The CyberWire Daily Podcast 3.2.22
Ep 1526 | 3.2.22

Slow-motion brutality against Ukraine as sanctions begin to bite Russia. Big Tech takes sides. Ransomware continues to bother major corporations.


Dave Bittner: Russia’s invasion in Ukraine is still slow, but it’s grown more brutal. Sanctions are beginning to hit Russia hard. The cyber phase of this hybrid war seems more informational than destructive. Big Tech has taken Ukraine’s side, and some Russian companies face a tough balancing act. Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security. Malek Ben Salem from Accenture on deploying effective deception systems. And ransomware continues to pester major corporations.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, March 2, 2022. 

Dave Bittner: Russia's invasion of Ukraine has proceeded at a slower pace than Russia had expected. While Russia's operations enter a new, more brutal phase in which cities and their civilian populations are subjected to heavy fire, its forces have shown themselves unable to achieve and sustain the operational tempo necessary to quick victory. Defense News suggests there are five basic reasons for this - poor communications of the commander’s intent - that is, President Putin seems not to have shared his goals with his field commanders) - failure to fight as the Russian army had trained, overconfidence - they expected a walkover, to be greeted as liberators - ineffectual use of air power and, finally, the surprising unanimity of the European governments in their negative response to the Russian action. 

Dave Bittner: The Moscow stock exchange remains closed in the longest shutdown since 1998. Bloomberg reports that the exchange closed over the weekend and has yet to resume trading as sanctions bite ever deeper into the Russian economy. The ruble itself has cratered under the effect of sanctions. According to Business Insider, one Russian ruble is currently worth less than one US cent. 

Dave Bittner: Microsoft, as we’ve heard, found that the malware it called FoxBlade, and that others have called HermeticWiper, was staged and deployed hours before Russian troops crossed their lines of departure and invaded Ukraine. 

Dave Bittner: SecurityWeek has an update on ESET's research into those Russian cyberattacks against Ukrainian targets. The company says it's detected a worm, HermeticWizard, that's spreading HermeticWiper, which, as its name suggests, is data-erasing malware. ESET has also found HermeticRansom in the wild, which adds a capability for extortion to the campaign. CrowdStrike has also detected the Go-based ransomware, which it's calling Party Ticket, but which it confirms is the same malware as HermeticRansom. Kaspersky assesses the ransomware as misdirection for the wiper campaign, which would be consistent with Russian practice at the outset of the war against Ukraine. 

Dave Bittner: There are reports of local Russian jamming of GPS in and around Ukraine, but so far, Breaking Defense reports, their effect seems relatively contained. U.S. support operations in particular are said to be unaffected. 

Dave Bittner: Ukraine has shown some ability to attract hacktivists and volunteer hackers to its cause, the Wall Street Journal reports, and Vice describes some of their activities, many of which have taken the familiar form of vandalism, defacing websites and performing other mischief. 

Dave Bittner: Of arguably more significance have been signs that Ukraine has been able to obtain and publish material from online Russian sources. Ukrainska Pravda reports that The Centre for Defence Strategies has acquired the names of 120,000 Russian servicemen who are fighting in Ukraine. These have been posted online. That's unlikely to have any immediate tactical effect, but it can't be good for either Russian morale or for Russian confidence in the security of its networks. 

Dave Bittner: WIRED reports that Ukrainian networks have proven more resilient than anticipated, even under Russian cyberattack. According to Space News, SpaceX has made a contribution in-kind to a more resilient Ukrainian Internet, delivering, as promised, a number of StarLink terminals and the services that go with them. 

Dave Bittner: Platformer gives the social networks generally favorable marks for being on the side of the angels during Russia's war against Ukraine. Here are some of the specific measures Big Tech has taken. Apple is the latest Big Tech firm to shut out Russia. Quote, "we are deeply concerned about the Russian invasion of Ukraine and stand with all the people who are suffering as a result of the violence." That's Reuters quoting an Apple representative as explaining. We are supporting humanitarian efforts, providing aid for the unfolding refugee crisis and doing all we can to support our teams in the region. 

Dave Bittner: YouTube has banned Russian media outlets from its platform across Europe, Politico reports. Google Europe tweeted a terse explanation. Quote, "due to the ongoing war in Ukraine, we're blocking YouTube channels connected to RT and Sputnik across Europe, effective immediately. It'll take time for our systems to fully ramp up. Our teams continue to monitor the situation around the clock to take swift action," end quote. 

Dave Bittner: Facebook's corporate parent Meta has taken two steps. It's both demoting Russian media content as probable disinformation, and it's seeking to improve user safety with an encrypted Instagram messaging app. According to Protocol, Meta's president of global affairs sees the second move as particularly important. Quote, "we think it essential, as long as this continues, that the ordinary Russians can use our services to express themselves, organize and protest and reach out to family and friends in the wider community," end quote. The downgrading of Russian media principally affects RT and Sputnik, which have generally come to be seen, particularly in Ukraine and the EU, as the most prominent vectors of Russian disinformation. 

