now, what you need
just over the horizon and create that job family. I think that's number one. Number two, when you've
done that, understand what is the
pathway to get there. What is, you know, if this was a sales organization, what's your pipeline?
So where do you get your people? Where do you think you can get your people? And sometimes
it's natively easy if you're in more, say, of a critical infrastructure organization. You know,
the military and government specialists that do
this around the world, that's a great pipeline. And often people want to transition from military
into a commercial job and you can align there. Sometimes nobody's doing this stuff yet. I mean,
you might be doing some really cool stuff on data defense and access assurance that you're
building your own system. So you're going to actually have to help a university design their program or two or three of them and use them as your pipeline over the
next three to five years. So it really depends on what's in your program, what type of technologists,
analysts or professionals you need. And I think the third thing is how do you play for
that long game? So how are you thinking about 10 years down the line?
Now, I know a lot of CISOs and CSOs, the running joke is the average tenure is only two and a
half to three years. And there's a lot of truth in that. But your job isn't just about what you're
delivering today. Your job is making your organization successful over the long haul.
And whether you're in seat or not doesn't matter. Making the executives that work for you today that will be the executive tomorrow
successful tomorrow. And that means planning for these things. So how are you thinking about
not just universities, but high school programs? How are you thinking about maybe even going
further into the middle schools and preparing STEM around cyber programs that
your organization can support. And whether that's financial support, you're lending
technical support to those programs, volunteerism, there's a lot of ways to do it.
But getting sticky, again, in the pipeline of people learning STEM for cyber in these early programs and a lot of great organizations out
there that are doing it. So you need to focus there. And like I mentioned, these jobs weren't
the same that they were a year ago. So how are you preparing the people that are in seat doing
these jobs for the jobs that we'll have to do tomorrow? So your internal education and practitioner preparation programs have to be
spot on. They just do. So if you have someone that is in a more of a legacy program or, you know,
maybe it was a growth build program and now they're going to have to transition into an
operations program, how are you preparing them internally to do that job? You know, we used to,
you know, we used to say, well, you got to go
past this and then take a science course and do this. But is that really what they need to be
successful in any one of those, those job families? So making sure that you have the talent pipeline,
you have the talent on staff, and you're creating educational programs internally for each one of
them. And that may be, you know, I'm an analyst
level three in this discipline tomorrow. I want to be a director. What are the four steps I have
to take to get there? And whether that's internal training or external training, you need to help
develop that. And, you know, in my last job as the CSO for ByteDance and TikTok, we actually hired a leader on the CSO Directs organization to ensure that there was the capability to build educational programs in.
So anyways, I love that question because it's so broad and you can go so deep in so many ways.
What about some of the, you know, so-called soft skills? I mean,
I hear lots of folks lamenting that in a technical field such as cybersecurity,
a lot of people would, they do themselves well to up their game when it comes to communications.
Yeah, Dave, this is one of those, you have to have those skills and you develop them over time.
It took me a while to learn, I'll tell you that.
You know, I came out of government law enforcement into this career field.
So can you imagine stepping into a corporate environment and like,
no, you will do this, right? Just the facts, ma'am, just the facts.
Yeah, that's not the truth.
Let's answer the truth at this table.
So, yeah, soft skills are important. And I find mentorship in this area is great. At least it
worked for me. Like, you know, people, you know, how to make yourself self-aware. Quite frankly,
there's great programs. I did one at Babson College in Massachusetts at one point that took you through developing these type of soft skills for future leaders.
But mentorship helps people that hear you in the context of the job you are in or see you as you know, as you are working, that can give you that mirror you need some time and help educate you.
I'm sure there's good books on it, but you're right. I mean, how to
act appropriately, how to channel your internal thoughts into reasonable, articulable discussions
externally, how to leave the right wake. I had a great coach once that said to me,
Roland, it's not about if you're right or wrong. It's not about if you're good at what you do.
It's about what's the wake you want to leave in the room that you're in at that time.
Maybe you want people to know that you're serious and you can be a jerk if you need to be.
And that's okay on occasion.
But maybe you want people to say, that was a fair and reasonable conversation.
I'd like to do more business with him.
And so when you learn that it's about how you act and how other people perceive you and you can learn for a living, you have to be able to understand and work with other people.
Before I let you go, you are one of the judges of the upcoming DataTribe Challenge where several startup hopefuls are going to be competing for some seed round funding.
What draws you to this?
Why is this something you want to invest your time in?
Well, you know, I'm a proud member of what Jim Routh had called the 10% club at one point.
Jim Routh is a great CISO who's retired and is now in the analyst community.
And what that means is we take 10% of our time and we dedicate it towards finding the thing that is going to, the next greatest thing that's going to help us in
our industry going forward. And I've always been a big believer in that. How do you focus on that
over the horizon control need technology that will solve my problems in the next two or three years?
And so the fact that I get to sit and do these,
that I get to sit on the judging panels is incredible because it's so important for us as,
you know, operational practitioners to understand what is out there, to understand we have many
needs. Not one thing meets all of our needs. Not one roadmap maps to all those needs over time. And our priorities shift and change as the threat surface changes, as the industry changes, as the products our companies are delivering to market change, our needs change.
Companies understanding the reality of what they can or cannot bring to the defensive posture of
any organization is super important, I think, to how any of us operate. And so that's why I'm so
excited to be able to do this. That's Roland Cloutier from TikTok. The submission deadline
for the DataTribe Challenge is September 23rd. You can learn more at datatribe.com slash challenge.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story
to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that
means for you and for Canada. This situation has changed very quickly. Helping make sense of the
world when it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. Be sure to check out this weekend's Research Saturday
and my conversation with Deepen Desai from Zscaler.
We're talking about their work,
Return of the Evilnum APT with Updated TTPs and New Targets.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Liz Irvin,
Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.