CyberWire Daily - Ukrainian crisis continues, with attendant risk of hybrid warfare. MoonBounce malware in the wild. Pirate radio hacks a number station.

Episode Date: January 22, 2022

US and Russian talks over Ukraine conclude with an agreement to further exchanges next week. Western governments continue to recommend vigilance against the threat of Russian cyberattacks against critical infrastructure. The US Treasury Department sanctions four Ukrainian nationals for their work on behalf of Russia’s FSB and its influence operations. A firmware bootkit is discovered in the wild. Security turnover at Twitter. Caleb Barlow looks at wifi hygiene. Our guest is Allan Liska on his latest ransomware book. And a number station gets hacked, in style. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/14 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. U.S. and Russian talks over Ukraine conclude with an agreement to further exchanges next week. Western governments continue to recommend vigilance against the threat of Russian cyberattacks against critical infrastructure. The U.S. Treasury Department sanctions four Ukrainian nationals for their work on behalf of Russia's FSB and its influence operations. A firmware bootkit is discovered in the wild.
Starting point is 00:02:23 Security turnover at Twitter. Caleb Barlow looks at Wi-Fi hygiene. Our guest is Allan Liska on his latest ransomware book. And a number station gets hacked in style. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 21st, 2022. Both sides of the dispute over Russian preparation for hybrid warfare against Ukraine bring firm lines with them to the talks now underway in Geneva, where U.S. Secretary of State Blinken is meeting Russian Foreign Minister Lavrov. The Guardian reports that Secretary Blinken told his counterpart
Starting point is 00:03:21 that the U.S. would reply formally to Russian proposals, that is, the soft ultimatum issued last week, sometime next week, but that certain NATO positions, in particular the right to offer membership to Ukraine and other countries, were not up for negotiation. The Secretary also said that the U.S. was open to a summit between Presidents Biden and Putin. Secretary Blinken summarized the U.S. position, which he took care to point out was also the NATO position. The discussion today with Minister Lavrov was frank and substantive. I conveyed the position of the United States and our European allies and partners that we stand firmly with Ukraine in support of its sovereignty and territorial integrity. We've been clear.
Starting point is 00:04:12 If any Russian military forces move across Ukraine's border, that's a renewed invasion. It will be met with a swift, severe, and united response from the United States and our partners and allies. Those remarks are courtesy of C-SPAN. The Wall Street Journal sees last week's cyberattacks against Ukrainian targets as pointing to a broader risk of more general cyber war. WhisperGate was, like NotPetya a few years ago, a pseudo-ransomware attack that delivered a wiper behind defacements and spurious ransom demands. It was, however, less sophisticated than its predecessor, and in particular it lacked the self-propagating worm features that made NotPetya a general danger. In any case, governments in the civilized world continue to take the threat of Russian cyber war seriously.
Starting point is 00:05:06 Canada's Communications Security Establishment Wednesday warned critical infrastructure operators, quote, to bolster their awareness of and protection against Russian state-sponsored cyber threats, end quote. The CSE cites earlier warnings by Britain's National Security Centre and the U.S. Cybersecurity and Infrastructure Security Agency. Indeed, the specific recommendations all three organizations offer track one another closely. Ukraine has asked another one of the Five Eyes, Australia, for technical assistance to help defend it against cyberattack, the ABC reports, and Australia has said that it stands in solidarity with NATO in support of Ukrainian security.
