The CyberWire Daily Podcast 3.4.22
Ep 1528 | 3.4.22

Swapping propaganda shots. ICANN will not block the Internet in Russia. Hacktivists achieve a nuisance-level of success. NVIDIA gets a most curious demand. And there’s no US draft.


Dave Bittner: Propaganda engagements in Russia's hybrid war against Ukraine. ICANN will not block the internet in Russia. Hacktivists, real and pretended, achieve a nuisance level of success in Russia's war. Scams and misinformation circulate in Telegram. Nvidia gets a most curious demand from a cyber gang. CISA's ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from extra hop to discuss the implications of the cyber talent shortage. And hey - news flash. No matter what the text on your phone might say, there's no military draft in the U.S.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, March 4, 2022. We begin with a quick note on the situation on the ground in Russia's war against Ukraine. Russia's army seems to be compensating for tactical and material incapacity with brutally intense and indiscriminate fires. The big column approaching Kiev still appears to be both road-bound and stalled, but Russia seems determined to push through and persevere until it succeeds in disarming and neutralizing and probably partitioning Ukraine. Logistical, planning and possibly training and command failures may be responsible for the Russian Army's lack of rapid success. Russian and Ukrainian negotiators met again, without much progress. But certain corridors are said to remain open for the use of refugees. President Zelenskyy offered to meet President Putin and offered Mr. Putin a mildly insulting reinsurance - I don't bite. Belarusian President Lukashenko said today that his forces aren't participating in Russia's war and that he won't be sending them into combat.

The propaganda phases of a hybrid war. (Or, when you've lost Switzerland, you've lost the world.)

Dave Bittner: MIT Technology Review sees the propaganda war as having eclipsed the cyberwar. Who's winning this phase? Military Times gives a clear edge to Ukraine, whose messaging has held far more appeal than Russia's. Some of Kyiv's themes and memes are plausible - courageous, old ladies giving Russian invaders pieces of their mind, old men volunteering for service, captured Russian conscripts asking for their mothers to come and bring them home. Others are pretty dubious, like the cats who caught snipers. Still others more myth than reporting, like the Ghost of Kyiv, the Ukrainian fighter pilot who's downed six Russian aircraft to become the first European ace since 1945. But the Ghost sounds a little like those bowmen of Agincourt who were said to have succored the British Expeditionary Force during its retreat in 1914, to the frankly debunked, like the video the Ministry of Defense displayed that purported to be gun camera footage of a dogfight but turned out to be from the video game Digital Combat Simulator. The messages are feel-good stories that tell about good versus evil, and their effect has been augmented by President Zelenskyy's easy facility with the soundbite bite and the one-liner. I need ammunition, not a ride seems to have been particularly well-received. And the above mentioned, I don't bite will probably be equally well-received. 

Dave Bittner: New America political scientist Peter Singer told Military Times, quote, "When even Switzerland is joining in the sanctions, you've lost that narrative battle," end quote. We offer this, by the way, as a neutral account of the relative success of government propaganda campaigns, not as approval of any official lying. Russian propaganda has had much less success, in part because of the lies' lack of their usual bodyguard of truth. Moscow has had little success in convincing the world that President Zelenskyy's government represents a cabal of Nazis. And clumsy attempts to blame Russian misconduct on Ukraine have fallen flat. After extensive Russian bombardment of Kharkiv, for example, The Telegraph reports that NTV explained, quote, "In expert opinion, it was the Ukrainian military who attacked the Kharkiv administration building with a Smerch multiple rocket launcher or an Olkha, its modern Ukrainian modification," end quote. This kind of story isn't flying, internationally at least. Much of Russia's propaganda effort is inward-looking, focused on maintaining domestic order and, if possible, active support for the war. The Telegraph goes on to report that Russian authorities are relying on tight narrative control, specifying in some detail how the war is to be reported. If we were TASS or NTV, we'd be calling that war a "special military action."

ICANN will not block Russia's access to the Internet.

Dave Bittner: CNN reports that ICANN, the Internet Corporation for Assigned Names and Numbers, has told the Ukrainian government that shutting down Russia's access to the internet is beyond its power, both technically and as a matter of policy. ICANN CEO Goran Marby wrote authorities in Kyiv. Quote, "As you know, the internet is a decentralized system. No one actor has the ability to control it or shut it down. Our mission does not extend to taking punitive actions, issuing sanctions or restricting access against segments of the internet, regardless of the provocations," end quote. Blocking the internet in Russia, even if it were easily possible, would be, many observers suggest, an ambivalent move. Information about war does seem to be reaching Russian citizens even around the government's restrictions on the flow of information. And there's arguably more benefit from that than there would be from jamming. 

Hacktivists and cyber militias continue to score at a nuisance level.

