CyberWire Daily - Update on Russia’s hybrid threat to Ukraine. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back. And there’s a new wrinkle in the old familiar Nigerian prince scam.
Episode Date: February 11, 2022. Update on Russia's hybrid threat to Ukraine, with observations on possible international spillover. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back, and has resumed operations against government, healthcare, and education targets. Caleb Barlow warns of attacks coming from inside your network. Our guest is Tom Boltman of Kovrr on the shift in the cyber insurance market due to ransomware. And there's a new wrinkle in the old familiar Nigerian prince scam: did you know the UN was compensating victims by sending them ATM cards? Neither did the UN. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/29
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An update on Russia's hybrid threat to Ukraine.
The FritzFrog peer-to-peer botnet is back.
Caleb Barlow warns of attacks coming from inside your network.
Our guest is Tom Boltman of Kovrr on the shift in the cyber insurance market due to ransomware.
And there's a new wrinkle in the old familiar Nigerian prince scam.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 11th, 2022. Regarding Russia's hybrid war against Ukraine,
there are no publicly known major cyber attacks in progress,
but disinformation and influence operations continue.
Russian media have seized upon a BuzzFeed story published earlier this week that described possible contingency plans for moving the U.S. embassy from Kiev to a location in western Ukraine should an invasion and an attendant refugee crisis render Kiev untenable.
Those stories are being represented as a form of Anglo-American attempt to stoke fear and exacerbate the crisis.
Such opportunistic amplification has become a staple of Russian disinformation, with Facebook in particular seeing tendentious posts that have their origin in distorted interpretations of Western government statements and media reports.
Global Trade outlines four major risks an escalation of Russian pressure on Ukraine would carry for international commerce: commodity prices and supply availability, firm-level export controls and sanctions, wider geopolitical instability, and cybersecurity collateral damage.
That last one is worth some discussion here.
Global Trade reviews the experience of NotPetya, in origin and intent an action against Ukraine, as an example of the digital wreckage Russian cyber operations can work globally. But the danger isn't limited to collateral damage; there's also the prospect of direct attack.
Global Trade writes, quote, in 2017, the NotPetya attack on Ukrainian tax reporting software spread across the world in a matter of hours, disrupting ports, shutting down manufacturing plants, and hindering the work of government agencies. The Federal Reserve Bank of New York estimated that victims of the attack, which included companies such as Maersk, Merck, and FedEx, lost a combined $7.3 billion. This figure could pale in comparison to the global supply chain impact of a Russia-Ukraine military conflict, which would inevitably include a cyber element. Whether Russia would target its cyber war playbook at the U.S. or EU targets in retaliation for any support to Ukraine remains hotly debated. But the Cybersecurity and Infrastructure Security Agency has been urging U.S. organizations to prepare for potential Russian cyberattacks, including data-wiping malware, illustrating how the private sector risks becoming collateral damage from geopolitical hostilities. End quote.
It seems that Russian cyber operators know how to avoid collateral damage if they wish to do so.
The discriminating nature of the January cyber attacks against Ukraine suggests that this is so.
There's a great deal of talk about collateral damage circulating during the present crisis,
and it seems worth offering a definition.
The U.S. Department of Defense defines collateral damage as follows: a form of collateral effect that causes unintentional or incidental injury or damage to persons or objects that would not be lawful military targets in the circumstances ruling at the time.
Operations often have multiple effects, and a secondary effect, if it's intended, isn't collateral damage.
It might be a legitimate operation, or if a prohibited target is affected, it might be a war crime.
The gray area lies where effects are unintended but foreseeable.
Continuing coverage of the crisis in Ukraine can be found on our CyberWire website.
Ars Technica reports that Vodafone Portugal has restored many but not all of its services.
An attack that hit Monday evening took out the company's 4G and 5G networks. It also halted fixed voice, television, SMS, and voice and digital answering services.
The motive for the attack is unclear.
Vodafone Portugal has said that the incident was a deliberate attack intended to disrupt services,
but that the company hasn't received an extortion demand,
and so it doesn't appear to be ransomware.