Starting point is 00:05:52 Security firm Mandiant has outlined the form it expects Russian cyber operations to assume. Quote, Russia and its allies will conduct cyber espionage, information operations, and disruptive cyberattacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyberattacks within and outside of Ukraine, end quote. Russia's allies in this case are Belarus and the occupied Ukrainian provinces in Crimea and the Donbas. The company thinks that both information operations and cyberattacks proper are a high risk. Quote, cyber capabilities are a means for states to compete for political, economic, and military advantage without the violence and irreversible damage that is likely to escalate to open conflict. While information operations and cyberattacks,
Starting point is 00:06:52 such as the 2016 U.S. election operations and the NotPetya incident, can have serious political and economic consequences, Russia may favor them because they can reasonably expect that these operations will not lead to a major escalation in conflict. The U.S. Treasury Department yesterday announced that it was bringing sanctions against four individuals for their role in advancing Russia's influence operations with the objective of destabilizing Ukraine. Treasury explained its rationale as follows, quote, Today's action is intended to target, undermine, and expose Russia's ongoing destabilization
Starting point is 00:07:31 effort in Ukraine. This action is separate and distinct from the broad range of high-impact measures the United States and its allies and partners are prepared to impose in order to inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine. The individuals designated today act at the direction of the Russian Federal Security Service, the FSB, an intelligence service sanctioned by the United States, and support Russia-directed influence operations against the United States and its allies and partners." The individuals sanctioned include two members of Ukraine's parliament
Starting point is 00:08:09 and a former deputy secretary of the Ukrainian National Security and Defense Council. The connection with the FSB is important since that Russian agency is itself under sanction. Researchers at security firm Kaspersky report finding the third known firmware bootkit MoonBounce in the wild. Implanted in UEFI firmware, MoonBounce is, Kaspersky says, not only sophisticated but difficult to detect and remove. The researchers attribute the activity with high confidence to APT41, a Chinese threat group also known as Barium, Winty, and Wicked Panda. APT41 carries out state-directed espionage, but there's also good reason to think it runs an APT side hustle as well, engaging as it does in financially
Starting point is 00:08:59 motivated cybercrime. The U.S. FBI has had five members of APT41 on its wanted list since 2019. Forensic News reports that U.S. officials are concerned that the Russian company Infotex has maintained a business presence in the U.S., despite its place on the Commerce Department's entity list. Twitter has purged its security team, the New York Times reports. The social platform's new CEO, Parag Agrawal, let Mudge, the company's head of security, go this week, and Twitter's CISO Rinki Sethi is also departing. They're both likely to land somewhere else soon. CISA issued four industrial control system advisories yesterday. Such advisories are always worth a look, and especially right now,
Starting point is 00:09:51 with the civilized world very much on the alert for cyberattacks against critical infrastructure. And hey everybody, let's think a little about spycraft, electronic warfare, and popular music. let's think a little about spycraft, electronic warfare, and popular music. Some pirate radio station has hacked into the Russian number station UVB-76, a Cold War relic, still active, that for decades has broadcast numbers and beeps in support of espionage operations. It's on the shortwave, and it sounds like this, with some Tatyana or Katerina reading off a corny bunch of numbers, totally in Russian, like this. So, of course, the pirates also put up a bunch of predictable internet-inspired memes,
Starting point is 00:10:40 which, when you think about it, is really okay in its own way too, because the noise they put up through their SDR drew a troll face when you ran it through the spectrum analyzer. But Vice says the hackers also chose to replace some of the dull beep and number feed with Gangnam Style. So props to the pirates for acting like a bunch of internet delinquents and K-pop hotheads. As an exercise in jamming, it's pretty good, like the way the opposing force at the National Training Center used to jam the Blue Force tactical nets with California Dreamin', because nothing says a guard's motorized rifle division is on the move into your AO
Starting point is 00:11:26 better than the mamas and the papas. So well done, pirates. Not actually that we approve of this sort of thing, but on the other hand, you've got to admire their style, especially when it's Gangnam Style. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:12:02 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:12:56 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Alan Liska is a threat intelligence analyst at Recorded Future and author of the new book, Ransomware, Understand, Prevent, Recover.
