CyberWire Daily - Waiting for the Bears to come out. APT41 hits US state governments. A surge in mobile malware, and a look at yesterday’s Patch Tuesday.
Episode Date: March 9, 2022

Zelenskyy addresses the House of Commons. Cyber operations in Russia's war against Ukraine. Chinese cyber espionage campaign hits six US state governments (but it might be an APT side-hustle). A surge... in mobile malware. Joe Carrigan looks at derestricting your software. Our guest Bob Dudley discusses cyberattacks against the European energy sector. And a quick look back at Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/46

Selected reading.
Volodymyr Zelensky speech: Ukrainian President vows to fight Russians in 'forests, fields and on shores' as he channels Winston Churchill (The Telegraph)
Putin's Endgame Starts to Look Like Reducing Ukraine to Rubble (Bloomberg)
Live Updates: Biden Bans Russian Oil Imports and Major U.S. Brands Close Outlets (New York Times)
The March 2022 Security Update Review (Zero Day Initiative)
EU countries call for cybersecurity emergency response fund -document (Reuters)
Annual Threat Assessment of the U.S. Intelligence Community (Office of the Director of National Intelligence)
PTC Axeda agent and Axeda Desktop Server (CISA)
AVEVA System Platform (CISA)
Sensormatic PowerManage (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Zelensky addresses the House of Commons,
cyber operations in Russia's war against Ukraine,
Chinese cyber espionage campaigns hit six U.S. state governments,
a surge in mobile malware,
Joe Carrigan looks at de-restricting your software,
our guest Bob Dudley discusses cyber attacks against the European energy sector,
and a quick look back at Patch Tuesday.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, March 9th, 2022.
Ukrainian President Zelensky addressed the British House of Commons by video link yesterday.
He thanked the UK for its support and struck a deliberately Churchillian note, quote,
We will not give up and we will not lose.
We will fight to the end in the sea, in the air.
We will fight for our land, whatever the costs.
We will fight in the forests, in the fields, on the shores, in the streets.
End quote.
He asked for more support, quote,
Please increase the pressure of sanctions against this country
and please recognize this country as a terrorist state, end quote.
The Telegraph reports that the MPs gave him a standing ovation.
Western nations, which include a number of geographically eastern
nations, have increased their sanctions against Russia, moving to block or at least significantly
limit Russian oil and gas exports. Augmenting these formal sanctions has been a widespread
exit of private companies from Russian markets. That exit extends across many, perhaps most,
sectors. The effect on the Russian economy is already significant.
Market Insider reports that Fitch has cut its rating of Russian debt from B to C
and warned that default on Russian sovereign debt is imminent.
The cyber phases of Russia's hybrid war continue to be far more limited and restrained than most had expected.
An analysis in the Washington Post argues that this was to be expected, that offensive cyber
operations have never been a war winner, and that therefore Russia's mingy DDoS and defacement
attacks were about what we should have expected. There's something to the analyst's skepticism concerning cyber not being decisive,
but then it's not usually the case that a particular capability in a particular domain
is decisive. No one would seriously question the combat value of air power, but it would be
difficult to make the case that air power alone has ever been decisive, and simple lack of decisive effect wouldn't seem to rule
out the use of any capability. The analyst points out that earlier Russian disruptions of
the Ukrainian power grid were temporary and relatively quickly remediated. But disruption
of a grid, even if it lasts only a matter of hours, could be of considerable value in supporting a tactical operation.
So the mystery remains.
Why hasn't Russia so far executed the disruptive attacks it's shown itself capable of,
or the destructive capabilities that, in all probability, it has?
For all that, U.S. and European policymakers continue to watch for a significant increase in the Russian cyber threat,
waiting, as The Record puts it, for the other shoe to drop.
In the EU, Reuters reports, the telecommunications ministers of the 27 members have called upon Europe to establish an emergency fund that would be used to respond to major cyber attacks.
Citing the war in Ukraine, the ministers, who will meet today to discuss the proposal, said,
The current geopolitical landscape and its impacts in cyberspace strengthen the need for the EU to fully prepare to face large-scale cyberattacks.
Such a fund will directly contribute to this objective.
