The CyberWire Daily Podcast 2.16.22
Ep 1517 | 2.16.22

A warning of cyberespionage targeting US cleared defense contractors. Update on the hybrid war against Ukraine. China’s favorite RAT. QR codes. Addiction to alt-coin speculation.


Dave Bittner: U.S. agencies warn of Russian cyberespionage against cleared defense contractors. Updates on the Russian pressure against Ukraine. ShadowPad as China's RAT of choice. Blackcat claims to have leaked data stolen in a double-extortion ransomware attack. Follow the bouncing QR code. Dinah Davis from Arctic Wolf on Canada's government ransomware playbook. Rick Howard chats with Bill Mann from Styra on DevSecOps. And if you're addicted to cryptocurrency speculation, the first step in recovery is admitting you've got a problem.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 16, 2022. 

Dave Bittner: Around noon today, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and NSA issued a joint cybersecurity advisory. The advisory, AA22-047A, bears the descriptive title “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” The tactics the Russian operators are using are described as common but effective. Those tactics include spearphishing, credential harvesting, brute force and password spray techniques and known vulnerability exploitation against accounts and networks with weak security. The goal, unsurprisingly, is espionage. 

Dave Bittner: The operators are after sensitive, unclassified information and any company proprietary or export-controlled technology. The advisory says, quote, "the acquired information provides significant insight into U.S. weapons platforms, development and deployment timelines, vehicle specifications and plans for communications infrastructure and information technology." What are cleared defense contractors? It's a term of art in the U.S. acquisition system. A cleared defense contractor is defined as a private entity granted clearance by the Department of Defense to access, receive or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense. So if you work for one of those cleared defense contractors, be on your toes. The Bears are snuffling at you. 

Dave Bittner: If you buy the theory that markets are the best predictors and that wisdom is to be found in crowds more often than is madness, then you should feel a bit better about the prospects of an intensified, fully kinetic Russian war against Ukraine. U.S. stock indexes rose yesterday after three consecutive days of losses. And the Wall Street Journal attributes the gains to investors optimism that the crisis is relaxing. An opinion piece in the Telegraph argues that what the markets are actually bullish on is a Western sellout of Kyiv. But both military and diplomatic signals remain mixed in that troubled part of the world. 

Dave Bittner: On a day of mixed military and diplomatic signals, two major Ukrainian banks and the country's Ministry of Defense sustained denial-of-service attacks yesterday. Forbes identifies the banks as PrivatBank and Oschadbank and quotes Ukrainian government sources as saying that public-facing websites of the Ministry of Defense were affected. Those military sites are unlikely to be directly relevant to command-and-control. The attacks appear to have been nuisance-level operations - disturbing but not crippling, relatively unsophisticated and easy to remediate. 

Dave Bittner: The Wall Street Journal reports that both the banks and the ministry have been quick to begin remediation. Neither Ukrainian government nor security industry sources have so far offered official formal attribution of the incident, although Ukrainian authorities are rounding up the usual suspects, pointing out the a priori likelihood that Russia was behind the incident. An AFP story in the Kyiv Post quotes the country's communications watchdog as saying, quote, "it cannot be excluded that the aggressor is resorting to dirty tricks," end quote. Moscow was quick to deny any involvement. But if you bet on form, Moscow was probably involved. 

Dave Bittner: Following its recent practice of releasing intelligence assessments that might otherwise be closely held, the U.S. intelligence community has said, The Washington Post reports, that it's likely Russian cyber operators have penetrated and established persistence inside Ukrainian critical infrastructure networks. Russia's pressure on its neighbor has brought new urgency to space systems' and commercial space companies' cybersecurity. Russia has jammed or spoofed PNT - that's the positioning, navigation and timing - signals in the past. And given the prominent role commercial satellite imagery has played in revealing Russian military deployments over the course of the crisis, there's speculation that Western space companies and the assets they run will become early targets of cyberattack should Russia's hybrid war against Ukraine intensify. Cyberattack is an attractive alternative to kinetic antisatellite operations. Cyberattacks are more ambiguous, more deniable, less easily attributable and less likely to draw retaliation in kind. Commercial ISR is also a useful source of tactical and operational intelligence for Ukraine. And denying Kyiv easy access to such combat information would be an obvious move should the conflict become more intense. 