Dave Bittner: Distributed-denial-of-service attacks and doxxing seem to have been the preferred modes of attack by both sides of the war, Check Point suggests. DDoS is easier to confirm than are claims of breaches. And hacktivists in particular have been prone to exaggerate the effects they've achieved. But it's undeniable that there have been nuisance-level successes. 

Misinformation and scams related to Russia's war against Ukraine (as seen through Telegram).

Dave Bittner: Check Point Research has been watching Telegram traffic during the war, and it sees a mixed record. They're observing three broad classes of activity. First, cyberattack groups against Russia that urge followers to attack Russian targets in different tools and ways, mainly DDoS. Second, groups urging followers to support Ukraine by fundraising of doubtful authenticity, often suspected to be fraud. And third, numerous news feed groups airing updated and exclusive news reports about the conflict, bypassing mainstream news outlets. Much of the claimed hacktivism is bogus, either deliberate scams or the self-aggrandizing fantasies of those who wish to see themselves as self-importantly engaged. What else are social media for? Check Point urges people to be particularly cautious when they're considering donating to an appeal for funds. Fraudsters follow the news, too, and they craft their phish bait accordingly. 

NVIDIA gets a most curious ransom demand.

Dave Bittner: Turning to a story that seems to have nothing to do with Russia's war against Ukraine, there have been developments in this week's cyber incident at Nvidia. video. The chipmaker said this week that the attack did not appear to involve ransomware. It does appear, Hacker News reports, to involve a different kind of extortion. DarkTracer says the Lapsu$ gang has employee credentials and about a terabyte of other data. Lapsu$ also issued what Ars Technica calls one of the most unusual demands ever. Quote, "We request that Nvidia commits to completely open source and distribute under a FOSS license their GPU drivers for Windows, macOS and Linux, from now on and forever." Lapsu$ claims an altruistic motive. Quote, "We decided to help mining and gaming community. We want and Nvidia to push an update for all 30 series firmware that remove every LHR limitations. Otherwise, we will leak HW folder. If they remove the LHR, we will forget about HW folder. It's a big folder. We both know LHR impact mining and gaming," end quote. What they really appear interested in doing is making it easier to mine altcoin. LHR blocks many forms of mining. And apparently, Lapsu$ would like to be able to find coins in them there GPUs. 

CISA issues three ICS advisories.

Dave Bittner: CISA yesterday issued three industrial control system advisories. Two of them affected medical systems. The third advisory involves a telecontrol communication device. 

Have you noticed? There hasn’t been a draft in the US since 1973. Thank you, President Nixon.

Dave Bittner: And finally, American youths, have you received a text telling you that the U.S. Army is drafting you to fight in Ukraine? It's a scam, Army Times reassures everyone. The U.S. Army wouldn't text something like that. And besides, as the Army points out, there's no draft, and it would take an act of Congress to establish one. So fraudsters follow the news, but they also have a good sense of when their marks really aren't paying attention. So, friends, there's no draft, and it's not the 1960s anymore. We've seen Civil War reenactors. Will the 2020s see a wave of draft resistance reenactors? Probably not. 

Dave Bittner: It's commonly accepted that there's a talent shortage in cybersecurity. And in response to that, many organizations are embracing security operations automation, or SecOps, as a way of closing the gap and making the most of the talent they have. Chase Snyder is senior manager of security at ExtraHop. And he thinks the emphasis on SecOps makes sense but also deserves thoughtful consideration. 

Chase Snyder: For one thing, people believe that there is a technological answer to the problem, that by embracing automation and AI, they can get more efficiency out of their security operations and that they can get a better sort of outcome without having to solve this seemingly intractable problem of staffing. There's some truth to that, but it's a little bit more nuanced. But by embracing security operations, companies feel that there is a sense that there is a path forward in this extremely challenging both global remote work landscape and also rapidly evolving threat landscape, where the cyberattackers are getting more and more sophisticated at how they intrude upon their targets. And the field of security operations and the growth and innovation that's happening there offers sort of a beacon of hope that there might be an answer, that businesses can continue to operate in these circumstances. 

Dave Bittner: And what is the typical pathway here for organizations who are looking to, you know, sort of formalize their journey into security operations? What does that look like? 

Chase Snyder: Well, starting up a security operations center is a pretty big ask. But I think there's a sort of mixed bag happening now where many organizations are having some in-house staff for security. And they're splitting off so that it's not just the IT operations team or the CIO who's running the security team kind of on the side. Having it be a separate, dedicated organization within the business is a big part of it. And then figuring out what you can handle in-house and what you have to outsource to a managed service provider or what you need to rely on some other sort of service for. 

