CyberWire Daily - Ukraine’s security chief and head prosecutor are out. Cyberattacks hit Albania. APTs prospect journalists. The GRU trolls researchers. CISA to open an attaché office in London.
Episode Date: July 18, 2022

Ukraine shakes up its security and prosecutorial services. Cyberattacks hit Albania. Advanced persistent threat actors prospect journalists. The GRU is said to be trolling researchers who look into Sandworm. Thomas Etheridge from CrowdStrike on identity management. Our guest is Robin Bell from Egress discussing their Human Activated Risk Report. And CISA opens a liaison office in London. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/136

Selected reading.
Ukraine's Zelenskyy fires top security chief and prosecutor (AP NEWS)
Zelenskiy Ousts Ukraine's Security Chief and Top Prosecutor (Bloomberg)
Volodymyr Zelensky sacks top aides over 'Russian collaboration' (The Telegraph)
A massive cyberattack hit Albania (Security Affairs)
Information Systems Are Intact, Says Albanian Government after Cyber Attack (Exit - Explaining Albania)
Albania closes down online gov't systems after cyber attack (ANI News)
Albania Shuts Down Digital Services and Government Websites after Cyber Attack (Exit - Explaining Albania)
Hackers pose as journalists to breach news media org's networks (BleepingComputer)
Cybersecurity Firm: What US Journalists Need To Know About The Foreign Hackers Targeting Them (Forbes)
Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (Dark Reading)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Ukraine shakes up its security and prosecutorial services.
Cyber attacks hit Albania.
Advanced persistent threat actors prospect journalists.
The GRU is said to be trolling researchers who look into Sandworm.
Thomas Etheridge from CrowdStrike on identity management.
Our guest is Robin Bell from Egress, discussing their Human Activated Risk Report.
And CISA opens a liaison office in London.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 18th, 2022.
The AP reports that yesterday, July 17, Ukrainian President Zelensky dismissed two senior members of his government: SBU Chief Ivan Bakanov, described as a childhood friend and former business partner of the president, and Prosecutor General Iryna Venediktova. The dismissals were prompted by concerns about treason and collaboration with Russian occupation forces. Zelensky said, "In particular, more than 60 employees of the prosecutor's office and the SBU, the State Security Service, have remained in the occupied territory and work against our state ... national security and the links recorded between Ukrainian security forces and the Russian special services raise very serious questions about their respective leaders." What effect the shake-up will have on Ukrainian cyber operations remains to be seen. We'll be following developments.
Albania suffered a major cyberattack yesterday, Balkan Insight and other sources report. Government sources stress the attack's foreign origin and unprecedented scope. The Council of Ministers said in a statement, "Albania is under a massive cybernetic attack that has never happened before. This criminal cyber attack was synchronized from outside Albania." Cyber News quotes the Albanian National Agency for the Information Society on the government's decision to shut down some of its online services. They say, "In order to withstand these unprecedented and dangerous strikes, we have been forced to close down government systems until the enemy attacks are neutralized." Among the services disrupted are the websites of Parliament and the Prime Minister's office, as well as eAlbania, the government portal that all Albanians, as well as foreign residents and investors, have to use for a slew of public services. Services were still undergoing restoration today. Little information is available about the details of the attacks, and so far there's been no attribution.
Observers continue to comment on Proofpoint's study of attempts by intelligence services in Turkey, Iran, China, and North Korea to either impersonate journalists or gain access to news media networks. Bleeping Computer describes the attempts as preparatory activity intended to serve broader espionage campaigns, writing, "The adversaries are either masquerading or attacking these targets because they have unique access to non-public information that could help expand a cyber espionage operation." Their efforts include both spoofing and credential harvesting.
Forbes sought advice from Proofpoint for media outlets and working journalists. Sherrod DeGrippo, Proofpoint Vice President of Threat Research and Detection, told Forbes, "There are a number of ways journalists can protect themselves from APT attacks. One is for journalists and their associated outlets to understand their overall level of risk. For example, we've seen targeted attacks against academics and foreign policy experts, particularly those working on Middle Eastern foreign affairs, so individuals in this line of work should be particularly cautious. Another is, if journalists are going to use email addresses outside of their corporate domain, such as Gmail or ProtonMail, they should list those publicly on their website so public sources can verify whether or not it's a legitimate email. Conversely, experts approached by journalists should check the journalist's website to see if the email address belongs to the journalist." Proofpoint also suggested that all organizations try to arrive at some clarity concerning which of their people are most likely to receive this sort of attention, and that they tailor their training and other protective measures appropriately.
