The CyberWire Daily Podcast 1.26.22
Ep 1502 | 1.26.22

Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. DDoS in the DPRK. DazzleSpy in the watering hole. TrickBot ups its game.

Transcript

Dave Bittner: Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic and other support. North Korea gets DDoSed. DazzleSpy hits Hong Kong dissidents drawn to a watering hole. TrickBot ups its game. A quick look at ransomware trends. Microsoft's Kevin Magee unpacks a recent World Economic Forum report. Our own Rick Howard speaks with Chriss Knisley from MITRE ATT&CK Defender on certifications. And Dame Fortune teaches Michiganders to throw caution to the winds.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 26, 2022. 

Dave Bittner: Russian forces near the Ukrainian border - now estimated in media reports as having stabilized around a troop strength of 100,000 - remain in position as NATO increases its own readiness in the region, although forward-deployed NATO troops number far fewer than the Russian forces on the other side. Ukraine has maintained its own forces in a state of alert, but Kyiv has also, Military Times reports, sought to reassure the public that a Russian invasion, while a serious threat, is neither imminent nor inevitable. A high state of military readiness is nothing new for the country's eastern provinces, which have seen Russian-backed separatist activity since 2014. Fighting, as the AP reports, has continued at a sporadic low level. Ukrainian military capabilities aren't negligible, resembling as they do a somewhat smaller version of Russia's. And an analysis in The Washington Post offers reason to expect that any large-scale combat would be both protracted and painful. 

Dave Bittner: The New Atlanticist has an overview of the current state of play in the Donbass region. Quote, "Bolstering discussions about Donetsk and Luhansk independence may be aimed at putting additional pressures on Ukraine to make concessions to Russia. If Putin decides to recognize these regions as sovereign states, it would put an end to the 2014 and 2015 Minsk peace agreements in which Russia participated as a mediator between Ukrainian government authorities and the self-proclaimed republics. Recognition of the two breakaway regions could also lay the groundwork for Russia to deploy additional military troops there. The Ukrainian defense ministry estimates that there are currently 35,000 separatist fighters and 2,000 Russian regular forces in Donetsk and Luhansk, according to Reuters, though Russia disputes those tallies. Recognition of these territories would also trigger additional Western sanctions against Russia," end quote. 

Dave Bittner: President Putin has said that Ukraine's efforts to restore authority over the area resemble genocide, The New York Times reports. And for all the Russian media attempts to characterize Ukraine as moving toward Nazism, they have convinced few abroad, but they are likely to remain a staple of Moscow's influence campaign. The crisis, as Moscow says it sees it, has been made in Washington and Brussels, where a mixture of calculation and hysteria has convinced Western governments that Russia is a threat to Ukraine. Russian television news outlets have been particularly active in distributing this particular line, Reuters reports. A correspondent for Vesti said in a representative interview, as far as any Russian threat to Ukraine is concerned, quote, "They've invented it. The Americans have been scaring themselves about a Russian invasion for months," end quote. 

Dave Bittner: In the present phase of the conflict, deniable, grey-zone cyber operations are generally regarded as likely. NATO has reaffirmed what it characterizes as its long-standing commitment to Ukrainian cyber defense. A statement from the alliance said, quote, "NATO has been working with Ukraine for years to increase its cyber defenses and will continue to do so at pace," end quote. The same statement also quoted Deputy Secretary General Mircea Geoana on the current crisis in NATO's eastern flank. Quote, "the use of hybrid attacks against Ukraine, including cyberattacks and disinformation, as well as the massing of advanced weapons on its borders, underlines the key role of advanced technology in modern warfare," end quote. 

Dave Bittner: The deputy secretary general, delivering a keynote yesterday at CYBERSEC Global 2022, described the situation with respect to Ukraine as grave and called upon Russia to return to negotiations with the Atlantic alliance. 

