CyberWire Daily - Updates on Russia’s hybrid war against Ukraine. The leader of the Lapsus$ Gang may be a 16-year-old living with his Mom. Wanted cybercriminals. Hacktivism’s sometimes wayward aim.

Episode Date: March 24, 2022

Concerns persist that President Putin will take his revenge in cyberspace for sanctions. Wiper attacks reported continuing in Ukraine. Russia also sustains cyberattacks. Lapsus$--living at home, with ...Mom. A carder kingpin finds his way onto the FBI’s Most Wanted List. Andrea Little Limbago from Interos on collective resilience. Our guest is Amit Shaked from Laminar Security on shadow data. Anonymous says it hit Nestlé, but Nestlé says it never happened. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/57

Selected reading.

As Ukraine invasion stalls, Putin looks to cyber for revenge attack on US (Newsweek)
Threat looms of Russian attack on undersea cables to shut down West’s internet (France 24)
A Mysterious Satellite Hack Has Victims Far Beyond Ukraine (Wired)
Anonymous hacks unsecured printers to send anti-war messages across Russia (HackRead)
'We want them to go to the Stone Age': Ukrainian coders are splitting their time between work and cyber warfare (CNBC)
Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind (Bloomberg)
Nestlé denies Anonymous hack, claiming it accidentally leaked data dump itself (Fortune)
Nestlé says 'Anonymous' data leak actually a self-own (Register)
Nestlé: You Can't Hack Us, We Leaked Our Own Data (Gizmodo)
FBI adds Russian cybercrime market owner to most wanted list (BleepingComputer)
United States of America v. Igor Dekhtyar (US District Court for the Eastern District of Texas)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Concerns persist that President Putin will take his revenge in cyberspace for sanctions. Wiper attacks are reported continuing in Ukraine. Russia also sustains cyber attacks. Lapsus$ living at home with mom.
Starting point is 00:02:13 A carder kingpin finds his way onto the FBI's most wanted list. Andrea Little-Limbago from Interos on collective resilience. Our guest is Amit Shaked from Laminar Security on shadow data. And Anonymous says it hit Nestlé, but Nestlé says it never happened. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 24, 2022. Large-scale Russian cyberattacks against Western targets haven't so far materialized, but governments aren't prepared
Starting point is 00:03:05 to drop their guard. It strikes many policymakers, Newsweek reports, that Russian President Putin may turn to cyberattacks as retaliation for Western sanctions. U.S. Representative Jason Crow, a Democrat from Colorado's 6th District, a member of the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems, told Newsweek that, quote, Putin will use the tools at his disposal to respond, and the biggest one that he has is cyber, so I think we can fully expect that there'll be cyber attacks on the United States and our allies in weeks and months ahead.
Starting point is 00:03:42 I think we can expect Putin to come at our financial system and some of our critical infrastructure, end quote. So far, the cyber attack that disrupted Viasat's service is the one cyber incident that's had significant effects beyond the borders of Ukraine, Wired reports. That attack remains under investigation and hasn't been definitively attributed to Russia. France 24 points out another possibility. Russia might consider severing undersea cables that carry much of the world's internet traffic. This is more a report of a priori possibility based on known capabilities than a conclusion based on specific indicators and warning.