Starting point is 00:13:48 I spoke with Alan Liska over on the Recorded Future podcast about the book, and we've got an excerpt from that conversation here. I co-authored the book with Tim Gallo back in 2016, and the ransomware kind of market has changed a lot since 2016. And ransomware attacks have changed dramatically. Some of the defenses that are needed have changed. Two really big things are big game hunting. So instead of when I wrote in 2016 or when we wrote in 2016, ransomware was single machine, encrypt that machine, and then you're done. It was still a big problem for organizations because they were getting hit a lot. So those single machines kind of added up, whereas today it's encrypting thousands of
Starting point is 00:14:38 machines at the same time. And of course, with that comes a much more hefty ransom involved. And then there's also the idea of that extra extortion, the double and triple extortion of leaking files, which wasn't the case. And I'll also throw in ransomware as a service has made it a lot easier for anybody to kind of get into the ransomware game. Whereas in 2016, you had to have some level of technical skills, not much, but you had to have some. Now, really, there's handbooks, there's guides that are available. Ransomware actors brag about how easy their ransomware is to install once you get in the network. And so that really does make a big difference. Yeah, it strikes me how much this vertical, I guess we could call it,
Starting point is 00:15:28 has really professionalized itself. That, you know, it's not just, you know, the kids in the AV club who are doing this. I mean, these are serious organizations. Right, absolutely. I mean, you know, when we talk about the growth of ransomware, it's not just that ransomware itself has gotten bigger, but the ransomware ink, if you will, has gotten bigger in that, you know, now you their ransomware. They hire initial access brokers to gain that first footing and then buy the access from them. So there's this whole sort of set of cottage industries that have sprung up in support of ransomware. And part of that is just because ransomware makes so much money. Right now, outside of possibly business email compromise, so much money. Right now, outside of possibly business email compromise, ransomware is the most profitable, by far, cybercriminal activity. So what has changed then in this updated book in terms of your recommended approaches for people to prevent this and deal with it if they do find
Starting point is 00:16:43 themselves falling victim to it? You know, it's funny because some of the things just haven't changed. People just haven't started doing them yet. So, you know, some of the things like you need better asset management, you need better vulnerability management, right? That's kind of, you know, you've been doing this for a long time. I've been doing this for a long time. We've been saying that for 20 plus years. That still is kind of needs to be done. Network segmentation, that was in the
Starting point is 00:17:10 first book, and that's still highly recommended now, even more so with, you know, mass deployment of ransomware. Some of the things that are different, though, really focusing on improving your incident response and disaster recovery plans. So, you know, before your incident response was on a single machine, right? So you can have kind of a loose based incident response or a loose based disaster recovery because you were only recovering for one thing. So if it wasn't fully up to date or whatever, it wasn't the end of the world. Now you need an updated incident response plan and disaster recovery plan because you need to take into account the fact that you're not down one machine, but you're down a thousand machines. And how are you going to respond? How are you going to get services back online? How are you going to prioritize that? Especially when once it happens, every other
Starting point is 00:18:03 part of your organization is going to tell you that they need to be a top priority. So you need to have that in advance. Ransomware negotiators weren't a thing when we wrote the last book. So discussing when you need to hire a ransomware negotiator and if you're going to have to pay the ransom, why it's so important to have a good ransomware negotiator in there instead of trying to do it yourself. Double, triple, quadruple extortion wasn't a thing. How to prepare for that, how to handle the fact that you're going to have a whole lot of bad news coming your way, possibly for weeks or months at a time, depending on whether you pay the ransom and how long the ransomware actor kind of strings out the release of files.
Starting point is 00:18:44 ransom and how long the ransomware actor kind of strings out the release of files. And then, you know, really there's a whole chapter dedicated to protecting your domain controller because that wasn't as big a deal. When they're landing on a single machine, not as big of a deal to have to worry about them getting credentials and getting to the domain controller. But now that's kind of critical to any ransomware operation. So it has to be critical to any ransomware defense. That's Alan Liska from Recorded Future. The book is Ransomware, Understand, Prevent, Recover.
