The CyberWire Daily Podcast 2.18.22
Ep 1519 | 2.18.22

False flags, disinformation, and cyber operations in a hybrid conflict. Log4j vulnerabilities exploited. Wiper used against Iranian television. Kraken’s evolution. CISA’s guide to free security tools.


Dave Bittner: False flags and disinformation in Ukraine as Western governments warn of the risk of both Russian escalation and the prospects of cyberattacks spreading beyond Ukraine's borders. Log4j day-one vulnerabilities are exploited in the wild. Threat actors deployed a wiper in the course of hijacking Iranian television. The Kraken botnet is evolving, picking up an information-stealing capability. Our guest is Brittany Allen of Sift to discuss the DOJ seizing $3.6 billion worth of stolen crypto. Chris Novak from Verizon addresses geopolitics and threat intelligence. And CISA launches a catalog of free cybersecurity services and tools.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, February 18, 2022. False flags, information operations and cyberattacks continue to mark Russia's hybrid war against Ukraine. Whether Moscow will escalate the conflict with a large conventional campaign remains to be seen. But senior officials in both the U.S. and U.K. have continued to warn that a large-scale invasion could be imminent, perhaps just days away. 

Dave Bittner: Reports of shelling in eastern Ukraine continue. Russian media has accused Ukrainian forces of hitting a kindergarten and blaming it on Russian-led separatists in an attempt at provocation. Separatist leaders in Donetsk, however, acknowledge that their guns were the ones that hit the school but say it's Ukraine's fault anyway since, say the Russia-aligned separatists, Ukrainian forces used mortars and grenades against them first. Most observers see the ongoing artillery fire as part of a Russian attempt to frame Ukraine as an aggressor against ethnic Russians in Donetsk and Luhansk. 

Dave Bittner: British Foreign Secretary Liz Truss called the shelling and other abnormal military activity, quote, "a blatant attempt by the Russian government to fabricate pretexts for invasion," end quote. The U.S. embassy to Ukraine was equally unambiguous, tweeting, "Russia's shelling of Stanytsia Luhanska in Ukrainian-government-controlled territory in Donbas hit a kindergarten, injured two teachers and knocked out power in the village. The aggressor in Donbas is clear - Russia. This attack, as with so many others, is a heinous Russian violation of the Minsk agreements and again demonstrates Russia's disregard for Ukrainian civilians on both sides of the line of contact," end quote. The leader of the Donetsk separatists, Denis Pushilin, has announced that the danger of Ukrainian military action is now so high that the separatists have begun evacuating the province's population across the border to Russia's Rostov Oblast, The Telegraph reports. 

Dave Bittner: Ukraine denies that it's engaged in any operations against the provinces Russia is seeking to detach. Russia continues to disclaim any intention of preparing a further invasion of Ukraine, Bloomberg reports. The U.S. continues to say that the risk of intensified ground combat remains high. President Biden said yesterday, quote, "We have reason to believe they are engaged in a false-flag operation to have an excuse to go in," end quote. False-flag operations are provocations staged as outrages that can be more or less plausibly attributed to an adversary. U.S. officials, speaking on the condition of anonymity, told The Washington Post that there was additional intelligence indicating a false flag by Russia would involve the use of a chemical agent that would immobilize civilians, then use cadavers to make it appear as though the Ukrainians had gassed and killed civilians. One of the officials said the blame might also be pinned on Americans. 

Dave Bittner: U.S. Secretary of State Blinken made a similar case yesterday at the United Nations. He enumerated three possible false flag provocations - a fabricated so-called terrorist bombing inside Russia, a fake mass grave, a staged drone attack on civilians or a fake, or even a real, attack using chemical weapons. Russia's Ministry of Defense repeated its claim that units were returning to garrison yesterday after Western intelligence services said they weren't seeing signs of withdrawal from assembly areas near Ukraine. Western governments aren't in general buying it. 

Dave Bittner: Reuters reports that the U.S. ambassador to the Organization for Security and Cooperation in Europe, Michael Carpenter, told a meeting of the OSCE today, quote, "we assess that Russia probably has massed between 169 and 190,000 personnel in and near Ukraine, as compared with about 100,000 on January 30. This is the most significant military mobilization in Europe since the Second World War," end quote. 

