CyberWire Daily - Updates on the hybrid war, and on the incidents at the Royal Mail, the FAA, and the Guardian. Royal ransomware exploits Citrix vulnerability. CISA’s annual report is out.
Episode Date: January 13, 2023

GitHub disables NoName accounts. Russia dismisses reports of cyberespionage attempts against US National Laboratories. The Royal Mail cyber incident is now identified as a ransomware attack. An update on the NOTAM issues that interfered with civil aviation. A Citrix vulnerability is exploited by a ransomware group. CISA publishes its annual report. Bryan Vorndran of the FBI Cyber Division calibrates expectations with regard to the IC3. Our guest is Kayne McGladrey with insights on 2023 from the IEEE. And Positive Hack Days and the growing isolation of Russia's cyber sector.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/9

Selected reading.
Impact of Technology in 2023 and Beyond (IEEE)
Ukraine at D+323: Fighting in Soledar, and industrial mobilization. (CyberWire)
GitHub disables pro-Russian hacktivist DDoS pages (CyberScoop)
Russia criticises Reuters story on Russian hackers targeting U.S. nuclear scientists (Reuters)
Royal Mail cyber incident now identified as ransomware attack. (CyberWire)
Not a cyberattack, but an IT failure. (CyberWire)
The Guardian breach and news media as targets. (CyberWire)
Citrix vulnerability exploited by ransomware group. (CyberWire)
2022 Year In Review (CISA)
Russia's largest hacking conference reflects isolated cyber ecosystem (Brookings)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
GitHub disables no-name accounts.
Russia dismisses reports of cyber espionage attempts against U.S. national laboratories.
The Royal Mail cyber incident is now identified as a ransomware attack.
An update on the NOTAM issue that interfered with civil aviation.
A Citrix vulnerability is exploited by a ransomware group.
CISA publishes its annual report.
Bryan Vorndran of the FBI Cyber Division calibrates our expectations with regard to the IC3.
Our guest is Kayne McGladrey with insights on 2023 from the IEEE.
And Positive Hack Days and the growing isolation of Russia's cyber sector.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, January 13th, 2023.
We begin with some updates to stories we've seen break earlier this week.
The first two come from the cyber phases of Russia's war against Ukraine. First, GitHub has taken down
accounts associated with the Russian hacktivist auxiliary group NoName057(16). Again, we are simply
going to refer to them as NoName. CyberScoop quotes a GitHub representative stating,
We disabled the accounts in accordance with GitHub's acceptable use policies,
which prohibit posting content that directly supports unlawful active attacks or uses GitHub
as a means to deliver malicious executables. Like so many other Russian auxiliaries,
NoName has specialized in DDoS attacks, and it's crowed high over them in its Telegram channel.
The group's New Year's greetings show some representative crowing, stating,
Did any of us know at the start of the year that something like this would happen?
Did we, ordinary programmers and difficult guys from the darknet,
know that we would need to go to the real and digital frontiers?
Did anyone know that the issues of protecting the motherland
and the re-education of the civilized world
would be carried out by us as well?
The NoNames ask rhetorically,
No, no, no one knew,
but the current situation has divided everything into before and after.
We don't know how long the NWO will last, how many spears we'll break,
and how many bumps we'll hit. One thing we know for sure, we will win. We will definitely win.
Even if the whole world is against us, they will lose for one simple reason.
The right guys are not with them. And it's total. Holiday greetings. We all have strength and
perseverance. There is
nowhere to retreat. There will be no other motherland. Well, that's one way of looking at it.
In another note from the cyber front, Russia has taken exception to Reuters' report last week
that the Cold River Group has the Kremlin's fingerprints on it. Cold River, widely believed to operate on
behalf of a Russian intelligence and security service, probably the FSB, has attempted to
compromise workers at the U.S. Brookhaven, Argonne, and Lawrence Livermore National Laboratories.
Maria Zakharova, Russia's foreign ministry spokeswoman, harumphed yesterday in a press briefing,
the latest pseudo-investigation was unfortunately published by Reuters news agency.
There was no evidence given, no facts, she added, but did not further elaborate.
