CyberWire Daily - Updates on what Ukraine is now calling “BleedingBear.” CISA advises organizations to prepare for Russian cyberattacks. Other cyberespionage campaigns, and a new ransomware strain.
Episode Date: January 19, 2022
Ukraine confirms that it was hit by wiper malware last week, as tension between Moscow and Kyiv remains high. It remains high as well between Russia and NATO, as Russia continues marshaling conventional forces around Ukraine. CISA advises organizations to prepare to withstand Russian cyberattacks. Other cyberespionage campaigns are reported, as is a new strain of ransomware. Microsoft's Kevin Magee provides friendly counsel for CISOs and boards. Our guest is Clar Rosso from ISC2 on the communication gap between cybersecurity teams and executive leaders when it comes to ransomware. And the natural disaster in Tonga may offer lessons in resilience and recovery. For links to all of today's stories, check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/12
Transcript
You're listening to the CyberWire Network, powered by N2K.
Ukraine confirms that it was hit by wiper malware last week as tension between Moscow and Kiev remains high.
Russia continues marshalling conventional forces around Ukraine.
CISA advises organizations to prepare to withstand Russian cyber attacks.
Other cyber espionage campaigns are reported, as is a new strain of ransomware.
Microsoft's Kevin Magee provides friendly counsel for CISOs and boards.
Our guest is Clar Rosso from ISC2 on the communications gap between cybersecurity teams
and executive leaders when it comes to ransomware. And the natural disaster in Tonga
may offer lessons in resilience and recovery.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, January 19th, 2022. Ukraine has confirmed, according to the Washington Post, that last week's WhisperGate cyberattacks were indeed destructive
and represented neither the hacktivist defacement nor the ransomware crimes they misrepresented themselves as.
Ukraine's State Service of Special Communications
and Information Protection said, quote, thus with a high probability it can be argued that the
defacement of the websites of the attacked government agencies and the destruction of the
data using a wiper are components of one cyber attack aimed at as much damage as possible to
the infrastructure of state electronic resources.
End quote.
Ukraine is calling the campaign BleedingBear and has attributed it to Russia.
Security firm ESET has tweeted its take on how WhisperGate used third-party criminal services to help stage the attacks.
These tools are useful in themselves, and they also lend further verisimilitude to the pretense that the whole campaign was conventionally criminal as opposed to state-directed.
The selection of ransomware as cover for the attacks is unsurprising.
Ransomware is not only a commonplace criminal activity, but it can also be, as CyberScoop observes, highly disruptive. The pretense of ransomware is not only useful for misdirection and concealing an incipient cyberattack,
but the tools used by ransomware gangs are readily repurposed for espionage and sabotage.
Concern that the crisis could escalate remains high.
Over the weekend, reports from Ukraine said that Russia had begun withdrawing
personnel from its embassy in Kiev. U.S. White House Press Secretary Psaki commented on the
withdrawal in yesterday's media briefing, seeing it as a significant harbinger of increased tension.
C-SPAN has the recording. I think as I noted a few minutes ago, we believe we're now at a stage where Russia could
at any point launch an attack on Ukraine. I would say that's more stark than we have been. In terms
of the decision to move, to evacuate their embassy or to move personnel out of their embassy,
we have information that indicates the Russian government was preparing to evacuate
their family members from the Russian embassy in Ukraine in late December and early January.
We certainly would refer you to them for more specifics about what their decision is,
but we don't have an assessment on why in the meeting.
Initial reports held that the embassy staff in Kiev was being drawn down,
and subsequent reports claimed that Russian diplomats
were being repatriated from western Ukraine. For its part, according to Newsweek, Russia has said
the reports are all nonsense, that it hasn't pulled any of its diplomats from Ukraine.
Aware of heightened tensions and with vivid memories of NotPetya and WannaCry,
governments are preparing for subsequent waves of cyberattacks.
The Deputy Secretary of Ukraine's National Security and Defense Council
described the steps Kiev is taking to protect the country
from further cyberattack in an interview with The Record.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday published advice
on how organizations can protect themselves
against cyberattacks of the kind Ukraine sustained last week. The advisory is designed
to help organizations defend against, detect, respond to, and ride out destructive cyberattacks.
Poland has also raised its level of cyber alert, Reuters reports.
Russia has consistently represented NATO and the U.S.
as aggressors, interested in using Ukraine to hold Russia at risk. But it's fair to say that
this is a minority view. NATO wants further talks with Russia over the crisis, but Moscow says it
won't consider renewed talks until it receives responses to the proposals it put on the table last week.
Those answers are expected sometime tomorrow, and it seems unlikely that they'll be the answers
Moscow says it wants, since that would amount to NATO unraveling more than two decades of
alliance building. The CyberWire's current coverage of the crisis in Ukraine can be found on our website.
Security firm ESET has offered an account of an APT, the Donot Team, which it regards as
unsophisticated but highly focused and tenacious. The researchers describe two malware strains the
Donot Team uses, DarkMusical and Gedit. The spear-phishing emails were sent in persistent waves,
and the emails didn't use spoofing.