Dave Bittner: Bloomberg quotes Ukrainian authorities as calling the distributed denial of service attack that began Tuesday and extended into Wednesday the largest the country had seen. This may be an exaggerated local perspective. Reuters cites Netscout to the contrary. The security firm said that what Ukraine faced was relatively standard and not unusually large. Netscout's Richard Hummel said, quote, "it's possible that it was the largest they'd seen against targets. It's definitely not the largest we've seen," end quote. 

Dave Bittner: At the Chicago session last night, Mylovanov said that contrary to most reports, the effects of the attack had not been confined to just two banks but had affected the banking sector as a whole. He assessed the level of interference as comparable to that Estonia sustained when it came under Russian cyberattack. That Ukraine escaped a crippling shutdown he ascribed to the country's improved resiliency. 

Dave Bittner: Warnings that Russian cyber operations could affect countries beyond Ukraine continue. The Voice of America reports U.S. concerns about the possibility of cyberattack, and it cites the often-mentioned case of NotPetya, which spread beyond its Ukrainian targets to affect commerce globally. Media in the U.K. are retailing similar warnings, although they focus on the possibility of a direct cyberattack against British assets. Online shopping, pay card transactions and health care information are regarded as especially at risk. 

Dave Bittner: Speaking at the Munich Cybersecurity Conference, U.S. Deputy Attorney General Lisa Monaco warned again of the blended threat of criminals working with nation-states. She also followed on a theme CISA annunciated in the course of this week's warnings that people should have their shields up. 

Dave Bittner: While the general push to address the risk posed by Log4j vulnerabilities seems to have limited the damage organizations might otherwise have sustained, exploitation of vulnerable systems continues. SentinelLabs researchers describe the activities of an Iranian-aligned threat actor they're calling TunnelVision and which is hitting vulnerable instances of VMware Horizon. SentinelLabs notes overlap between TunnelVision activity and the operations Microsoft ascribes to Phosphorus and CrowdStrike to Charming Kitten or Nemesis Kitten. Whether these represent activities of the same unit or distinct groups remains unclear. 

Dave Bittner: Some are calling the Log4j vulnerabilities one-days. They're not zero-days because they're known. And mitigations are available, but they're fresh enough so that a number of systems are still vulnerable to exploitation. 

Dave Bittner: Iran itself has been the target of cyberattacks. Check Point looks into recent incidents affecting Iranian state television. Their surface motivations seemed straightforwardly hacktivist, designed to denigrate the regime and urge assassination of Tehran's supreme leader. But an examination of the malicious files finds that the unknown threat actors also deployed wiper malware against their targets. 

Dave Bittner: ZeroFox this week published an update to its research on the Golang-based botnet its researchers described last October. It's called Kraken, but it's not to be confused with the botnet that appeared in 2008 and had the same name. The two are unrelated. The current Kraken spreads via SmokeLoader. And while it's still under development, it already features the ability to download and execute secondary payloads, run shell commands and take screenshots of the victim's system. While it's still maturing, Kraken nets its operators a small but interesting sum of around $3,000 a month. Its most recent infestations show signs of deploying an information stealer, but to what end is unknown. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - today announced that it's launched a catalog of free cybersecurity services and tools. The resources it offers fall into four categories - reducing the likelihood of a damaging cyber incident, taking steps to quickly detect a potential intrusion, ensuring that the organization is prepared to respond if an intrusion occurs and maximizing the organization's resilience to a destructive cyber incident. You can find it all on their website, 

Dave Bittner: The recent news of the Department of Justice seizing $3.6 billion worth of stolen cryptocurrency captured the attention of both good and bad actors in the cybersecurity and cryptocurrency worlds. Brittany Allen is trust and safety architect at digital trust and safety firm Sift, and I checked in with her for perspective on the impact of the seizure. 