Reuters stands by its story, as indeed Reuters should.
Our third update concerns the disruption of Britain's Royal Mail Service.
Those disruptions to the UK's Royal Mail service, first reported on Wednesday as a cyber incident,
have now been identified as a ransomware attack linked to the Russian-affiliated LockBit gang,
Computing reports today. The Telegraph broke the news of the confirmed ransomware attack yesterday with attribution to LockBit or an actor using the gang's encryptor. The attack was behind the
encryption of devices used for shipping internationally, and ransom notes were
reportedly printed on printers intended for customs dockets. The ransom note claims to be
LockBit Black ransomware, with links to Tor sites used
by LockBit operators and a decryption ID said by multiple security researchers to be unusable,
BleepingComputer confirmed yesterday. When BleepingComputer reached out for comment,
LockBit support claimed that the gang did not attack Royal Mail, and they blamed it on other threat actors using their leaked builder.
There is no end in sight to service disruption, stressed a Royal Mail spokesperson,
the BBC reported last night.
Computing writes this morning that the FAA continues to attribute Wednesday's NOTAM outage
to a damaged database file.
A source speaking to CNN claimed that air traffic controllers recognized the system issue on Tuesday afternoon,
intending to reboot the system during less congested hours on Wednesday morning. The reboot took place as planned,
though the system still wasn't completely pushing out the pertinent information that's needed for safe flight,
and it appeared that it was taking longer to do that, according to CNN's source,
which led to the eventual grounding order.
A senior government official cited aging infrastructure as a contributing factor,
noting that the system is 30 years old and not scheduled to be updated for another six years, according to NBC
News. In the long-running disruption of the UK news service The Guardian, the paper has confirmed
that it sustained a ransomware attack last month. The Guardian Media Group's CEO Anna Bateson and
The Guardian's editor-in-chief Catherineiner, sent an email to employees on Wednesday
stating that the firm had suffered a highly sophisticated cyber attack
involving unauthorized third-party access to parts of their network.
The attackers were able to access personal data of the company's UK employees.
Graham Cluley explains that the data included names, addresses, dates of birth, National Insurance numbers, bank account details, salary information, and identity documents, such as passports.
This morning, researchers at security firm At-Bay reported that they have reason to believe a critical Citrix vulnerability is being exploited by the Royal ransomware gang.
Citrix disclosed CVE-2022-27510 on November 8, 2022. The vulnerability allows for the potential bypass of authentication measures
on two Citrix products, the Application Delivery Controller and Gateway. At-Bay researchers last
week observed what appears to be the first known
exploitation of the flaw in the wild. The researchers recommend that organizations apply
Citrix's patches and mitigations as soon as possible. The U.S. Cybersecurity and Infrastructure
Security Agency yesterday released 12 industrial control system advisories. The agency also released its 2022 year in review.
The report is organized into four topical sections, cyber defense, risk reduction and resilience,
operational collaboration, and agency unification. On that final point, the report explains,
foundational to our success, the agency is unifying as one CISA through integrated functions, capabilities, and workforce.
The agency is building a culture of excellence based on core values and core principles that prize teamwork and collaboration, innovation and inclusion, ownership and empowerment, transparency and trust.
Brookings offers some reflection on last May's Positive Hack Days,
the annual conference organized by the Russian security firm Positive Technologies,
a company now under U.S. sanctions for its cooperation with Russian intelligence services.
The essay sees an increasingly isolated cyber ecosystem
in which the Russian cyber sector has now become a closed system with aspirations to self-sufficiency.
The aforementioned Maria Zakharova called it the creation of a multipolar world, which is, as we've said before, one way of looking at it.
Monday is the U.S. holiday that honors Dr. Martin Luther King Jr., and the Cyber Wire won't be publishing that day.
We'll be back as usual on Tuesday.
In the meantime, best wishes on the occasion to all
who will be observing the holiday with us.
Coming up after the break, Bryan Vorndran from the FBI Cyber Division
calibrates our expectations with regard to the IC3.