Starting point is 00:04:22 Cable cutting has a long wartime history going back to the First World War. Russia has not departed from the line it took even before its invasion began. The Russian embassy to the U.S. tweeted a representative statement back on February 18th, quote, we categorically reject these baseless statements of the administration and note that Russia has nothing to do with the mentioned events and in principle, end quote. Eric Chien, security threat researcher at Symantec Threat Intelligence, emailed us to say that his team is seeing signs that wiper attacks, specifically using variants of HermeticWiper, are continuing against Ukrainian networks. As he put it, quote, very anecdotal and while it hasn't really been in the news because it overall may not be material given the kinetic actions, the actual wiper
Starting point is 00:05:17 attacks in Ukraine have not stopped. We just saw a variant of HermeticWiper deployed again yesterday on an organization we saw previously affected. And also on March 14th, we saw a variant of HermeticWiper deployed on an organization that we also saw affected on the first day of the war. Communication with organizations in Ukraine is difficult, but our understanding is that for most of these organizations, they are far more impacted by the kinetic effects in their country. Anonymous continues its nuisance-level hacktivism against Russian targets, most recently by hijacking printers to publish anti-war messages to Russian audiences. About 160 printers were compromised to send more than 40,000 messages into Russia, according to HackRead. The IT Army of Ukraine, which is more militia than hacktivist collective, has been operating
Starting point is 00:06:12 with more official direction. CNBC puts the total number of members of the IT Army as somewhat more than 311,000. One IT Army member said of the Russian enemy, quote, we want them to go to the Stone Age and we're pretty good at this, end quote. Bloomberg reports that the leading intellects behind the Lapsus$ gang may be a couple of teenagers, one in the UK, the other in Brazil. Researchers at two prominent Lapsus$ targets, Microsoft and NVIDIA, say they've traced one of the teens to Oxfordshire, England. In view of the British teen's tender years, Bloomberg isn't revealing their name, but they do report that they go by the hacker names White and Breachbase. The police have yet to accuse Breachbase of any crime.
Starting point is 00:07:02 Apparently, rival hackers put Bloomberg onto them, quote, the teenage hacker in England has had their personal information, including their address and information about their parents, posted online by rival hackers, end quote. The reporters haven't spoken to Breachbase, but they were able to talk to their mom through the doorbell intercom. She said she knew nothing of the allegations, was upset that her child had been the subject of harassment, and that she was calling the police. Police in the Thames Valley and in San Francisco,
Starting point is 00:07:35 who are investigating Lapsus$, declined to comment. Lapsus$, which was apparently motivated in part by a thirst for notoriety, may now have more of it than they're finding comfortable. Bloomberg quotes one of the gang's accounts. A few of our members has a vacation until the 30th of March 2022. We might be quiet for some times, the hacker wrote in their Telegram channel. Thanks for understand us. We will try to leak stuff ASAP.
Starting point is 00:08:04 Stay tuned. The US FBI has added accused Russian carder kingpin Igor Dekhtyarchuk to its most wanted list. He's charged with wire fraud, aiding and abetting, access device fraud, trafficking in unauthorized access devices and other crimes. And finally, to return to Russia's war against Ukraine and the sometimes wayward aim of the hacktivists engaged therein, Anonymous claims to have compromised Nestlé's corporate network. The hacktivist collective says it extracted 10 gigabytes of sensitive data,
Starting point is 00:08:39 which it subsequently dumped on the Internet in protest against the company's failure to have completely suspended operations in Russia. But this seems to be mistaken exaggeration at best. Data were indeed exposed, but Nestlé says, according to the Register, that their networks weren't in fact compromised. The data, the company says, originated with, quote, a case from February this year when some randomized and predominantly publicly available test data of a B2B nature was unintentionally made accessible online for a short period of time on a single business test website, end quote. Nestlé investigated and found
Starting point is 00:09:17 the exposure to be trivial. In a separate move, lest any hacktivist decide to take a real whack at them, Nestlé expressed its solidarity with Ukraine and said it was limiting sales in Russia to baby food and hospital nutrition products. Specifically, Mr. Lavrov will henceforth lack access to KitKats and Nesquik. Nestlé's distinction among its products is difficult to fault on humanitarian grounds, and their statement is worth quoting in full: As the war rages in Ukraine, our activities in Russia will focus on providing essential food, such as infant food and medical and hospital nutrition, not on making a profit.
Starting point is 00:09:57 This approach is in line with our purpose and values. It upholds the principle of ensuring the basic rights to food. Going forward, we are suspending renowned Nestlé brands such as KitKat and Nesquik, among others. We have already halted non-essential imports and exports into and out of Russia, stopped all advertising, and suspended all capital investment in the country. Of course, we are fully complying with all international sanctions on Russia. While we do not expect to make a profit in the country or pay any related taxes for the
Starting point is 00:10:30 foreseeable future in Russia, any profit will be donated to humanitarian relief organizations. This is in addition to the hundreds of tons of food supplies and significant financial assistance that we have already contributed to support the people in Ukraine and refugees in neighboring countries. And these efforts will continue. We stand with the people of Ukraine and our 5,800 employees there. Nicely said, Nestlé. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:11:21 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:15 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:58 Trying to imagine the amount of data storage in the cloud is kind of like trying to fathom the distance between galaxies and space. At some point, the numbers get so big, it's just not possible for our brains to comprehend in any meaningful way. For cloud storage, the abundance of available storage can lead to organizations losing sight of what they have and where they have it. Amit Shaked is CEO and co-founder at cloud data security firm Laminar, and I caught up with him for a lesson on shadow data. Shadow data refers to all the data stores, databases, data lakes, warehouses that are largely unknown to the organization. And this can be running a data store or a backup or a copy or a log file or even just a data in a table format that's hiding in your environment.
