CyberWire Daily - Ukraine claims to have taken down a massive Russian bot farm. Were Russian cyber operations premature? Report: Emergency Alert System vulnerable to hijacking. And more crypto looting.
Episode Date: August 4, 2022. Ukraine claims to have taken down a massive Russian bot farm. Russian cyber operations may have been premature. A report says Emergency Alert Systems might be vulnerable to hijacking. The Mirai botnet... may have a descendant. Adam Flatley from Redacted with a look back at NotPetya. Ryan Windham from Imperva takes on Bad Bots. Attacks on a cryptocurrency exchange attempt to bypass 2FA. Solana cryptocurrency wallets looted. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/149
Selected reading.
Ukraine takes down 1,000,000 bots used for disinformation (BleepingComputer)
Did Russia mess up its cyberwar with Ukraine before it even invaded? (Washington Post)
So RapperBot, What Ya Bruting For? (Fortinet Blog)
Gaming Respawned (Akamai)
Coinbase Attacks Bypass 2FA (Pixm Anti-Phishing)
Thousands of Solana wallets drained in multimillion-dollar exploit (TechCrunch)
Thousands of Solana Wallets Hacked in Crypto Cyberattack (Wall Street Journal)
Solana, USDC Drained From Wallets in Attack (Decrypt)
Ongoing solana attack targets thousands of crypto wallets, costing users more than $5 million so far (CNBC)
Solana and Slope Confirm Wallet Security Breach (Crypto Briefing)
How Hackers Target Bridges Between Blockchains for Crypto Heists (Wall Street Journal)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Ukraine claims to have taken down a massive Russian bot farm.
Russian cyber operations may have been premature.
A report says emergency alert systems might be vulnerable to hijacking.
The Mirai botnet may have a descendant.
Adam Flatley from Redacted with a look back at NotPetya.
Ryan Windham from Imperva takes on bad bots.
Attacks on a cryptocurrency exchange attempt to bypass 2FA,
and Solana cryptocurrency wallets have been looted.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire
summary for Thursday, August 4th, 2022.
The Security Service of Ukraine says it dismantled a large Russian botnet operation
that was being used to spread
Russian propaganda and disinformation. The bots, about a million strong, were herded from locations
within Ukraine itself, Bleeping Computer reports. Their output took the form of social media posts
from inauthentic accounts associated with fictitious personas. The SSU described the operation, stating,
To spin destabilizing content, perpetrators administered over one million of their own bots
and numerous groups in social networks with an audience of almost 400,000 users.
In the course of a multi-stage special operation, the SSU exposed the leader of this criminal group. He is a Russian
citizen who has lived in Kiev and positioned himself as a political expert. On the other side
of the information war, Bleeping Computer also reported earlier this week that Ukrainian
hacktivists, Torrents of Truth, were bundling instructions on how to bypass Russian censorship into movie torrents,
whose intended audience would be Russian viewers.
CNN reports that the U.S. Federal Emergency Management Agency,
that's FEMA, part of the U.S. Department of Homeland Security,
has warned that its emergency alert system could be vulnerable to cyberattacks
that would enable the attacker to broadcast bogus
messages. CNN quoted Mark Lucero, chief engineer for the Integrated Public Alert and Warning System,
of which the EAS is a part, saying, a cybersecurity researcher provided FEMA with compelling evidence
to suggest certain unpatched and unsecured EAS devices
are indeed vulnerable.
The agency this week urged operators of the devices to update their software to address the issue,
saying that the false alerts could in theory be issued over TV, radio, and cable networks. The advisory did not say that alerts sent over text messages were affected.
There is no evidence that malicious
hackers have exploited the vulnerabilities. EAS is the national system, familiar to the
television and radio audience in the U.S., that will interrupt programming with warnings about
severe weather and other hazards. It's also used to communicate AMBER Alert notices of child abductions.
FortiGuard Labs has been tracking RapperBot, which it describes as a rapidly evolving IoT
malware family, since mid-June.
Yesterday, the researchers published an update on the current state of the malware, which
makes heavy use of old Mirai botnet source code.
RapperBot departs from its ancestors in its built-in capability to brute-force credentials
and gain access to SSH servers.
Mirai had exploited Telnet.
Indeed, the brute-force capability
seems to be RapperBot's core functionality
as it has only limited potential
as a distributed denial-of-service tool.
RapperBot's operators, whoever they are,
seem more interested in establishing persistence in compromised systems than they are in propagating
to other systems. And the malware's DDoS potential, which the researchers say was removed,
then restored, may be there as a form of misdirection. What the operators are after
is unclear. FortiGuard Labs says that
the motives of RapperBot's masters remain unclear. In the meantime, FortiGuard Labs offers some
advice for mitigation, saying, regardless, since its primary propagation method is brute-forcing
SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or disabling password authentication for SSH where possible.
Akamai reports that attacks on online gaming companies have more than doubled over the past year.
