Diplomacy and cyber warnings in the Ukraine crisis. REvil may not actually be out of business. A warning about Iranian state-directed hacking. And Data Privacy Day is observed.
Dave Bittner: Diplomatic channels remain open even as NATO and the U.S. reject Russian demands over Ukraine. More warnings over Russian cyber operations in the hybrid conflict. Social media as a source of tactical intelligence. The FBI tells industry to be alert for Iranian hacking. Josh Ray from Accenture digs into the Bassterlord Networking Manual. Carole Theriault examines a university data backup snafu. And a happy Data Privacy Day to all.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, January 28th, 2022.
Dave Bittner: In the crisis posed by Russia’s aggressive posture with respect to Ukraine, TASS has written that there’s no understanding on new Russia-U.S. strategic dialogue meetings so far. The so far in TASS' headline is significant insofar as it suggests that diplomacy remains Russia's focus. Reuters also sees a softening of the Russian tone, but a change in tone doesn't necessarily imply a change in direction.
Dave Bittner: TASS quotes Vladimir Yermakov, director of the Russian Foreign Ministry’s Department for Nonproliferation and Arms Control, quote, "further strategic dialogue with the United States depends to a significant extent on Washington’s readiness to give a rational and realistic response to Russia’s core security concerns and to engage in practical work on legally binding guarantees of stopping NATO’s further expansion, refraining from deployment of offensive weapons of the U.S. and its allies near our borders and returning NATO’s military equipment and personnel to levels of 1997, when the Russia-NATO Founding Act was signed," end quote.
Dave Bittner: Those are substantially the demands Russia made during the Geneva talks, and neither NATO nor the U.S. are likely to accede to them.
Dave Bittner: The U.S. has called for a meeting of the United Nations Security Council on Monday, where the U.S. intends to confront Russia over its preparations to invade Ukraine.
Dave Bittner: The conflict between Russia and Ukraine is a hybrid one, with cyber operations preceding the physical, kinetic invasion the West would like to forestall. The BBC reports that Britain's National Cyber Security Centre has, like others among the Five Eyes - notably Canada and the U.S. - renewed warnings to businesses in the U.K. that they should be on alert for Russian cyberattacks during the present period of heightened tension.
Dave Bittner: Paul Chichester, the NCSC director of operations, said early this morning, quote, "while we are unaware of any specific cyberthreats to U.K. organizations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organizations follow the guidance to ensure they are resilient," end quote.
Dave Bittner: For all of the NCSC's reticence about attribution, Computer Weekly quotes Chichester as saying, "over several years, we have observed a pattern of malicious Russian behavior in cyberspace. Last week’s incidents in Ukraine bear the hallmarks of similar Russian activity we have observed before," end quote.
Dave Bittner: While experts temper the warning with reassurance that panic isn't called for, and that Russian cyber operations are likely, at least in the initial phases of a hotter hybrid war, to be confined insofar as that's possible to the theater itself, memories of WannaCry and NotPetya remain fresh and lend gravity to NCSC's latest warning. The BBC quotes former NCSC director Ciaran Martin as saying, quote, "at one point, around a fifth of the world's merchant shipping fleet was being controlled by WhatsApp because their computer systems weren't working," end quote.
Dave Bittner: Also mindful of the 2017 experience, the Danish Defense Intelligence Service has warned the maritime sector in particular to be alert for possible spillover from Russia's hybrid war against Ukraine. Shipping Watch notes that the Danish shipping giant Maersk was particularly hard-hit by NotPetya.
Dave Bittner: Former director Martin is among those who counsel against panic, at least with respect to cyberattacks. He said, "if the aim is to conquer Ukraine, you don't do that with computers," end quote. The BBC also suggests that both the U.K. and the U.S. have succeeded in establishing their own persistence inside Russian critical networks, that Russia knows this and that Russia will therefore be likely to exercise a degree of restraint before it lets an attack loose against Western targets. That the wiper used in the Bleeding Bear attacks against Ukrainian networks wasn't wormable and was therefore less likely to propagate beyond its intended targets may be one indication of such restraint.