Mircea Geoana: Of course, we are all very much focused on the tensions created by Russia in and around Ukraine. And Russia, with neither provocation nor necessity, has amassed over 100,000 troops and advanced weapons to the borders of Ukraine. Although we do not know for sure the intentions of the leadership in Moscow, the potential of invasion in the coming days and weeks is real. In the meeting of the NATO-Russia Council on January 12, all allies spoke with a single voice. They called on Russia to immediately de-escalate the situation and to respect the sovereignty and territorial integrity of its neighbors. They called on Russia to end its aggressive posturing and to stop its malign activities aimed at allies and partners. And the secretary general Jens Stoltenberg has proposed further meetings with Russia. And there are many concrete areas where we can make progress. And we are interested here to give diplomacy a chance. 

Dave Bittner: He emphasized NATO's willingness to seek a diplomatic solution to a crisis he described as being of Russia's own making, but also said that any acceptable solution would have to be consistent with NATO's core principles. 

Mircea Geoana: NATO and NATO allies are ready to engage and listen to Russia's concerns, but will not compromise on core principles on the right of each nation to choose its own path and on NATO's ability to protect and defend all allies. 

Dave Bittner: Finally, he described NATO's response to the recent cyberattacks against Ukrainian government resources. 

Mircea Geoana: We've seen the massive cyberattacks against Ukrainian public institutions. And it is for the Ukrainian authorities to investigate and attribute to what happened. But we all wholeheartedly condemn this attack on the Ukrainian government. The morning of the attack, NATO's cyber experts in Brussels were immediately in touch with the Ukrainian counterparts, exchanging information and offering their assistance. Allied experts in country are also supporting the Ukrainian authorities on the ground. NATO has been working with Ukraine for years to increase its cyber defenses, and we will continue to do so at pace. 

Dave Bittner: These clips are all from NATO's website. 

Dave Bittner: The cyberattack against Global Affairs Canada remains under investigation, the CBC reports. Ottawa has said the incident was contained, and that while services haven't been fully restored, no other government agencies or services were affected. The government hasn't said much about the nature of the incident, nor has it offered any attribution. An official statement said, quote, "there is no indication that any other government departments have been impacted by this incident. This investigation is ongoing. We are unable to comment further on any specific details for operational reasons," end quote. 

Dave Bittner: The timing of the incident, coming as it did as Canadian security services were warning of the possibility of Russian cyberattacks during the crisis over Ukraine, prompted much informed speculation to the effect that Russian organs were responsible - and CBC has an extensive summary of the reasons for thinking so. But, that said, attribution remains unclear, and coincidence remains a real possibility. 

Dave Bittner: The U.S. has devoted considerable attention to the sanctions it might bring against Russia should Moscow carry out its threat against Ukraine. Some of those resemble the U.S. measures against Huawei, but writ large, and designed to cover broad stretches of the Russian economy as opposed to one or a handful of companies. The U.S. is also considering, according to Bloomberg, sanctions directed specifically against Russian President Vladimir Putin. A recent example of what such sanctions might look like is afforded by last week's US Treasury Department action against four Ukrainian nationals accused of working as Russian agents of influence against the government in Kyiv. 

Dave Bittner: Elsewhere in the world, Reuters reports that North Korea's already closely controlled and tightly limited internet has been disrupted by a significant distributed denial-of-service incident for the second time in two weeks. Little information, still less any attribution, is available, but Reuters notes that the timing of the outages may be significant - they've occurred around Pyongyang's recent tests of long-range missiles. 

Dave Bittner: Security firm ESET has found that the compromised website of a pro-democracy - which is to say, objectively anti-Beijing - radio station in Hong Kong has been serving as a watering hole. Visitors to the site are served a WebKit exploit, DazzleSpy, that's designed for use against macOS systems. It's not the first time such activity has been observed. Google's Threat Analysis Group described watering hole activity back in November, and SEKOIA.IO researchers tweeted at about the same time that an inauthentic site catering to dissidents in Hong Kong had been designed from the outset with that purpose in mind. Which threat actor specifically is behind the campaigns, ESET isn't yet prepared to conclude, but it does say that, quote, "given the complexity of the exploits used in this campaign, we assess that the group behind this operation has strong technical capabilities," end quote. 

Dave Bittner: TrickBot, malware traded in criminal-to-criminal markets and used in a wide range of cybercrime, especially bank fraud, has received an upgrade that renders it more resistant to analysis, BleepingComputer reports. IBM Trusteer researchers report rising rates of infestation and effective man-in-the-browser injections. 

