The US and EU seek to shore up cybersecurity as Russo-Ukraininan tensions run high. NIST updates secure system standards. Ransomware exploits Log4shell. Dog bites man: fraud in social media.
Dave Bittner: The U.S. issued an alert over the prospect of Russian cyberattacks, and the EU begins a series of stress tests. NIST updates its guidance on engineering trustworthy secure systems. Night Sky ransomware exploits Log4shell. Phishing affects a hotel chain. Carole Theriault examines international efforts to stop digital fraud. Ben Yelin on the Seattle police faking radio chatter. And we're shocked - shocked - to learn of fraud and piracy on a social media platform.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 12, 2022.
Dave Bittner: Tensions between Russia and Ukraine have prompted authorities in both the European Union and the United States to take steps to shore up their cybersecurity in anticipation of possible conflict. We'll take up the U.S. measures first.
Dave Bittner: Yesterday afternoon, the U.S. Cybersecurity and Infrastructure Security Agency issued a joint warning with the FBI and NSA - Alert (AA22-011A), Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA Director Jen Easterly tweeted a brief commendation of the joint advisory her agency issued yesterday in conjunction with the FBI and NSA. Quote, "Russian state-sponsored malicious cyber activity is a continuing threat to our critical infrastructure - why we're working closely with public and private sector partners to reinforce the importance of vigilance against these threats. Read our latest advisory," end quote. Stressing vigilance, NSA Cybersecurity Director Rob Joyce emphasized in this tweet, "logging is key. With Russian focus on persistent access to compromised networks, you need robust logs and focused effort to hunt, find and kick them out," end quote.
Dave Bittner: The alert doesn't call out the threat of Russian military operations against Ukraine as the proximate cause of the warning, but its timing seems hardly coincidental, and the trade press isn't reading it as coincidental, either. The summary says, quote, "this CSA provides an overview of Russian state-sponsored cyber operations, commonly observed tactics, techniques and procedures, detection actions, incident response guidance and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats," end quote. The alert is directed toward critical infrastructure providers, but its recommendations have broad application to any organization that faces a risk of cyberattack. At a high level, those recommendations are summarized as follows. Patch all systems. Prioritize patching known exploited vulnerabilities. Implement multifactor authentication. Use antivirus software. And develop internal contact lists and surge support. CSA and its partners have provided, at the very least, a detailed overview of past Russian cyberattacks - and there's no ambiguity in the alert's attributions - as well as advice on the tactics, techniques and procedures organizations can use to help secure themselves. Those responsible for cybersecurity anywhere and in any kind of organization should give this alert close attention.
Dave Bittner: Reports of U.S. and NATO talks with Russia over Russian preparations to invade Ukraine are not optimistic. The Moscow Times' coverage is representative, as is the AP's, and it seems worth noting that most of that negative assessment comes from the Russian side. Russia is concerned about NATO encroachment into what it regards as its proper security sphere of influence. NATO and the U.S. are concerned over an expansion of Russian aggression against its neighbor. That aggression is conventionally held to have begun with the Russian annexation of Crimea in 2014.
Dave Bittner: Western powers have offered Ukraine various forms of support. The New York Times has reported that the U.S. and U.K. have lent expertise to Ukraine intended to shore up that country's power grid against disabling cyberattacks of the kind Russia has mounted before. The U.S. has also, according to CNN, allocated some $200 million in security assistance for Kyiv, which has said, according to Reuters, that it's united with Washington against Moscow. Both Russian and Ukrainian forces remain in a high state of readiness. Since cyber operations in wartime amount to combat support, the increased risk of kinetic war carries with it an increased risk of action in cyberspace.
Dave Bittner: To turn to the EU, it's begun a series of exercises designed to assess its ability to withstand cyberattacks. Bloomberg reports that the EU's member states are holding a series of cyber stress tests this week designed to check Europe's resiliency to attacks on supply chains and to give them the ability to redress any shortfalls they discover.
Dave Bittner: Quote, "The exercise will be structured around a gradual escalation toward a major crisis that culminates in an attack that could qualify as an armed aggression under the United Nations Charter, according to one of the documents. In order to be as realistic as possible and better prepare the bloc for a real-world attack, it will be modeled on incidents that have taken place or could occur in the near future," end quote. That's according to Bloomberg. The exercises were proposed by France.
Dave Bittner: More of the CyberWire's coverage of Russo-Ukrainian tension can be found on the CyberWire website.
Dave Bittner: Routine government work on cybersecurity has continued during the current period of rising tension. CISA yesterday published an industrial control system advisory on Johnson Controls VideoEdge.
Dave Bittner: And the U.S. National Institute of Standards and Technology has issued a revision to its cybersecurity guidance, Engineering Trustworthy Secure Systems. NIST says in its introduction, quote, "With the continuing frequency, intensity and adverse consequences of cyberattacks, disruptions, hazards and other threats to federal, state and local governments, as well as private sector organizations, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States," end quote.