Dave Bittner: CrowdStrike has released its analysis of the probable course of Russian cyber action against Ukraine. They attribute most of the activity against Ukrainian targets to Voodoo Bear, a unit operating under the direction of Russia's GRU military intelligence service. Voodoo Bear has a long history of servicing Ukrainian targets that goes back to 2014, the year Russia seized and annexed Ukraine's Crimean region. The recent information operations in the campaign CrowdStrike calls WhisperedDebate are assessed as preparation. Should the conflict escalate, CrowdStrike expects Voodoo Bear to step up destructive wiper attacks.
Dave Bittner: In hybrid war, cyber operations for the most part amount to what military officers call combat support, and experts commenting to the BBC tend to see it that way. What combat power, kinetic power, looks like is on display in Belarus. DFRLab has been tracking the movement of Russian combat units into the Russian allies' territory, where they're positioned nominally for joint exercises along the border Belarus shares with Ukraine. And it's developed a surprisingly detailed picture of the Russian order of battle - that is, of the forces deployed in the vicinity of the Ukrainian border.
Dave Bittner: The sources of DFRLabs' information are interesting. Some of them derive from satellite imagery, but more of them come from social media as Belarusian locals take pictures and video of Russian equipment moving through their towns. Much of it appears on TikTok. And where else would you go for information on an enemy order of battle?
Dave Bittner: Information wants to be free, as they used to say, and the way social media have put the need to show off so firmly in the cultural saddle makes one wonder whether traditional military operational security is even possible anymore. Who needs hyperspectral sensing platforms in low Earth orbit when everyone is happily taking selfies in front of BMP-2s at the local railhead?
Dave Bittner: This is not, we should note, purely or even characteristically a Russian or Belarusian phenomenon. No army on the planet should be surprised when its deployments turn up on TikTok right beside the latest moves of the most viral influencers.
Dave Bittner: CrowdStrike has also published a long and detailed account of how Cozy Bear, Russia's SVR intelligence service, successfully exploited SolarWinds vulnerabilities in a long-running campaign CrowdStrike calls Stellar Particle. Especially noteworthy is the threat actors' ability to establish presence and remain undetected for months.
Dave Bittner: The U.S. FBI this week issued an advisory warning private industry that the Iranian threat group Emennet Pasargad is both newly active and posing a threat beyond the influence operations it's best known for. During recent U.S. election cycles, for example, the group's operators impersonated members of the Proud Boys to circulate inflammatory posts intended to exacerbate divisions in American civil society. The group is now held to be capable of and likely to engage in what the bureau calls traditional cyber exploitation activity targeting several sectors, including news, shipping, travel, hotels and airlines, oil and petrochemical, financial and telecommunications in the United States, Europe and the Middle East.
Dave Bittner: Researchers at ReversingLabs have been keeping an eye on REvil with a view to assessing how significant the much-ballyhooed FSB raids on those REvil apartments actually were. Quote, "the week before the arrest, there were 24 implants a day, 169 per week. The week after the arrest, there were 26 implants a day, 180 per week," end quote. That is, there's not much change, and what change has been seen actually represents an increase.
Dave Bittner: And so the mystery of what Russia's FSB was actually out to accomplish remains. But whatever's going on, it's unlikely to be the dawn of a new era in international law enforcement cooperation. And we can't help but notice how the criminal world's lifestyles seem to have taken a haircut. The guys in the FSB video looked as if they were living like slacker undergraduates. What happened to the style of the older alleged cyber gang kingpins, the yacht on the Black Sea, the exotic cat kept as a pet, the stylish designer tracksuit?
