CyberWire Daily - Users advised to patch actively exploited Zyxel vulnerability. Hacktivism and influence ops in Russia’s hybrid war. Ransomware notes. Indiscriminate hacktivism? Alt-coin sanctions case will proceed.

Episode Date: May 16, 2022

Users are advised to patch Zyxel firewalls. Battlefield failure and popular morale in Russia’s hybrid war. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises. Intelligence, disinformation, or wishful thinking? Conti calls for rebellion in Costa Rica. PayOrGrief is just rebranded DoppelPaymer. Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cyber security for startups. Rick Howard looks at two-factor authentication. And a judge says cryptocurrency can’t be used to evade sanctions. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/94

Selected reading.
Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls (SecurityWeek)
Zyxel security advisory for OS command injection vulnerability of firewalls (Zyxel)
Growing evidence of a military disaster on the Donets pierces a pro-Russian bubble. (New York Times)
OpRussia update: Anonymous breached other organizations (Security Affairs)
Italy prevents pro-Russian hacker attacks during Eurovision contest (Reuters)
Finland, Sweden’s NATO moves prompt fears of Russian cyberattacks (The Hill)
Coup to remove cancer-stricken Putin underway in Russia, Ukrainian intelligence chief says (Fortune)
Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn't pay (SC Magazine)
Anonymous wanted to help Sri Lankans. Their hacks put many in grave danger (Rest of World)
U.S. issues charges in first criminal cryptocurrency sanctions case (Washington Post)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Be sure to patch your Zyxel firewalls. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership. Conti calls for rebellion in Costa Rica.
Starting point is 00:02:16 Is PayOrGrief just rebranded DoppelPaymer? Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cybersecurity for startups. Rick Howard looks at two-factor authentication. And a judge says cryptocurrency can't be used to evade sanctions. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 16, 2022. Zyxel has released patches for its firewall versions affected by the OS command injection vulnerability CVE-2022-3525, which Rapid7 discovered and reported. Yesterday, Shadowserver reported that its scans had found the affected devices to be widespread.
Starting point is 00:03:22 They saw at least 20,000 of the potentially affected Zyxel firewall models accessible on the Internet, primarily in the EU, in France, and Italy. NSA Cybersecurity Director Joyce retweeted Shadowserver's findings with a terse comment. He said, Exploitation underway. Check your Zyxel firewall version and patch. The mauling that Russia's 74th Motorized Rifle Brigade took during its failed assault crossing of the Donets on May 11th may be having a more general effect on Russian popular morale. The New York Times reports that pro-Russian military bloggers, some of them embedded with Russian forces, have grown sharply critical of Russian military leadership. The Times writes,
Starting point is 00:04:11 Perhaps most striking, the Russian battlefield failure is resonating with a stable of pro-Russian war bloggers, some of whom are embedded with troops on the front line, who have reliably posted to the social network Telegram with claims of Russian success and Ukrainian cowardice. The Institute for the Study of War wrote Saturday that the commentary by these widely read milbloggers may fuel burgeoning doubts in Russia about Russia's prospects in this war and the competence of Russia's military leaders. The departures from a consistent line of Russian success and inexorable victory are striking.
Starting point is 00:04:56 So far, there aren't corresponding departures from the official line that Russia's special military operation is a just cause. The cyber phases of the hybrid war have recently been marked for the most part by nuisance-level hacktivism. Both sides have developed characteristic attack styles. Anonymous, hacking in the Ukrainian interest under its OpRussia hashtag, continues to dox its targets and dump the stolen data online at DDoSecrets. On the Russian side, the hacktivist style appears to have become distributed denial of service attacks, directed most recently at prestige targets in retaliatory attacks. Last week, the pro-Russian hacktivist group styling itself Legion, a Killnet affiliate,
Starting point is 00:05:38 called for cyberattacks against the Eurovision Song Contest, which had excluded Russian artists from the competition as a gesture of disapproval of Russia's war. Reuters reports that Italian police successfully disrupted the attack, which was itself intended to interfere with voting. Ukraine's Kalush Orchestra won the contest, in case you missed it, with their performance of Stefania. Finland's and Sweden's interest in NATO membership has attracted Russian comment, some of it grandiose and violent with talk of annihilation, forward deployment of tactical nuclear weapons to deter NATO aggression, and so on.