Starting point is 00:19:14 You can hear my complete interview with Alan on the Recorded Future podcast. Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:20:20 And I'm pleased to be joined once again by Caleb Barlow. Caleb, it is always great to have you back on the show. You know, we just went through the holiday season, and that means lots of folks have gotten lots of new devices that they are hooking up to their home networks. And for most people, I'm sure that means Wi-Fi. What are some of the things we need to look out for as we're connecting these newly purchased devices? Dave, did you get anything for Christmas besides coal? Did you get those cool Apple or Google devices you were after? You know, I got some N95 masks. I got a new toothbrush. You've been a bad boy, Dave. We called it the loosey-goosey Christmas this year. So you know what? I cannot say that I got any fancy electronic devices this year. No. Well, I know you have kids of similar age to mine. Yes, they did. And if your
Starting point is 00:21:10 home network is anything like mine, it's totally out of control in COVID times. So like every kid in the neighborhood is connected to my network, every visitor and every device. And I swear, if a 14-year-old shows up at my house, they've got a watch, they've got a phone, they've got four other devices, and they need Wi-Fi when they come to the door because it's more important than food. You know, but the bigger problem is many of these things, old appliances, friends that aren't friends anymore, they are still connected to your network, right? And this includes everything from my Sub-Zero refrigerator is connected to my network. Why? I don't completely understand. Well, if you leave the door open, it sends you an alert, which is kind of cool, right?
Starting point is 00:21:50 Okay. That's useful. The alarm system, lighting, who knows what else. But the problem here is you don't know the inventory of what's connected in your house. And more importantly, you don't have any idea of what's old, unpatched, and no longer needed. So let's talk about a way to clean this up, Dave. Okay. So this kind of fits into New to clean this up, Dave. Okay. So this kind of fits into New Year's resolutions right up there with change the batteries on your fire alarm. I want everybody to go out and change the name of your home Wi-Fi network because this is the easiest way to root out all the devices. And yes, it's going to be painful for your kids for 24 hours, right? So,
Starting point is 00:22:26 add devices back in as you find them. If your router allows you to do it, you can figure out, you know, the few things you've got that are hardwired, but refresh it clean and make sure everything is updated and patched as you add it back onto your Wi-Fi network. What about some of the things that may not immediately alert you that they're a problem? You know, like you mentioned, your Sub-Zero freezer. I'm thinking about your alarm system might not immediately tell you that, hey, I don't have access here. Is that a concern?
Starting point is 00:22:57 Well, if you have life safety devices in your house, like, you know, you should definitely make sure, for example, your alarm system is connected. Or, you know, if grandma lives with you and has some sort of, you know, alerting mechanism, you definitely want to make sure those things are connected. I would also argue, do you really want those things wirelessly connected? Maybe they should be hardwired, right? But the next thing that you've got to do here is when you rename it, and we've talked about this on the CyberWire before, this is really important. You've got to name it to something not unique, not your address and certainly not your name. What most people don't realize is that your SSID is mapped.
Starting point is 00:23:36 It's mapped by cellular carriers. It's mapped by the trucks that are driving around doing street mapping. trucks that are driving around, you know, doing street mapping, because the SSIDs in neighborhoods are used when you can't get a GPS signal to figure out where devices are. And if your SSID was like BittnerNet, I could go out and look that up and figure out where in the world it is. And it would tell me where your router is within a few feet. And don't forget, your devices are broadcasting out the SSIDs they connect to all the time. So all I have to do is be near you, and I can figure out what your home Wi-Fi network
Starting point is 00:24:13 is, and then I can figure out where you live. And oddly enough, you know, when I consult with law enforcement, this is a great tactic for law enforcement to figure out where a suspect's been traveling, where they connect to, because they're broadcasting it out. All they got to do is look up those SSIDs and figure out where they are. Hmm. All right. Well, good advice for sure. Caleb Barlow, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:25:00 Be sure to check out Research Saturday and my conversation with Rob Boyce from Accenture Security. We'll be discussing his joint research with Prevailion titled, Who Are the Latest Targets of Cyber Group Lyceum? That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick
Starting point is 00:25:35 Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:26:36 That's ai.domo.com.