Dave Bittner: Other ransomware operators are also active. SecurityWeek reports that France's Ministry of Justice has sustained a LockBit 2.0 infestation. Palo Alto Networks Unit 42 describes BlackCat ransomware, an unusually sophisticated strain that's been circulating in the wild since this past November. But not every problem is the work of hackers. Federal News Network reports, for example, that the U.S. State Department has assessed the worldwide email outage it sustained yesterday as due to a glitch, not an attack.
Dave Bittner: And finally, we close by wishing all a happy Data Privacy Day. We hope you've completed your holiday shopping and done so with as much discretion as possible. But seriously, a good way of observing the day would be to review NIST's data privacy framework, which coincidentally is celebrating its second birthday. Many happy returns, NIST.
Dave Bittner: The continued success of ransomware operations worldwide has put the spotlight on organizations' backup and recovery plans - seen as a critical step in protection against ransomware. But what happens when things don't go according to plan? Our CyberWire U.K. correspondent Carole Theriault has that story.
Carole Theriault: So years ago, I held the job of managing crisis communications for a global IT security firm. And over the years, there were, well, countless events that demanded a clear head and a clear message, even when everything around you was completely chaotic. Managing a digital crisis and being directly responsible for it - those are very different indeed. I mean, some bad decisions, even ones made erroneously without an iota of ill intent, can still have catastrophic consequences.
Carole Theriault: Case in point, Kyoto University, famed for producing world-class researchers, including 13 Nobel Prize laureates - well, they have recently found themselves in a nasty pickle. At the tail end of 2021, Bleeping Computer reported that the university lost 77 terabytes of research data due to a backup system error. Seventy-seven terabytes of data - this isn't a flash in the pan. This is a mountain - a monumental mountain - of data. And apparently the incident happened in just two days.
Carole Theriault: According to a Kyoto University data release between December 14 and 16, 34 million files from 14 different research groups were wiped from the system and backup file. And from what I could make out from the Google-translated version of the release, there was a careless modification of the backup program by the supplier of the supercomputer. And looking into it a bit further, it seems that this supplier are publicly taking the hit. Again, this is using Google Translate, and it seems to be a response on the incident. It says we are 100% responsible and deeply apologize for causing a great deal of inconvenience due to the serious failure of the file loss of the system. And they go on to explain that a modified script was overwritten in a way that spurred on the disaster.
Carole Theriault: Now, it's quite rare for a massive corporation to own up, to say, mea culpa, our bad, and that victims need compensation. But ultimately, what a painful screw-up. All that research and data - poof. Like, no offense, but no compensation or sorry's really can make up for that, can it?
Carole Theriault: And despite the details on the disaster being very high level at best, I think we can all agree that none of us would want to swap places with the person who is actually responsible for this blunder - well, person or persons. Due to stress, lack of resources, lack of attention, distraction, phone calls, a mistake with catastrophic consequences occurred. And maybe it was not just one mistake. Maybe there were several little oversights that led to this nightmare.
Carole Theriault: All this leads me once again to build the case for regular risk assessments, not just on your own systems, but also those in your supply chain as well. This could be a requirement for doing business with you - a regular risk assessment on your systems to make sure that a mistake at their end has, for example, backup fail safes, which would mean that if someone made a mistake, you don't lose all your data.
Carole Theriault: This was Carole Theriault for the CyberWire.
Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyberdefense lead at Accenture Security. Josh, it is always great to have you back here on the show.
Dave Bittner: I wanted to touch base with you on some of the things that I know you and your team are tracking when it comes to activity happening in that cyber underground. What sort of things are on your radar these days?
Josh Ray: Hey, Dave. Yeah. Thanks for having me back. And yeah, this has been a - really a primary requirement for our cyber recon team. And it's, you know, as we've spoken about before, a trend that we've seen primarily over the last 18 months of threat actors just showing a huge amount of interest around these VPN and server-side type of vulnerabilities. And as you know, this is likely, you know, a direct result of the remote work environment. But also, you know, these server-side vulnerabilities really afford an attacker higher privileges. And, you know, sometimes they're a little bit less noisy, but they also provide a lot of access to much more broader targeting opportunities.