Dave Bittner: No one is really buying the Russian line that the war was necessary to deNazify a genocidal Ukrainian fascist junta that was itself bent on Russia's destruction. And it's difficult to find much conviction anymore in the routine Russian diplomatic assertions repeated on Russian domestic media that, no, really, that's what's going on here. 

Dave Bittner: One well-known Russian company and a company that has customers abroad because it produces a product that people actually want is the cybersecurity firm Kaspersky. Kaspersky hasn't been free of suspicion of Kremlin influence. Indeed, a few years ago, its antivirus products were excluded from U.S. government networks on the grounds that they allegedly collected too much information about the networks they protected. But in general, Kaspersky has achieved international status as a normal company. 

Dave Bittner: Presently, according to Vice, Kaspersky is attempting a difficult balancing act. It's a Russian business trying to occupy a neutral ground in Russia's war against Ukraine. Founder Eugene Kaspersky's tweets include these. Quote, "we welcome the start of negotiations to resolve the current situation in Ukraine and hope that they will lead to a cessation of hostilities and a compromise. We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn't good for anyone," end quote. Also, quote, "like the rest of the world, we are in shock regarding the recent events. The main thing we can do in this situation is provide uninterrupted functioning of our products and services globally," end quote. 

Dave Bittner: Leaving Russia's war in Ukraine aside, we turn to some of the other developments in cyberspace. Huntress has updated its research into an APT it associates with North Korea and which is generally being called BabyShark. The threat actor's operational practices are consistent with those Palo Alto Networks last month observed being used earlier against think tanks. And Huntress says the attack it observed was significantly customized and tailored to the specific victim environment, indicating a targeted attack. The initial infection vector was phishing. Huntress councils that preventative measures alone are insufficient for protection and that organizations should make full use of logging, monitoring and hunting. 

Dave Bittner: Researchers at JFrog report finding five security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. 

Dave Bittner: Toyota's suspension of production in Japan, which a cyberattack on a third-party supplier induced, is now over. The disruption to the manufacturing lines lasted one day, Edge Markets reports. According to CNN, 14 factories were affected. 

Dave Bittner: TechCrunch reports that the cyber incident U.S. chip manufacturer Nvidia suffered was a ransomware attack and that the company has confirmed that the attackers have begun to leak stolen information online. Some of the stolen data includes employee credentials. 

Dave Bittner: A Form 8-K that insurance giant Aon filed with the U.S. Securities and Exchange Commission disclosed that the company was investigating a cyber incident it detected on February 25, Computing reports. Aon says that its operations were unaffected. Quote, "the incident has not had a significant impact on our operations. We remain focused on our clients, and our ability to serve them has not been impacted by this event," end quote. 

Dave Bittner: Finally, we return to the Russian war against Ukraine. People are asking what kinds of cyber action is permissible under the laws of armed conflict. Consider the hacking of electric vehicle charging stations in Russia, which Vice reports have been displaying demotic assessments of Mr. Putin's leadership. Are such defacement war crimes? No, almost certainly not, even though the laws of conflict in cyberspace are still at what we might call an aspirational stage. Website or device defacement that say - as they have, and which we believe because we're a family show - Putin is a blank head, as have been observed in Russia, don't present any obvious criminal case no more than claims that the Russian president has now established himself as the world's most toxic man. Indeed, under some domestic legal systems, they might not even constitute civil tort under U.S. law to take one example. Truth is an absolute defense to an accusation of slander. Reflect on that in your dacha, President Blank Head - or on your yacht, at least until it's seized by Interpol, Blank Head. 

Dave Bittner: Where open-source software meets supply chains, there is ample opportunity for vulnerabilities. And given the recent focus on supply chains by threat actors, it's fair to say there's increased vigilance on the part of developers. Lavi Lazarovitz is head of research on CyberArk's Labs team, and I spoke with him on the topic of supply chains and open-source software. 

Lavi Lazarovitz: When we all - all organizational software vendors, suppliers use the same open-source libraries, codes and packages, we also replicate vulnerabilities. And this is why - I think this is the essence of the significant attack surface that is now being utilized by many threat actors. Moving on to mitigation, on what should be done to mitigate the risk, the first thing that any organization, any software vendor needs to do is have a clear and visible list of the libraries that are used within its own software and in the software that the organization uses, the third-party applications and services. 

Lavi Lazarovitz: And although it sounds pretty obvious and simple, this is not the case. Knowing what packages I am using in my code, code that I imported for my software or the software that I developed is not a trivial task. And there are a lot of tools out there that help with that. But this would be the first thing that organizations should do, because after you know what you have, then you can respond quickly. You can look for common vulnerabilities in those packages that might be prone to severe vulnerabilities like authentication - authentication algorithm or mechanism. So those would be - I would start from there. 

Dave Bittner: You know, I've heard it said about open-source software that one of the advantages is that, by its very nature, it has a lot of eyes on it. There's a lot of - it makes - it's available for people from all over to take a look and make sure that it's secure. In response to what we've seen from some of these supply chain attacks, I've seen other folks say, you know, these days, that might be a bit of a myth. What's your take on that? 

