CyberWire Daily - Updates on the hybrid war: hacktivism and hunting forward. Election security. Trends in phishing. The return of Emotet.
Episode Date: June 9, 2022

Another hacked broadcast in a hybrid war. Hunting forward as an exercise in threat intelligence collection and sharing. Cyber threats to the US midterm elections. Phishing for cryptocurrency. FakeCrack delivers a malicious payload to the unwary. Vacations are back. So is travel-themed phishbait. Ann Johnson from Microsoft shares insights on the trends she's tracking here at RSA. Johannes Ullrich brings highlights from his RSA conference panel discussion. And Emotet returns, in the company of some old familiar criminal collaborators.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/111

Selected reading.
Hacked Russian radio station broadcasts Ukrainian anthem (Washington Post)
Ukraine Successfully Defends Its Cyberspace While Russia Leans Heavily on Guns, Bombs (CNET)
Ukraine war: US cyber chief on Kyiv's advantage over Russia (Sky News)
NSA Director Confirms Cyber Command 'Hunt Forward' Approach Applies to Russia (ClearanceJobs)
Experts, NSA cyber director say ransomware could threaten campaigns in 2022 (CyberScoop)
Ransomware, botnets could plague 2022 midterms, NSA cyber director says (The Record by Recorded Future)
How Cyber Criminals Target Cryptocurrency (Proofpoint)
Crypto stealing campaign spread via fake cracked software (Avast)
Threat Actors Prepare Travel-Themed Phishing Lures for Summer Holidays (Hot for Security)
Emotet Malware Returns in 2022 (Deep Instinct)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Another hacked broadcast in a hybrid war,
hunting forward as an exercise in threat intelligence collection and sharing,
cyber threats to the U.S. midterm elections,
phishing for cryptocurrency,
fake crack delivers a malicious payload to the unwary,
vacations are back, so is travel-themed phishbait.
Ann Johnson from Microsoft shares insights on the trends she's tracking here at RSA.
Johannes Ullrich brings highlights from his RSA Conference panel discussion.
And Emotet returns in the company of some old familiar criminal collaborators.
From the RSA Conference in San Francisco, where I've left my heart and a good bit of my expense account,
I'm Dave Bittner with your CyberWire summary for Thursday, June 9th, 2022.
Another broadcast has been hacked in the course of Russia's hybrid war.
The last such interference was in the Russian interest and interrupted the televised presentation of the Ukraine-Wales match in the World Cup qualifying round.
This most recent incident appears to be the work of pro-Ukrainian hacktivists.
BBC reporter Francis Scarr tweeted that a news broadcast carried by the Russian radio station Kommersant FM was interrupted to play the Ukrainian patriotic song "Oh, the Red Viburnum in the Meadow."
The Washington Post adds that the feed was also interrupted with an anti-war song.
The station has resumed normal operations and said it was investigating the incident.
Sky News, following up its interview with U.S. Cyber Command's General Nakasone,
concentrates on a discussion of what hunt-forward means in the context of cyber conflict.
It involves the collection of threat intelligence in friendly cooperating networks,
finding malware samples and other evidence of hostile activity,
and sharing that intelligence to inoculate friendly networks against such attacks.
General Nakasone said,
This ability for us to work at the behest of a foreign government
to go and hunt with them on their networks, then releasing the information.
We have released over 90 different malware samples to a series of private sector cybersecurity firms.
What does that do?
It provides inoculation for all of us that operate in the domain.
And I think that's an example of where this public-private partnership is so important.
General Nakasone also credited Ukraine with considerable resilience in cyberspace.
He said, one of the things that we certainly learned is the importance that the Ukrainians have placed on having a resilient network.
If all that's said in terms of what's gone on in this conflict, one of the things that I think is sometimes missed
is that the Ukrainians have maintained their Internet and being able to communicate.
And this is a great tribute to them.
The U.S. midterm elections will be held this coming November,
and experts are outlining the cybersecurity risk to those elections.
At the RSA conference yesterday, CyberScoop reports,
industry experts reminded election officials that phishing and email doxing had been major threats in 2016 and that those shouldn't be overlooked in the current election season.
But the way the threat landscape has shifted suggests
that election officials should be particularly alert for ransomware attacks.
Among the U.S. federal agencies that are involved in securing the vote,
the Cybersecurity and Infrastructure Security Agency has the leading role.
NSA's Cybersecurity Director Rob Joyce said that his organization would be supporting CISA. Joyce said,
The worry in all of election security is trust and confidence that we've delivered a safe and secure election.
And if, you know, if elections are subject to ransomware or if there's a botnet that runs a denial of service, what you'll find is that's probably going to, in this day and age, escalate to be an issue of trust.