Josh Ray: And I was actually talking to two of my colleagues the other day, Paul and Luca from our recon team, and they were talking to me about how they discovered this networking manual guide of sorts that had some very specific recommendations regarding some free tools and exploits to take advantage of - you know, just some previously disclosed vulnerabilities and things like RDP, net login, other types of VPN technology - again, things that help an actor to not only gain access to a network but, you know, do things like move laterally effectively and things.
Josh Ray: But, you know, as we start to think about, how do we, you know, defend against this, it's really important to note that two very well-respected actors were primary contributors to this networking manual guide, and they have repeatedly shown interest in the darknet about virtual private network vulnerabilities and which - offering some significant bounties, meaning that they are very well-resourced to buy these zero-day exploits.
Dave Bittner: When you say significant bounties, what sort of dollar signs are we talking about here? Can you help me calibrate my scale?
Josh Ray: Absolutely. And this is - I mean, this is kind of serious when you talk about the resources that these actors can bring to bear now for a lot of these zero-day exploits, particularly ones that are affecting Windows and Linux and VPN products and also Android.
Josh Ray: So we've seen actors that are placing bitcoin deposits on forums to show that they have actually the resources to pay somewhere in the order of magnitude of about 27 bitcoin, which is right around 1.3 million U.S., as a deposit - right? - when they're actually offering three million for a remote code execution exploit against Windows or Linux. And in early January, another actor placed a 20 bitcoin - you know, right around 900,000 - deposit and offered about a million for exploits in Windows, IoT, Android and Linux. So we're talking significant dollar amounts, really, to really focus on being able to get the latest and greatest zero-day exploits to exploit these technologies.
Dave Bittner: And is it fair to say this is a pretty exclusive club here, that we're playing in the nation-state level with these kinds of dollar amounts?
Josh Ray: I mean, it's tough to say nation-state or otherwise. But, I mean, the fact of the matter is that there are actors that are out there that have the resources. And we're obviously seeing this, you know, environment and operations become more and more specialized. So, you know, it's a high-risk, high-reward type of environment. And the criminals are, I think, you know, ready to pay whatever is necessary to continue to advance their objectives.
Dave Bittner: And when you see this sort of thing out there, this sort of networking manual, what are your recommendations for folks to best protect themselves?
Josh Ray: So there's three things that I, you know, try to help people kind of understand. And when we talk to clients, we put context around it, right? So patching hygiene is critical - right? - and absolutely needs to happen. But it's table stakes, right? And I think just as a community, we need to agree that we need to do better than that. We really need to be thinking about how do we drive an intel-driven approach into our vulnerability and attack surface management programs.
Josh Ray: And this is - I mean, it's not just good enough to get, you know, the latest and greatest proof of concept code or active exploitation out there to help drive your patch prioritization. That's important. But I would say that even if you're doing that, you're a little bit behind. We really got to start thinking about taking it a step further, right?
Josh Ray: When we see that a new server-side exploit is found, we have seen actors that are initiating scanning of the entire IPv4 space within hours to find vulnerable systems. So that means that you, as a network defender, have to be much more proactive, and you have to be actively hunting your environment and your attack surface and using, you know, a third-party or even internally built intel capability that can operate responsibly in the darknet.
Josh Ray: And that's important, right? You have to be able to do it without causing a lot of risk to your organization to provide those advanced indications and warning about how the threats are operating, the things that they're interested in targeting, because if you can't do that, then you're always going to be on your back foot, Dave. And I think it's going to be really difficult for organizations to achieve that resilient security posture.
Dave Bittner: All right - well, interesting insights, as always. Josh Ray, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: Be sure to check out this weekend's "Research Saturday" and my conversation with Sylvester Segura from Symantec's Threat Hunter team. We're discussing their work on espionage campaigns targeting telecoms organizations across the Middle East and Asia. That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.