Starting point is 00:13:51 And shadow data is more likely to be misconfigured and unmonitored and also violate your data security and privacy policies. And what we find is that very often shadow data is not even used. It can sit there for months or even years in the environment without anybody using it and without creating any revenue for the organization. But this whole time, it's a wonderful target for the attackers. So what are the ways in which shadow data is typically created here? Is this a matter of folks just sort of going about their day-to-day business and forgetting
Starting point is 00:14:28 that they've copied something and stuck it in a folder for their convenience? Things like that? Yes, exactly. It's part of the day-to-day work and it's part of what comes with the cloud transformation. Actually, it's a combination of the cloud transformation that just drives developers or makes it easy for developers and data scientists to leverage data more easily to create, store, and the data democratization
Starting point is 00:14:52 that kind of encourages them to do it more freely. So the combinations of these two just creates more and more data stores and combined with the lack of gatekeepers, it means that security teams are not always aware of all these data stores that are being created and used. And this lack of gatekeepers is just because modern security organizations don't want to stop developers from leveraging data.
Starting point is 00:15:18 They want to enable them to do it more and more. But what it means is that they're no longer always part of the process of creating and leveraging this data. So they lost the opportunity to ask very important questions about the data, like what is this data used for? How is it protected? Who do you share it with? And so having more and more data stores without security and data teams' awareness creates all this shadow data. And that's kind of the, let's say, motivators and drivers for them. And I'm happy to also share some examples of shadow data that we find with our clients. Well, help me understand then, how do we go about preventing this?
Starting point is 00:15:58 It seems to me like data storage is cheap enough to practically be free. And I can understand users having a bit of a pack rat mentality of saying, I'm just going to set this aside until I need it. And why delete it if it's not really causing me any trouble? Who knows when I may need this again? Yes, exactly. So you're almost right. It is exactly the mentality of developers.
Starting point is 00:16:24 And I'll also say that it's, you know, it's always very scary to delete a database. Maybe someone else is using it. So it's way easier to create one than delete it. But it's not that data is free. Actually, data is one of the main cost drivers in the cloud. It's just not that, like, the people that are creating it are not the people that are paying for it.
Starting point is 00:16:42 So yes, I mean, this is a huge cost in the cloud. And so what do you propose here? How can organizations get on top of this? As you said, the abundance of data stores means that in modern enterprises, there can be thousands or even tens of thousands of data stores. With that, millions of different files that can be stored within them.
Starting point is 00:17:04 So manually go one by one and trying to find shadow data is not really effective. So automation here is the key, right? You need continuous and automated, first of all, discovery of data stores and of shadow data, of security, like how this shadow data is configured, and also in terms of access monitoring. So who is actually accessing this shadow data? So you need this continuous monitoring embedded within your environment,
Starting point is 00:17:34 embedded within your cloud, embedded into the CI and CD pipeline. That's Amit Shaked from Laminar. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:18:18 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Andrea Little-Limbago. She is the Vice President of Research and Analysis at Interos. Andrea, it's always great to have you back. I want to touch base with you today on something I know you've had your eye on, and that is this notion of collective resilience. Can we dig into that?
Starting point is 00:18:59 What exactly are we talking about there? Yeah, and thanks, Dave, for having me back. You know, I think we spend a lot of time, you know, appropriately highlighting some of the challenges and attacks and the offensive measures that are going on and the innovations that are going on. And absolutely need to cover that. But I think there's been much less focus on some of the innovation that's going on on the defensive side. And I think there's been a lot going on in that area over the last couple of years. Really moving away from, you know, we've heard for way too long, you know, the perimeter is dead and so forth. And some of that kind of stops and has become kind of marketing and so forth.
