At a glance.
- Conti continues to press Costa Rica.
- Bluetooth Low Energy proof-of-concept hack.
- Advice on how to make initial access more difficult.
- Cyber phases of a hybrid war.
- NATO's Article 5 in cyberspace.
Conti's ransomware attack against Costa Rica spreads, in scope and effect.
Reuters reports that the number of Costa Rican organizations affected by Conti's ransomware attack has now grown to twenty-seven. Recently elected President Rodrigo Chaves has said that nine institutions, most of them governmental, were heavily affected, and that the attacks were having an "enormous" impact on foreign trade and tax collection. The governments of Israel, the United States and Spain are all providing Costa Rica with assistance in recovery and remediation, but a lot of work remains to be done.
Conti (and remember, the ransomware gang operates from Russia and with the effective protection of the Russian government) has been crowing large over its malign intentions for the Central American country. “Just pay before it’s too late, your country was destroyed by 2 people, we are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power, you have introduced an emergency,” the gang said in a recent online communiqué quoted by Recorded Future. And, by the way, the ransom demand has gone up to $20 million, and (somewhat irrelevantly) US President Biden is a "terrorist." Costa Rica has refused to pay the ransom.
Bluetooth vulnerabilities demonstrated in proof-of-concept.
NCC Group researchers have demonstrated that Bluetooth Low Energy (BLE) systems are vulnerable to a link-layer relay attack. The news has been generally reported with headlines that point out that crooks could now open and start your Tesla without so much as a by-your-leave, but the problem is more widespread than that. BLE is, NCC Group explains, "the standard protocol used for sharing data between devices that has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more." It's not the kind of problem that can be resolved with a patch. Rather, NCC Group argues, it's the kind of issue that arises when technologies are extended beyond their intended purposes, and BLE, they say, was never designed for use in critical systems. The researchers offer three recommendations, two for manufacturers, one for users:
- "Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer)
- "System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone)
- "Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed"
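The point of the first two recommendations is that a relay forwards a genuine BLE authentication exchange, so the cryptography succeeds and the unlock decision has to rest on something the relay cannot forward: recent physical movement of the key device, or an explicit action by the user. The following Python model is an added example, not NCC Group's code or any vendor's implementation; the timeout value, the class and function names, and the scenarios are illustrative assumptions. It contrasts a passive-unlock baseline with the same decision once a stationary-key timeout and a user-presence requirement are applied.

```python
"""Model of a BLE proximity-unlock decision with relay-attack mitigations.

Added example (assumptions throughout): the stationary check models the
phone/fob refusing to take part in passive unlock once its accelerometer has
reported no motion for a while; the presence check models the lock requiring
an explicit tap in the app. Neither signal is carried in the relayed
authentication exchange itself, which is why they help against a relay.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    UNLOCK = "unlock"
    DENY_NO_AUTH = "deny: BLE authentication failed"
    DENY_STATIONARY = "deny: key device stationary too long"
    DENY_NO_PRESENCE = "deny: explicit user approval required"


@dataclass
class KeyState:
    """State known on the owner's phone or key fob (assumed fields)."""
    last_motion_s: float            # time of last accelerometer movement report
    user_tapped_unlock: bool = False  # explicit approval in the app


@dataclass
class UnlockPolicy:
    """Combined phone-side and lock-side policy (assumed parameters)."""
    stationary_timeout_s: float = 30.0  # illustrative threshold, not a vendor value
    require_presence: bool = False      # second factor / user presence attestation

    def decide(self, ble_auth_ok: bool, key: KeyState, now_s: float) -> Decision:
        # A link-layer relay forwards the genuine challenge/response, so this
        # check passes in every relay scenario below; it is not the defence.
        if not ble_auth_ok:
            return Decision.DENY_NO_AUTH
        # Mitigation 1 (manufacturer): a key device that has not moved is not
        # walking up to the lock, so passive unlock is disabled while stationary.
        if now_s - key.last_motion_s > self.stationary_timeout_s:
            return Decision.DENY_STATIONARY
        # Mitigation 2 (manufacturer): require an action the relay cannot supply.
        if self.require_presence and not key.user_tapped_unlock:
            return Decision.DENY_NO_PRESENCE
        return Decision.UNLOCK


def relay_scenarios() -> dict[str, Decision]:
    """Constructed scenarios comparing policies against a relayed, valid auth."""
    now = 1_000.0
    phone_at_home = KeyState(last_motion_s=now - 600.0)   # idle for 10 minutes
    phone_in_pocket = KeyState(last_motion_s=now - 2.0)   # owner is moving
    owner_tapped = KeyState(last_motion_s=now - 2.0, user_tapped_unlock=True)

    baseline = UnlockPolicy(stationary_timeout_s=float("inf"))  # passive unlock only
    with_timeout = UnlockPolicy()                                # stationary timeout
    with_presence = UnlockPolicy(require_presence=True)          # timeout + tap

    return {
        # Relayed auth from an idle phone: passive unlock opens the lock.
        "baseline_relay_idle_phone": baseline.decide(True, phone_at_home, now),
        # Same relay, but the phone disabled proximity unlock while stationary.
        "timeout_relay_idle_phone": with_timeout.decide(True, phone_at_home, now),
        # Legitimate owner walking up: timeout policy still unlocks.
        "timeout_owner_walking_up": with_timeout.decide(True, phone_in_pocket, now),
        # Relay while the owner is moving elsewhere: the timeout alone is not enough.
        "timeout_relay_moving_owner": with_timeout.decide(True, phone_in_pocket, now),
        # Presence requirement denies the same relayed exchange...
        "presence_relay_moving_owner": with_presence.decide(True, phone_in_pocket, now),
        # ...and unlocks once the owner explicitly approves in the app.
        "presence_owner_tapped": with_presence.decide(True, owner_tapped, now),
    }


if __name__ == "__main__":
    for name, decision in relay_scenarios().items():
        print(f"{name:32s} -> {decision.value}")
```

The fourth scenario is the one worth noticing: the stationary timeout only helps while the owner's device is genuinely idle, which is why the researchers pair it with a second factor or presence attestation rather than offering either alone, and why the user-side advice is to turn passive unlock off where no explicit approval is required.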
CISA and its international partners urge following best practices to prevent threat actors from gaining initial access.
The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners in Canada, the Netherlands, New Zealand, and the United Kingdom this morning issued Alert (AA22-137A) "Weak Security Controls and Practices Routinely Exploited for Initial Access." The Alert describes "common weak security controls, poor configurations, and poor security practices" that are used for initial access, and it recommends particular attention to seven best practices.
- "Control access.
- "Harden Credentials.
- "Establish centralized log management.
- "Use antivirus solutions.
- "Employ detection tools.
- "Operate services exposed on internet-accessible hosts with secure configurations.
- "Keep software updated."
The following sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
An assessment of the current Russian cyber threat.
An op-ed by Akamai in CSO warns that "the cyberwar against pro-Ukrainian countries is real," and then goes on to describe the nature of those threats. They're the sorts of activity that have been much in evidence recently: Russian-aligned cybercriminal gangs engaged in ransomware, and Russian-aligned hacktivist groups engaged in distributed denial-of-service attacks. The author urges organizations to apply sound best practices to protect themselves. Against ransomware the op-ed recommends network segmentation. Against DDoS it recommends "conducting service validations, confirming authorized mitigation service contacts, reviewing and updating runbooks, performing operational readiness drills, and updating your emergency methods of communication."
NATO expansion, and Article 5 in cyberspace.
Sweden this morning joined Finland in formally seeking NATO membership. Prime Minister Magdalena Andersson said Russia’s invasion of Ukraine motivated the decision. “We are leaving one era and moving into another,” the Prime Minister said. “To remain outside of NATO alone, would put Sweden in a very vulnerable position. So the best thing for Sweden’s security and the Swedish people’s security is that we join NATO together with Finland.” Turkey is the sole dissenter within NATO to the admission of Finland and Sweden. Ankara is aggrieved, the BBC reports, by what it perceives as the two Nordic countries' support for Kurdish separatists. All current NATO members must agree to the admission of a new member, and thus continuing Turkish objections would amount to a veto on membership.
With a hybrid war in progress and NATO directly adjacent to that war's active theater of operations, the European Leadership Network has published an essay that argues for greater clarity in how the Atlantic Alliance will execute its commitment to collective defense when the attack comes in cyberspace. The authors offer five recommendations:
- "In the event of adversarial cyberspace actions warranting Article 5 action, the NATO Commander becomes the commander and coordinator for all cyberspace activities, both defensive and offensive, by NATO nations within the area of hostilities.
- "NATO identifies, establishes, prioritises, and continually refines critical infrastructure and key resources within member nations, as well as criteria for what constitutes necessary action for collective responses.
- "NATO identifies limits of activity, or 'red lines' resulting in Article 5 response discussions.
- "NATO members present the NATO Commander intelligence identifying indications, warnings, and attribution of cyberspace attacks, both for response action and, where applicable, public consumption.
- "NATO members present legal constraints and capabilities of nations to the NATO commander allowing maximisation of nations’ capacity and capability."