CyberWire Daily - Ukrainian President Zelenskyy addresses the US Congress, as Russia’s hybrid war continues. LokiLocker ransomware flies a false flag. CISA warns of Russian cyber threat. Advance fee arrest.
Episode Date: March 16, 2022
Ukrainian President Zelenskyy addresses the US Congress, as intelligence services, contractors, and hacktivists wage their part of a hybrid war. BlackBerry describes LokiLocker, a new strain of ransomware that's not Iranian, but would have you think it is. CISA and the FBI warn of a Russian cyber campaign. Nigeria arrests an alleged advance-fee scam artist (he's been wanted for some time). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/51
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k at checkout.
Ukrainian President Zelensky addresses the U.S. Congress
as intelligence services, contractors, and hacktivists wage their part of a hybrid war.
BlackBerry describes LokiLocker, a new strain of ransomware.
CISA and the FBI warn of a Russian cyber campaign.
Awais Rashid looks to securing critical infrastructure.
Our guest is Derek Manky of Fortinet with a look at advanced persistent cybercrime.
And an alleged advance fee scam artist is arrested in Nigeria.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 16th, 2022.
First, a brief note about Russia's war against Ukraine. Russia continues its maneuver-poor, firepower-rich assault on Ukraine's cities.
President Putin may have said this morning that all was proceeding according to plan and that victory was in sight,
but the facts on the ground seem to belie this.
The British Ministry of Defense in yesterday's situation report argued that Moscow is feeling a manpower shortage among its combat forces.
Addressing Americans and friends, Ukrainian President Zelensky spoke to a joint session of U.S. Congress this morning.
His general aim was to argue that Ukraine's cause was substantially humanity's cause. His specific aim was to obtain a no-fly zone, or failing that, shipments of combat aircraft and air defense systems.
Denouncing Russia's invasion as an assault against basic human values,
Mr. Zelensky emphasized that the hopes and aspirations of the Ukrainians,
who are now under threat, are felt and shared by people everywhere.
He compared the Russian invasion to the attack on Pearl Harbor and the attacks of 9/11,
and asked that Americans consider that Ukraine has been experiencing a Pearl Harbor and a 9/11 every day for the past three weeks.
President Zelensky, switching to English, closed with an appeal for a recognition that peace in your country depends upon peace in your neighbor's countries.
He said, quote, we want the right to live in peace and to die when your time has come, end quote.
Ukraine's cause is, he argued, the cause of humanity itself.
There may be a benefit to permitting some U.S. companies to continue their Russian operations.
The Washington Post says that one reason Apple, Google, and Cloudflare, to take three tech examples, have maintained a presence in Russia, albeit a reduced one, is that the U.S. government wants them to stay there.
Their services provide Russian citizens at least some access to unfiltered news.
Ukraine has arrested an individual identified only as a hacker who was allegedly engaged in helping Russian commanders send instructions to their troops via cellular networks, CNN reports.
Investigation of the attack against Viasat's KA-SAT internet service continues, Reuters says.
It's presumed to have been a Russian operation,
and while technical details on the incident have been sparsely shared,
senior Ukrainian cybersecurity official Victor Zhora said,
quote, I believe that's one of their goals,
to destroy providers' infrastructure
and to prevent the Ukrainian armed force to actually communicate with each other. End quote.
Zhora also shared his assessment of why Russian cyber operations
have been less devastating than was confidently predicted during the run-up to the war.
The Washington Post gives Zhora's top three reasons
for Russian cyber's failure to show up in overwhelming force.
First, Russian hackers aren't nimble enough to identify and compromise
the most important Ukrainian government and industry targets
during fast-moving military operations.
Second, stealthy cyber attacks aren't that useful in comparison
to the damage Russian troops are causing with bombs and missiles.
And finally, Russian cyber operations are too busy protecting their own digital infrastructure.
That digital infrastructure is itself under attack, mostly at a nuisance level, by hacktivists sympathetic to the Ukrainian cause.
Zhora expressed his appreciation for their efforts against the Russian enemy, but he distanced their activities from Ukrainian government control.
BlackBerry this morning announced its discovery of a new strain of ransomware,
which it's calling LokiLocker.
It targets Anglophone victims who use Windows PCs.
It's unrelated to the Locky ransomware variant and to the infostealer LokiBot.
It shares some similarities with the LockBit ransomware, such as registry values and ransom note file names, but it doesn't seem to be its direct descendant.
One notable feature of LokiLocker is its self-presentation under an Iranian false flag.
CISA and the FBI have issued a new joint advisory on Russian state-sponsored activity.
The activity has been in progress for some time, traceable back to May of last year,
and seems to bear no immediate connection to Russia's present war against Ukraine.