He pointed out that working against botnets and ransomware was squarely in NSA's wheelhouse,
so Fort Meade's support can be expected to work primarily against those two classes of threat.
This morning, Proofpoint published a study of criminal attempts against cryptocurrency holdings.
They divide the operations into three categories: cryptocurrency credential harvesting, cryptocurrency transfer solicitation, and commodity stealers that target cryptocurrency values.
As is so often the case, the tools for this kind of cybercrime are traded in the underworld's criminal-to-criminal markets.
Phishing kits, prepackaged sets of files that contain all the code, graphics, and configuration files to be deployed to make a credential capture webpage, are popular offerings.
FakeCrack, a criminal operation that distributes malware to its victims' devices,
works by offering a shady come-on: free cracked software.
Avast explains that the campaign is designed to compromise and steal two classes of sensitive data, personal information and cryptocurrency holdings.
It's another reason to avoid gray market software.
Bitdefender reports that travel-themed spam has been seen hitting users since March 2022 and has been primarily seen targeting the United States, Ireland, India, and the United Kingdom.
The spam can be found in the form of ads and phishing emails,
with the emails containing buzzwords related to summer vacation and many well-known airlines.
The researchers also found that malicious domains and URLs are in play. These are used to trick victims into downloading infected invoices and credit card transactions.
The phishbait is topical. Not only is the summer travel season upon us, but the pandemic has abated enough to render vacation travel more feasible than it has been for the last two summers.
Deep Instinct reported today that Emotet has seen a resurgence in 2022.
Emotet re-emerged in late 2021 and has seen a 27-fold increase in detections in early 2022.
Companies in Japan were targeted in phishing campaigns utilizing Emotet in February and March of this year, and more regions have been found to be targets in April and May, including Italy and the United States.
The TrickBot gang has been observed helping Emotet deploy to infected devices to download the new variants of the malware.
Deep Instinct writes, the threat actors behind Emotet have been credited as one of the first criminal groups to provide malware as a service.
They successfully utilized their mass to create a massive botnet of infected systems and sold access to third parties, an enterprise that proved so effective it was soon being used by criminal entities such as the Ryuk and Conti ransomware gangs.
Emotet also has a history of collaborating with TrickBot,
famous for their info-stealing Trojan, and Qakbot, another well-known banking Trojan.
So it seems that old gangs never or rarely die.
They just fade into rebranding or disperse into other criminal crews.
One of the highlights of the RSA conference is running into friends, new and old.
Ann Johnson is a corporate vice president at Microsoft
and host of Afternoon Cyber Tea
right here on the CyberWire network.
She dropped by our meeting space at the conference
to share her thoughts on the show.
You know, RSA Conference,
and this is my 20th, 21st year at RSA Conference,
so let me give you one side note.
Because it's June and not February,
the weather is outstanding.
It's not raining.
It's been a lovely week.
Right.
That aside, the vibe feels much the same.
I think it's a smaller conference this year
because the date changed
and people are still coming out of COVID
and thinking about travel.
But the vibe is still the same.
You still have a bunch of passionate industry professionals who are dedicated to their mission and trying to solve really hard problems and having really deep conversations as late as like 10, 11 o'clock at night.
It is a wonderful community, as you know.
And everyone, I'm seeing lots of friends on the street, people I haven't seen in a few years, and it just feels wonderful to be here.
Yeah, yeah. As you walk around, what sort of trends are you noticing? You know, we've had years where everything was artificial intelligence and then years where it was the human element. And any idea what this year's theme is?
Oh, yeah. It's the year of XDR. I have seen like window storefronts, sidewalks, every bit of branding.
I was joking with a friend in the industry and I don't drink alcohol,
but I said I'll take a drink of ginger ale or Diet Coke every time I see an XDR sign
and you can have a shot of beer or whatever it is.
You have to take frequent bathroom breaks if you do.
That's exactly right.
But I think that it's the year of XDR, but again, trying to solve really hard problems,
if you don't have that visibility end-to-end
across your estate that XDR can give you,
like Microsoft XDR, we give it to you across our platform
and with third-party solutions,
you can't solve hard problems because you're not seeing.
You have to, the biggest problem customers try to solve
is visibility.
And theoretically, that's what XDR is going to bring to them
is that promise of visibility and correlation of threats
across the entirety of your environment.
Is now the right time for XDR?
Let me say that another way.
Why XDR at this moment having the popularity it does?
I think it's because a lot of organizations
are now both hybrid and cloud.
And so visibility becomes a really different conversation
for them, right?
They're trying to figure out what's still in their estate on-premises,
and then they're trying to figure out what they have in the cloud.
