The CyberWire Daily Podcast 1.7.22
Ep 1490 | 1.7.22

Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). More on Log4j. Ransomware hits school website provider.

Transcript

Dave Bittner: Kazakhstan shuts down its internet as civil unrest continues. The U.K.'s NHS warns of unknown threat actors exploiting Log4j bugs in unpatched VMware Horizon servers. In the U.S., CISA continues to assist federal agencies with Log4j remediation, and observers call for more government support of open-source software security. A major provider of school websites is hit with ransomware. Our guest is John Belizaire of Soluna Computing with a new approach to data center efficiency. Thomas Etheridge from CrowdStrike on supply chain risks. And the U.S. extends the deadline to apply for grants in support of rip and replace.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 7, 2022. 

Dave Bittner: As widespread unrest and an increasingly violent government response continue in Kazakhstan, that country's government has cut back internet services to an effective blackout level. Netblocks says that the interruption, which began Wednesday at about 5 p.m. local time, has also affected mobile and some fixed-line telephone services. This morning, service had flatlined at 55% of normal levels.

Dave Bittner: President Kassym-Jomart Tokayev, who has requested and received military support from the Russian-led Collective Security Treaty Organization of former Soviet republics to put down civil disorder, opened up mass communications long enough to deliver an address explaining the steps his government is taking. The CSTO includes Armenia, Belarus, Kazakhstan, Kyrgyzstan and Tajikistan in addition to Russia. 

Dave Bittner: Shutting down the internet has now become a routine step in coups and crackdowns, the equivalent of the 19th century seizure of printing presses and the 20th century's takeover of the radio stations. This, however, pales in comparison to the kinetic violence in Kazakhstan, where President Tokayev has issued, Reuters reports, a shoot-to-kill order to forces confronting rioters. 

Dave Bittner: One consequence of the internet blackout in Kazakhstan has been a disruption of cryptocurrency mining in that country. After China cracked down on coin mining in 2021, many coin miners set up shop in Kazakhstan, which became the world's second largest center of altcoin mining after the U.S., which moved into first place after Chinese restrictions came into effect. CNBC reports that the disruption of mining in the Central Asian country has already had an effect on bitcoin prices. 

Dave Bittner: The U.K.'s National Health Service has issued a warning that unknown threat actors are working to exploit vulnerable VMware Horizon servers to set up web shells in their victims, thereby establishing persistence in their targets. VMware was quick to respond to notification of Log4j vulnerabilities, and its products have received appropriate upgrades. Nonetheless, as The Record points out, a non-negligible number of users haven't yet updated their software, and the threat actors are misbehaving accordingly.

Dave Bittner: NHS doesn't identify the threat actor whose behavior it describes. And, indeed, there may not be any single actor responsible for the attempts.

Dave Bittner: Duo Security's Decipher says that there is more than one bad actor engaged in this kind of exploitation. Quote, "since the first disclosure of the Log4j bug, a wide variety of attack groups have been exploiting it. APT groups, lone actors and cybercrime groups all have been seen exploiting one or more of the Log4j flaws that have been disclosed in the last few weeks," end quote.

Dave Bittner: Duo's Decipher also points out that while the U.S. Cybersecurity and Infrastructure Security Agency has indicated that the agencies it oversees are now in general compliance with Emergency Directive 22-02, the agency has been tight-lipped about details of compliance. This is understandable in what CISA characterized to MeriTalk yesterday as an ongoing process of remediation, and the agency intends to issue a cross-agency status report by February 15.

Dave Bittner: The experience of finding and fixing Log4j vulnerabilities has demonstrated how complex the software supply chain is and how complicated the process of vetting it will inevitably be. As ZDNet puts it in writing about this particular case, quote, "the Log4j flaw for Java web applications will haunt tech people for years," end quote. An essay in Politico argues in part that Log4j has exposed the limitations of the self-correcting evolutionary model of security that's long informed the open-source community's practices. 

Dave Bittner: You can follow the CyberWire's ongoing coverage of the Log4j vulnerabilities on our website. 