Starting point is 00:06:18 And all of it, even the most measured expressions, has been strongly unfavorable. Neither the alliance nor the two prospective new members seem likely to be dissuaded, but the two Nordic countries and NATO are preparing for the possibility of Russian cyber attacks with realistic caution, The Hill reports. Major General Kirill Budanov, chief of Ukraine's military intelligence service, told Sky News Saturday that Russia's president was suffering from cancer and that his illness would provide a covering justification for a coup that would remove Mr. Putin from power. The major general said, It will eventually lead to the change of leadership of the Russian Federation. This process has already been launched and they are moving into
Starting point is 00:07:05 that way. When asked by Sky News if that meant a coup was in progress, General Budanov said yes, adding, they are moving in this way and it is impossible to stop it. It's impossible to evaluate the truth of his claims or the soundness of his assessment. President Putin has been rumored to be in poor health, but General Budanov's widely reported remarks are the only openly circulating reports of an imminent coup in Moscow. Conti is calling for rebellion in Costa Rica, unless, of course, Costa Rica's government pays Conti the ransom the gang demanded in its ransomware attack earlier this month, SC Magazine reports. A revolution in the interest of Conti is, of course, unlikely in the extreme, but what's Conti got to lose in asking for one? Investigation of the ransomware attack against the city government of Thessaloniki, Greece, last July,
Starting point is 00:08:02 indicates that the attackers, PayOrGrief, were not in fact a new gang, but simply a rebranding of DoppelPaymer, Darktrace researchers report. Anonymous hasn't confined its activities to OpRussia. It's also declared its support of anti-government protesters in Sri Lanka by declaring cyber war against the government. But the website Rest of World reports, the effects of the action may not be entirely welcomed by those it's intended to support. The anarchist collective conducted distributed denial of service attacks against websites operated
Starting point is 00:08:38 by the Ceylon Electricity Board, the Sri Lanka Police, and the Department of Immigration and Emigration. The hacktivists also doxed Sri Lanka Scholar, a private portal connecting students to universities, and the Sri Lanka Bureau of Foreign Employment. In both cases, the names and email addresses of ordinary Sri Lankans were exposed, increasing their risk of falling victim to cybercrime. And finally, any lingering sense of legal immunity cryptocurrency users may retain experienced further erosion on Friday. The Washington Post reports that U.S. Magistrate Judge Zia M. Faruqui of Washington, D.C.
Starting point is 00:09:20 explained his approval of a Justice Department criminal complaint against a U.S. citizen who stands accused of sending over $10 million in Bitcoin to a virtual currency exchange in a country under comprehensive U.S. sanctions. The investigation is still in progress, which is why details of the complaint and the identity of the defendant remain under seal. But the judge wants to make two points. Cryptocurrency isn't untraceable, and sanctions law applies to cryptocurrency as much as it does to more traditional forms of cash. Do you know the status of your compliance controls right now?
Starting point is 00:10:07 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:10:47 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
Starting point is 00:11:37 they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I am pleased to be joined once again by Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always great to have you back. Hey, Dave. So on this season of CSO Perspectives, which is of course over on the pro side of the CyberWire,
Starting point is 00:12:11 you have been breaking out your Rick the Toolman toolbox to help understand some of the mechanics of things like SBOMs and single sign-on. And for this week, you are tackling two-factor authentication. So, what do you got in store for us? Yeah, so while we're working on this episode, I discovered that we've come a long way from when the first commercial second-factor token device, you know, built by a company called Security Dynamics Technologies in the mid-1980s, and to the AT&T patenting the idea of second-factor authentication in the mid-1990s. You know, all the rules that we just kind of throw off today like everybody knows them.
Starting point is 00:12:50 Like, you have to pick two or three factors, something you have like a smartphone, something you are like a fingerprint, or something you know like a password. Yeah, you know, I know what you mean. And I think back, like when I was growing up, my father was a realtor and that was his profession. And so at some point along the way, the local board of realtors decided to adopt multi-factor authentication. Good for them. Yeah, but like this was, I've been trying to think back on it. All I remember is like this little LCD screen on this little device that had this rotating series of numbers and codes that would just keep changing.
Starting point is 00:13:30 Yeah. Right? Like it was this little eye candy kind of thing. It must have been before USB. So I don't know. Did this thing just plug into a serial port? I don't remember. But what I do remember is that it was a pain in the butt and it wasn't around very long.
Starting point is 00:13:45 I think the users revolted and it did not stick around. And I think that's a really interesting thing. Like, in those early days, those systems were hard to use and they were mostly reserved for protecting, like, you know, highly secure things like, you know, spies and nuclear power plants and things like that. But yeah, but these days, I mean, it seems like if nothing else, we have a lot of options, you know, things like SMS and email authentication, push notifications. I mean, even stuff like today's just universal second factor keys like the YubiKeys, you know, come a long way. I have to say, though, you know, especially over on the Hacking Humans podcast,
Starting point is 00:14:26 Joe and I talk about SMS and email. It seems like all the time when I'm reading cybersecurity news or Joe and I are talking about it over there, it always comes up that maybe SMS second factor authentication isn't everything that it should be. Is that wrong? Well, let me put it this way, Dave. Yes, you're wrong. Okay. Well, thanks for coming on the show, Rick. Well, go on. Go on. All right. So, I just want to be clear here. Any form of second or two-factor authentication is exponentially better than just using your user ID and password to log in somewhere. So has SMS authentication been defeated in the wild? Yep, absolutely it has.
Starting point is 00:15:14 Is it pretty good for run-of-the-mill internet surfing, like logging into Audible or your Twitter account? Yes, absolutely it is. So you may not want to use SMS authentication to protect those nuclear codes you were talking about before. But for normal Internet stuff, it's pretty good, right? So in this CSO Perspectives episode, we talk about how each of the current set of two-factor authentication tools, how they work. And we're going to put them on a scale from least secure to most secure.