The Fritz Frog peer-to-peer botnet went quiet back in December,
but it's now making a comeback.
Researchers at security firm Akamai, who began tracking the botnet in August of 2020, say that FritzFrog is newly active and that it's increased its infection rate by an order of magnitude over the course of a month.
Akamai says, quote, the decentralized botnet targets any device that exposes an SSH server, cloud instances, data center servers, routers, etc., and is capable of running any malicious payload on infected nodes. End quote.
It looks for exposed servers, cloud instances, or other devices, then goes on to brute force SSH credentials, and goes on from there. It can be used to carry any number of malicious payloads.
Akamai gives FritzFrog high technical marks, describing the botnet as constantly updating, aggressive, efficient, and proprietary.
Many of its infestations are in China,
and Akamai thinks the operators may either be based in that country or would like people to think they are.
Its targets have been for the most
part government, healthcare, or educational organizations. And finally, hey hey everybody,
here's a brassy twist to that old Nigerian prince scam. An email is circulating that represents
itself as coming from the United Nations. Dear email user, it begins, which seems a little impersonal,
but maybe that's how they write their emails over in Turtle Bay. It goes on all business like this.
This is to inform you that we have been working towards the eradication of fraudsters and scam
artists in Africa with the help of the Organization of African Unity, the International Monetary Fund, and FBI.
That's some credible alphabet soup to conjure with, hmm?
We have been able to track down so many of this scam artist in various parts of African countries and Europe,
which includes Nigeria, United Kingdom, Spain, Ghana, Cameroon, and Senegal,
and they are all in government custody now. They will appear at International Criminal
Court, Hague, Netherlands, soon for criminal fraud and justice. All right, they're beginning to lose
idiomatic control, as scammers tend to. So maybe dear email user is reluctantly moved to a twinge
of skepticism at this point. During the course of our investigation, we have been able to recover so much money from these scam artists. But, well, maybe you, dear email user, have read about how
the feds clawed back all that altcoin Razzlekhan and her sweetie are alleged to have tried to
launder. Maybe it's something like that. But then they really lay it on thick. The United Nations
Anti-Crime Commission and the International Monetary Fund have ordered that the money recovered from the scammers be shared among
Wait for it, wait for it
100 lucky people around the world for compensation
This email letter has been directed to you
because your email address and country name was found in one of the scammer artist's files and computer hard disk during the investigation.
Maybe you have been scammed.
You are therefore being compensated with the sum of 850,000 euros,
which you will get in the currency of your present location for easy accessibility to the money.
And how would an international organization distribute funds?
Well, through an ATM card, obviously.
The issuing bank has converted the fund into ATM card and registered it with security company to deliver to you,
according to the approval of your ATM card by the manager of the issuing bank.
The maximum amount signed for you to be withdrawing is sum of 5,000 euros only daily until you withdraw all your total fund credit on your ATM account.
Just contact them with the information they've asked for, and €850,000 could be yours,
dear email user, at the rate of €5,000 a day. In just 170 days, you, dear email user,
will be on Easy Street. And it looks totally legit. Only, why would the UN be using some random dude's Gmail account?
It's pretty weird.
And it's all courtesy of the United Nations Funds Investigation Unit.
We couldn't find the United Nations Funds Investigation Unit,
which makes us wonder if it's not some made-up organization like Starfleet, or the Illuminati, or the Brotherhood of the Bell.
The UN itself, alas, with almost palpable weariness, is raining on dear email users' parade.
A fraud alert on the actual United Nations site says, quote, the United Nations does not offer prizes, awards, funds, certificates, automated teller machine cards, compensation for internet fraud or scholarships, or conduct lotteries. End quote.
We think maybe they got the same email we did.
The rise of ransomware has triggered a shift in the cost and availability of cyber insurance and prompted many organizations to take a closer look at how they're calculating their own cyber
risk. For insights on that,
I spoke with Tom Boltman. He's VP of Strategic Initiatives at Kovrr, a provider of cyber risk model quantification.