Dave Bittner: Do you have any tips for organizations that are considering that journey? I mean, you know, are there common places where people trip up or find themselves challenged? 

Chase Snyder: I'd say for organizations that are just starting their security operations journey, going from not having a security team to having it, there's a huge landscape of technology and a huge landscape of services out there. But where you really need to start is examining your own risk posture and, what is business critical for you? So when an organization is trying to get started in security, they have to know what it is that they are trying to secure and really introspect quite a bit about why they're even considering moving towards having security operations as part of their organization. 

Dave Bittner: What's the value proposition here? I mean, if I the person who's making the case to my board, I'm walking in and saying, hey, this is the direction we want to go in, what should I lead with? What should that conversation look like? 

Chase Snyder: If you're saying that you want to start up a security operations team within your organization when there isn't already one, I think pointing to the growing scope of the type of attacks that we're seeing, there are a constant barrage of headlines about the massive increase in ransomware demands and supply chain attacks that sneak in and cause enormous damage, enormous financial damage, brand damage and even shut down the business. And so pointing to those things and saying we know that prevention doesn't work and we know that this is an area of growing concern, we can see what's happening to our peers. We need to have the ability to address this from inside the house. 

Dave Bittner: That's Chase Snyder from ExtraHop. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for our Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. he is the dean of research at the SANS Technology Institute, also the host of the ISC "StormCast" podcast. Johannes, it's great to have you back. You have been tracking some interesting techniques that attackers are using to upload phishing pages to some websites here. What's going on? 

Johannes Ullrich: Yeah. So the way we figured this out as we do run this honeypot network that emulates web applications. And if you go to our website, we sort of have a page where we display everything we have seen that's new that this network sort of detected. And recently, we found a number of hits for something called elFinder. And we were really trying to figure out, what was this about? So elFinder there is a tool that allows you to manage content on your web server. If you for some reason don't like SSH and the command line in order to connect to your web server and move files around and upload files, you can use elFinder. It gives you a nice web-based interface. The name Finder sort of comes from the macOS Finder that they are trying to emulate here. Fancy tools have fancy vulnerabilities. 

Dave Bittner: (Laughter) I need that on a T-shirt. 

Johannes Ullrich: And turns out last year, July, elFinder you'll find there had a couple of on abilities where it is possible for anybody to upload arbitrary files to your system. And looks like phishing actors have caught onto this and are now actively looking for elFinder. The tricky part is with, you know, all of these components of that - these days, people like to call it supply chain issues sort of catches that again here. ElFinder is a component that may be part of a plugin that you will then run as part of a content management system like WordPress and such. So you have these multiple levels of redirection here until you actually realize that you're operating using this malicious - or not malicious, I should say vulnerable component. 

Johannes Ullrich: So is it - in this case, is it a matter of making sure that your copy of elFinder is up to date? 

Johannes Ullrich: Definitely make sure it's up to date. That's the first thing to do. And with any admin interface admin feature like this, I would always recommend some additional layer of obfuscation in your web server. You can usually configure something called basic or digest authentication. It's not super strong, but it sort of provides an additional layer of protection to components like this, which sadly tend to have a lot of vulnerabilities, in particular, if it's only maybe you and someone else or so who needs to really access that component to upload files and manage the content on your website. 

Dave Bittner: You know, a colleague of mine does a lot of WordPress development, and they use one of the popular WordPress hosting platforms. And it costs a little bit more. But one of the advantages there is that that hosting platform for WordPress also keeps an eye on some of these vulnerabilities and makes sure, you know, that you're informed and that, you know, the things that they can keep up to date are kept up to date. And I think that's noteworthy if you're someone who's running a WordPress site. 

Johannes Ullrich: No, I would definitely recommend that to people. You don't really want to bother with all the plumbing around WordPress. And WordPress also always is put out here because it's somewhat the biggest one, but all these other - Drupal and such have similar issues. I heard someone once saying that WordPress's business model is that they make it so hard to patch that you have to sign up for their for-pay service. 

Dave Bittner: (Laughter). 

Johannes Ullrich: But the price is not really that bad. So it's definitely worthwhile considering because pretty much whenever I look at a phishing website these days, it's either WordPress that got compromised or it is some kind of free cloud hosting service that's being used. That's really sort of where a lot of phishing comes from. So you don't want to be part of the problem. And talking to sometimes to people who got compromised, it's actually a fun thing that you should do at times. It's usually a church. It's a small business that has someone who years ago put together the site for them, and they really don't have any talent - really can't afford anybody that would sort of really manage the site for them other than, you know, updating a couple of pages here, there. 

Dave Bittner: All right. Well, good advice as always. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Mike Benjamin from Fastly. We're discussing open redirects, real-world abuse and recommendations. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brendon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.