Dave Bittner: Ivanti today released the results of its Ransomware Spotlight Year End Report, an overview of trends in ransomware the security firm observed over the course of 2021. The company found 32 new ransomware families in 2021, which brings the total they’re tracking to 157. That represents a 26% increase over 2020. Unpatched vulnerabilities continue to offer the criminals their principal entree, but the gangs also showed an ability to find and exploit zero-days. The criminals took a greater interest in software supply chains during 2021. And, of course, the C2C market continues to mature, with ransomware-as-a-service mimicking the growth of the legitimate software-as-a-service market. 

Dave Bittner: And finally, hey, you've won the lottery, says an email. Yeah, yeah, sure, you say. And you think, hah - tell it to my great aunt, the widow of Prince Mokele-Mbembe, because you weren't born, like, yesterday, and you bong that email over to the bozo list. 

Dave Bittner: But wait, no, really, you actually did win the lottery. That was the recent experience of a woman in Oakland County, Mich., U.S. of A. The Michigan Lottery explains that one lottery player - we redact her name and age to preserve her privacy - matched the five white balls - 02-05-30-46-61 - in the December 31, 2021, drawing to win a $1 million prize. And how about this? Because she bought her winning ticket online at michiganlottery.com, the Megaplier - we're not sure what that is, but it sounds pretty good - the Megaplier, we say, automatically jumped her prize up threefold to a cool $3 million U.S. 

Dave Bittner: It gets better. She found the email in her spam folder, where, in truth, any one of us would have sent it. So there you go. Sometimes it seems too good to be true, except, in fact, it turns out to be true. So congratulations to the newest millionaire in Oakland County, but please don't use her experience as an excuse to let your guard down. We hate it when Lady Luck teaches bad lessons. 

Dave Bittner: Our own Rick Howard recently spoke with Chriss Knisley from MITRE ATT&CK Defender for the latest on their Engenuity curriculum certifications. Rick Howard files this report. 

Rick Howard: I'm joined by Chriss Knisley. He's the general manager for the MITRE ATT&CK Defender program. Chriss, welcome to the show. For our listeners who don't know, can you walk us through just exactly what is the MITRE ATT&CK Defender program? 

Chris Knisley: As you may be aware, MITRE developed the MITRE ATT&CK framework a few years back. And, really, it provides that common adversary behavior language across vendors and tools and different teams within an organization, looking at how that was being used across the industry about a year and a half ago, and really saw a gap in the skills of people actually being able to employ it in practical ways. We really wanted to change that, so we launched MITRE ATT&CK Defender - MAD - as a training and certification platform to try to change the game in how people were using ATT&CK and threat-informed defense. 

Rick Howard: So I agree with you that the MITRE ATT&CK framework really hasn't been operationalized by most network defenders out there, and I'm always aghast at why. I think it's the greatest thing since sliced bread. But your program, the certification program you have with MAD, is going to help people learn about it, so they can deploy it better? 

Chris Knisley: Yeah, that's exactly it. We saw this gap of people not using it the way the ATT&CK teams thought it could be used. And then we also were looking at - one of the challenges that we saw just looking at the cyber landscape was the skills gap that everybody talks about - right? - is massive in this - you're just trying to fill it and then find ways to validate skills. I talked to tons of CISOs or organizations on a regular basis, and almost to a T, every single one of them says the certifications that are out there suck. The fact that I got a certification five years ago and it's still valid doesn't tell me anything. And at best, when I got it, I memorized a book. And I was able to just go and, you know, sit down for a four-hour exam and write down what I memorized and passed the exam. So we wanted to change those two things along with providing the ATT&CK knowledge. 

Rick Howard: So what makes the MAD program, the MITRE ATT&CK Defender program, different? What are you guys trying to do to change all that? 

Chris Knisley: The first is all of the training is free. 

Rick Howard: Wow. 

Chris Knisley: So just come and sign up for a MAD account and you can access - I forget the total number, but it's somewhere over 60 videos now. They're all designed to be bite-sized, so you can fit them in during the day, across ATT&CK fundamentals, ATT&CK cyber threat intelligence and ATT&CK SOC assessments. So that's what we've got today. And actually, probably by the time your listeners hear this, we'll have launched ATT&CK Adversary Emulation, the first set of modules there as well. 