The U.S. intelligence community's recently released annual threat report, for example, published as Russia was completing its preparations to invade Ukraine,
highlights the threat in cyberspace,
and suggests that Russia would wish to avoid direct kinetic combat with the U.S.
The report said, quote,
We assess that Russia does not want a direct conflict with U.S. forces.
Russia seeks an accommodation with the United States on
mutual non-interference in both countries' domestic affairs and U.S. recognition of Russia's
claimed sphere of influence over much of the former Soviet Union, end quote. In cyber proper,
even excluding the related problem of what the ODNI calls malign influence, the report says, quote, Russia is particularly
focused on improving its ability to target critical infrastructure, including underwater
cables and industrial control systems, in the United States as well as in allied and partner
countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.
Russia is also using cyber operations to attack entities it sees as working to undermine its
interests or threaten the stability of the Russian government. Russia attempts to hack
journalists and organizations worldwide that investigate Russian government activity and,
in several instances, has leaked their information.
End quote.
Researchers at Mandiant report that the Chinese government threat actor APT41,
also known as Barium, Winnti, or Wicked Panda,
has succeeded in gaining access to the governments of at least six U.S. states.
Some of the attacks exploited Log4J vulnerabilities.
The campaign's goals are unclear, but there seems to have been some attempt to collect personally identifiable information.
This might serve espionage, but APT41 has also been known to engage in financially motivated APT side hustles.
Security firm Proofpoint describes a surge in mobile malware afflicting Europe in particular,
up by 500% since last month.
They say, quote,
Most mobile malware is still downloaded from app stores,
but over the past year or so,
we've seen an increase in campaigns that use SMS and mobile messaging as their delivery mechanism.
Of the two big mobile smartphone platforms,
the latter is a far more popular target for cybercriminals, end quote. The common strains of malware being observed
include FluBot, TeaBot, TangleBot, MoqHao, BRATA, TianySpy, and KeepSpy.
The Zero Day Initiative summarizes yesterday's Patch Tuesday.
Microsoft issued 71 patches in addition to the 21 issues Microsoft Edge fixed earlier this month,
which brings the total number of March fixes to 92.
Three of the vulnerabilities are rated critical,
which the Zero Day Initiative thinks for the second month running is curiously low.
Sixty-eight others are rated important.
Adobe issued three patches that affected Adobe Photoshop,
Illustrator, and After Effects.
None of these vulnerabilities is known to be under active attack in the wild either.
And finally, CISA issued three ICS security advisories yesterday.
So, get out there and get patching, friends.
Bob Dudley is former CEO of BP and is currently chairman of the board of directors at risk management software provider Axio. I checked in with him for insights on the European response
to cyber threats to critical infrastructure, especially given the ongoing situation in Ukraine.
Well, like we saw in North America with the Colonial Pipeline, and we've seen the indications are that ransomware attacks
do appear to be opportunistic. They are, of course, to make money. They appear to be emanating from
Eastern Europe or Russia or in those areas.
No one's quite sure.
Oftentimes, in an attempt to raise money, it's a little bit like they're not quite sure of the tiger they've grabbed by the tail.
So they may not have full understanding of the implications it has for movement of fuel.
And it isn't apparent to people that this is really to disrupt fuel
movements. It's to make money. But sometimes the economic impacts are so great that they actually
don't want that sort of attention. So it's hard to say right now. And of course, I think everyone
is a bit on edge due to the situation in Ukraine.
How has that affected the industry? I suspect there's enhanced vigilance at this moment?
Well, yes. Cyber is something you should always have vigilance on all the time.
Governments have issued warnings to not only energy, but all industry and all companies
that they should expect a heightened level of cyber activity, and they should be absolutely vigilant and ready
to respond. So, at the moment, you know, companies have their defenses. They have their ways of doing
this, and I think they've got their finger on the triggers and the buttons to be able to respond.
And, you know, for your listeners, sometimes I call it, you know, be ready to unplug things.
And it's not exactly what happens.
But be able to separate your systems very, very quickly so things don't spread through.
And I know there's a heightened level of awareness.
And to be honest, companies have different levels of preparedness here.
Big companies tend to have large teams that can be ready.
Smaller companies. And like some of the stuff that's happened recently in terms of distribution of fuel, these are not really large companies.