The company this morning released its study Gaming Respawned,
detailing the current state of online gaming and the pervasive threats that target the industry.
Researchers discovered that COVID lockdowns resulted in a large increase in gaming
and that this increase seems unlikely to fall off.
Akamai recorded 250 terabits per second of game download traffic in April of this year.
Cyber attacks on gaming companies and player accounts have also increased dramatically,
with web application and API attacks representing the largest category of attacks overall.
Cloud-based gaming is coming into its own and has widened gaming companies' attack surface.
DDoS attacks are pervasive in a sector that prizes immediate availability, and these have
increased by 5% in
the last year. Gaming has retained its place atop the industry leaderboard, providing the target for
some 36% of all DDoS traffic. And finally, approximately 9,000 cryptocurrency wallets
attached to the Solana blockchain ecosystem have been robbed of at least $4 million
in total, The Verge reports. Solana says the attack has been linked to accounts using the
Slope mobile wallet app. Slope is still investigating and said in a statement,
we recommend all Slope users do the following: create a new and unique seed phrase wallet and transfer all assets to this new wallet.
Again, we do not recommend using the same seed phrase
on this new wallet that you had on Slope.
If you are using a hardware wallet,
your keys have not been compromised.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform ... third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
We recently passed the fifth anniversary of the NotPetya pseudo-ransomware attack,
which targeted Ukrainian companies but spilled over and crippled global organizations like Maersk and FedEx.
When the war in Ukraine began earlier this year,
security folks couldn't help wondering if another round of NotPetya-like malware might be unleashed on the world.
For perspective on where we stand today,
I checked in with Adam Flatley,
Director of Threat Intelligence at Redacted.
So, you know, the biggest reason why NotPetya spread so far and so fast
was that the settings for lateral movement
were completely unconstrained by the threat actor.
And what that allowed them to do was to ride VPNs out of Ukraine
for companies that had connections into Ukraine,
and then they hit essentially completely flat networks
that were able to not only spread in the direct connection that was connected to Ukraine, but also all over the
world in these company networks. So the biggest mitigations that people have started putting in
place are actually segmenting your network properly from a general networking standpoint,
but then also looking at connections into various countries as having different levels of risk.
And I think that's really important because connections into some places are more dangerous than others.
And so you can put additional mitigations in place covering the high risk areas.
Can we dig into that a little bit?
I mean, specifically, what are you talking about here? Let's say, you know, we have a
multinational corporation and they have a network connection that lands into a portion of their
company that is in Canada and a portion of their company that is in a country that is suddenly
becoming a war zone like Ukraine. Connections coming out of Canada are going to be lower risk than ones coming
out of a country that is actively being hit with cyber attacks. Multiple wipers were released in
Ukraine and some still continue to be released in Ukraine now. And so that changes the risk
profile of anything that you still have connected to that area.
You monitor them differently.
You look at the telemetry more thoroughly.
You lock down permissions even further so that you're basically balancing your ease of operability with the proper strategic security measures for each area.
Do you suppose that it's possible for something like NotPetya to happen today,
given what we learned from the first round?
Absolutely. I think that while many companies have learned the lesson, and like I said, they were aggressively coming to us asking for help when the Ukraine war started to help make sure that they were ... decided to take the current constraints off of the wipers that they're using now and just unleash them in Ukraine unbridled like they did before, I'm quite sure many multinational corporations would go down just as hard.
Yeah, I mean, it's a fascinating thing to think about, isn't it?
I mean, I suppose to some degree diplomacy still holds sway here, right? It does.
And it's very complicated as well because in the original NotPetya attack, I am convinced that the Russians knew that it was going to go outside of Ukraine.
And they weren't just targeting Ukraine to try and disrupt their economy, but they also wanted to basically punish any Western corporation that was doing business
with Ukraine to try and drive them away from Ukraine because it would be too risky to operate
there. And when you look at the way that the propagation settings were set up in NotPetya, it could literally go as far and wide as the network existed.
There was nothing set in there holding back how many hops it could take, for example.
But if you look at the wipers that the Russians are releasing in Ukraine now, they are set at a very constrained setting.
Like one or two hops is the most I've ever seen in any of the wipers that were released in Ukraine. So they're definitely intentionally
trying to keep it localized. And, you know, the politics are different now. There's a war going on.
There are sanctions in place. NATO is expanding. And as much as the Russians like to bluster, I think they're very reluctant to actually draw NATO into this conflict. And so they're most likely holding back on something that would cause like a worldwide cyber attack, like they did before, out of caution to just not give NATO an excuse to fully engage
in this conflict. So do you suppose that NotPetya was a case of, I don't know, recklessness
or disregard for where this might go or was it calculated? Honestly, I think it was calculated.
Russian doctrine essentially leads them down the path of escalation until someone stops you.
That's sort of how they test their boundaries.
