CyberWire Daily - Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? Cashout scams and neglected wallets. Developments in the Optus breach.
Episode Date: September 27, 2022

Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? We know it's a bear market, but take a look at your wallet, crypto speculators, at least now and then. Mr. Security Answer Person John Pescatore on next year's most over-hyped term. Ben Yelin explains a thirty-five million dollar data privacy settlement. And, finally, developments in the Optus breach. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/186

Selected reading.
Invaders Preparing Mass Cyberattacks on Facilities of Critical Infrastructure of Ukraine and Its Allies (Defence Intelligence of the Ministry of Defence of Ukraine)
Ukraine Says Russia Planning 'Massive Cyberattacks' on Critical Infrastructure (SecurityWeek)
Ukraine warns of Russian cyber attacks targeting critical infrastructure (Computing)
Russia plans "massive cyberattacks" on critical infrastructure, Ukraine warns (Ars Technica)
Ukraine warns allies: Russia plans 'massive cyberattacks' (Register)
Hackers Working With Russia to Coordinate Cyberattacks, Google Says - Tech News Briefing - WSJ Podcasts (Wall Street Journal)
Viasat Hack "Did Not" Have Huge Impact on Ukrainian Military Communications, Official Says (Zero Day)
Who's next in Lapsus$' crosshairs? (Digital Shadows)
Report: Sift Uncovers New Cashout Scam Targeting Forgotten Crypto Accounts (GlobeNewswire News Room)
Optus hacker releases 10,000 customers' details and issues new threat (Sky News)
'Last thing I need': Optus customer scrambles to protect himself (Australian Financial Review)
An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach (ABC)
Singtel's Optus under further fire for cyber breach; purported hackers claim data deleted (The Straits Times)
'Not feasible' to crack properly encrypted data (Australian Financial Review)
Optus hack not 'sophisticated' as claims 10,000 customers have data publicly released (9News)
Everything Happening in This Optus Cyberattack Shitstorm, I Promise (Vice)
Australian cybersecurity minister lambasts Optus for 'unprecedented' hack (The Record by Recorded Future)
FBI Working With Australian Authorities on Optus Cyberattack (MarketScreener)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Ukraine's defense intelligence warns of coming Russian cyber attacks against infrastructure.
What are the next moves for Lapsus$?
We know it's a bear market, but take a look at your wallet, crypto speculators.
Mr. Security Answer Person John Pescatore on next year's most overhyped term.
Ben Yelin explains a $35 million data privacy settlement.
And finally, developments in the Optus breach.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 27th, 2022.
The Ukrainian Defense Intelligence Service warned yesterday that the Kremlin is planning to carry out massive cyber attacks on the critical infrastructure facilities of Ukrainian enterprises and critical infrastructure institutions of Ukraine's allies.
The GRU added, first of all, attacks will be aimed at enterprises of the energy sector. The experience of cyber attacks on Ukraine's energy systems in 2015 and 2016 will be used when conducting operations.
Their estimate concludes that the cyberattacks will be a combat support operation intended to augment the effects of kinetic strikes.
They state,
By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities,
primarily in the eastern and southern regions of Ukraine.
The occupying command is convinced that this will slow down the offensive operations of the Ukrainian defense forces.
And Ukrainian allies, especially Poland and the Baltic states,
are warned to expect further distributed denial of service attacks.
Ukraine has said, and outside security experts tend to agree, that the country learned from
the 2015 and 2016 cyber attacks against its power grid.
Ars Technica notes the ways in which CERT-UA and its partners appear to have avoided a
repeat of those attacks.
It seems that a massive takedown of that grid has since become markedly
more difficult and considerably less likely than it was in the middle of the last decade.
Russian cyber operations have underperformed international expectations during the present war.
Their most marked success, the takedown of the Viasat network in the early hours of the invasion,
now seems retrospectively to have been less consequential than initially believed.
Services were indeed crippled, but the target selection in this case seems to have been wayward.
The evident intent was to degrade Ukrainian command and control, but Ukrainian forces used the satellite network only as a backup,
and its disruption didn't have any significant impact on military communications, Zero Day reports.
After the high-profile incidents at Uber and Rockstar Games,
the Lapsus$ group seems again to have been disrupted by an arrest,
but it's unlikely we've seen and heard the last of them.
Digital Shadows offers some speculation about where the group may be headed next.
Researchers at Digital Shadows have published a report looking at the possible next moves for Lapsus$.
The group tends to carry out a combination of hacktivist and financially motivated crimes,
although their tactics are generally opportunistic.
The researchers say,
if reports are to be believed, then many of the culprits for the recent attacks may receive law enforcement attention.
One 17-year-old in London has already been arrested,
which is likely related to the incidents involving Uber or Rockstar Games.
It is realistically possible that this arrest may have a similar impact to what we saw in March.
Lapsus$ may go underground for a period in reaction to increased media and law enforcement scrutiny.