Businesses are powered by technology. Their supply chains are powered by
technology in every way, in some way, shape or form, either directly dependent or indirectly
dependent on technology and the service providers, you know,
the power of their business. And so the potential absence or interruption or disruption to those
technology infrastructures or those supply chains, which are third party service providers that are
powering their business is now, you know, it's something that people are very sensitive to.
The question is, though, what do you do to ensure that you have business resilience,
right? How do boards and CISOs and decision makers ensure that they are prioritizing the right investments, making sure that they have the right risk transfer mechanism in place so that
should one of these events occur, they can make the right decision. So the challenge right now is
how do you make those decisions when you're not necessarily sure what your cyber exposure is in the first place.
And so how are they going about doing that?
What are some of the best practices out there
in terms of organizations assessing their cyber risk?
So today, you know, it's an evolving space.
Obviously, you know, budgets are allocated on an annual basis,
and security teams will invest in security controls and teams of people
to make sure that they are building an appropriate level of security
for the enterprises.
In addition to that, it's fairly typical that businesses will seek
some kind of insurance coverage, perhaps specifically cyber insurance coverage. And there they are receiving input from the brokers and from their carriers about
what they may be exposed to. The challenge, though, is that there is not necessarily an
evolving view of that risk that is really tailored to the organization. So it's not necessarily sure,
are we investing in the right place? What is the return on investment? Is our exposure reducing?
Is this making an impact? And what is the likelihood of all these events that could
impact us in the first place? And it's very hard to communicate between perhaps the CISO and the
board and the board to the security teams and have a unified language which can help
them, you know, really articulate in clear terms what that is. Part of the reason is because it is
technical in nature, and so it can be challenging to talk in those technical terms to people who may
or may not have a cyber background. They may not have a technology background. And so what we're
advocating is that if you're able to financially quantify each of
those decisions, whether they relate to board reporting on the overall exposure, whether they
relate to understanding and prioritizing security controls and the investments, you know, and those
sorts of decisions, of course, risk transfer, you know, how much insurance should we have?
And what should our risk transfer strategy be in the first place? Maybe, you know, maybe we can just
insure the tail risk, those infrequent large events that, you know, could really do a serious
damage and not necessarily, you know, the first offer that comes in, but have your own view of
risk that you can assess in a more dynamic way as that risk evolves.
You know, it seems to me that one of the challenges that, you know, folks like yourself who are in the cyber risk business is that cybersecurity is so dynamic and things are changing so quickly.
You know, we see even changes in the insurance market or what they will and won't cover and
prices and so on and so forth.
Can you give us some insights into that, how you adjust to those particular challenges?
Yeah.
So, I mean, part of the trick here is having the cyber expertise on hand and having the technology that can interpret those changes in the field, right? So as I mentioned, understanding those changes in the threat intelligence landscape and how they could impact businesses in an evolving, continuous way
is something that we believe is super important because ultimately events do change and companies
do change. And so you need the ability to have an on-demand way of knowing what has changed.
But of course, the wider market, especially around insurance,
is evolving as well in reaction to all of this.
And so we've seen across the board globally
higher deductibles, sublimits putting in,
exclusions around ransomware
or certain types of events and attacks that may occur,
and ultimately with massively increased premiums as well.
So you're finding a situation now where it's actually harder to get coverage that you would
like, and the terms of that are much more expensive.
And so now what we're seeing is that boards have this additional challenge is because
we're able to show them that there is, let's say, an exposure, let's say, to ransomware.
They recognize that and they
understand that. They understand that they could invest and they should invest perhaps more to try
and mitigate and prevent it. But the risk transfer options, which would ultimately, in a previous
world, have helped them insure against potential losses, may not be available to them. So now they
have this issue where they know that they can't ever 100% say we're never
going to be attacked and have this situation occur and the business interruption and the
ransom requests that come with it.
So now we have a capital management problem as well, right?
Because now we know that we have a potential liability or exposure to a potentially large
amount, and we can't stop it 100%. And we can't necessarily get the insurance
coverage that we would like that would satisfy as it did in previous times. So now we have to
perhaps either set it aside or at least understand that this is something we may have to deal with
in the year ahead. That's Tom Boltman from Kovrr. There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
And I'm pleased to be joined once again by Caleb Barlow.