Our guest is Kayne McGladrey
with insights on 2023 from the IEEE.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Kayne McGladrey is Field CISO at Hyperproof and is a senior member of the IEEE, the Institute of Electrical and Electronics Engineers.
They recently released a global study titled The Impact of Technology in 2023 and Beyond.
I checked in with Kayne McGladrey for the details.
Cybersecurity concerns have really increased overall since last year's report.
Cloud vulnerability, for example, I think last year only 35% of people thought that cloud vulnerabilities were a concern.
This year it's over half. It's 51%.
Or mobile hybrid workforce is an enduring concern, actually.
It's up to 46%, which was last year 39%.
And that's interesting because work from home is not necessarily new.
I just think that for budgetary purposes, many companies might have thought,
oh, that'll be over soon.
And then the final one I
found to be particularly interesting is around data center vulnerabilities. And if we get really
deep into the data underpinning the survey, that seems to be mostly from China. Whereas if you
think domestically in the United States, the predominant number of companies have moved to
the cloud and to a hybrid working model.
Oh, that is interesting that there'd be a regional difference there.
Yeah, it is. And I think it might speak really to defensibility as well. And if you think about it,
when you look at data centers, they're feeling a little antiquated at the moment. Given how many companies are moving to the cloud, that's causing
a lot of vendors to update their tooling and technology and defensive mechanisms to be
predominantly on cloud. And so the concern would be if you are still running on-premises hardware
and services, it's at some point your vendor may no longer support those and it becomes an
incrementally harder situation to actually defend those with any level of adequacy.
Yeah, that's interesting.
Kind of, you know, get on the bandwagon, or this train is leaving the station, right?
You don't want to miss it.
Absolutely, yeah.
And I think that's where a lot of the cybersecurity frameworks and associated regulatory controls are moving towards is the recognition that we used to do things that way.
That was neat back in the day when we used to have big iron on premises and you could stand up Windows servers and not secure them and then have a breach.
That wasn't so bad.
These days, that's no longer considered to be acceptable by organizations.
And your regulatory entity will also beat you about the ears if you have that occur.
Well, in terms of cybersecurity professionals,
what are some of the other things that rose to the top here?
So cloud vulnerabilities was definitely the number one,
and I think that's really the narrative on software supply chain
that we first saw hit the news in mainstream news when
SolarWinds occurred and then Log4J, where a lot of companies are starting to look in their supply
chain and say, how much do we actually trust you? And we're seeing a lot of companies request a SOC
2 type 2 report as proof that, hey, you're doing the cybers okay. But also in a lot of cases,
that's pushing SaaS vendors to be pushed towards FedRAMP low-impact SaaS or FedRAMP moderate,
not necessarily because they're doing business with the company, or with the government,
I should say, but rather because, hey, it's hard to go get. And so if you're doing that well,
you must be doing cybersecurity fairly well.
The other thing that we've seen is that increase in hybrid and mobile workforce and concerns around there. And that comes to companies needing to really invest and continue to invest in adequate
controls and measuring the effectiveness of this. And that's not just for cybersecurity controls.
If you've got something like, if you look at data loss controls, which are not necessarily considered to be cybersecurity,
there have been many studies showing that as employees are working more from their home devices,
you can have that information leak onto those personal devices.
And if that employee is considering departing, they might take that information with them.
And if that's financial information that they could conduct inside trades on,
or if that's proprietary information that they could sell to a competitor or take to a competitor,
or even a sales book, really, those all become material concerns that companies have to cover down on.
Whereas previously, when everyone was inside the magical office and there was the super cool firewall around it,
somehow that we all put our heads
in the sand and pretended that that didn't happen. You mentioned that this is an annual study that
you all release. Are there any long-term trends that you're tracking here that you can see
to give us some insights on the direction we might be headed? I think that if we look at the larger
technology stack, I think that's illustrative towards where the world is moving.
So in 2022, for example, and in prior years, we've seen cloud and wireless technologies be continuing trends that are popular.
Of course, initially it was 4G.
This year it was 5G, as obviously we've added yet another G to that stack.