Lavi Lazarovitz: So we all know, and I really think that the old saying that there is no such thing as security by obscurity, I really think - I really stick to it. I really think this is true. I think that in many cases where the mechanism, the algorithm is not visible, when there is a vulnerability there, it might explode. And it might be very - its impact would be enormous. And when you have a whole community looking into the code, then huge mishaps, they have a potential to be detected a bit before the vulnerability cause some major exploitation or severe exploitation. So my take on it is that the OS, the visibility into the code visibility into the code is a clear advantage. 

Lavi Lazarovitz: So you can also say, Dave, that, OK, so if the community has visibility, the threat actors has visibility as well, but this is where I think that the large number plays a role. The community is huge. The dev community is huge, and we can take advantage of that community for the good, and not just allow those threat actors looking for a specific vulnerability to reverse the code and find it for themselves, maybe sell it for millions for offensive security vendors out there. When it's closed source, I tend to think that threat actors might have an advantage here. 

Lavi Lazarovitz: Automation here is a huge advantage - making, developing - or the development process pushes it to a higher velocity, but also it comes with a lot of risk. So I got to say there is no silver bullet here. I would start from assuming breach and try to reduce the attack surface or contain the attack while assuming the threat actor is on my machine, and then work back to make sure that I am aware what code I'm using so when something big comes up, I know what I have, and I know if I need to respond or not. And lastly, I would be also subscribing to get notification when new updates come in so I would either review them first and then have them integrated into my code. 

Dave Bittner: That's Lavi Lazarovitz from CyberArk's Labs team. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director of security at Accenture. Malek, it is always great to have you back. We are talking today about this notion of deception systems for software resilience - an interesting topic. What do you have to share with us? 

Malek Ben Salem: You know, deception has been historically used as a technique by the information security community to detect attackers or to detect attacks, right? We are familiar with the concepts of honeypots, honeynets, honeyfiles, honeytokens, but today I'm here to call for rethinking how we might use deception systems and to expand, you know, the users or the communities using deception systems. Basically, I think that there is a huge opportunity for application teams to leverage deception systems in order to develop more resilient and secure software. So imagine a world in which developers and operators of systems exploit attackers as much as attackers exploit us defenders, right? Imagine a world where they can capture or gather information about how those attackers behave, how they attack a system. When they have access to that type of information, they should be able to design systems that are much more resilient, that can predict how attackers would behave or learn how attackers would behave, as opposed to predict how they would behave based on our own mental models of attackers. 

Dave Bittner: Well, can you give us an example of how this sort of thing would play out? 

Malek Ben Salem: Basically, this would require the improvement of the deception systems that we have available to us today. But once we deploy a deception system that is very believable, that is very similar to a real-world implementation of a real system, and we allow attackers to interact with it and we have the right logging and monitoring tools within that environment to observe what the attackers are doing, then we can gather that wide information. And then we can use that, you know, information asymmetry to our advantage as we design new systems. 

Dave Bittner: So how does this differ from a traditional honeypot? 

Malek Ben Salem: So the traditional honeypot has been typically isolated from real-world environments, right? It's very separate. We deploy it in a, you know - a different system deployed on, perhaps, on a different network. It does not exhibit believability - right? - for the adversary, for the attacker. What we need is more systems that are very similar to what a real-world system would look like that have that high fidelity, if you will. And they may not necessarily be fully isolated from the real world system. You know, they look believable to the attacker so that, you know, the amount of information that we gather from them can inform the design of these systems and can inform how real attackers behave. 

Malek Ben Salem: The ones we have today have the honey tokens or honey files that we have today are not interactive enough, right? For the most part, they're static. In some cases, they may have some traffic that looks realistic, but there is no way for the attacker, let's say, to pivot from one system to another to explore a network. They don't provide that capability for the attacker to experiment and to showcase their TTPs - right? - their tactics, techniques and procedures. And if the attacker doesn't know or doesn't use those TTPs, obviously, we are not collecting them. We're not observing them. 

Dave Bittner: So where do we stand right now that this sort of thing is practical? 

Malek Ben Salem: Yeah, I think we're at a point where we can leverage existing technology to deploy these more realistic and believable deception systems. First of all, cloud computing enables us or gives us the ability to provision fully isolated infrastructure with little expense. With that ability to automatically deploy, we can easily leverage this technology to our advantage. The virtualization advancements that we've seen recently, the widespread availability of nested virtualization that has been mature, the hardened virtualization technologies today all inspire confidence that attackers are isolated from production. So I think we're at a point where we can leverage those advancements to deploy these more realistic deception systems. And obviously also, you know, SDN, software defined networking, proliferation of SDN, the widespread use of SDN and the ability to define networks programmatically also helps with the deployment of these deception systems. But I think a combination of these technologies available to us would help us be able to deploy deception systems, you know, through code, right? Using infrastructure as code, we should be able to have more of these systems available to us. 

Dave Bittner: All right. Well, Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.