Dave Bittner: BleepingComputer reports that Finalsite, a major provider of web services to schools, has acknowledged sustaining a ransomware attack that's interfered with its ability to deliver services to its customers. The company had earlier characterized the incident as disruption of certain computer systems on Finalsite's network. Finalsite is based in the U.K., but it provides services to schools worldwide, claiming to serve 8,000 systems from elementary schools to universities in 115 countries. 

Dave Bittner: The ransomware incident led Finalsite to take down some 5,000 school websites. The company said, quote, "the Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment. We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists and began proactively taking certain systems offline," end quote. Recovery and investigation continue. 

Dave Bittner: CISA has continued to issue updates on ICS systems. The agency yesterday released four industrial control system advisories covering Philips Engage Software, Omron CX-One, Fernhill SCADA Server and IDEC Programmable Logic Controllers. 

Dave Bittner: And there's been another update from the U.S. government on its rip-and-replace program designed to eliminate Huawei and ZTE equipment from smaller communications infrastructure providers' networks. The Federal Communications Commission's Secure and Trusted Communications Networks Reimbursement Program has extended the application deadline for rip-and-replace until the end of this month. The application deadline has been moved to January 28, 2022 at 11:59 p.m. Eastern Time. Rural telcos, contact the FCC for details. 

Dave Bittner: It's common knowledge that data centers consume a lot of energy both for running the equipment inside and for keeping that equipment cool. And hooking them up to the more green sources of energy, like solar or wind power, presents the well-known challenge of, well, what do you do when the wind isn't blowing or the sun isn't shining? 

Dave Bittner: Soluna Computing is an energy startup that's taking a novel approach to powering data centers with renewable energy, built on the notion that not all computing needs to happen right away. John Belizaire is CEO of Soluna Computing. 

John Belizaire: What we're saying is, what if you built a completely different type of data center that wasn't designed to be on 24/7? It actually was designed to be less - on less than 24/7 and could match its consumption load that it brings to the grid to the actual production of the power plants on the grid. In fact, what if you placed that data center right at the power plant, and when there is wasted and spilled power, that data center would consume that spilled power and allow the power plant to balance itself better to the grid needs, and therefore you could put more of these power plants on the grid? 

John Belizaire: And that's what we're doing at Soluna. We're building specifically designed facilities that are based behind the meter, if you will. They consume wasted energy, so we bring load to places where you need that load. And inside those facilities, we put different types of computing applications in there, computing applications that can be paused that are running jobs that are OK essentially matching their - the energy that's available.

Dave Bittner: Would you be handing off processing jobs from data center to data center as the conditions were right around the world? Is that one component of what will be going on here?

John Belizaire: Actually, what we do is we've looked at all of the different types of applications out there. So let's say you're a CIO of a big financial services organization or a big corporation. You've got different types of compute load inside your organization. You have one type that's mission critical, has to be on all the time. Your email service can never go down. Your financial services app or ERP applications always have to be up. What you want to do is place those applications in a regular data center. 

John Belizaire: And then you've got a whole new set of applications that are fast emerging - applications for modeling your business, for example, that are powered by machine learning. You might have applications that are AI applications that help you determine which movie to show your customer next. Or you might have other applications that are focused on helping you find the next cure to the next global pandemic, where it's processing molecules and trying to find matches for how we might address, say, a particular new deadly virus. 

John Belizaire: What we're saying is those two types of jobs - one is real-time, and one is batchable. What if you took the batchable ones, group them together and built data centers specifically designed just to run those types of applications and then connected those data centers to real renewable energy resources on the grid and built an entire network of these data centers around the world? 

John Belizaire: Well, now you can create this very large zero-carbon cloud platform that's powered directly by green electrons that can deliver advanced computing processes to the global enterprise, to universities, to pharmaceutical companies, to movie houses, to streaming services, etc. at a much lower cost than you can from an Amazon, let's say, and really help save the planet in the process. 

Dave Bittner: Is it ever a challenge getting folks to wrap their head around the notion that, you know, not all processing has to happen right now? 

John Belizaire: It does, yeah. I think most people believe that computing is a continuous stream of activities. I think part of it is because we're now so used to computing really being close to our person. We carry pretty powerful machines in our pockets, and they keep us connected all the time. And so, you know, a typical person, if you grab them in the street, wouldn't imagine this concept of computing that's pausable or computing that can be performed in time slices.