Hopefully, there will be a dissemination of lessons learned from this around industry and energy.
What about on the diplomacy side of things? I mean, are we seeing, you know, pushes from governments that these
sorts of things, critical infrastructure should be off limits for this sort of privateering on
behalf of the bad guys? Well, I think it's hard to put your finger on who the bad guys are. I mean,
you know, there are those that believe it's opportunistic people trying to raise money
and take money for ransom. And there are some that believe it's connected to state actors.
And I think maybe there's a combination of both.
I think the big question in terms of diplomacy is also from governments signaling, you know, they can respond as well.
And so do you want to set off a tit-for-tat set of responses?
And what do you want to let other governments know? I don't know of a single state actor in this country that has yet admitted that any of these things are related to the state.
And so that makes diplomacy quite tricky if they would be involved.
Yeah, I mean, it's an interesting situation, isn't it, where you have these private companies,
but obviously the protection of critical infrastructure is of a national interest.
Is it fair to say that makes some of the lines a little fuzzy?
Yes, of course it does.
And the legal lines here are also, and regulatory lines are also a bit fuzzy.
You know, I'll take the United States, which has, you know, probably the most, be kind here, the most developed litigious system in the world.
So companies can be held liable even if they're doing everything correctly.
It's less so in Europe, which is why I think there's more information sharing.
But there is a lot of – it's not only infrastructure, critical infrastructure.
It's also about customer data, and energy companies are involved in that.
And there's huge fines in both Europe and the U.S. if customer data is somehow compromised.
So, it creates, and governments rarely tell a company what to do. They want to know what's going on, but they can't give them
advice. You know, do you pay ransomware? If you pay ransomware to sanctioned organizations or
individuals somewhere, then a company can be subject to somehow cooperating
on this and have fines.
So we have ways to evolve both yet to evolve in Europe and in North America between government
and companies on exactly how to respond and what to do.
That's Bob Dudley.
He's former CEO of BP and currently chairman of the board of directors at risk management software provider Axio.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Article caught my eye.
This is from Paul Ducklin over at the Naked Security blog from Sophos.
Good old Duck, yep.
And it's titled, Ransomware with a Difference: De-restrict your software or else. What's going on here, Joe?
Well, it's all about cryptocurrencies, Dave. Some cryptocurrencies like Bitcoin and Ethereum
and others that are based on similar technologies have a model called proof of work
in order to determine who gets to create the next block.
Okay.
And that process is called mining.
And that process is essentially a hashing algorithm
where you have to get a hash below a certain value.
Okay.
That is, for all intents and purposes,
effectively a random process.
All right.
Meaning that you have to demonstrate that you've done enough work to find this to merit putting a block on the chain.
Okay.
Now, it's done all throughout the network.
So, the first person to find the next block wins, and they actually get a cryptocurrency reward given to them.
Okay.
So, that's a financial incentive.
So people go out and they buy these graphics cards because your CPU can do the work,
but a graphics card can do it a lot faster.
And this whole process is extraordinarily computationally intensive.
Very computationally intensive.
Right.
Exactly.
Okay.
And it's computationally simple as well.
So it's a lot of work that can be done by small processors
like the thousands of processors, stream processors that are in a GPU.
Right. So massive parallel processing versus the more serial processing that goes through a regular CPU.
Correct.
The GPU are massively parallel.
Correct.
Right. Okay.
So that means people can actually go out and buy a $1,500 graphics card and make a profit off of it. What does that do
to the graphics card market? Oh, I can tell you. I have a friend who does 3D rendering. He does
animation for NASA. And they have, for a couple of years now, had a real hard time buying graphics
cards that they need to do their work because they're all getting scooped up by the crypto miners. It's remarkably difficult. Yeah. And the prices have gone through the roof.
Right. I bought a GTX 1080 four years ago, five years ago. Yeah. It was 700 bucks. Okay. The
current price for a comparable line model is like 1,600 bucks. Wow. And that's retail. Yeah.
So I still run my GTX 1080. Okay. The crypto mining has jacked this up. So
Nvidia's response to this was May of last year, they started putting hardware into these cards
that allowed them to limit the hash rate. When the card sees that it's doing hashing of Ethereum
blockchain, it limits the hash rate. And that is a change that can be activated by a driver.