And that dream of us,
I'll use the Microsoft example, right?
Microsoft Defender for endpoint,
looking at what is on-premises
or on your endpoints,
as opposed to Microsoft Defender for cloud
or Microsoft Defender for identity,
we can look across the entirety of your estate
and say, these threats are coming in from the cloud,
these threats are coming in from on-premises, and we can correlate those. And that's, I believe,
why there is such this impetus for it now, is because customers' estates have gotten much more
complex. In addition to that, threat actors have ramped up and have figured out where the soft,
chewy center is, whether the soft, chewy center is externally in a cloud or the soft,
chewy center is still on-premises. So being able to detect really quickly. Time to detection is
the most important thing.
And XDR should be able to reduce your time to detection,
which gives you a better opportunity
to defend your environment.
As I'm wandering around the show floor here,
I'm seeing a lot of young, fresh faces,
people who are looking to find their place
in the community here.
Are you seeing the same thing?
And what kind of energy do you see them bringing to things?
I had so much fun last night.
I was one of the experts at the RSA Scholars Dinner. Oh, wow. Okay. Terrific. Yeah. So the
RSA Scholars Dinner, we bring in college students who are mostly postgraduate. They're, you know,
master's or PhD students. I had so much fun with them. I actually said to one of the students,
you know, he was talking about how he's writing CTFs, how he's helping write grants for students to go to cybersecurity education.
And I'm like, when I was in college, I was thinking about where the next party was.
I wasn't thinking about like, seriously.
They are so committed.
Remember, when we were in college, cybersecurity wasn't an industry, right?
No, it wasn't, no.
But they were so passionate.
I was talking to somebody who was doing embedded work on embedded systems
and risks for nuclear power plants.
These kids, they're going to save us all because they are so passionate
and committed and they're digital natives.
So they're so much further ahead than we were in understanding the landscape.
I think another element, for me anyway, is I'd like to get the word out
that for those folks who are coming up, don't be shy.
Come up and introduce yourself.
And I know this is something you feel as well. You're willing to take the time to have those conversations, help people along the way.
You know, I was talking to a member of my team this morning and I said, if someone is, and I'll say it, brave enough to walk up to me, I'm going to give them time.
If you want to send me a LinkedIn message, I'm going to give you a few minutes. Maybe ultimately, because I like to do quality things like you, right?
So maybe if I feel like I don't have enough time, I'm going to ask you to meet with someone after that.
But I'm going to give you time. I want to get the next generation passionate.
I've been doing this for over 20 years. We've been doing it for a long time.
I want the next generation to be as passionate
as we are because they're going to have harder problems
to solve and they're going to come with fresh ideas.
And we need fresh ideas.
You are the host of the podcast, Afternoon Cyber Tea.
Can you give us a preview?
What's coming up there?
Yeah, so Afternoon Cyber Tea is, I talk about it in terms of I like to humanize cybersecurity.
I like to bring on really interesting guests.
So we have a really interesting guest coming up who is not in the cybersecurity industry.
He is actually in the media entertainment industry,
but he is going to talk about an initiative he has started.
It's based in Tulsa called Black Tech Street to get folks into technology careers.
So he's going to talk about how he has stepped out
of a little bit of the media entertainment industry
to really invest in making this a reality.
So we have guests like that.
We have industry luminaries on. We have up-and-comers.
We love to have up-and-comers on the show. Talk about young talent. We like to give visibility to somebody who's just starting out.
So it is probably one of my favorite things to do. And of course, it's hosted on CyberWire.
It is our honor to do so. Ann Johnson, thanks for joining us.
Thank you. Have a wonderful day.
That's Ann Johnson from Microsoft.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, always great to welcome you back.
Yeah, good to see each other in person this time.
I know, we are here at the RSA conference face-to-face,
which is certainly a treat.
You just finished a presentation here at RSA.
Can you give us a little overview?
What was the presentation about?
Yes, I was really part of a panel with Ed Skoudis,
Katie Nickels, Heather Mahalik, and Rob Lee.
And we sort of always try to summarize at once here at RSA
what sort of the biggest hacks are that we see coming.
So it's not just looking backwards as what they are right now,
part of it is that as well,
but also a little bit looking forward.
So what are the things on the horizon for you all?
Well, for example, Katie talked about
that living off the cloud idea.
It's something I've certainly observed,
like when we look at the reports
we're getting in with the Storm Center and such,
where people are using cloud services against you,
where they're using sort of like ngrok
or even like simple things like Dropbox and such
to exfiltrate data, to use it as a command control channel.
Because from the network point of view,
that blends in really nicely with the normal traffic that you're seeing.
Because so much is coming and going from the cloud
and everyday operations,
it's sort of masked by default?