Caleb, it is always great to have you back on the show.
I want to touch on a specific scenario here and get your take on this.
As opposed to a company being hit by a data breach, let's imagine that someone has gotten into my organization's network and they're using my infrastructure to do the things that they want to do.
How should I be coming about that?
What is your take on that
scenario? Well, I think, Dave, this is something we're seeing more and more routinely, not only
from nation-state adversaries, but also organized crime. It's something that's not really thought
through in most runbooks. And the response oftentimes is a little bit disingenuous because,
you know, of the 52 different breach disclosure laws we have in the United States,
they almost all focus on the idea of data exfiltration, not the bad guys using my
infrastructure. So I think one of the first things we've got to recognize when we think
about building a runbook for an adversary leveraging our infrastructure, especially if
we provide services for other people, maybe we're a cloud provider, maybe we are an application provider, is what is the extent of the damage? What are they doing? And the first inclination
people have is just to go shut things off. And that's usually the wrong answer because
then you have no idea what they're doing or what they're going to do next.
So is the play to observe them for a while, figure out what they're up to?
where the adversary is on someone's infrastructure, the reaction is to shut it off
or rapidly deploy a set of security tools
that the adversary is going to become made aware of.
And then what happens is the adversary goes
and hides on that infrastructure
in a place where they can't find them, right?
So you've got to really pay attention here
and figure out what are they doing there?
What is their motivation?
How much do they own
in your environment? Because the other thing to remember is that classic iceberg scenario.
Wherever you found them, that's probably the tip of the iceberg of where they are in your
organization. And you need to make sure that you don't lose that investigative thread to find the
rest of that iceberg. So when you eradicate it, you can eradicate the whole thing.
What's the ultimate end game here? I mean, it seems to me like on first thought, it sounds obvious, but I'm guessing there's probably some nuance.
Well, I'll tell you the big place there's nuance to is what do you communicate? Because,
you know, if you haven't lost data, what you typically see in these scenarios is the company,
you know, kind of putting out, maybe they've got to put out some sort of press release or notification.
They'll say things like, well, we have no signs that any of our infrastructure was impacted.
Okay, that's great, but what about all your customers' infrastructure?
Or was this used as a beachhead or a trusted party to get into other infrastructure?
That's oftentimes not discussed. So part of what you've got to do also, if you're kind of the downstream of this, maybe
you're the customer of somebody whose infrastructure was breached, you've also got to know what
questions to ask. Do you have logging of where the adversary was? Can you demonstrate where they were
not? And oftentimes you start asking those questions and people really
don't know the answer. So it's really key to be able to watch the adversary enough to know where
they are and what they're doing so that, you know, when you eradicate them, they're actually gone.
You know, one of the things that I think of with this is who takes the lead in something like this.
And specifically, I'm thinking, first of all,
making that decision before you're in the heat of it.
But I could very easily imagine different folks,
you know, the legal team, the C-suite,
you know, wanting to be in charge of things here.
And in the heat of battle, that could really get in the way
of doing the things you need to do.
It can.
So again, you've got to have these things thought out,
but also you've got to think of the downstream implications.
So we've seen examples of this where, let's say,
a cloud provider is implicated in that bad guys are using their infrastructure.
Well, they may not have a regulatory issue,
but their customers downstream,
let's say they're providing services to a healthcare entity that falls under HIPAA, as an example.
Well, that downstream customer has a responsibility to disclose and a whole set of regulatory pressure that's going to be on top of them.
So, you know, figuring out, like, who's going to do the disclosure?
Who's on first?
How does this information flow?
How do you coordinate?
That is very difficult to figure out in the heat of the moment with lots of lawyers involved.
You really want that stuff thought through well ahead of time.
Yeah. All right. Good advice as always. Caleb Barlow, thanks for joining us. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
If you're looking for something to do this weekend, and honestly, who isn't,
check out Research Saturday and my conversation with Avigayil Mechtinger and Ryan Robinson from Intezer.
We're discussing the SysJoker backdoor that targets Windows, Linux, and macOS.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.