So NVIDIA was saying, in order to do a better job with supply and demand,
we're going to make these cards less attractive to crypto miners.
Exactly.
So that the folks who need them as GPUs, gamers or animators or whoever, they will be able to get their hands on them.
Absolutely.
Okay.
That's exactly right.
All right.
Now, they're also marketing a new crypto mining line as well based on similar processors.
But this doesn't do any video output.
It just does crypto mining.
I see.
Now, those cards are five grand.
Yeah.
Right?
Premium cards.
Right.
Okay. So somebody was irritated by NVIDIA doing this and they have broken into NVIDIA's systems
and they claim to have downloaded a terabyte of data. And now they're threatening NVIDIA
with releasing this data if NVIDIA doesn't disable what they call LHR,
which is limited hash rate, I think.
So now NVIDIA has a, I guess, a dilemma?
I mean, do they?
I mean, it's a new wrinkle on ransomware, right?
Rather than asking for money, they're asking for a feature to be enabled.
Right.
Or asking for the feature to be disabled, the hash rate limiting feature to be disabled.
Right. Now, here's the interesting dynamic here, right? Normally, I say
you should never let the threat of a data release be part of your calculus for whether or not you
pay the ransom or comply with the demands, right? Okay. But here's the thing. NVIDIA actually could say, okay, we'll comply with your demands if you never release
our data. But if we ever see that data released, we're going to go ahead and just reissue the
patch. I don't know if that will have any impact. That's my initial assessment.
You could have a bunch of unpatched systems that are not connected to the internet that
wouldn't get an automatic firmware update.
Right.
So they would be fine.
Yeah, they would never be there again.
But on the other hand, like anything in electronics, GPUs, they age.
Right.
And today's hot GPU is not yesterday's hot GPU and not tomorrow's hot GPU.
Correct.
So there's that as well.
Yeah, so NVIDIA does have leverage here if they decide they're going to comply.
I don't think they're going to comply.
Yeah.
And I'm not sure I would comply for this.
You know, one of the big problems right now is we're having a hard time getting chips.
You know, NVIDIA is no different. They just cannot meet the demand that's caused by these cryptocurrency miners out there.
The cryptocurrency miners are, whenever they see a card, they'll buy it up because they do the calculation and they find out that there's a return on investment.
Yeah.
So they just buy them up.
Scalpers go out and they buy the cards and then wait for the supply to run out and then charge double to gamers or to miners for the cards.
The people who get the, you know, who take it here the worst are the people who just want to buy a graphics
card for playing games. Right. You know, and I have done cryptocurrency mining. I don't do it
anymore. I just, it's just not profitable. So no sense in me doing it. Yeah. It's interesting that
they're not blocking Bitcoin mining though, but I don't think Bitcoin mining is at all profitable
because there are actually hardware miners that do a really good job of mining Bitcoin.
Yeah. Well, there's also the environmental consideration.
That's a different concern.
The amount of power that's required to do all of this is extraordinary.
If there were only five people in the world, or even if there were only a million people in the world, or a million processors in the world who were doing the proof-of-work
effort, then this would not be an issue. But now there are billions of processors doing it.
Yeah.
There are mining pools out there that collaborate on these proof-of-work things.
There's another way you can determine who generates the next block, and that's with an
algorithm called proof-of-stake, where that doesn't require nearly the amount of power.
I mean, it's orders of magnitude better for the consumption of power. There are cryptocurrencies out there that are proof of
stake as opposed to proof of work. Of course, there's always the talk amongst the users of
these cryptocurrencies and the development community, whether or not they should move
from a proof of work to a proof of stake. I think that's something that should definitely be considered by all of these currencies.
Yeah, yeah.
All right.
Well, it's an interesting story for sure, as I say, a wrinkle on ransomware.
It's going to be really interesting to see how this unfolds.
Yeah.
I'll make a prediction.
I don't think NVIDIA caves.
Yeah.
All right.
Again, that's over on the Naked Security blog by Sophos.
Paul Ducklin wrote that one.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Thanks for listening. We'll see you back here tomorrow.