CyberWire Daily - Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches Confluence. CISA advisory on voting system. "State-aligned" campaign tried to exploit Follina. "Cyber Spetsnaz."
Episode Date: June 6, 2022

Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches a Confluence critical vulnerability. CISA releases ICS advisory on voting systems. A "state-aligned" phishing campaign tried to exploit Follina. Is electronic warfare a blunt instrument in the ether? Verizon's Chris Novak stops by with thoughts on making the most of your trip to the RSA conference. Our guest is Tom Garrison from Intel with a look at hardware security. And a Russia-aligned group says they're not just hacktivists; they're "Cyber Spetsnaz."

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/108

Selected reading.
Remarks by Victor Zhora, deputy head of SSSCIP. (SSSCIP)
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News)
Russian ministry website appears hacked; RIA reports users data protected (Reuters)
Confluence Security Advisory 2022-06-02 (Atlassian)
Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134 (CISA)
Patch released for exploited Atlassian zero-day vulnerability (The Record by Recorded Future)
CISA Releases Security Advisory on Dominion Voting Systems Democracy Suite ImageCast X (CISA)
State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S (The Hacker News)
Deadly secret: Electronic warfare shapes Russia-Ukraine war (AP NEWS)
Exclusive: Pro-Russia group 'Cyber Spetsnaz' is attacking government agencies (Security Affairs)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout.
That's joindeleteme.com/n2k, code N2K.
Ukraine offers an update on the cyber phases of Russia's hybrid war.
Atlassian patches a Confluence critical vulnerability.
CISA releases ICS advisory on voting systems.
A state-aligned phishing campaign tried to exploit Follina.
Is electronic warfare a blunt instrument in the ether?
Verizon's Chris Novak stops by with thoughts on making the most of your trip to the RSA conference.
Our guest is Tom Garrison from Intel with a look at hardware security.
And a Russia-aligned group says they're not just hacktivists, they're Cyber Spetsnaz.
From the RSA conference in San Francisco, the city by the other bay, I'm Dave Bittner with your Cyber Wire summary for Monday, June 6th, 2022.
Ukraine sees itself as waging a defensive cyber war, leaving offensive operations to the Russian enemy and to, perhaps, various friendly governments from the West. In a briefing today, Victor Zhora, Deputy Head of the State Special Communications Service of Ukraine, characterized Russian cyber operations during the war as unremitting but largely unsuccessful at crippling Ukrainian infrastructure. He also noted the high level of Russian disinformation operations, which extend not only to pushing specific lines of propaganda, but also to denying Ukrainians the means to gain reliable information and communicate with one another.

The CyberWire asked Mr. Zhora why Russian cyber attacks against Ukrainian infrastructure haven't been a significant factor so far. Had Russia not attempted them, or had Ukraine succeeded in stopping them? He answered that a kinetic attack is simply a more effective method of attack, and that's where the Russians had concentrated their efforts. He said Ukraine has successfully fended off cyber attacks against infrastructure and that it was very aware of the cyber risk to its power grid. Ukraine has prevented, by swift action, an operation that would have deprived people of access to power. Mr. Zhora expects such Russian attempts to continue, and he's confident of Ukraine's ability to defend its power grid in particular. But he emphasized that Russia has focused on kinetic attack, and that cyber operations, especially information operations, are being used by Moscow as a supporting adjunct to traditional military operations.

We were also able to ask about the operations in support of Ukraine that U.S. Cyber Command alluded to last week. The operations General Nakasone mentioned last week to Sky News were, according to Mr. Zhora, U.S. operations, and Ukraine didn't participate in them, and so Ukraine is not in a position to comment on them. Mr. Zhora said he can add nothing to General Nakasone's statement. He did say that Ukraine did not conduct offensive cyber operations. It does, however, conduct defensive cyber operations, and he said that cooperation with NATO was extensive and ongoing. Ukraine's lack of dedicated cyber units, by which he presumably meant organizations trained, equipped, and authorized to conduct offensive operations, and its reservations about the permissibility of such operations under international law, are the principal reasons for Kiev's restraint in this regard.
We followed up with a question about hacktivism. If Ukraine doesn't conduct offensive cyber operations, what about hacktivist attacks on Russian assets? Are these conducted independently, or with Ukrainian guidance, direction, or control? Mr. Zhora replied that the hacktivists were acting independently and were not under Ukrainian control. He also noted that hacktivism has so far not been very significant in its effects. Much hacktivism has gone into defacement of Russian websites. Reuters reported Saturday, for example, that the site belonging to Russia's Ministry of Construction, Housing and Utilities had been defaced with the slogan "Glory to Ukraine." This particular ministry, of negligible strategic significance, was clearly a target of opportunity, hacked because it was hackable.