Many of them bore email addresses associated with the targeted organizations,
which suggests that some of the accounts had been successfully compromised.
The researchers make no attribution,
but the Donot Team's focused list of targeted countries is perhaps suggestive:
Pakistan, Bangladesh, Nepal, and Sri Lanka.
So too are the file names the coders used in preparing their malware.
A lot of them reference characters in the movie High School Musical.
Who knew that spies or crooks would be fans of Disney adaptations of Romeo and Juliet?
We didn't, but when you think about it, it's kind of sweet. Next time, kids, try Lady and the Tramp, a flick that's worth an homage or two.
A post at BushidoToken Threat Intel describes what appears to be a cyber espionage campaign
against industrial control system vendors, government agencies, non-governmental
organizations, and university researchers in several countries. The campaign itself proceeded
through phishing. A familiar mailbox phishing kit is being used to harvest usernames and passwords.
The list of targets is a long one, and you can find that list on our website.
Attribution is unclear beyond some circumstantial code similarities
to tools used by Russian and North Korean intelligence services.
The researcher speculates about a possible motive,
quote,
Supplemental targets such as ICS-OT organizations and educational institutions
would complement this intelligence-gathering campaign
if access could be obtained at these entities.
From this, it could be suggested that the adversary behind this campaign
is potentially a major source of fossil fuels
and is doing research on the renewable energy sector as a threat to its income.
FIN8, a financially motivated threat actor
that's been active against the retail and hospitality sectors since 2016 at least,
is apparently responsible for using a new, relatively evasive ransomware strain, White Rabbit, against a U.S. bank last month.
Trend Micro researchers, who yesterday published a description of the attack, write, quote, Its payload binary requires a specific command line password to decrypt its internal configuration and proceed with its ransomware routine.
This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.
The malicious payload is small, about 100 kilobytes, and appears inactive and innocuous until it's activated.
Saturday's eruption of the Hunga Tonga-Hunga Haʻapai volcano disrupted Tonga's internet connection and many other modes of communication,
providing an extreme test of response, resilience, and recovery.
Apparently, the nation's undersea cable was severed.
MIT Technology Review has an account of what will need to be done
to reconnect the Pacific nation with the rest of the world.
And as we look for lessons to be learned in resilience and recovery,
let's not forget the immediate human toll of the disaster.
Our best hopes for recovery and
consolation to everyone in Tonga, and best wishes to the international relief efforts underway.
The team at cybersecurity nonprofit association ISC2 recently polled 750 C-level executives in the U.S. and U.K. to gauge how they're communicating with stakeholders in their
organizations about ransomware. Some of the results were surprising. Clar Rosso is CEO at ISC2.
Well, I'd have to say that first and foremost, what stops me in my tracks is hearing that 70%
of C-level executives believe that they are confident in their cyber defenses.
That's interesting. Is that coming higher or lower than you thought it would be?
I think it's a little higher than I expected. And part of the reason I say that is 60%.
There are several reports that say 6 in 10, 60 percent of organizations will be hit by
ransomware. And of those that are hit by ransomware, only about 50 percent are going to be able to
effectively restore their data. So hearing 70 percent of C-suite folks say we got it covered
doesn't line up for me. There might be a little bit of
overconfidence there. Where do you suppose that overconfidence might be coming from?
Well, I think one of the things that we're seeing and we're hearing a lot is that in the C-suite,
in the boardroom, individuals need to build their cyber literacy. We've talked about this around financials for
years and years and years, but now it's time we talk about it for cybersecurity.
What do they understand and what do they need to understand? And there's a role that the
cybersecurity professional can play in helping elevate that cyber literacy within the C-suite.
Let's talk about some of the other findings of the report.
I mean, communications was one of the things that you highlighted here.
Right. We think the report identifies that there is an opportunity to increase communications and reporting to leadership.
The cybersecurity team within organizations should think about how can I
increase the frequency and the appropriate level of detail that I'm giving to the C-suite
to help instill confidence in the security of their operations and facilitate more informed
decisions, as well as support the calls for more investment in cybersecurity, both people and technology.
Was there anything in the report that was particularly surprising to you?
One of the things that I would say wasn't surprising, but that I was actually pleased by,
is when we asked what the top areas of concern for the C-suite were,
I think people were asking the right questions.
They wanted to know, is our security function working with IT to ensure our backups and
restoration plans will be able to work, right? They won't be adversely. If we do have a ransomware
attack, we can back up our data and get back running. I like the fact that they were
knowledgeable enough to understand that they need to be prepared to engage with law enforcement in
the event of a ransomware attack. They ask questions like, are we prepared to engage with
a cybersecurity firm to help us investigate and respond to a cyber incident? Where are we
most vulnerable? Things like that. Those are the questions that the C-suite's asking, and those are
good questions to be asking. You know, this report focuses on those executives in the C-suite. For
the folks who are doing the work in the cybersecurity department, what are your recommendations for them?