Starting point is 00:15:43 But all of them are better than just user ID and passwords. All right. Good to know. Good to know. So before I let you go today, I would be remiss if I didn't mention that your WordNotes podcast has hit a bit of a milestone this week. That's right. We're publishing our 100th episode. And I have to tell you, I've learned more about cybersecurity than I have in my 35 years of
Starting point is 00:16:07 doing this stuff as a career professional. Because when you're tasked to explain highly complex or technical words and phrases in just five minutes, like non-fungible tokens, common vulnerabilities and exposures, the Shields Up program, and Pegasus, just, you know, to name four, you might learn a thing or two. And so with this week's phrase, the diamond model, we will have produced 100 of these shows. And I'm very happy to have met that milestone. All right. Well, congratulations. 100 is a big deal. Thank you, sir. Well, Rick Howard, thanks for joining us. Again, you can check out CSO Perspectives over on CyberWire Pro. You can find that on the CyberWire website. Rick, thanks for joining us.
Starting point is 00:16:49 Thanks, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
Starting point is 00:17:33 safe and compliant. And joining me once again is Dinah Davis. She is the VP of R&D Operations at Arctic Wolf. Dinah, always great to welcome you back to the show. You know, I was thinking recently, um, actually my son is a budding entrepreneur and he and some of his friends are starting up a new business. And it got me thinking about, you know, what are some of the things I can do as a helpful dad in terms of providing him guidance when it comes to the cybersecurity provisions that they're going to need? And I thought this would be an interesting topic for you and I to touch on. What are your thoughts here?
Starting point is 00:18:24 Yeah. So, I mean, you're right on because, you know, there's been at least 42% of small businesses attacked in the last year, right? So it's no longer a thing that just like big enterprise really needs to worry about. It's even the small guys really need to look at it, right? So to help myself remember, I've called it the four P's that people should think about the four P's. So your perimeter, patch, your people, and protect. So for your perimeter, you're looking at making sure you have, you know, a decent firewall in place. If you're a small company, you can buy some that are out of the box, that are quite decent, and just set them up.
Starting point is 00:19:05 You know, you can just stop the bad traffic right away. Patching, patching, patching, patching, patching. So always knowing what's in your system and keeping your, like, even in a small business, that might be you have four machines. Just always keep them up to date, right? That's the easiest thing you can do with little to no security knowledge whatsoever is to always keep the software of your key tools that you're using up to date. People comes from user awareness training. this so many times, but it is really very, very important that people are aware of the types of attacks because you're just as good as your weakest link. And usually your weakest link
Starting point is 00:19:51 is going to be your people. Social engineering attacks are quite effective. They happen often. I always recommend if you can get training that comes in like three to five minute bursts every few weeks, then that's going to help. It's going to keep things top of mind, right? And then finally, I had to stretch for the fourth P here, but protect, which really means MFA, multi-factor authentication. If there's, you know, anything from a, an actual security thing to put in place for your company, it's multi-factor authentication. It pretty much shuts down most, um, email based, uh, phishing attacks, right? They're trying to get your password and then reuse your password everywhere else. As long as you have a second or a third source of authentication that's not a password, then that's really going to help you out.
Starting point is 00:20:51 I don't know. Can you think any of those would be good for your son and his company? I think so. I think the challenge with multi-factor, of course, is that it does introduce a little bit of friction. And, you know, young, excited entrepreneurs, the last thing they want to do is slow down for something. But they have to make the case that it is in their best interest. You know, I'm curious. We have
Starting point is 00:21:17 these services available today that are primarily cloud-based. I'm thinking of, you know, the Googles of the world, the Microsofts of the world, where you can get pretty much everything you need to start up from a provider like that. You can get your email, you can store files, all those kinds of things. For a startup, I mean, is that a good way to go? Do you find that to let those big companies do much of the heavy lifting
Starting point is 00:21:42 for a lot of the security things, is that a reasonable approach? Yeah, I would highly recommend that. I mean, even for Code Like a Girl, which I run on the side and it's not really a for-profit thing, I have a Google business account. And I have multi-factor authentication on the logins, on my email address. And I don't use it a lot for a lot of things, but just having that there and having a place where my files can go, you know, I am leaning on Google's security abilities there. And, you know, I think that's a pretty good bet, to be honest. If you're, you know, it's way better than trying to roll your own or anything like that.
Starting point is 00:22:25 Right. So especially if you're using cloud services, those doing something like that, you know, Google or Office 365 or any of the big ones. I'm not I'm not saying one is better than the other or anything like that right now. But they are spending a lot of money on security today because they're protecting a wide, wide range of people. Right, right. All right. Well, good advice. Dinah Davis, thanks for joining us.
Starting point is 00:23:03 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karff, Eliana White, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:24:34 Learn more at ai.domo.com. That's ai.domo.com.