But the question suggested to him that the possibility of developing an offensive capability as a deterrent was worth serious discussion with partners and allies. He noted the difficulty under international norms of conducting offensive cyber operations, and he stressed that Ukraine aimed to behave responsibly, and that Ukraine wanted to bring Russia to a similar responsibility in cyberspace. He thinks that the ways in which nations defend themselves in cyberspace will certainly change after this war, and that Ukraine intended to be a full participant in that change. And he thought questions about responsible defense in cyberspace would be good ones to address to General Nakasone. The existence of cyber forces does indicate a country's potential to defend itself effectively, but it's not yet clear how such potential can be used to build deterrence. Thinking about deterrence in this way will be among the matters countries will take up at the end of the present war.

As promised, Atlassian released a patch for the Confluence vulnerabilities this past Friday. Atlassian's tools are widely used. The Record estimates that more than 200,000 enterprises use the company's products. CISA, which had on Thursday required all the U.S. federal agencies whose security it oversees to immediately mitigate the risk of compromise via the vulnerability by disconnecting affected versions of Confluence from the Internet, on Friday updated its direction. Per BOD 22-01, Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all Internet traffic to and from Atlassian's Confluence Server and Data Center products, and either apply the software update to all affected instances or remove the affected products by 5 p.m. ET on Monday, June 6, 2022.
On Friday, CISA released an advisory on a voting system, specifically Dominion Voting Systems' ImageCast X. CISA recommends election officials continue to take and further enhance defensive measures to reduce the risk of exploitation of these vulnerabilities. The advisory includes 13 specific steps CISA urges election officials to follow should they plan to use the Dominion system.

Proofpoint found targeted attacks that sought to exploit the Follina vulnerability. The company tweeted its discovery late Friday evening. They said, "Proofpoint blocked a suspected state-aligned phishing campaign targeting less than 10 Proofpoint customers, European government and local U.S. government, attempting to exploit Follina. While Proofpoint suspects this campaign to be by a state-aligned actor, based on both the extensive recon of the PowerShell and tight concentration of targeting, we do not currently attribute it to a numbered threat actor." Microsoft had released recommended mitigations on May 30th, and the following day CISA urged users to apply those to their systems.
We return briefly to the hybrid war in Ukraine. Russian electronic warfare capabilities, which before the invasion of Ukraine had been regarded as a national strength, have indeed been employed with effect in Russia's war. They are, however, being used as a kind of artillery in the electromagnetic spectrum. The preferred technique has been jamming, as opposed to collection or deception, and that jamming has tended to be powerful and indiscriminate, pushing noise across wide swaths of the spectrum. The AP reports some use of electronic warfare for targeting, but the Russian main effort seems to be carried out by the jammers.
Finally, there's a new self-proclaimed crew of cyber commandos in action, or at least a crew that says they're in action. Security Affairs reports that researchers at Resecurity have associated a threat group with Operation Panopticon, a nominally hacktivist campaign announced by a Russian group during the last week in May. That group styles itself the Cyber Spetsnaz and identifies with the Killnet Collective. Security Affairs explains, "the actors are positioning themselves as an elite cyber-offensive group targeting NATO infrastructure and performing cyber espionage to steal sensitive data." Their report adds that on June 2nd, the group created a new division called Sparta. The responsibility of the new division includes cyber sabotage, disruption of internet resources, data theft and financial intelligence focused on NATO, their members and allies. Notably, Sparta outlines the activity as a key priority today and confirms the newly created division is an official part of the Killnet Collective group. Based on the description, the actors call themselves hacktivists. However, it's not yet clear if the group has any connection to state actors. Sources interviewed by Security Affairs interpreted this activity with high levels of confidence to be state-supported. Interestingly, the name Sparta, in the context of the current Ukrainian war, is related to the name of a unit from the Donetsk People's Republic.