But also things like the investment in electric vehicles has been increasing as those have become more commercially viable. And of course, when you think about electrical vehicles and the underpinning infrastructure of those, that becomes now an interesting question of how do you ensure that your users have security and privacy associated with those
technologies.
I think one that may be a, it shows up and then it goes away and it shows up again is
around augmented reality, virtual reality, and the metaverse.
I know that when we conducted this study in September of this year, metaverse was predicted
to be one of the most important technologies in
2023. I think since the collapse of FTX and the continued bear market in the crypto markets in
general, Metaverse, which is almost entirely blockchain-backed, is going to perhaps not be
as important as would have been initially predicted when you look at the study.
That's Kayne McGladrey from Hyperproof.
The IEEE's report is titled
The Impact of Technology in 2023 and Beyond.
You can find a link to that in today's show notes.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
And I'm pleased to be joined once again by Bryan Vorndran. He is Assistant Director of the Cyber Division at the FBI.
Director Vorndran, thank you for joining us here once again.
I wanted to touch base with you today on the IC3, which is the FBI's Internet Crime Complaint Center.
Kind of set expectations.
What exactly is the IC3 best used for? And what can you tell our
audience about the best ways to make use of it? Dave, thanks for inviting me back. And it's a
really good question and one that we receive quite routinely. What I would say is this, IC3 was
initially implemented about 20 years ago when internet-enabled, computer-enabled fraud
became a thing. And so certainly over those two decades, it has continued to grow and serve a
meaningful platform, meaningful role in that it is a consolidation point for not only an
internet-enabled, computer-enabled fraud, but it has also become a very, very heavily utilized reporting center for traditional cyber intrusions.
When we look broadly across the data set, I would say between two-thirds and three-quarters of the data reported to IC3 still is computer- and Internet-enabled fraud
victimization complaints, and the other balance, 25% to a third, is traditional
cyber intrusions. We always have thought that it's important to have one consolidated location
for American citizens, whether corporate citizens or individual citizens, to have a place to report these crimes to. But I do think that IC3's role can never replace the role of an
actual human contact. And so we do always encourage corporations and organizations to really maintain
an ongoing robust relationship with their actual cyber squad of their cyber investigative squad
or the field office of wherever they're based. And that's really important because that cyber squad
can become an active point, an active center of gravity for any organization to share cyber
threat intelligence. But more importantly, it's really important to have that relationship in place if an organization does become a victim.
So we do encourage corporations and organizations to report to IC3 because it does serve as that consolidated point of data.
But we also think it's actually just as important, if not more important, for organizations and corporations to have an ongoing relationship with their cyber investigative
squad in their area that they reside, whether that's a major city or a smaller city. You know,
one of the things we say is that every organization should have an active relationship with their FBI
field office. They should have that point of contact written into their incident response plan, and they should actually exercise their incident response plan with their FBI POC in the office with them at that time.
So hopefully, Dave, that gives you a little bit to think about in your audience, a little bit to think about IC3's historic role, their current role, and then how that balances out with actually having a human contact.
Is it fair to say that the IC3 tends to be a little more consumer-facing, whereas the
direct relationships with the field offices tends to be at more of a professional level?
I think that's fair. I would want to give it a little bit more context and say that we would love, you know, we're a victim-centered organization. That's what we pride ourselves on. It's been the backbone of the organization for more than a century.
business who has two or three people or an individual household compromise of a computer,
we would love to because that's what's in our DNA, but we just don't have the resources to do it.
And so IC3 can serve as a very meaningful portal for those type of individuals to report to or those types of small organizations to report to and know that they're doing their part to facilitate
an understanding of the larger threat picture.
Whereas for corporations or larger organizations,
the FBI can scale to have personal and professional relationships with them
and be actively involved with those organizations prior to an intrusion and during an intrusion.
So hopefully that additional context helps round out the understanding.
No, it absolutely does.
Bryan Vorndran is Assistant Director of the FBI's Cyber Division.
Thanks so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Mohammad Kazem Hassan Nejad from WithSecure's team.
We're discussing their research, DUCKTAIL Returns: Underneath the Ruffled Feathers.
That's Research Saturday. Do check it out.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester,
Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene
Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.