Dave Bittner: The 207-page document builds upon earlier standards documents, and NIST has asked for comment. "The objective," NIST explains, "is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to help ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor throughout the system life cycle," end quote.
Dave Bittner: BleepingComputer reports that the Night Sky gang, whose malware is held to be a fork of Rook, has been exploiting the Log4shell vulnerability in exposed VMware Horizon systems to conduct ransomware attacks against its victims. Microsoft has a detailed account of the exploitation, which it attributes to the China-based group it tracks as DEV-0401.
Dave Bittner: The investigation into the ransomware double-extortion attack against the Nordic Choice hotel chain, now more than five weeks old, has determined that the criminals got into the chain's systems through a successful phishing email. The Wall Street Journal reports that Nordic Choice continues to recover from effects of the attack's data breach.
Dave Bittner: And finally, we see again the usual human propensity to abuse whatever it can on full display in social media.
Dave Bittner: Security firm Tenable this morning reported that YouTube Shorts, Google's short-form vlogging platform that competes with TikTok, is being used for a variety of fraudulent purposes. As Tenable rather primly, but aptly, observes, YouTube Shorts has become a haven for adult-dating scams and the promotion of dubious products - mostly bogus diet aids. It has also been used as a short-cut to increase online social currency, such as subscribers and video views, Tenable says, in an interesting if dispiriting account of what it found.
Dave Bittner: So it's basically TikTok, right? I mean, no one is going to confuse any TikTok content with, oh, say, Plato’s dialogues - not even the Symposium. So fraud and sleaze are par for the course.
Dave Bittner: But this case piles injury upon injury because much of that sleazy content is pirated from TikTok itself. The piracy and fraud are, of course, the work of users, not Google, which can be accused at worst of being lax in policing content on the platform. We confidently await the arrival of content flacking colloidal silver or one weird trick to - well, you get the picture.
Dave Bittner: International agencies around the world are stepping up their efforts to combat online fraud, increasing their collaboration and information sharing. Our U.K. correspondent Carole Theriault has the story.
Carole Theriault: Sometimes in the world of cyber and security and privacy and scams, we need a good news story - something to make us feel like the good guys are getting ahead sometimes. So we're celebrating Interpol, the international policing agency. They have had a hand in more than a thousand cyber criminals getting arrested. Better yet, they recovered 27 million U.S. dollars in illegal proceeds.
Carole Theriault: The crackdown saw law agencies across 20 different countries close 1,600 cases and block more than 2,000 bank accounts tied to fraudulent, illicit funds. This is things garnered through romance scams or financial scams, and they did all this in just four months, from June 2021 to September '21. The reason they had their international crackdown skates on was because coronavirus brought with it a surge of online nasties. Interpol Secretary General Jurgen Stock said it showed no signs of waning. In a single case in Colombia, explains Interpol's press release, a prominent textiles company found itself defrauded of more than $8 million U.S. through a sophisticated business email compromise scam, what we call BEC. The perpetrators impersonated the legal representative of the company, giving the order to transfer more than $16 million to two Chinese bank accounts. Half of the money was transferred before the company uncovered the fraud and alerted Colombian judicial authorities, who quickly contacted Interpol's Financial Crime Unit through their National Central Bureau.
Carole Theriault: This is where international police cooperation was activated between Interpol bureaus in Beijing, Bogota and Hong Kong to freeze the transferred funds. Over 94% of the money was intercepted in record time, saving the Colombian company from bankruptcy. In another case, a company in Slovenia was duped into transferring more than $800,000 to money mule accounts in China. Again, the Slovenian Criminal Police opened an investigation and reached out to their foreign counterparts through Interpol. The National Crime Bureau and Beijing allowed local authorities to successfully intercept and return the stolen funds to Slovenia in full.
Carole Theriault: So what's behind all this? Well, it's technology. The operation saw Interpol officials pilot test a new global stop payment mechanism called the Anti-Money Laundering Rapid Response Protocol, or ARRP. And this tool proved critical to successfully intercepting funds before they disappeared into crypto or wherever. Interpol Secretary General Stock said it also underlines the essential and unique role played by Interpol in assisting member countries combat a crime which is borderless by nature. Only through this level of global cooperation and coordination can national law enforcement effectively tackle what is a parallel cybercrime pandemic. Huh. Who knew that cooperation could work? Well, Interpol is looking to officially launch its ARRP tool in 2022, and based on the success shown in just four months, we could see life getting a little more difficult for scammers and thieves who have basically gotten away with tons of stuff simply because they're located in another geography. So there you go. A happy news story. The good guys get a win. Love it. This was Carole Theriault for the CyberWire.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting story caught my eye here. This is from The Seattle Times, an article written by Daniel Beekman, and it's titled "Seattle Police Faked Radio Chatter about Proud Boys as CHOP Formed in 2020, Investigation Finds." Unpack this, Ben, for me here. What's going on?