Spetsnaz is a Russian term for a special operations unit. Historically, the name was used most often to refer to the GRU's special operations forces. Western equivalents of Cyber Spetsnaz would be names like cyber commandos, cyber green berets, cyber rangers, cyber SEALs, things along those lines. The name is grandiose. We shall see how far, if at all, the Cyber Spetsnaz lives up to its press releases.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Intel recently sponsored research by the Ponemon Institute titled Security Innovation: Secure Systems Start with Foundational Hardware.
To dig into some of the findings, I checked in with Tom Garrison,
Vice President and General Manager of Intel's cybersecurity team in the client organization.
People are spending a lot of money.
Research suggests that there's about $172 billion just this year that's going to be spent on cybersecurity
and enhancing cybersecurity.
So there's a tremendous amount of expenditures
that's going on in the industry,
which I think is fascinating.
We dove also into, I mentioned, hardware-based security.
And what we found was that only about,
just a little over a third of the respondents
said they had already adopted
hardware-assisted security solutions,
which isn't very high.
As we all know, within the security world,
if you are relying on a software-only strategy,
you aren't as safe as you could be with a hardware-based one.
So with only a little over a third of respondents
having already adopted, we know there's a lot more to go.
But we are reassured
that about 47%, or just call it half,
of the respondents
are saying that they're going to do so
within the next six to 12 months.
So while only a third have done it up till now,
half say that they have plans to do it
within the next six to 12 months.
So that's a good start.
Can we take a step back here and just provide some clarity on the definitions here?
I mean, how do you and your colleagues at Intel define the difference between a software or hardware approach?
Yeah, that's a good question.
The way that we think about hardware-assisted approaches is to think about software-based solutions
that don't rely only, obviously, as we would say, in software.
They know how to use the hardware capabilities
that are built into the platform.
For example, the ability to look for
return-oriented programming attacks and to be
able to use technologies that are built into the silicon, like control flow enforcement technologies.
So, this is a very technical way to talk about it, but these are features that are built into
the platforms that can deliver on a very, very high degree of trust
that you just can't get with software.
And there's a whole host of those,
but it's important to understand that as we think about
supply chain attacks and other types of attacks,
the attackers are looking for any exploit they can.
And the good news is, with hardware-assisted
and hardware-based security solutions,
this is sort of the bedrock
with which security attackers
really can't get underneath.
So that's the challenge with software,
is that anybody trying to attack
a software-based solution,
if they're trying to attack the application,
for example,
once the application
becomes more hardened and difficult of a target, they'll go underneath the application to, let's
say, the operating system. Once the operating system gets really good and hard to attack,
they'll go under the operating system to the VM. And likewise, attackers are constantly trying to get underneath the attack surface
and all the protections that exist there.
And so with hardware-based solutions, the good news is there's nothing below hardware.
And so hardware can act as this bedrock with which then a security solution,
both hardware and software-based, can be built upon with a high degree of trust.
So, based on the information that you have gathered here, what's your advice?
What should the security folks out there do?
Well, first and foremost, I would say, ask yourself,
do you know whether your machines are capable of the latest in security innovation?
So basically, if your platforms are older
than about three years old,
you really should be considering refreshing those platforms.
Newer platforms are considerably safer
from a feature set standpoint.
The second piece doesn't sound really all that sexy,
if you will, but it is very important.
And that is, do you have a process to keep your machines updated on a regular basis?
And as simple as that sounds, a lot of companies don't have a process where every quarter or at
least twice a year, they are taking all of the known vulnerabilities
for that specific platform
and making sure that the mitigations
are loaded on that machine to keep it safe.
And that is a big area that, again,
doesn't sound that interesting,
but it turns out to be one of the biggest single steps that you can have,
having a process to keep those platforms updated.
That's Tom Garrison from Intel.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Chris Novak.
He's Managing Director of Security Professional Services for Verizon Business.
Chris, it's always great to welcome you back to the show.
You know, as we head into this week of the RSA conference, I really wanted to
check in with you. You're someone who's been around in this industry for a few years and have