Dark Reading reports that ESET, which will be offering a report on countermeasures to the Sandworm malware Industroyer2 at Black Hat next month, says it's being trolled by the GRU. They write, "The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDA Pro reverse engineering tool, the very same tool the researchers had used to analyze the attacker's malware." ESET thinks this is no coincidence, but rather a "right back at you" from the Aquarium to let ESET know that the GRU knows what ESET's studying and that the GRU doesn't care. ESET's Robert Lipovsky said, "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say." Lipovsky also said the GRU deployed a Trojanized version of ESET security products in the course of its attacks on Ukrainian networks. He observed, "They were sending a message that they were aware we are doing our job protecting the users in Ukraine." Yes, it's a dog-bites-man story, but worth following. In general, if you're interested in the GRU, you might well count on the GRU being interested in you.
And finally, this morning, the Cybersecurity and Infrastructure Security Agency announced in an email to its media contacts
that it will establish its first attaché office abroad this month and that it will be located in London.
The agency's announcement said the attaché office will serve as a focal point for international collaboration between CISA, UK government officials and other federal agency officials. The CISA attaché will advance CISA's missions in cybersecurity, critical infrastructure protection, and emergency communications, and leverage the agency's global network to promote CISA's four international strategic goals: advancing operational cooperation, building partner capacity, strengthening collaboration through stakeholder engagement and outreach, and shaping the global policy ecosystem.
CISA's first attaché will be Julie Johnson,
most recently Regional Protective Security Advisor for CISA in New York, and also CISA's regional lead for federal interagency working groups.
She came to CISA from the U.S. Department of State,
where she worked on the Bureau of Intelligence and Research,
Bureau of International Narcotics and Law Enforcement,
and Bureau of Educational and Cultural Affairs.
Congratulations and best wishes to Ms. Johnson
as she gets ready to get to work in London.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Security firm Egress recently published a report focused on what they describe as human activated risk, highlighting the security risks organizations face, particularly from non-technical employees and the tools they use on a daily basis, things like email. Robin Bell is Chief Information Security Officer at Egress.

... the volume of email in the first place. And they predicted volumes. I think it was 376 billion emails every day by 2025 is predicted.
Even with the shift of messaging systems like Slack and Teams being taken into account, that's still a mind-boggling number.
And those are things that people have got to deal with every day.
You sit down to an inbox flooded with email and try and sort out what you need to deal with and what's not relevant.
You know, some of the things that caught my eye reading through the report here,
you all pointed out that just over half of the IT leaders say that their non-technical staff are only somewhat prepared or not at all prepared for a security attack.
What's causing that gap there?
Why do we feel as though more folks aren't where they should be?
Email is just so prevalent in everybody's life.
It's something that you use whether you're in work, whether it's at home, whether you're organizing things for your kids' school.
It's just used all day, every day.
And it's just taken for granted.
So people just see emails, they just respond to them,
and they don't really necessarily think about the consequences
of what that might be or clicking on links in emails.
There's such a vast array of different technologies
for organizations to work with as well
to put in place mitigations for those.
And they're not always very end-user friendly.
Sometimes they're more administrative-based
than user-based.
Well, how does an organization best balance
those two elements then? The human element
versus the technology side of things. What are your recommendations for dialing that in?
Well, user training is definitely a key aspect of that. And we have quite an extensive program of internal training for colleagues just on how to spot phishing emails and emails that might lead to compromises, and obviously not just in work but for home use as well, you know, getting banking email into your personal email address. So there's that. Definitely that aspect is a core way to help mitigate and manage that.
But it's also, as I said, it's around having tooling that helps users make those decisions at the time
that they're about to make an action
that could result in a compromise.
I like the saying that, I don't know where it came from,
but I'll pinch it anyway,
that we're always just one click away from a breach.
And that's the idea that there
are so many users and so many emails, it only takes one mistake to result in a compromise or
a breach. So having tools that can help users prevent whether that's inbound or outbound
email threats at the time they're occurring, rather than trying to deal with them later from a route.