Starting point is 00:19:31 But we're seeing some really interesting movements as to what can we do to be working together as defenders to build up all of our own collective security, our own collective resilience against the onslaught of cyber attacks that are going on. And it was a couple of years ago, around May of 2020, that CISA put out a blog really focusing on how to build collective resilience for the ICT supply chain. And in there, they walk through really how both obviously critical infrastructure is necessary to protect, but that can't be done alone. That really does need to be a public sector, private sector together, working together in really interesting and innovative ways. And that's how we will, as a society, build up this notion of collective resilience against the attacks. That each of us going off on our own, doing our own thing, really doesn't help out that much. It really does have to be greater coordination.
Starting point is 00:20:22 On the one hand, it's easy to make sense when you say it, but in reality, it becomes very, very difficult. Is this sort of the cyber equivalent of a neighborhood watch? Yes, although even with neighborhood watch, you do worry about some of those. You've heard like the social medias that kind of have gone crazy. So we want to avoid, we want the benefits of some of the neighborhood watch, but avoid some of the craziness that goes along with it. But it is thinking along the lines of, you know, what can we be doing together? And so some good examples are, you know, there was a joint simulation of a cyber attack on a global financial system that the IMF put out. And this is, you know, on one hand, this was just in December of 2021.
Starting point is 00:21:17 And so you'd think that, oh, I'm sure the IMF has done things like this for years. But no, it was the first time they had done sort of this joint basically wargaming of what different – they brought countries, I think about 10 different countries together to this joint wargame on what would happen if there was a cyber attack on the financial system. And that kind of coordination and cooperation is necessary, right? I mean, those are, we talk about, you know, these sort of, these negative, you know, kind of events happening, but don't do, but haven't really focused on, you're bringing the various groups together to help address those. And when you, we see a lot of it going on within companies or within a country, but not necessarily across those areas, across those boundaries that normally tend to exist. And so we're seeing, you know, numerous instances of that where we're seeing both at the strategic level, countries starting to come together to see how they can create defenses together or policies that align together. And we see it all the way down to the tactical level where we're seeing a lot of open source contributions, for instance, on how to help build supply chain security and open source software
Starting point is 00:22:00 as well into your security system. So that's really interesting to see. There's at least almost like half a dozen different efforts right now of open source software that's been created to help companies and individuals at large really spot vulnerabilities, how to assess the integrity of their digital supply chain. And that's in the open source area. You've got the Linux Foundation, open web application folks are doing work in this area. And so it's really, you see it all the way, almost from the grassroots and open source community all the way up to the highest levels of governments and then international government organizations.
Starting point is 00:22:35 Thinking of pursuing interesting and novel ways for collaboration to help strengthen our defenses. You know, one thing I've noticed in doing our Research Saturday show, the folks that I talk within research arms of organizations where, you know, you have these organizations that public facing are competitors, but the researchers behind the scenes have channels to share information with each other. And that's a big part in the success of what they do, of making sure that they're able to bounce things off of each other, share things for the greater good. And that's exactly right. And that's when you think a lot about information sharing, and we think about the information sharing communities, and those are very important. That's the more formalized mechanisms that you need. But to your point, the informal avenues, I'd argue, are just as important because those
Starting point is 00:23:24 are the ones that are very timely. You know who you can call if you have a question and you can get that answer right away. You don't have to deal with various kinds of bureaucracies limiting some of that collaboration. So the formal mechanisms are 100% necessary, but these informal ones really are a great way for researchers to help each other out and to help get that real-time awareness of what may be going on and help spread that word. And so, again, I think it goes back to as well, you know, it's one of the benefits of having some of the in-person conferences that we used to have where a lot of those conversations would happen where people could meet other people working in those areas. And, you know, the hybrid has been, or the virtual has been great for exposing greater audience.
Starting point is 00:24:01 But I think, you know, the more that we can help promote those informal means as well for the researchers to meet each other, connect with their community in this area, I think that's just an essential part of the security community, is that sharing through those means. All right, well, Andrea Little-Limbago, thanks for joining us. Yeah, thanks for having me. Thank you. Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Starting point is 00:24:56 Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