Dave Bittner: NATO says it hasn't seen signs that Russian troops are moving from exercise and assembly areas back to their home stations, the AP reports, whatever Moscow may be saying. NATO Secretary-General Jens Stoltenberg said, quote, "at the moment, we have not seen any withdrawal of Russian forces. If they really start to withdraw forces, that’s something we will welcome, but that remains to be seen," end quote. Nor have Ukraine's leaders. The BBC reports that President Zelensky isn't seeing a drawdown yet, either. President Zelensky told the BBC, quote, "when the troops do pull back, everyone will see that, but for now, it’s just statements," end quote. 

Dave Bittner: The Economist wonders whether the Russian troop deployments may be more bluff than realistic military threat. One hundred fifty thousand troops are a lot, to be sure, but Ukraine wouldn't, at this stage of its post-Crimea rearmament, be a pushover, either. And the paper also isn't seeing the level of domestic propaganda it would expect to see on the eve of an invasion. Given the factitious atrocity stories circulated by Russian media, the Economist has high expectations indeed for what wartime propaganda would look like. 

Dave Bittner: It may be the year of the Tiger, and not of the RAT, but Beijing seems to have a favorite RAT. SecureWorks describes ShadowPad, an advanced remote access trojan that's been used since 2017 by threat groups affiliated with the Chinese Ministry of State Security civilian intelligence agency and the People's Liberation Army. CSO calls ShadowPad the RAT of choice for both the MSS and the PLA. 

Dave Bittner: There’s a bit more on the BlackCat ransomware gang. Swissport is investigating claims by BlackCat that they've leaked data stolen from the aviation services provider during its recent ransomware attack, SecurityWeek reports. 

Dave Bittner: The Coinbase Super Bowl commercial drew a great deal of attention. The ad presented a minute's worth of empty screen with a QR code ricocheting across the screen with an implicit invitation to scan it and go to the company's site, where you can speculate your way to wealth. If judged by viewer response, the commercial was a hit. Security Magazine says that the landing page where the QR code sent those who responded received more than 20 million hits in a minute. This quickly amounted to a kind of auto-DDoSing, since Coinbase's site crashed under the traffic, but the company was pleased with the results. The commercial also prompted some discussion of the ways in which QR codes lend themselves to abuse by malicious actors. Help Net Security writes, the codes don't lend themselves to easy user inspection. Even the minimalist cues a url or an email address might contain are absent, and it's wise to treat them by default with suspicion. 

Dave Bittner: So let’s say you were one of those who couldn’t help themselves. There you were, minding your own business, watching the Super Bowl, and while you couldn’t define the difference between pass interference and illegal contact, you were right there with your phone to follow that bouncing QR code toward the pot of alt-coin you were sure you could see at the end of that rainbow. Or maybe you’ve got a mining rig in your basement that’s using so much juice, it’s prompted the local power utility to ask you if you’re refining aluminum. 

Dave Bittner: The first step is admitting you have a problem. Therapists have noticed that cryptocurrency traders are getting obsessive, that they’re exhibiting some of the behaviors and preoccupations that accompany other addictions. Quartz writes that one therapist is noticing that many of those who consult her - and a lot of them are from the San Francisco area - are troubled by thoughts like these - should I have sold it at a higher price? Should I have done it two months ago? All these questions, said therapist Patty Fiore, were cropping up, along with regret, depression, and anxiety. 

Dave Bittner: She’s not the only one seeing people present with these symptoms. The U.S. National Institutes of Health has published a study on the psychology of cryptocurrency trading - risk and protective factors. The authors conclude that more research is necessary. Quote, "the paper suggests the need for more specific research into the psychological effects of regular trading, individual differences and the nature of decision-making that protects people from harm, while allowing them to benefit from developments in blockchain technology and cryptocurrency," end quote. 

Dave Bittner: Until such time as the paper is completed, perhaps we might consider the advice of philosopher Kierkegaard's pastor - travel, divert yourself, take a laxative. Well, on second thought, all of those, even the third one, wouldn't necessarily get you away from your device. Kierkegaard would have understood, friends. 

Dave Bittner: Our own Rick Howard has been pondering the utility of DevSecOps, and he recently chatted with Bill Mann from Styra on that very topic. Rick Howard files this report. 

Rick Howard: I'm joined by Bill Mann, the CEO of Styra. It's a company that helps its customers on their infrastructure-as-code journey and the minds behind the most excellent open-source project called OPA, which stands for Open Policy Agent. It's kind of a policy-as-code project that helps with zero-trust initiatives. Thanks for coming on the show, Bill. Now, I've been a fan of the DevSecOps movement since Gene Kim published his Cybersecurity Canon Hall of Fame book, "The Phoenix Project." But it's been at least seven years since he did that. Can you give us a sense on the current state of the DevSecOps deployment in 2021? 