The unnamed threat actors gained network access through exploitation of default MFA protocols and a known vulnerability.
That vulnerability was PrintNightmare.
CISA advises organizations to take three steps:
enforce multi-factor authentication and ensure configuration policies prevent fail-open and re-enrollment problems,
disable inactive accounts,
and finally, patch systems, especially against known exploited vulnerabilities.
And finally, Nigeria's Economic and Financial Crimes Commission has announced the arrest of someone the authorities in a few countries, the U.S. among them, have been interested in talking to for some time.
Mr. Osondu Victor Igwilo, who's been wanted by the FBI for a couple of years, was apprehended when the Economic and Financial Crimes Commission's Lagos command swooped on him, as they say.
Mr. Igwilo is accused of money laundering, aggravated identity theft, and conspiracy to commit wire fraud.
He and his colleagues are thought to have scammed people out of about $100 million through advance fee scams, the kind where they ask you to pay some money to set up a big, big, bigger-than-you-can-imagine payday.
He'll soon receive his day in court.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
We are familiar with the term APT, Advanced Persistent Threat, typically defined as a
stealthy threat actor, typically a nation-state or state-sponsored group which gains unauthorized access to a computer network
and remains undetected for an extended period.
Derek Manky is chief security strategist and VP of global threat intelligence at Fortinet's FortiGuard Labs.
He and I spoke recently about a category of threat actor his team is calling APCs, Advanced Persistent Cybercrime.
Typically, you know, when we look at the vast majority of attacks we're looking at through FortiGuard Labs and our lens, it's cybercrime, of course.
That's mostly what we deal with. Ransomware, of course, is a household name now today.
Largely, though, in the past, those attacks have been more of the
blanketed campaigns, right, trying to land a lot of different targets, see what they can do with it
and monetize it that way. So we know it's a big business cybercrime. But the disturbing trend
we're seeing is this shift to, yeah, exactly what we're calling advanced persistent cybercrime,
because it's exactly that. It's just like an APT, but now we're getting the world of cybercrime
more heavily focused on that pre-attack phase,
reconnaissance, weaponization, targeted attacks.
We're starting to see these cybercriminal groups hop on
zero-day vulnerabilities and exploits quicker.
We're starting to see them do more of the reconnaissance and blueprinting
and really move towards targeted attacks.
Look no further than some of the high-profile ransomware attacks that we've seen that have been targeted.
So that's really what this is about.
It's categorizing these into this sort of newer form.
And the other thing, the driver, the underlying driver behind all of that is sophistication.
That's what we're seeing, and that's what we've highlighted in our latest threat landscape report.
It's interesting to me that it seems as though we're seeing some of these actors taking on some of the techniques that we would have previously expected to see from some of those advanced persistent threats and some of those nation-state groups. And I've seen speculation that perhaps some of these folks are actually, you know, moonlighting,
that maybe, you know, by day they're working for some of those organizations,
and then those organizations look the other way while they do a little bit of privateering.
Do you suspect that's part of what we're seeing here?
Yeah, absolutely.
And it's actually interesting, Dave, because we're working on another project to try to find exactly that.
This is actually through the World Economic Forum and the Partnership Against Cybercrime.
But we're actually looking at exactly those connections, right?
How we can tie the APT groups, which are widely documented and known, specifically, I mentioned MITRE before, and cyber criminal groups. And really what we're already discovering is that there are inherent connections between the two in terms of infrastructure, the techniques used and so forth.
And it's no surprise, too, that the cyber criminal aspect of this, the reason they're able to do this now is a result, unfortunately, of years of making mass profits off cybercrime.
So given that this is the reality, what is your advice to those out there who are tasked with
defending their networks? What words of wisdom do you have for them?
Don't be scared. I think there's a lot of, there's still a lot of good news happening out there.
First of all, just be rest assured, we're fighting this fight ourselves when it comes to partnering and collaborating and working on the disruption piece.
First, we need to understand these groups, the ecosystem, the makeup of it first.
Then we can actually start from our perspective, yes, we're a security vendor. So we create, you know, through our security fabric and FortiGuard
labs, we create all the protection for customers to raise and elevate the security stack. But we're
also participating in the disruption campaigns, right, to work with law enforcement, to work with,
you know, Cyber Threat Alliance, World Economic Forum, and so forth, to share threat intelligence
and action on it.
So we're doing that.
But if we look at this from a CISO lens, the other thing you can do here is to really look at the TTPs, right?
That's what we're honing in on now.
So I call this high-resolution intelligence, but it's the techniques, tactics, procedures, being able to not boil the ocean, because that can be an exercise for eternity.
There's millions of these logs coming in a day.
But really to look at the relevant techniques that are happening with these APC groups,
understanding how that applies to your vertical.
