CyberWire Daily - Update on Russian cyber ops and disinformation around Ukraine. Ransomware disrupts European ports. Chinese intelligence services exploit a Zimbra zero-day.

Episode Date: February 4, 2022

Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video to lend legitimacy to its claims with respect to its neighbor. European ports and other logistical installations are under attack by ransomware, apparently uncoordinated criminal activity. Daniel Prince from Lancaster University on safeguarding IoT in healthcare. Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra webmail cross-site-scripting zero-day, so users beware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/24

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video. European ports and other logistical installations are under attack by ransomware. Daniel Prince from Lancaster University on safeguarding IoT in healthcare.
Starting point is 00:02:14 Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra webmail cross-site scripting zero-day, so users, beware. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 4th, 2022. We open again with some notes on Russia's pressure on Ukraine and its implication for cyberspace. Russian President Putin is in Beijing for discussions with Chinese President Xi Jinping. One purpose of the visit is to secure Chinese support for Russia's stance with respect to Ukraine. While troops remain poised in
Starting point is 00:03:20 Russia and Belarus, staged near the Ukrainian border. Those hoping to avoid a war see hopeful signs in Russia's apparent continuing openness to diplomacy. But tensions remain high, and the U.S. warns that Russia is preparing deepfake provocations to supply a casus belli. Palo Alto Network's Unit 42 reports that Gamerodon, also known as Primitive Bear, a threat actor associated with Russia's FSB, has been active against a Western government entity in Ukraine. monitoring three clusters of Gamerodon infrastructure, collecting over 100 malware samples and finding 700 malicious domains and 215 IP addresses. Unit 42 writes,
Starting point is 00:04:13 quote, 19th, 2022. We have also identified potential malware testing activity and reuse of historical techniques involving open-source virtual network computing software. The campaign they observed relied on phishing for its initial access, and the phish bait was the familiar and surprisingly anodyne bogus job ad. The three infrastructure clusters Unit 42 observed it characterizes as Gamerodon Downloader Infrastructure, Cluster 1, File Stealer, Cluster 2, and Terranodon, Cluster 3, and it cautions that there are probably other so far undiscovered clusters in use. The FSB's attentions to Ukraine are nothing new and are likely to continue. Unit 42 says, quote, Gamerodon has been targeting Ukrainian victims for almost a decade.
Starting point is 00:05:12 As international tensions surrounding Ukraine remain unresolved, Gamaredon's operations are likely to continue to focus on Russian interests in the region, end quote. For further background on Gamaredon's recent activity, Unit 42 recommends the study Estonia's CERT-EE published early last week. The United States yesterday said that Russia had begun to prepare the production of imagery, including video, that would present faked evidence of either a Ukrainian attack on Russian forces or Ukrainian atrocities committed against ethnic Russians in Ukraine. Quote, We believe that Russia would produce a very graphic propaganda video,
Starting point is 00:05:55 which would include corpses and actors that would be depicting mourners and images of destroyed locations, as well as military equipment at the hands of Ukraine or the West, even to the point where some of this equipment would be made to look like it was Western-supplied. That's Defense Department Press Secretary John Kirby speaking Thursday during a Pentagon press briefing. This is the third announcement by either the United States or the United Kingdom alleging Russian plans for provocations or deniable false flag operations.
Starting point is 00:06:28 These announcements have been warnings and preemptive in intent. The Washington Post lists the earlier allegations. On January 14th, the U.S. said that Russia had staged covert operators into Ukraine where they were positioned to conduct false flag attacks against the nominally irregular alleged separatist forces Russia supports in Ukraine's Donetsk and Luhansk regions. A U.S. official explained, quote, the operatives are trained in urban warfare
Starting point is 00:06:57 and in using explosives to carry out acts of sabotage against Russia's own proxy forces, end quote. On January 23rd, the British Foreign Office announced that Russia was advancing plans to install a pro-Russian government in Kiev. Foreign Secretary Liz Truss said, quote, the information being released today shines a light on the extent of Russian activity designed to subvert Ukraine and is an insight into Kremlin thinking, end quote. In none of these three cases did either the U.S. or U.K. provide details on the intelligence that supported their accusations, which, of course, Russia dismissed as nonsense. As preemptive announcements, however, the three accusations clearly have some utility. Should the Russian
Starting point is 00:07:43 provocations occur, there's a chance they'll be recognized as such. Or, better yet, if Moscow concluded the gaffe had been blown, the provocations might not take place at all. The story's developing, and we shall see. Disruption of logistical choke points, petroleum distribution in Germany, port operations in Belgium and the Netherlands, continues to spread across Europe, industrial cyber reports. The record says that officials in the Netherlands don't believe the attacks are related, and Security Week quotes
Starting point is 00:08:17 Dutch authorities as saying that the attacks were probably committed with a criminal motive. The incidents are thought to be a ransomware attack, specifically with the Conti and Black Cat strains. According to Deutsche Welle, both Europol and national authorities are investigating. The consequences of the attacks against Belgian port facilities seems to have been contained and limited. Among the operators affected was SeaTank, which works in Antwerp. The BBC reports that SeaTank's corporate parent, SeaInvest, has said that its operations worldwide have been affected by the incident. For all the attention ransomware attracts as a threat to data availability and
Starting point is 00:08:57 privacy, it's worth noting the particular threat it poses to industrial systems. Clarity's recent report on the global state of industrial cybersecurity notes that, of those who responded to their survey, about half reported an effect on operational technology and industrial control systems. Valexity reports that a Chinese APT is exploiting a cross-site scripting vulnerability in Zimbra, an email platform organizations use as an alternative to Microsoft Exchange against European governments. Veloxity calls the campaign Email Thief, and it began in mid-December.