Brittany Allen: What it really just highlights for me is confirmation of what we keep saying about the transparency of the blockchain, where even if money is moved to dark web websites or taken to illicit locations for money laundering, we can still follow the path of those funds and then eventually be able to figure out who is behind that theft when they invariably make a mistake. One example I would like to compare it to, where we probably have some people in the audience who are true crime fans because of how popular that genre is, if you think back to one of the most famous art thefts in the United States, the 1990 robbery at the Isabella Stewart Gardner Museum in Boston, where 13 priceless artworks were stolen, those still in 2022 have never resurfaced. And we don't know who took them, but we also don't know where they are. Now, imagine if it was something similar to being able to have the path of these items tracked on a blockchain so that we would at least know where the artwork is, even if we hadn't yet figured out who was behind the theft and who we could go after to then get those items back. It would be a completely different picture. So that's really something very exciting about this news from the DOJ. 

Dave Bittner: Are we seeing a response from the, you know, usual suspects, the threat actors out there? Is this giving them pause? 

Brittany Allen: I would say it is not, as far as the majority of those who are talking in fraud forums that we'll monitor, such as those on Telegram or other messaging apps and services, even on Facebook, because they are not as big of a scale to be targeted in the same way as these particular alleged criminals, those who have been arrested here in Manhattan. And it's something that is unfortunate to have to face because there is so much fraud that is happening online, such as the huge take-off over the past 18 months of money that was made through PPP loans or Small Business Association loans, and the fact that fraudsters now have even more funds than they previously had to then be able to leverage and, you know, learn how to commit new, different types of fraud attacks. I don't think they have a concern on that minor level, especially just because we don't see regular focus on a fraudster who operates at not even billions or millions of dollars worth of fraud. 

Dave Bittner: Do you suppose that this is an inflection point here, that, you know, going forward, both the folks who are up to no good and the folks who are using cryptocurrency exchanges in legitimate ways - to what degree is this going to inform how they do business from this point on? 

Brittany Allen: So I think 2022 by itself is an interesting enough inflection point where we have this major breakthrough and potentially solving this crime. But then at the same time, we have, you know, continued adoption of cryptocurrency. I don't know if you watched the Super Bowl last week, but quite a few people held their phones up to the TV and scanned that QR code ad that Coinbase ran. 

Dave Bittner: Right. 

Brittany Allen: And that might have been a large, you know, population of people who had never considered cryptocurrency before or who had thought, oh, I don't know how to do that, that's beyond me, that now might be, you know, a little bit more comfortable or at least willing to try it out and talking about it amongst their friends. So obviously, as a payment method or a payment type becomes more adopted, the fraudsters naturally gravitate towards it because they know there's more funds that they can access. They know that they're able to leverage it better for their fraud attacks. 

Brittany Allen: But when it comes to what can be done, I really want to stress the importance of user education, first of all, and then of the importance of crypto exchanges and other crypto companies making sure that they're putting protections in place beyond what is on the consumer responsibility side. So for consumers, you've got some now who will for the first time be, you know, quote, unquote, "their own bank" by holding their own funds, whether in a, you know, offline cold wallet or in some other method. But you can't rely on them entirely to be able to protect themselves. It's also the responsibility of the exchanges and other businesses. 

Dave Bittner: That's Brittany Allen from Sift. 

Dave Bittner: And joining me once again is Chris Novak. He's the global director of the Threat Research and Advisory Center at Verizon. Chris, always a pleasure to have you back on the show. It is a complex world in which we live. And in the cybersecurity world, geopolitics certainly plays into the things we do every day. I just want to check in with you on that and the kinds of things that you're tracking when it comes to the political realities around the world and how that affects things like people's approach to threat intelligence. 

Chris Novak: Yeah. It's always a pleasure to be here, David. You're spot on with that. I think that's a very interesting and poignant topic because I think if you're not looking at threat intelligence, you're missing a big piece of kind of that radar view of what's happening around you. You're missing a big piece of situational awareness. And I think whether or not you're in an industry that, you know, plays heavily into, you know, the geopolitical conversation - you know, you're a big finance organization or a big defense organization - I'd say that that is only part of it. I think every organization that has some kind of cyberdefense requirements, which is probably everybody, needs to be looking at this as well, because, you know, to be honest, when we look at the geopolitical landscape, whether it's, you know, Russia, China, North Korea, you know, the U.S. withdrawal from Afghanistan, everything has some element to it where we're seeing cyber playing a bigger role because, you know, to be honest, when we look at, you know, things like military actions, those are not something that anybody wants to lead with. But cyber actions are for many countries and for many military organizations or intelligence operations - a cyber action may be an easier thing to pull off, maybe an easier thing to disguise. And there's a lot more potential, you know, deniability aspects to it while also being able to inflict and cause pain on their intended target. So that geopolitics understanding and that threat intelligence nexus, I think, are absolutely critical. 