There are also signs of an incipient but growing connection between the Lapsus$ group and ransomware gangs, notably Yanluowang.
Digital Shadows points out, within the attack against Cisco, Lapsus$ was also attributed with activity that is consistent with pre-ransomware deployment activity.
As cryptocurrency assets remain in a bear market, many speculators are reluctant to look at their accounts. It's just too depressing.
Scammers have been exploiting that inattention to run cash-out scams against account holders.
Sift has published a report finding that cybercriminals are targeting neglected cryptocurrency accounts amidst the drop in cryptocurrency's value over the past few months, stating, as cryptocurrency prices have plummeted in recent months, Sift's trust and safety architects uncovered a new scam targeting crypto account holders.
In this crypto cash-out scam, one fraudster who is looking to launder stolen funds solicits the help of another fraudster who has successfully taken over connected bank accounts and crypto wallets.
Once they team up, the cybercriminals load the stolen funds into the hijacked bank account and then into the corresponding stolen crypto wallet, before draining the funds and splitting the profits.
Brittany Allen, trust and safety architect at Sift, said,
Account takeover attacks are proving to be a primary attack method among fraudsters in our challenging economic environment.
Adding insult to injury, cybercriminals are leveraging automation via bots and scripts to match ATO attacks at scale,
often forcing businesses to choose between introducing excessive friction in their user experience or being consumed by fraud.
So, as painful as it may be, take a look at your wallets every now and then.
And finally, investigation of the breach suffered by Optus in Australia continues.
The US FBI is rendering assistance to the Australian Federal Police.
Australia's Minister for Home Affairs and Cybersecurity called the attack quite a basic hack and criticized the telco for permitting it to happen, The Record says.
For their part, the criminals have sought to increase the pressure on those being extorted
by releasing some of the data taken, ABC reports.
The hackers are also presenting some of the Robin Hood shtick
sometimes seen in other double extortion incidents, saying,
sorry to 10,200 Australian whose data was leaked.
It's not quite shadow speak, but if you could see the spelling, you'd call it, well, shadow writing.
Whoever you are, sir, Robin Hood, you ain't.
They spelled better in Sherwood Forest.
Coming up after the break, Mr. Security Answer Person John Pescatore on next year's most overhyped term. Ben Yelin explains a $35 million data privacy settlement. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
There is no shortage of hype in cybersecurity when the marketing and PR folks get their hands on everything.
In this edition of Mr. Security Answer Person,
John Pescatore takes a look at what just might be next year's most overhyped term.
Hi, I'm John Pescatore, Mr. Security Answer Person.
Our question for today's episode,
I just listened to the segment where you talked about how overhyped the term zero trust is.
Can you give us a prediction of what you think will be next year's most overhyped term?
Well, I promise I'll get back to your actual question,
but first I'm going to answer a slightly modified version.
What do I think should be the most hyped-up term in cybersecurity in 2023?
Last year, my daughter had her first child, our first grandson, and no surprise, he turned their lives upside down.
I started calling him Chaos Monkey after a cool piece of testing software that Netflix developed and describes this way: Chaos Monkey randomly terminates virtual machine instances and containers that run inside of your production environment.
Now here's the important part of the quote: Exposing engineers to failures more frequently incentivizes them to build resilient services, end quote.
Kind of like exposing DINKs, dual income, no kids couples, to their first baby does.
Chaos Monkey is just one of the tools in a collection Netflix calls the Simian Army.
A lot of this grew out of chaos engineering work Peter Deutsch at Sun and others did,
where they defined the eight fallacies that developers in the early days of Internet software
assumed were true of distributed computing over the Internet.
The eight fallacies are:
1. The network is reliable.
2. There is zero latency.
3. Bandwidth is infinite.
4. The network is secure.
5. Topology never changes.
6. There is one administrator.
7. Transport cost is zero.
8. The network is homogeneous.
Too often, some or all of those eight fallacies are still taken as gospel when developers write code today, even using fancy new DevOps methodologies.
All of this reminds me of when I used to drive an old car that broke down a lot, so I carried a lot of spare parts and tools and often planned my trips so that I'd always be in range of help if the inevitable failure occurred.
Cars have actually gotten a lot more reliable over the years, but software really has not.
Of course, Mr. Security Answer Person's focus is mostly on fallacy number four: the network is secure?
Here, the network means the entire internet, as in all the connecting paths and all the endpoints.
So even if transport security is always running, as in SSL everywhere or over IPsec, we know many of the endpoints will never be secure because they're running software, and most endpoints are being used or being administered by people.
Software and people are soft and squishy and don't get harder very fast.
So I think chaos security should be the new buzzword and CISOs should be called chief chaos safety officers or something like that.
I've kind of become convinced that chaos can be navigated safely, but chaos can never be made secure.
Realistically though,
I doubt we are ready to admit all that yet.