John Belizaire: But the truth is that just even to create the real-time experience that we get from lots of applications, it's really a stream of multiple different smaller, you know, pausable elements that are doing their work to participate in that. You know, look at some of the social platforms. You know, to generate your feed, there's an entire AI and machine-learning process that's running just for you to make sure that you're seeing the best content and directing you, perhaps, or influencing you to buy products on certain platforms. That's all being performed by processes that are continuously running.

John Belizaire: But you could stop those processes and move them to another location. And then restart that running in your feed wouldn't even - you know, you as a human wouldn't even notice that. 

Dave Bittner: That's John Belizaire from Soluna Computing. There is a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for "Interview Selects," where you get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. 

Dave Bittner: You know, with Colonial Pipeline getting farther and farther in the background in that rearview mirror as time goes on, I just wanted to check in with you for kind of where we stand at this moment when it comes to supply chain risks. What's your take there? 

Thomas Etheridge: Thanks, Dave. I appreciate you having me again on the show. 

Thomas Etheridge: Yeah, supply chain has been a topic that's been top of mind for firms like CrowdStrike for a long time. Third-party application vulnerabilities and the vulnerability of the supply chain in general have been something that threat actors are able to take advantage of to supersize the impact they can have on their victims. And that's something that we've been responding to as incident response service providers for quite a long time.

Dave Bittner: Where do we stand right now in terms of your recommendations for folks? I'm thinking of the, you know, checklist, the due diligence that they should be doing with their own suppliers. 

Thomas Etheridge: That's a great question. I think for me, I talk to organizations all the time about their vendor-management programs. What are they doing to assess the security capabilities of the technologies and the service providers that are accessing their infrastructure? Are they doing red team-type testing engagements, penetration testing? Are they doing compromise assessments before onboarding a new technology or vendor to make sure that those organizations are not bringing a problem to the relationship? And then lastly, what else can be done from a documentation and a, you know, compliance perspective to make sure those vendors have the ability to respond in the event that there is a vulnerability or a breach?

Dave Bittner: Well, let's talk about incident response itself. You know, when you and your colleagues there from CrowdStrike are brought in in an incident response case, how does all of the communication work between the folks that you're dealing with directly and then their suppliers down the chain? 

Thomas Etheridge: Well, incident response is a team sport, Dave. We talk about this all the time. It does require orchestration and collaboration from all the interested parties. We are having conversations not just with the customer and their legal team and their compliance team and outside organizations that may need to help with communications, but working with the vendors and making sure they understand where some of these risks are at and how we can solve for some of those problems, specifically around things like implementing zero-trust architectures as well as making sure we are looking past the vulnerability into how threat actors might be moving in that infrastructure. 

Dave Bittner: As we look toward this coming new year, any thoughts on where things might head when it comes to supply chains or is it going to be more of the same or is there anything on your horizon that may, I don't know, indicate an evolution of how we deal with these sorts of things? 

Thomas Etheridge: Something we talk to victims about all the time, Dave, is really focusing on post-vulnerability exploitation and the value add of threat hunting. If you assume that a zero-day exploit or a supply chain vulnerability is going to be used by a threat actor - and I think that's a safe assumption given the history and what we've seen over the last few years with some of these supply chain attacks - you need to have the capability to threat hunt on what threat actors are doing after the exploit's been taken advantage of and really building out - whether it's internally or in collaboration and partnership with a third-party organization that provides threat hunting capabilities - the ability to look past the vulnerability and understand the telemetry of the infrastructure and what's going on in the environment so you can respond faster to a threat that's taken place in your environment.

Thomas Etheridge: The other thing that we emphasize as well is the importance of identity and zero trust - a lot of these e-crime threat actors and the big game ransomware hunting type of activities that we see in the market today are precipitated by the use of stolen credentials. Understanding identities and solving for credential theft and poor identity management through the implementation of zero trust capabilities is something we discuss with victims all the time.

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: Don't miss this weekend's episode of "Research Saturday" and my conversation with Rob Boyce from Accenture security reviewing their Karakurt threat group research. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.