Bill Mann: Sure. I think I agree with you wholeheartedly. It's not moving as fast as we all anticipated it was going to move at. 

Rick Howard: I know. I'm very disappointed. I thought we'd be all over this by now, but apparently we are not. 

Bill Mann: Well, we're heading in the right direction, right? And I think it's worthwhile. When you think about DevSecOps, it's three thing - it's development, it's security, it's operations. And that's different from what we had before, which was development and operations. To get it working within any organization, it's a combination of culture - you know, changing everybody's perspective on how they've been doing business, which is very hard, obviously - it's automation, and lastly, it's the way we think about platform designs and how we think about software engineering and so forth. 

Bill Mann: So that's kind of one part of the context - right? - about why it's moving slower. But the other context is we're changing everything around how we deliver software. Every organization is going through a - kind of a platform rethink, which predominantly is open-source software like, you know, Kubernetes and service meshes and so forth. Everybody now realizes - it doesn't matter if you're a car company or a health company, right? Everybody realizes that software is the leading-edge capability. So there's a need to innovate really, really fast. So you've got a new stack. Now you've got an urgency to innovate. And then lastly - no surprise because we're talking about security - everybody wants more privacy as well. That combination is what's slowing it down. 

Rick Howard: My observation is that, yeah, that's all hard. But mostly, the biggest problem, I think, is cultural, like you mentioned, right? The security people and the IT people are still siloed, so it makes the whole idea of a DevSecOps movement more difficult because those two sides still do not communicate with each other on a regular basis. Is that your observation, or am I wrong about that? 

Bill Mann: No, you're right. And look; we can't expect those two organizations to be best of friends because there's a... 

Rick Howard: (Laughter). 

Bill Mann: There's a yin and yang here, right? You know, developers, you know, want to get code out the door as fast as possible. Security is - historically are wanting to stop things from going out the door. Tooling is required to make those organizations work better together. 

Bill Mann: Let me give you a simple example. You mentioned earlier on, you know, we're the creators of the open source project Open Policy Agent. One of the use cases of Open Policy Agent is to provide guardrails - a pipeline, essentially. So when an application configuration which is defined in code gets to a certain point in the pipeline, it needs to be checked to make sure that its meeting certain security requirements. We call them guardrails, right? So, for instance, a very simple guardrail could be you don't want this application to ever talk to a certain S3 bucket. The job of OPA is to enforce that policy. But who writes that policy? Typically, the person is going to write that policy is definitely going to be in security. But the ramifications of that policy failing, it then goes back to the developers. So how can we have these two organizations work together for the greater good of the application going out into production? And the way we try and solve that is by providing better tooling. 

Rick Howard: So I like the idea here that there's kind of a natural bifurcation, where the DevOps people continue to do their thing, but we make them go through, like, an OPA engine, where the security people can set the policy so the DevOps people don't have to be experts in security, and the security people don't have to be expert coders, right? And therefore, those two things can merge and have a better outcome in the future. 

Bill Mann: You're spot on. And the reason why OPA was created was - it was a common approach to defining policy across different elements of the stack because one of the other things that is happening with this new application stack is there's many, many, many new tools being introduced. And the point I'm making is if there's hundreds of projects and all of these projects will need some sort of policy and configuration, but you can't expect a developer or a security organization to know how to configure policy or hundreds of tools that they may be using. So that's why OPA was designed as a general purpose policy system that can work across the stack. 

Rick Howard: We're going to have to leave it there. That's Bill Mann, the CEO of Styra. Bill, thanks for coming on the show and explaining this to us. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf, also the founder of Code Like A Girl. Dinah, always great to have you back. 

Dinah Davis: Thanks, Dave. 

Dave Bittner: You know, ransomware stays at the top of the news stories on everyone's mind, and I thought it'd be interesting to check in with you, being up north in Canada, as you are, what you're seeing from the Canadian government when it comes to recommendations for ransomware. 

Dinah Davis: Yeah. In December, they actually put out a really great guide, and it was a guide for ransomware for companies and how companies should handle ransomware. And they even - well, they sort of answered it, but there's always this question, should you pay, right? 

Dave Bittner: Yeah, yeah. 

Dinah Davis: (Laughter) So they don't give you an answer because no government agency actually would give you an answer there. But they do give you some good information about it, right? So first, report it to your local police. Paying doesn't guarantee access. We all know that. 