Dave Bittner: When it comes to threat intelligence, to what degree - having it be an internal function of my organization versus engaging with an outsider, what are the pros and cons of each of those approaches? 

Chris Novak: Yeah. So, I mean, I'd say every organization should have some internal capability and some understanding of what their desired outcome of a threat intelligence program is, right? In fact, oftentimes, when we talk to organizations, that's going to be one of the first things we ask them - is what do you do or how do you define threat intelligence? What does it mean to you? What is it that you want to accomplish with it? And then typically at that point, we'd have further conversation with them as to, OK, this might be the art of what's possible, right? These additional things could be layered into or on top of what it is you're doing. 

Chris Novak: And I think it always is beneficial, especially from an intelligence standpoint, for there to be some kind of hybrid internal-external approach. I think organizations that try to do everything internally - there may be an ego aspect to that, but the reality of it is if you're trying to do intelligence really well, world class, you need to be plugged in with external entities that may be able to source intelligence from places that you might not have access to, right? And even the best and the biggest organizations, they do exactly that. 

Dave Bittner: What about the regulatory regime, you know, of organizations that fall under those sorts of rules? You know, having an external source of this sort of information, how much does that contribute to their ability to stay within those guardrails? 

Chris Novak: Yeah. So I think a lot of organizations can benefit from that because they can depend on those external entities to do a lot of that vetting and compliance and regulatory aspects for them, if you will. So in other words, that becomes that third party's responsibility as opposed to their own internal responsibility. And typically, we'll see that everybody will put that kind of language in their contracts and say, look, you know, we're depending on you for this intelligence, and we're expecting that you meet and comply with all various, you know, laws and regulations around the same. 

Chris Novak: And to be honest, that is a typical, you know, kind of table stakes for us when organizations engage with us for threat intelligence. You know, we assure them that, look, we're meeting all those laws and regulations as well. And to be honest, we even see organizations will reach out, and sometimes they will kind of do that wink, wink, nod, nod, yep, we get it. You're going to follow the laws and regulations, but you're going to get us to this kind of information, right? Like, no, no. We're really going to follow all the laws and regulations. 

Dave Bittner: (Laughter) Right. 

Chris Novak: There's no wink, wink, nod, nod (laughter). 

Dave Bittner: Right, right. 

Chris Novak: It's all by the book. 

Dave Bittner: Yeah, yeah. For organizations that are starting down this pathway and trying to figure out how to calibrate, you know, how much of their cybersecurity spend should be going towards this sort of thing, where's a good place for them to begin? 

Chris Novak: So I mean, typically, there's a lot of really good white papers out there. And then also typically, we would talk with a lot of the analysts. You know, so we engage with all the big analysts out there. And in fact, you know, we - maybe toot our own horn here a little bit - but we've rated really well with all the analysts, as you know, a leader in all their different ratings as it relates to this as well. 

Chris Novak: And I'd encourage, you know, organizations to talk with the analysts because they can be an independent, unbiased third party that can give a view into both what is it that organizations are typically spending - not that spending has to equal quality. But typically, it is a metric organizations use to try to figure out where they are. You know, are they investing enough, maybe not enough? How do they compare to their peer groups? And then also, where is it that the analysts might suggest that if they're going to invest additional dollars, that they might see the best or biggest return on their investment? 

Chris Novak: And you know, look, I'd love to tell everybody, you know, come to us, talk to us. But honestly, I prefer to send people towards that third-party route to kind of get that unbiased view because I, you know, I believe strongly in what we do. And I think a lot of those conversations are important. 

Dave Bittner: All right. Well, Chris Novak, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at If you're looking for something to fill your time on the upcoming long holiday weekend, check out "Research Saturday" and my conversation with Marcelle Lee from SecureWorks. We're discussing ransoms demanded for hijacked Instagram accounts. That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.