The CyberWire Daily Podcast 3.29.22
Ep 1545 | 3.29.22

Cyber phases of a hybrid war continue at a nuisance level. IcedID’s distribution vectors. Automating software supply-chain attacks. CISA offers power supply risk mitigation guidance.


Dave Bittner: A cyberattack takes down a major Ukrainian Internet provider. Ghostwriter is said to deploy Cobalt Strike against the Ukrainian government. Anonymous makes some large claims. This just in - spies drive drunk. Ukrainian intelligence doxes FSB officers. Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams. Red-Lili automates software supply-chain attacks. Ben Yelin considers Russian cyber capabilities. Mr. Security Answer Person John Pescatore addresses security automation. And CISA offers mitigation guidance on risks to uninterruptible power supplies.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, March 29, 2022.

Cyberattack takes down major Ukrainian Internet provider.

Dave Bittner: Reuters reports that Ukrtelecom, Ukraine's major telecom provider of both Internet connectivity and mobile service, sustained a major cyberattack yesterday. It was apparently a distributed denial-of-service attack that Ukrtelecom described as "temporary difficulties with the installation of new internet sessions for Ukrtelecom customers. NetBlocks confirmed that Ukrtelecom service had indeed been disrupted, with real-time network data showing connectivity collapsing to 13% of pre-war levels. Forbes quotes senior Ukrainian officials as saying "they're presently unsure whether the attack was a conventional distributed denial-of-service attack or represented a deeper intrusion into Ukrtelecom's systems." 

Dave Bittner: The State Service of Special Communications and Information Protection of Ukraine, was quick to attribute the incident to a Russian cyberattack, which it said Ukraine had been able to mitigate. Ukrtelecom gave priority to military users and is said to be on the way to restoring full service for private and commercial customers. This seems to be the most significant Russian cyberattack since the opening hours of the invasion, but it still falls short of the disruptive attacks against Ukrainian infrastructure that have been widely expected.

Ghostwriter said to deploy Cobalt Strike against Ukrainian government.

Dave Bittner: Ghostwriter, a threat actor associated with the Belarusian government, has been using spearphishing attacks to install Cobalt Strike Beacon in Ukrainian government systems. Security Affairs cites CERT-UA as the source of the report. Cobalt Strike is a common legitimate penetration-testing toolset that's been turned to illegitimate use by criminals and, as in this case, intelligence services.

Trickbot's role in Russia's war; Anonymous makes some large claims.

Dave Bittner: The Wall Street Journal has an account of a Ukrainian researcher's infiltration of chatter by the managers of the Trickbot banking Trojan. The group interpenetrates Conti's operators, and the chats disclosed show a similar commitment to Russia's war effort. They also indicate an interest in hitting Western targets, including U.S. hospitals, but these should be taken with an appropriate grain of salt. Not only are the leaks so far unconfirmed by official sources, but criminals and privateers, like hacktivists, tend to crow large. 

Dave Bittner: A similar tendency is probably in evidence on the Ukrainian side, where hacktivists who claim allegiance to Anonymous, say on Twitter they're working on a data dump from their compromise of construction firm Rostproekt. 

Dave Bittner: Twitter has suspended some accounts associated with Anonymous, but Security Affairs reports that the hacktivist collective is saying that it's already counted coup against both the All-Russia State Television and Radio Broadcasting Company and the Russian Central Bank.

This just in: spies drive drunk: Ukrainian intelligence doxes FSB officers.

Dave Bittner: Ukrainian intelligence services have released the names and addresses of 620 people they allege to be FSB officers. The Times reports that, as well as names and addresses, the list includes details of agents’ cars, such as their numberplates, their phone numbers and dates and places of birth. According to the Telegraph, some of the officers whose data were exposed are believed to be operating in foreign countries, including the U.K. The data in the leaked files includes what appear to be entries in personnel files, and some of it in truth is kind of cringy, like observations that one officer likes luxury cars maybe a bit too much, and that another drinks too much and has a propensity to violate traffic laws. So what's next - sudden unexplained wealth? The incident is an embarrassing black eye for the FSB, which has attracted President Putin's ire for what he retrospectively sees as misleadingly optimistic intelligence assessments of Ukrainian public opinion and will to resist a Russian invasion.

Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams.

Dave Bittner: Criminals are taking advantage of widespread sympathy for Ukraine's experience under Russian aggression by preying upon people's desire to help out. Grid News says the scams include conventional donation scams and more exotic appeals to those who would join the hacktivist IT Army that's formed under the uncertain direction of Kyiv to fight Russian interests. There are reports that naive volunteer hacktivists have been induced to install malware in their devices after being convinced that, no, really, they're helping set up distributed denial-of-service attacks against Russian networks.