Dave Bittner: Sure. 

Dinah Davis: But you may not know that if you - if it's your first time around, seeing this - right? - or it's happening to you. You know, heard it happen to other people, but now it's happening to you. It's a lot more scary. Payment might be used to fund other illicit activities, so you have to remember that, right? Do you want to fund further illicit activities? Even if you pay the threat actor, they may still demand more money, retarget your organization with a new attack or copy, leak or sell your data. So, I mean, I think the Canadian government is saying don't pay here. It's like a subtle - there's a subtle undertone *** 

Dinah Davis: ***** without actually saying the words. But, yeah, that's where they're standing on that. 

Dave Bittner: Yeah. It seems to me like we're in this - we're sort of in this era of being practical about it, where, you know, government organizations, the FBI and so on and so forth would say, don't pay under any circumstances. But now I think there's a realization that you have to be practical, and there are occasions when the path of least resistance may be paying the ransom. But you're right. It's hard for them to say that because then the bad guys win, right? 

Dinah Davis: Yeah. 

Dave Bittner: What about prevention itself? Anything - any recommendations in terms of backups and all that sort of good stuff? 

Dinah Davis: Yeah. They have two major recommendations, right? One, make sure you have a backup plan. And two, make sure you have an incident response and recovery plan. They actually go through the benefits of the different types of backup plans you can have, whether it's, like, full backups on a regular basis or differential, which is just going to copy the differences each time, or incremental, where it's like, you know, it does it, but then it's saving it as a whole. 

Dinah Davis: So each one has their benefits, right? Full backups on a regular basis, you can restore real quick, right? But it takes up a lot more space and data, whereas a differential, you know, it's doing - it's a lighter weight system. But to get a full backup, you have to go to the last time you did a full backup and then add all of those things in a row, so it can make it pretty long. And then incremental basically saves a copy of the data since your last differential, so it pulls it together each time. 

Dinah Davis: There's choices and reasons why an organization may want to choose one or the other. And then they also talk about, you know, the differences between, you know, online, offline, cloud and the benefits of each one of those - right? - offline being probably the most secure because if your system is hit, then, you know, your offline backup shouldn't be connected to anything... 

Dave Bittner: Right. 

Dinah Davis: ...Meaning it should be, you know, more safe. And then the second step after you have a good backup plan is develop your incident response plan, right? You need to do all the things that regularly you need to do, right? So you need to do a risk assessment, and you need to make sure you have policies and procedures in place. Big ones for me are, like, make sure you have a response team in place and you actually do example runs of this stuff so that people know what to do when it happens, right? You want to have good training, training on how to restore from backup, making sure you know who's going to handle communications to your customers if something like this happens, making sure you know who all of your stakeholders are right? 

Dinah Davis: And then one really big thing that I think often gets forgotten is to make sure you're managing your user and administration accounts, right? Always be applying the principle of least privilege, right? Only give people enough access to things that they can get their job done. But make sure you're also auditing that, and if somebody leaves or moves department - this is the bigger one inside companies, moves department. How many times do people move a department, keep all the access from their previous department but now they're doing a new job? They forget they have it, but they're a really good target for attackers because they have all this access that they don't really need... 

Dave Bittner: Right. 

Dinah Davis: ...And don't really think about using very often, right? And the one interesting thing I saw that they put in there was to use a separate system to do any administrative work. So for example, like, if - you know, I've got my work computer. But if I was an admin for a system, I should have a separate - either a separate computer, a separate VM, a separate, like, system where the administrative work gets done that is not the same system that you just do your regular, everyday work on. So that reduces the chance of, you know, a malicious attack coming in via email or something because the system you do administration on should not have an email account on it at all. 

Dave Bittner: Right. Right. Yeah. The other thing that I think of, too, which I think is good advice is as you're doing your practicing, you know, your playbook response, think about what happens if many, if not most of your computers are not working, are not available. How is your team going to communicate if none of their computers are accessible? 

Dinah Davis: Yes. 

Dave Bittner: People often don't think about that. 

Dinah Davis: Well, interestingly, that's also something you should do, even not in an attack, because right before Christmas, Amazon had some major outages that took out companies like Slack. And because that's an outage - right? - you might actually have some of your systems running on that Amazon cloud. Now you've got to manage your internal operations, and you've lost Slack. Have a default secondary communication tool that you're going to use if one goes down. 

Dinah Davis: All right. Well, good advice, as always. Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland and the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.