Rick Howard: This is a fantastic resource. Let me just restate the wow factor here. The training for the MITRE ATT&CK framework, called the MITRE ATT&CK Defender program, or MAD for short - spelled MAD - the how-to instructions to make the ATT&CK framework work for your organization is completely free. That's amazing. Now, MITRE Engenuity, the commercial arm for MITRE, has to make money somewhere, so they charge for certifications, and I think that's totally fair. Do the training for free, and if you want to be a certified MAD, pay for the badge. We should all be taking advantage of this program. And I want to thank Chriss Knisley, the general manager for the MAD program, for coming on the show and explaining it to us. 

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He is the chief security officer at Microsoft Canada. Kevin, it's always great to have you back on the show. You know, I saw a recent report come out from the World Economic Forum, and it struck me that among the sort of economic news that they put out there when it comes to the global economy does not exist in a vacuum. And that affects those of us who are fighting the good fight in cybersecurity every day. I wanted to check in with you for your insights on that specific notion. 

Kevin Magee: Well, Dave, you know I love a good report. And as a chief security officer, the Global Risks Report is a real page turner for me. It comes in at 117 pages, so it's not a light read. But I like to read it as a cybersecurity professional. And I think we need to do this - step back and see what's coming, see what the global perspective is, what the geopolitical risks are, what the socioeconomical changes are, what environmental risks are really weighing on us as humans and as a global community, and then start to translate to that down the future. What will be the consequences that I will need to think about and prepare for as a security professional and a chief security officer? Again, you know, even climate change can have effects on cybersecurity in ways that we don't even conceive about until we start to really think through the ramifications of power lines being cut or natural disasters taking out data centers and whatnot. We do that in disaster recovery, but there are security ramifications as well, too, if we start to think that way. 

Dave Bittner: Can we go through some examples of the things that catch your eye in a report like this? 

Kevin Magee: Yeah. What I found interesting in this year's report is really this theme of divergence. You know, there are nations that are becoming fully vaccinated, some that are not, some that have accelerated digital transformation, some that are not, socioeconomical divergence that the pandemic has really brought about. So we're seeing these divides and these divides becoming even wider, which the best way to find vulnerabilities if you're an attacker is to look for a place to put a wedge in and either create disinformation campaigns if it's a nation-state actor or find socioeconomical challenges to leverage as well, too. So these are the type of things we need to look at as security professionals to think of - how are the cyber criminals? How are the nation-state actors going to respond? - because often we see real-time responses to things that are happening in the news and threat actors taking advantage of what happens in the news. So the more we can look down to what's coming in the future, the better we can start to prepare for ourselves and our organizations to protect against these challenges. 

Dave Bittner: How do you take a report like that and turn it into proactive actions? 

Kevin Magee: I think one of the best things is to do thought experiments. And one of the areas that the report really looks at is space and what's going on in space now. We're seeing commercial satellites launch. We're seeing a lot more friction. We're seeing a lot of turf wars beginning to happen in space. What ramifications will have that on my organization? When I was talking to a financial services company, they felt, you know, if satellites were taken out, there was no effect to their business. But it turned out a good portion of their ATM fleet was actually managed by satellites. So there are ramifications and security problems that can come out of some of these areas. So thought exercises of, you know, what could happen down the line and then teasing out - what effect would that have on my organization? And you start to find new vulnerabilities that would have never occurred to you as - in the past. 

Kevin Magee: And as we rely more and more on technology - and our countries are ones that have really accelerated digital transformation - we're going to do - we need to do much more of this because these vulnerabilities will hit us faster and more often and in - from sectors or areas of technology or the globe where we never really thought there could be cybersecurity challenges before. So again, thought exercise is stepping back, not focusing on the individual attack vectors and whatnot, which we like to do the technology. But by getting to the layer eight level of security and really understanding what's driving some of these tensions, you know, what are the opportunities being created by cybercriminals - for cybercriminals or nation-states to exploit? And then what does that look like six months out, 18 months out, three years out? And how can I start to prepare now to start to close some of these gaps? 

Dave Bittner: Well, Kevin Magee, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.