And then once you have that strategic view, i.e., okay, we know there's 10 different techniques
that they're employing in the MITRE ATT&CK framework, you can come up with a much more strategic defense for that, identify gaps.
That's Derek Manky from Fortinet.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Awais Rashid.
He is the director of the Center for Doctoral Training in Cybersecurity at the University of Bristol.
Awais, it's great to have you back.
I wanted to touch with you today on critical infrastructure and the security of that. Obviously, this is something that I think has really come to the fore with some of the situations we're seeing around the globe.
Indeed. And, you know, you only need to go to major news sites in the last few months. We saw the ransomware attack on the Colonial Pipeline in the U.S.
There was also news that an attacker breached a water treatment facility
and was only detected because a human noticed that the treatment parameters had been altered.
And of course, with the current geopolitical situation, including the conflict in the Ukraine,
you know, there are echoes of what we saw a few
years ago, for example, a cyber attack on a power grid in the Ukraine a few years ago. And this has
really brought all of this to the fore and the importance of cybersecurity and securing these
critical infrastructures that service large swaths of society. And actually, a compromise to them
has a real potential to compromise supply of services
or even safety of large populations. And so what are some of the specific things that
you and your colleagues there have your eye on? So I think there are a number of things that we
need to really understand in this regard. These infrastructures tend to be very large.
They are historically, they grow organically,
and they have a large combination of legacy and non-legacy systems that are in place.
In many cases, it's not really possible to have the best encryption mechanisms or the best access control mechanisms
on devices that are meant to be simpler so that they work in very predictable ways
and you can prove particular safety properties for them.
Now, traditionally,
they used to be what you would call air-gapped
because they used to be behind barbed wire,
but now they're increasingly connected
to main office systems
because you want to get real-time
or near real-time information
on the performance of the physical processes
so that you can fine-tune them
and you can ensure that they are operating optimally,
even provide remote maintenance.
And that brings with it a lot of different types
of risks and threats.
What about the fact that many times
with some of these critical infrastructure elements,
the update cycle on them can be measured in decades.
So you can have modern equipment
that's connected to something
that might be, certainly by IT standards, quite old. Absolutely. And it is really this combination
of the old and the new that poses serious challenges. But if you think about it, for instance,
you're not building a power plant to replace it in two years' time, like we do with our mobile phones on
a regular basis.
These infrastructures exist for a very long time.
And yes, they do get updates, but the updates are also organic and incremental.
So you may potentially have a controller that is running a part of the infrastructure that
is 20 years old, and you don't want to change it to an up-to-date controller because
you want to continue to operate that in predictable ways. But there are other parts of the infrastructure
that are using newer controllers and newer up-to-date devices. And it's providing security
in this really, really complex setting where you have potentially less secure devices and systems
interfacing with more secure devices and systems, interfaces with what we would consider regular IT, like your Microsoft Windows and your Linux operating systems and so on. But equally,
if you, for example, think about maritime and shipping systems and things like that,
again, they are built and ships are not kind of replaced and refitted every year. These systems
are in place for 10, 20, 30 years' time. And when we think about securing them,
we need to almost really anticipate
where the future challenges are going to come from
and how we are actually going to mitigate
against those future security challenges.
And is that where it seems that we're headed here?
I mean, the natural sort of disconnect
between the two things.
I mean, IT systems get updated regularly,
operational technology, not necessarily.
Is that sort of leapfrogging of different technologies?
That's the shape of things to come?
Yes, and it is the inevitable nature
of these kind of infrastructures.
But there are two things to bear in mind.
You actually don't want to be live updating
your critical infrastructure all the time
because you want that predictability
and you want to make sure that it's not going to keel over because of an update. But there is even
a bigger challenge because these infrastructures grow organically. Many a times, you don't know
exactly what you've got because they are distributed across many, many sites. There
are lots and lots of different devices.
You may have acquired some infrastructure that gets integrated into your network.
So one of the biggest challenges, how do you actually find what you have?
And then once you know what you have, how do you know that if you're going to run your standard kind of asset scanning or vulnerability scanning tools against that kind of infrastructure, it's not going to bring the infrastructure down?
So one of the things that we are doing at the moment is really building a very systematic analysis of various, for example,
asset scanning tools that are out there, both free and commercial ones, to try and understand what their capabilities are, what kind of information can they readily provide to infrastructure owners,
and how they can actually guide them in understanding where the risks and challenges for their infrastructures might arise,
and where might be the potential pathways that an attacker might take to compromise the integrity of the infrastructure in the sense of it operating,
not just in the sense of information integrity.
All right. Well, Professor Awais Rashid, thank you for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Irvin,
Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe.
Thanks for listening. We'll see you back here tomorrow. Thank you.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.