Where do you suppose we're headed here? I mean, I can't think of anyone that I know certainly who
looks forward to going through their email. It seems like it's sort of a necessary evil. We
accept that we must do it, but nobody that I know enjoys it. And the security aspects are part of that.
Is there any hope of progress in the future with that?
Or does it seem like we've been stuck with email for all this time
and looks like that's what the future holds?
Well, I mean, there's definitely a shift to more messaging type of communications
in a lot of organizations.
But they largely hold all the same similar challenges as email does.
You log into Teams, for example, and you can sit there with 50 different
Teams channels pinging away nonstop all day and links being there
and having external users that you're communicating with outside of your organization.
So a lot of those risks also exist in those messaging platforms
as well as email.
What are the take-homes for you from this report?
What are the things that you hope people take away from it?
I think it's, I mean, the key thing is that people make mistakes. You know, obviously there are malicious actors who go out there and are deliberately trying to compromise, whether that's trying to compromise your organization or whether they're kind of taking part in a scam or fraud to get some vouchers or something like that.
Those things happen.
But it's more likely that it's an accident.
You know, someone's not concentrating, they're working late,
they've got an email thrown on the phone, it looks urgent,
and they're clicking to respond.
So, as I said, having good training in place
and making sure people understand the sort of pressures
colleagues would put on each other in order to get something done
and what's acceptable and what isn't.
But it's making sure
that you've got tools that are kind of ubiquitous across the different environments you've used,
whether you're using Outlook as a client or a mobile device,
and have advice on whether that email is a risk or not.

That's Robin Bell from Egress.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And joining me once again is Thomas Etheridge. He's Senior Vice President of Services at CrowdStrike.
Thomas, it's great to have you back.
I want to touch today with you on identity management,
which I know is something that you and your team there at CrowdStrike focus on.
What can you share with us today?
First of all, Dave, it's great to be back.
Identity seems to be becoming the new endpoint, so to speak.
We've seen a huge influx of incidents over the last year.
With those incidents and ransomware outbreaks, the big denominator is that most of them occur through the use of stolen credentials. So identity is increasingly more important from a security perspective
based on the threat actors and the activities we see from an incident response perspective.
And what sort of shifts are we seeing to improve our security in this particular area?
In terms of security, Dave, there's a big focus around understanding identities,
privileges, privileged accounts, who has them, whether or not they're compromised.
And the concept of zero trust is becoming increasingly more important for organizations as they try to build out a framework that protects critical assets and infrastructure within their organizations.
What sort of things are you and your team
recommending here in terms of organizations who want to get on top of this? What's your
words of wisdom? Well, first of all, there's a lot of confusion around what is zero trust.
One thing we try to do is educate customers on what it is and what it is not. Zero trust requires that all users, whether in or outside of an
organization's network, that they should be authenticated, authorized, and continuously
validated before being granted and maintaining access to certain systems and applications and
the data that they're using. So really putting a kind of a model in place that allows organizations to better
get visibility into how identities are being leveraged in their organization, to monitor
those and to make sure that if a user needs to get additional privileged access to resources
within an organization, that they're re-authenticated through a higher level of
authentication to those assets.
How heavy of a lift is that for organizations to take that on?
What's that transition period typically like?
Well, I think the big thing is the cost and the time spent not doing it is way too risky.
We've seen an 82% increase in ransomware-related data leaks.
62% of the attacks we saw were malware-free attacks,
meaning the threat actor was able to gain access to stolen credentials and use those credentials to gain access into an organization's environment.
And we've also seen breakout time,
which is a metric we've talked about before on this podcast,
down to about 98 minutes.
So organizations really have about an hour and a half in order to detect a malicious
user using stolen credentials before that user can move to other assets in the environment
and potentially deploy ransomware.
So there really is a focus around the technology and the people in the process to try to improve visibility and control over this particular area.
What's the outlook here? Are you optimistic that we're gaining ground on this?
I am. I think this has been a huge topic in a number of the conferences recently that I've attended. A lot of organizations understand the importance of identity. We need access to identity data when we're performing investigations, and I think that's not lost on organizations. Identity management's not a new concept. It's been around for a number of years, but I think getting visibility and implementing controls like zero trust across organizations are things that companies and organizations can do to improve their overall capabilities to detect and respond to incidents when they do happen.
All right. Well, Thomas Etheridge, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie ... Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.