With that off my chest,
let me answer your original question,
which brings me back to the second line
in Peter Deutsch's quote,
exposing engineers to failures more frequently
incentivizes them to build resilient services. Resiliency popped up on the cybersecurity buzzword
radar screen years ago, but it is definitely on the rise. An example is supply chain resiliency
vendor Interos and their resiliency operations center, or ROC concept, around maintaining a
secure, reliable, and yes, resilient supply chain.
We have certainly seen the impact of near chaos in supply chains the past few years,
as well as a definite lack of both resiliency and security. With wars and pandemics and climate
change all hitting the world all at once, resiliency is actually a pretty lofty goal.
I'm looking forward to broad adoption of resiliency development.
Maybe we'll call it ResDevSecOps.
Resilient data and, yes,
even resilient trust architectures.
Thanks for listening.
I'm John Pescatore,
Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore
airs the last Tuesday of each month right here on the Cyber Wire.
Send your questions for Mr. Security Answer Person
to questions at thecyberwire.com.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting story.
This is from the Wall Street Journal written by Dave Michaels.
And it is about the good folks over at Morgan Stanley
paying $35 million to settle claims of failing to protect customer records.
What's going on here, Ben?
So there is a federal regulation that requires brokers and money managers like Morgan Stanley
to protect the security and confidentiality of customer records. So we don't have a comprehensive
data privacy law in this country, at least at the time that we're recording this. So we have
this sort of patchwork that applies in various industries.
HIPAA applies when we're talking about healthcare and covered entities.
The SEC has promulgated regulations as it applies to these brokers and money managers.
So what happened with Morgan Stanley is allegedly it scrapped computer servers and hard drives
without ensuring they no longer held sensitive customer information,
and they resold those servers and hard drives
with customer data still on it.
Oops.
Yeah, so that's a big problem.
Right.
So it's the role of the SEC to impose fines
for a variety of purposes.
The first is to pay monetary damages to individuals who have
suffered harm. And that's part of this $35 million that's been imposed here. But the other part is to
send a message to Morgan Stanley that this type of improper safeguarding of sensitive customer data
is unacceptable, and we will bring the full force of Uncle Sam down on you if you
don't do your due diligence. So $35 million is a lot of money. It's going to be a very steep
penalty, probably one of the largest we've seen for what they refer to in this article as a record
keeping misstep. The three previous fines levied by the SEC on financial firms for this type of
violation were much smaller fines, only in the amount of about $300,000 or so. So we're talking
about multiplying that, what is that, a hundredfold? I'm not so great at math.
I believe that an order of magnitude is the term of art.
Exactly. We'll go with that. Right, right. I think from Morgan Stanley's perspective, they're a big company.
They're probably going to be fine.
They are going to pay the fine and be relieved of the obligations of this investigation.
Right.
They're admitting no wrong here.
Worth noting, I suppose.
They are not admitting any wrong.
They're just paying.
It's sort of how I feel about when I get caught by one of those speed cameras.
Right.
Where I'm probably not going to be able to challenge this.
I could certainly argue that maybe I wasn't going 45 in a 30, but it's not worth it for me to go to court on this.
So they're going to pay the fine.
They say that they've notified all of their applicable clients about what happened.
They say this is something that happened in the past.
They've been much better over recent history about detecting and protecting against unauthorized access to personal client information.
And so from their perspective and I think from the government's perspective, this matter has been resolved.
Yeah. It's interesting.
This article points out that the SEC claims that Morgan Stanley lost track of 42 computer servers
that potentially contained unencrypted customer data,
which it sounds like were in field offices,
not at Morgan Stanley headquarters,
but out in the offices they have around the country.
And it's easy to imagine a scenario
where the IT folks come in to upgrade the server
and transfer all the data over,
and now you've got this pile of old servers,
and what are you going to do with them?
Well, maybe Bob will put them on Craigslist.
Exactly.
Who knows?
It's easy to sell them.
I mean, you probably just don't think about
the inherent risks
of there being confidential customer information on them
if it's just one piece of hardware in an office.
But when you multiply this by a large magnitude,
we're talking about 40 different devices or servers,
then that becomes a pretty big problem,
and it feels more like a pattern in practice than just an isolated incident.
It seems like they just had been somewhat negligent in how they dealt with those outdated
servers and that outdated hardware. Yeah, I think this is a really good reminder for folks who are
tasked with these sorts of things. Because I've seen several cases over the years where
a piece of hardware gets decommissioned and then it just
kind of gets forgotten about. It sits on a shelf maybe for years. And then at some point, somebody
says, what are we doing with all these, you know, these servers that are on that shelf? And he says,
I don't know. Just, you know, tell you what, Bob, go out, just, you know, toss them in the dumpster.
No one will ever know. What you got to do is go full office space on them. Take them to a field
with a baseball bat
and just whack them and get some good music playing in the background too.
Yeah. That's a solid plan. All right. Ben Yelin, thanks for joining us.
Thank you.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Thanks for listening. We'll see you back here tomorrow.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.