Starting point is 00:09:36 The initial infestations arrive through phishing, and the emails use a two-step approach. The first email is technically benign, that is, it carries no malicious payload and contains no malicious links. Its purpose is reconnaissance. The operators want to see first if the email account is an actively monitored one, and if it is, they want to see whether the account user is ready and willing to open an email received out of the blue from some unfamiliar sender. Many users, we note, are willing to do that,
Starting point is 00:10:09 and in many cases opening emails received out of the blue is somebody's job, so those who open the message aren't necessarily slackers, suckers, or slack-jawed doofuses. Once the operators have determined that they got a live one nibbling on the fish bait, they send a second email that contains the hook, usually a link to a malicious site that executes a cross-site scripting attack against their Zimbra webmail app. What follows can be readily imagined. Compromise of emails, compromise of networks, hijacking of accounts,
Starting point is 00:10:41 which can then be used in further phishing attacks, and so on. So it doesn't stop, alas, but keep plugging away out there, friends. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:18 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:12:18 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. AppSec firm Veracode recently released their yearly state of software security report, tracking trends they see in their customers to see how application development processes are changing. Chris Weisopel is Chief Technology Officer at Veracode. So we looked at all the applications over a 13-month period.
Starting point is 00:13:11 This was 310,000 applications. And it included over 5 million scans of those applications. So the average was scanned six times, but we know that some apps are scanned daily and some are scanned yearly. But we looked at the makeup of those applications to understand how are application development trends changing. And what we saw was the apps are getting smaller and the development process is getting more automated. Some of these findings, you know, if you split apps into small, medium, or large, we saw 143% growth of small applications. If you split the way people are invoking a testing service, are they
Starting point is 00:13:55 manually doing this through a web interface? Are they doing it through an API? We saw there's 133% growth of the API method. So these things tell us apps are getting more componentized, more microservice-oriented, and development pipelines are getting more automated. And what do you suppose is driving this trend? Yeah, so I think it really is, it's two trends, right? It's the trend towards DevOps, which is any manual step in the process is sort is deemed a bug that needs to be fixed.
Starting point is 00:14:29 And automation be put in place of manual processes to make things more repeatable, more reliable, and of course faster. So I think that's one major trend. The other one is the cloud-native application trend. Cloud-native applications are just built out of smaller executable code chunks called microservices with APIs on them, rather than the traditional data center application was more of a three-tier architecture. So we see that the fact that apps are shrinking, we're assuming that those apps are becoming more componentized and more microservice oriented. What, if any, are the security implications of things heading in this direction? attack surface because all these microservices now have APIs on them which require input validation, authorization, and authentication. That connection needs to be encrypted. When you break up a monolithic application where everything is running in one process into many different microservices, now you got to think about you have more attack surfaces,
Starting point is 00:15:45 more edges that people can interact with your code from. And so that has to be thought through. It could be a negative unless you take care of it and have a consistent approach for building these microservices and securing them. It can be a positive. It's definitely a positive to see automation of security testing. Anything that is automated can be done for every code deployment or perhaps
Starting point is 00:16:11 every code change. And that basically leads to defects being found earlier in the development lifecycle. And when you know about a problem earlier, it's both easier to fix and typically less expensive to fix. There's less people involved. There's less systems involved when you catch things as quick as possible after the defect has been created.
Starting point is 00:16:35 Well, based on the information that you gathered here, what are your recommendations for folks in the security side of the house? Should they be making some adjustments here with this reality? Yeah, so I think the trend towards microservices is something that your development teams are going to want to do. It's just a more reliable and more efficient way to build applications, especially when you have that cloud-native infrastructure. So that's something that you're going to just have to adjust to. But I think the thing that security teams can do
Starting point is 00:17:09 is make sure they leverage all that automation that their development teams have built in their CICD pipeline and make sure that any security testing they're doing that is automated can be integrated in in the right places in that CICD pipeline. And I would say even before that, if you can integrate into the IDE even before the code
Starting point is 00:17:35 is built, that's even better. Use automation, use integrations, and shift as far left as you can. That's Chris Weisopel from Veracode. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, Thank you. and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Daniel Prince.