What should be their approach to best communicating their needs to the folks up in the C-suite?
Right. I would take advantage of the headlines that we're seeing in the news every day.
The next time you see a major headline about a cyber breach, like when Log4j happened in December, when something like that happens,
use that as an opportunity to speak to the executives in your organization.
Talk about how you're prepared to address these cyber risks and talk about what you
need to be better prepared to address future cyber risks.
That's Clar Rosso from ISC2.
And joining me once again is Kevin Magee.
He's the Chief Security Officer at Microsoft Canada.
Kevin, always great to have you back. You know, I want to touch today on the relationship between CISOs and their boards of directors.
At times, this can be a challenging relationship.
And I know this is
something that you have spent some time working on. I wanted to touch base with you for your
specific insights here. Yeah, thanks for having me again, Dave. Having sat on a lot of boards and
having been a cybersecurity professional, I've got a foot in each camp. And there's a lot of
articles and whatnot published on how best to talk to boards. But what happens
when it goes wrong when you present to the board as a CISO? And how do you rebuild that relationship?
Or how can you, you know, re-approach the board if, you know, you have a misaligned set of
mis-expectations? And so, I do a lot of what I call CISO therapy sessions after they've been
savaged by the board or had bad encounters and just trying to reset those relationships.
And I've developed sort of a seven-step program to help them that's been super effective.
All right.
Well, let's go through it together.
Walk us through the steps.
First is employ empathy.
It's really understanding what their situation is.
I call it the current ratio epiphany.
When I was sitting on an audit committee,
we were talking about the current ratio
for about half an hour
and everyone seemed really concerned about it.
But it'd been 20 years since I took financial accounting
and finally I raised my hand and said,
I don't know what a current ratio is
or should it be bigger or smaller?
And it turned out a lot of people around the table
didn't know either.
And then it dawned on me
that that's how folks must feel around the boardroom table
when they talk about cybersecurity, when they don't understand the topic. They don't
want to look like they don't understand from their peers. So, employ empathy, really understanding
their role and what their challenges are, is sort of step one. And then along with that is
confirming altitude. The board should have their noses in, fingers out figuratively.
But if you come to the board as a CISO with operational information or indicators,
expect operational questions to come back, then we're going to get into the fingers in
to your business instead of where they should be at the proper altitude,
which is noses out, or noses in, sorry, fingers out.
So making sure you confirm that altitude and stay at the proper altitude is sort of step
two.
The next three are sort of teach, tailor, and take control, really teaching the board
about their own personal awareness and understanding their role in the organization and the unintended
consequences of their decisions to create a compensation plan for a CEO to drive growth and what that can have effect.
Tailoring the message and making sure that you're, again, communicating at the right level.
And then taking control of the metrics they're using, such as a NIST maturity level to manage your growth of a security program as opposed to a number of attacks on the website or whatnot
can really change the discussion.
And the last two are just partner
and build trust,
really get them engaged
in tabletop exercise
and build consistency
and relations with individuals.
And ultimately,
never surprise the board.
You should really,
when you come to that board,
they should be fully aware
of what they're going to talk about,
what that will look like, and there are no surprises.
And that's sort of the rehabilitation program that I use with CISOs.
And I suppose, I mean, it's got to be easier to establish these things off the bat in a positive way than try to do damage control after you've had a bad encounter?
I think too often CISOs wait till they're summoned to the board and then they throw together what they think the board wants to see or, again,
overload them with information. The average board package can be 300 to 500 pages of material.
You know, get to the point, summarize. Again, employ empathy. What are the things that
they're going to want to learn? What do they know? What don't they know? And give them the benefit of the doubt in terms of
their ability to understand the information, but then also summarize in ways that are easily
digestible and not using big words or industry words or whatnot as well too. So taking a very
proactive approach to that relationship is ultimately the key. I've heard lots of folks
say that you're much better off communicating with
them in the language they understand, which quite often is that of risk.
And we talk about, you know, protecting the crown jewels.
It's one of the examples I use all the time.
Well, telling IT or security to protect the crown jewels, what are the crown jewels?
I'm not really sure what they are.
And walking through a business process
and understanding where the critical aspects
of the organization's data really is developed,
maintained and whatnot may throw some surprises.
And that can't be done in a vacuum.
That really needs to be defined
by the senior levels of the organization,
including the board, what the risk tolerance is.
And IT and security need to be a partner, not driving that overall discussion. So again, often the board doesn't
know how to approach the subject, but we assume that they're on the board, they must know what
they're doing. So employing empathy, understanding that they may not understand the basics we do,
and teaching them how we go about evaluating risk, how we identify data in the business process,
how we protect it and whatnot. It's not talking down to them. It's really empowering them to make
better decisions, ask better questions and provide better oversight. All right. Well,
good insights for sure. Kevin Magee, thanks for joining us. Thanks, Dave.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.