attended your share of RSA conferences here. What does this represent to you as sort of a marker
point for our year and an event for the community? You know, I think it's, first of all,
it's always a pleasure to be here. And I think, you know, when we look at RSA, it is, you know,
really the bellwether. It is what everybody kind of rallies around in the security community. Whether
you love conferences or not, there is a lot of great intellect and knowledge that comes together
at those events. And obviously, you've also got to have a fair share of skepticism and paranoia, as I think most security professionals do,
in knowing that there's probably some marketing silver bullets out there that aren't really silver
bullets. But I think nonetheless, it's important to get a view on where, you know, innovators are
going, where the disruptors are. You know, you always typically have kind of a camp of relatively
mainstream approaches to security and then a camp that's looking to really say, how do I change things up?
How do I make a name for myself? And I think, you know, an event like RSA is a good place to kind of
see how all that comes together and see, you know, what the future might hold.
We've had a break for a couple of years here with everyone hunkering down with COVID, but
people are back in person this year.
Is there an extra element that that adds to be able to see folks face to face?
I think without a doubt, you know, and this is one of the things that I've had a long
held belief on is that, you know, people are naturally social creatures.
We like to interact with one another.
And, you know, I think everybody has done a great job of trying to make things work during the course of the pandemic. And obviously,
you know, the opportunity to come face-to-face, I think we tend to build better and more resilient
relationships when we've had the opportunity to meet face-to-face, grab a lunch, grab a drink,
grab a dinner. You build a relationship differently that way than you might do virtually. So I think
for a lot of organizations, that'll be a big opportunity for them.
And I also think you're going to see a lot of organizations that will probably have a better success breaking new ground when they have an opportunity to demo their new widget or service or whatever it might be in front of an actual live audience where you can actually walk up, see it, and touch it.
For those folks who are new to the industry,
and maybe this is their first time at a conference of this scale, any tips or words of wisdom to have it not be so overwhelming? So I would say the best advice I would give someone is, one, take a look
at the conference agenda before you go. If you've never been there before, it will be wildly overwhelming.
The venue is huge. The amount of people, the lights, the flashy objects, it can be extraordinarily
overwhelming. I mean, you literally get a map when you enter. So I would say take a look at the agenda
in advance and try to map out what sessions you may want to go to. There are sessions that do
actually fill up or sell out, and you might not get a seat
if you haven't planned in advance or you haven't gotten there in advance. So I'd encourage folks
to really figure out what are the things that are really the most important so you can make sure you
can map your schedule out accordingly for that. And obviously, I'd be remiss if I didn't give a
little plug for my session on Tuesday morning. So hopefully, folks can come check that out as well.
But yeah, definitely check out the
session agendas and figure out what works for your needs. And I think it's also a great opportunity to
network with people as well. There's an opportunity to meet with a lot of your vendors,
a lot of your partners, and really cover a lot of ground that maybe if you were to try to do that in
person, especially in today's day and age with COVID, you might have had a much harder time traveling around and meeting all those
people face-to-face, especially if a lot of people maybe are coming out that normally right now would
be hybrid or work from home. They might not be entertaining in-person meetings otherwise. So
this may be an opportunity for you to meet those folks face-to-face. Yeah, I would add also, don't
be shy. You know, if you see somebody who you'd
like to get to know, introduce yourself. I think most of us are happy to meet new people and happy
to help folks who are new to the industry get a leg up. So don't hold back. Absolutely agree. That
is definitely good advice. And I often find that a lot of people will come up to the expo booths
and, you know, we see folks from all different parts of their security career journey,
from just breaking in to longtime veterans.
And the one thing I do find is most folks are very accepting, very supportive, and very much happy to have a conversation.
I tell people you generally don't kind of end in or find yourself in cybersecurity if it's not a thing you're passionate about.
And you'll probably find a lot of people
who are happy to share how they got to where they are
or what they're doing
or where they might find interesting insights
or creative opportunities for yourself.
All right.
Well, Chris Novak, thanks for joining us. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Irvin,
Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.