Starting point is 00:18:54 He's a senior lecturer in security and protection science at Lancaster University. Daniel, it's always great to have you back. I want to touch base with you today on some of the things I know you're tracking when it comes to IoT devices, and specifically IoT devices that have to do with the healthcare side of things. What sort of things have you been tracking lately? So we've recently started a project here at Lancaster University to look at how can we improve the security in developing health IoT devices. And one of the challenges that we've come across, like many IoT and industrial control system kind of environments, is this balance between safety and security
Starting point is 00:19:36 and the tensions between the two. And one of the things that we've been looking at is how do we actually help developers really develop a good understanding of that balance for the products they're developing and the user and the communities they're trying to serve and we've developed this concept of safeguarding and it's this idea that you can really use security as a protection mechanism for the safety aspects of your product. And it sounds very obvious up front, but this idea of security as a safeguarding mechanism and using that as a tool to help developers understand the kind of features that they need to have in their
Starting point is 00:20:17 health IoT products is something that we're really working to develop interventions on. Can you walk us through the types of things that you're recommending here? What exactly are you laying out? So as part of the project, what we're trying to do is work with health ID developers to get them to understand at a very early stage the types of threats that they might face from the attackers. So who are the attackers and why might they attack their system? And then from that, we're helping them to develop approaches to take a balanced view about where to put their constrained resources. We've seen a boom of health IoT products from, you know,
Starting point is 00:20:57 very large companies, but a lot of very small startup companies coming along. And they've got what we call constrained developer resource, you know, it might be two, three along. And they've got what we call constrained developer resource. You know, it might be two, three people. And so when you've got that limited resource, how do you actually allocate developing of new features for the consumer alongside developing the aspects of the system that need protection and develop the safeguarding of the safety of the system, whether that be the data of the individual
Starting point is 00:21:25 or more physical aspects, such as, you know, thinking about a pacemaker, for example, is the classic cybersecurity scenario. So what we're trying to do is develop interventions and new approaches that the developers can really think about how to balance, you know, the idea of developing new features to gain more commercial ground with the protective elements that protect the safety of the individuals using their products. Is part of this making the case that it's in their long-term interest to do so, that despite the pressures to release the product, to ship the product, that in the long run, they're going to be better off if they're mindful of these things? Yeah, definitely.
Starting point is 00:22:10 I mean, there's been quite a lot of work done on the economics of security in systems. And so people like Hal Varian are building on the work of Hal Varian. So Ross Anderson, Bruce Schneier, these have looked at the economics of cybersecurity. And, you know, there's some really rational decisions around being first to market, getting the good features, making it easy for complementors to use your product, because that helps drive a monopoly within a particular sector. And so what we're trying to do is also have balanced that with this long-term view that actually you're going to have to protect your consumers and ultimately the end customers that are using your products because they're the ones that are going to be vulnerable and need these healthcare devices. So you need to be able to have that take a bit more of a long-term view, but balance that with the commercial incentive to be able to get the new features out there to be able to sell your product. And so it's entirely right to think that we need to have these approaches built in through the lifecycle of the developing of the device so that to enable developers to take this long-term view. Because after all, one of the
Starting point is 00:23:23 classic problems with security is you never know when that a security failure might occur but you definitely know that very early on what features the user wants to buy so you know it's balancing something that may never happen with something that you definitely know is going to happen and will actually help the business grow but actually you're turning the the whole thing around and will actually help the business grow. But actually, you're turning the whole thing around and saying actually security and safeguarding is a particularly important aspect of your product and service and how do you actually market and sell that is something else that we're working on.
Starting point is 00:23:56 Do you find that that's resonating with the people that you're talking to, that they're finding security? Is it a place where it's a competitive advantage? Yes and no. I think one of the things that when we're talking to the health IoT companies, they're aware that they have to really make sure that their product is safe, particularly those health IoT products which have a direct impact on physical well-being. So, you know, your classic insulin pumps and so on, the things that really directly affect the body or those that affect the environment,
Starting point is 00:24:31 for example, looking after older people so that they can remain in their home. And so you've got this real understanding that we need to build products that are safe for those to use. So the idea of how to turn security into that kind of also that message that sits alongside saying that this is a safe product, which is underpinned by digital technology. And we've gone through a really rigorous development approach to ensure
Starting point is 00:24:59 that security is something that the companies we're working with are really kind of focusing on and saying, yeah, this is exactly the type of intervention and support that we need long term so that we can improve and gain that commercial advantage. All right. Well, Daniel Prince, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Danny Adamidis from Lumen's Black Lotus Labs.
Starting point is 00:25:44 We're discussing the new Kony campaign that kicks off the new year by targeting Russian Ministry of Foreign Affairs. That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation
Starting point is 00:26:00 of cybersecurity teams and technology. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabe, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:26:21 Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