And over the past, you know, 10 years, the Russians have been doing more and more bold things in cyberspace.
And nobody has done anything about it. There have been no real repercussions against
them. And so they kept pushing the limit and pushing the limit. Pause, see if anyone would
react. Nobody did anything. They pushed a little further and harder. And I think NotPetya was done
out of a calculated risk assessment on their side that the West wasn't going to do anything to them. And you know what?
They were right. Not that it happened. Multi-billion dollar corporations were affected.
Millions and millions of dollars lost and nothing. No repercussions for Russia.
That's Adam Flatley from Redacted.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
The team at security firm Imperva recently released the latest version of their Bad Bots report looking at bot traffic on the Internet in 2021.
Ryan Windham is vice president of application security at Imperva.
Yeah, so, you know, unfortunately, the problem isn't getting any better.
In 2021, we saw that Bad Bots accounted for a record setting 27.7% of all global website traffic.
So, you know, that's roughly, you know, almost a third of all global website traffic is being
generated by bots. So huge toll on, you know, the internet at large, on society, on these application
vendors, and on customers.
And of those bad bots, we saw a rise in what we call evasive bad bots. So those made up about 65.6% of all bad bot traffic. So these are what we call both moderate and advanced bad bots that use really sophisticated methods to try to
avoid detection.
So they'll do things like cycling through random IP addresses.
They'll come in through anonymous proxies or services that are known as residential
proxies.
They'll change their identities.
They'll mimic human behavior to evade detection. So
definitely seeing a lot more of these more sophisticated bots. You know, one of the other
big things that we saw in 2021 was a rise in what's called ATO attacks or account takeover
attacks. And so these are attacks where bots will attempt to,
you know, as it sounds, take over users' accounts. And so they'll be trying to get access to financial information
or other personal information
because maybe they want to commit identity fraud
or maybe steal, you know, loyalty points or that sort of thing.
So these were on the rise.
They were about 148% up over the prior year. Now, when you talk about some of these advanced bots that you all
are tracking here, do you have any sense for how successful they are? I mean, you're detecting them,
right? Yeah. So we were detecting them. And in many cases, we were stopping them. In most cases, we're stopping them.
We can't speak for the internet at large, but certainly the attacks that we see, we're offering protection against them. so difficult to protect against is if you think about kind of traditional vulnerabilities,
you know, hackers are essentially exploiting, say, a code vulnerability. But in the case of bots,
you know, there's really no code being exploited. They're actually just coming in and taking
advantage of what we call a business logic layer attack or an application layer attack. So
essentially, they're using the application the way that a regular user would use it,
except they're doing it at scale with the intent to commit fraud or abuse.
So I encourage listeners to look at getting some specific bot protection solutions in
front of their application architecture if they
don't have it already. What are you seeing in terms of who they're focused on attacking? Are
there any particular verticals that they're going after here? Yeah, so great, great question. You
know, the account takeover attacks, we actually saw, you know, be a pretty across-the-board horizontal attack type. But then we did see,
you know, financial services certainly stood out as being one that's often attacked as well as
travel vertical and retail. And, you know, the reasons I guess are pretty obvious, just there's
higher stakes involved, typically financial
gains to be had in these industries. You know, one thing that caught my eye here was
in the report, you all pointed out that a lot of these bots will disguise themselves as mobile web
browsers. And you pointed out that mobile Safari was popular because of Apple's increased privacy settings.
It makes them harder to detect.
That's an interesting response.
That's right.
So as you were mentioning, Apple rolled out some enhanced privacy settings last year.
And those are intended to prevent advertisers or others from tracking you across sites.
But it also creates additional protections for bot operators to masquerade behind.
So it makes it more difficult for technology that is attempting to block bots from actually being able to track them and identify them.
So you have to get more
creative with your detection techniques. So mobile user agents were a popular disguise
for bad bot traffic in 2021. They accounted for more than a third of all internet traffic,
which was up from 28.1% in 2020. So what are the take-homes here? I mean,
in terms of recommendations for organizations to
best protect themselves here, what do you all recommend? Yeah, so the impact from bots is
pretty cross-functional and pretty strategic. It can create revenue loss, increases potential for
customer churn. There's skewed metrics,
especially when you think about, you know,
content and price scraping that takes place
that, you know, where bots come in
and effectively look at content, scrape it,
but don't close a transaction
that's going to skew your metrics.
So it's really a cross-functional problem,
one that everyone needs to be aware of.
In terms of how to protect against them, I think it's important to look for any increases in traffic that are out of the ordinary.
Oftentimes, these will come in as high rates of traffic. The other is to think about putting in place a specific solution
that's intended to block bots going beyond just your traditional web application firewall that may
look more at rules or signature-based detection and something that takes into account behavior
and can use dynamic machine learning
and other advanced techniques to monitor this traffic and identify malicious behavior.
That's Ryan Windham from Imperva.
Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
... can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.