Ben Yelin: So during the 2020 post-George Floyd racial justice protests, you know, this was a very anxious time. There are a lot of anxieties in cities across the country. Certain protests turned violent. So, you know, we were in a pretty precarious moment. And what happened in Seattle is members of the Seattle Police Department started a ruse on police radio claiming that members of the far-right group Proud Boys were present in the area, were armed and were going to be threatening people in the CHOP. It was the Capitol Hill Organized Protest. This feels like a long time ago now, but that was, like, the area that protesters had occupied.
Dave Bittner: OK.
Ben Yelin: And so, you know, people were listening to police radio, people who were part of these racial justice protests, and they were very alarmed at what they heard, saying, you know, we're going to have these violent armed Proud Boys people coming in. And that's going to be, you know, causing a lot of anxiety and potentially adding fuel to the fire. It turns out that this was part of a approved police operation, a misinformation effort, to kind of lure people to the area and, you know, make arrests of people who were seeking confrontation. You know, generally, this is legal. Police have a lot of leeway in conducting investigations. You know, if you're detained, they can generally lie to you that...
Dave Bittner: Right. I was going to say, they're allowed to lie.
Ben Yelin: Yeah. You know, your co-conspirator just ratted you out, so, you know, and they can say that even if it's not true. So they do have a lot of leeway here. This seems rather unethical, I would say, even if it's not illegal. And I think we've seen some pushback from the Seattle City Council and other stakeholders within the city of Seattle that the police should not be causing additional harm on top of what was already a very tense situation.
Dave Bittner: Well, the thing that struck me about this story, additionally, is something you and I have spoken about on "Caveat" before, is how many police organizations are looking to encrypt their communications.
Ben Yelin: Right.
Dave Bittner: They're looking to take away the public's ability to monitor these communications. That would be contrary to this particular effort here.
Ben Yelin: Right. You wouldn't be able to propagate this ruse if your communications were encrypted unless, you know, we got a situation that without anybody knowing, the real police communications are encrypted...
Dave Bittner: (Laughter) Right.
Ben Yelin: ...And then what's, you know, supposedly the public police channel or, you know, the blotter or whatever is actually all a ruse intended to deceive the public. But you're right. I mean, law enforcement has done things like this in the past, and they wouldn't be able to do so if the public wasn't able to access those lines of real-time communications.
Dave Bittner: Would the police be within their bounds to release, say, a press release ahead of an event that said, you know, we've been notified that, you know, this - that the Proud Boys or some other group is going to be at this event, and even if that were not true, is that - I'm just trying to extend this, you know, beyond the - sort of that real-time radio communications realm.
Ben Yelin: I don't really know from a legal perspective, but I feel like that - you know, a press release has to be approved by the higher-ups, probably a politically appointed police chief, and I just don't think you could get away with that.
Dave Bittner: Yeah.
Ben Yelin: Whereas when you're propagating a ruse over radio channels that's intended to lure a certain subset of protesters, that's something that's a little more, you know, away from the public eye, at least in real time. You know, so I don't know if there are any legal limits on doing that. Usually, police departments are not held accountable for even instances that really seem like entrapment. So there is this incident in 2020 where there was a plot in Michigan - or supposedly among people who were radicals, radical right-wing extremists, threatening the governor of Michigan, Gretchen Whitmer, with violence.
Dave Bittner: Oh, yeah. Yeah.
Ben Yelin: And we later found out that that was largely coordinated by people who are undercover agents. It wasn't entrapment because there were still people who were willingly participating in it who were not agents, but it was awfully close to entrapment. So I think it really is a fine line, both legally and ethically, in terms of how much you're using a ruse to try and prevent crime and how much you're just kind of causing crime to happen in the first place.
Dave Bittner: Right. And I suppose, you know, reporting like this from Daniel Beekman of The Seattle Times is important to both put the police force on notice that this sort of thing will be reported on, but also future protesters will know to take radio communications with a grain of salt.
Ben Yelin: Right. Yeah, don't always take them literally, just as you - you know, everything they tell you in an interrogation room, can't take that literally, either. So...
Dave Bittner: (Laughter) Right.
Ben Yelin: And, again, you know, sometimes that's part of really good, important law enforcement work. I think in this circumstances - to me, it just doesn't seem justified because the person who came up with this idea said that he did it so - because he knew people were monitoring police radio transmissions, and he wanted to give people the impression that, quote, "we had more officers out there doing regular stuff." I don't know that goal - that that goal really justifies propagating this ruse, in my opinion.
Dave Bittner: All right. Well, the story is from The Seattle Times. Again, it's titled "Seattle Police Faked Radio Chatter About Proud Boys As CHOP Formed In 2020, Investigation Finds." Ben Yelin, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.