Correct.
And these are services that have legitimate users too,
so you can't just outright block them.
I see.
Or if you block them, then you have angry users.
Right.
Also not so nice.
Angry users are the bane of security practitioners everywhere.
What other things did you all discuss?
I talked a little bit about how actually the infrastructure
you're building for backups could potentially be used against you.
Because if you think about it, you're installing agents
on all of your endpoints to collect the data that you are backing up.
You're typically exfiltrating it to some kind of cloud service.
So what about an attacker that will just take that over
and configure it for you?
Not necessarily how you intend to configure it,
but use that same software to steal your data
and just send it to a different cloud endpoint.
In particular, since a lot of these cloud systems
have had vulnerabilities in the past,
so it's not necessarily that they're foolproof either.
And some of them are just not configured right
because it's boring.
Backups are boring.
So that's why they're often ignored
until you actually need them.
And they're also like your last line of defense
for ransomware in many cases.
So particularly if you're looking at the modern ransomware
that often has the extortion component to it,
they'll just take the data and maybe even use then
the endpoints, the software that you installed on your clients
as part of the backup system, to do some of the encryption for you,
because they often have encryption capability,
because encrypted backups are good.
You usually like to have the clear text version around as well.
Well, and is this also a matter of, from the user's point of view,
that it appears as though your backup software is doing everything that you configured it to do?
It's sending stuff off somewhere to a cloud
and it's easy to overlook which cloud where.
Exactly, and the hacker may even use the same cloud
as you're using, so that makes it even more difficult.
And because you're typically dealing with a lot of data,
you often again exempt it from network monitoring, for example,
because you don't want to bog down
your network monitoring solution
with lots of traffic that you really don't care about
because you know it's just a backup software.
It's going from your backup server
to that S3 bucket or whatever,
but really all you're often caring about
is that it's going to Amazon
or whatever service you configured.
What are your recommendations then?
I mean, given that backups are boring,
how do you prioritize, give them the attention they deserve?
Well, I always say as a security practitioner,
I like boring, because if it gets exciting,
it's usually not that good.
But yeah, give them the attention they deserve.
That's really what it comes down to.
And review configurations, monitor configurations.
How do you do change management on backup configurations?
Who has access
to those processes
and is allowed to make or authorized
to make changes?
So really by tying them more into
your overall security practices,
that's a good start.
And of course, keep that stuff updated like everything else.
It's a little bit of a one-off solution,
so it's not like your
Windows updates where you have
thousands of them, and it's not
as mechanical as that, but
yeah, don't ignore it.
Any other particular items from the presentation
that deserve attention?
We had two more.
Heather Mahalik was talking about stalkerware,
which is a huge issue.
Also some of the more advanced exploits that you have here
against mobile devices.
NSO Group, even though they are sort of fading away,
but their exploits, their tools are sticking around.
And then Rob Lee was talking about some of the attacks against satellite systems
that we have seen in Ukraine.
Now, a lot of it has been written about
how it has affected or didn't affect it,
whether it didn't affect the wind power systems
in Germany and such.
But one sort of not well-publicized effect of this
was that actually these communication systems, the Ukrainian army used
in part of its artillery targeting systems where
someone at the front line could send a message back that they found
some Russian tank or something like this.
And the way Rob described it, it's like an Uber for artillery,
where the system automatically found the closest artillery battery to them and launched shells at them.
Now you have sub-minute kind of response times, and that was shut down by shutting down those Viasat modems.
Then, of course, Elon Musk stepped in
and gave them his satellite system,
which was basically the private sector now
fulfilling an important military role.
Things get a little fuzzy now, don't they?
Things get fuzzy, and now it's part of Chinese military doctrine
to, hey, if you ever fight the Ukraine,
not the Ukraine, the US,
the first thing we probably want to do
is take out SpaceX or Starlink.
So you have this,
we always had this when it comes to cyber
where there is no clear delineation
between sort of private industry and government.
Most government networks use privately owned
or commercial connectivity.
They're not usually running their own wires.
And this becomes really obvious here.
I'm going to get to space,
which is literally now the new high ground in warfare.
Can't get any higher than some satellite.
Yeah, yeah.
Geosynchronous orbit or whatever.
And if you look at some of the news from Ukraine,
how effectively it is sometimes used,
sort of the connectivity between drones and artillery,
so this immediate feedback and targeting.
Right, right.
Well, I have to say it's great to be back here in person
to see people face-to-face
and delighted that you made time for us today.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand,
Liz Irvin, Elliot Peltzman, Trey Hester,
Brandon Karpf, Elliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan.
Thanks for listening.
We'll see you back here tomorrow.