IcedID Trojan being delivered by spearphishing and conversation hijacking.

Dave Bittner: Fortinet and Intezer independently report criminal campaigns to deliver IcedID, a Trojan that's been observed in the wild since 2017. Fortinet describes spearphishing emails with attached and bogus invoices that carry IcedID as their malicious payload. Intezer reports that IcedID distributors have also turned to conversation hijacking as the means to deploy the Trojan.

Employment fraud maintains its Covid-driven high levels.

Dave Bittner: Proofpoint researchers report that employment fraud continues to appear at a high level and that it disproportionately affects students at colleges and universities. They say there are many variations of this threat, including job offers as caregivers, mystery shoppers, administrative assistance, models or rebate processors. The goal of employment fraud isn't usually direct theft from victims but rather either theft of identities or credentials or the recruitment of victims into criminal activity as, for example, money mules.

Red-Lili automates software supply-chain attacks.

Dave Bittner: Checkmarx has been tracking the activities of the Red-Lili threat actor, which has been engaged in using anonymous disposable NPM accounts as one-time distribution vectors for malicious packets. Red-Lili has developed the ability to mount these software supply chain attacks at scale. According to Checkmarx, the attacker has fully automated the process of NPM account creation and has opened dedicated accounts, one per package, making the new malicious packages batch harder to spot. As Checkmarx notes, they're not the only researchers to have observed the activity. Both JFrog and Sonatype have reported on the malicious NPM activity. Red-Lili's allegiances and purposes remain obscure, but the actor represents a clear threat to software supply chains.

CISA offers mitigation guidance on risks to uninterruptible power supplies.

Dave Bittner: And finally, CISA this morning issued guidance on protecting uninterruptible power supplies, UPS devices - not to be confused with the United Parcel Service. CISA explains that UPS devices provide clean and emergency power in a variety of applications when normal input power sources are lost. The agency recommends that some well-founded best practice mitigations be applied at once. They say immediately enumerate all UPSs and similar systems, and ensure they are not accessible from the internet. They say you should check your UPS' username and password and see if it's still set to the factory default. If it is, shame on you. But that's OK; update it immediately. And they also say to ensure that credentials for all UPSs and similar systems adhere to strong password-length requirements and adopt login timeout and lockout features. Sound advice, courtesy of CISA. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

John Pescatore: Hello. And welcome back to Mr. Security Answer Person. I'm John Pescatore. Let's get into our question for this week. 

John Pescatore: Our question today comes from one of our listeners, Mr. Lucio Chagas. How do you see the progress of automation in the great realm of the security landscape? I would appreciate it a lot if you could link this to a little bit of history in the past-versus-future exercise. Thanks a lot. 

John Pescatore: Thank you, Mr. Chagas. This will be a fun one to answer. First, let me make an absolute statement. You cannot automate what you don't already know how to do. Doing the wrong things faster is rarely a winning strategy. This flows directly from the definition of security automation that I like to use, which comes from Red Hat. Security automation is the use of technology that performs tasks with reduced human assistance in order to integrate security processes, applications and infrastructure. I like this definition because it points out several important things. Security automation can reduce but not eliminate the amount of human effort required or the security skills required to perform certain tasks. 

John Pescatore: Often, integration between security processes is what's called automation or orchestration because such integration reduces the manual effort often involved in getting critical security information from one step in a process to the next. It points out that you must first have accurate and effective security processes, applications and controls in place before you can automate. So security automation is not and will never be a - instead of hiring a lot more security people, dump a lot of data into a software product, and it will protect you - kind of deal. You must have at least all the security basics in place - for example, the first two implementation groups of the Center for Internet Security Critical Security Controls - before you can benefit from automation. And to get to that point, you need a skilled security staff. 

John Pescatore: The second must-have before security automation can be effective is the automation technology has to be fast enough and accurate enough, as in low-to-zero false positives, and the action taken has to result in minimal or, ideally, no business disruption. A lot of security automation technologies talk about zero false negatives. We did not miss a single Heartbleed attack but never mentioned a false positive rate. Twenty percent of the time, what we called a Heartbleed attack was really a legitimate access. Similarly, stopping a threat but crashing complex business applications and transactions is rarely a net positive for the business. 

John Pescatore: Some examples in the past where those two requirements have been met and security automation has proven to be valuable - signature-based antiviral. A file matches a known malicious file signature, and we automatically delete it versus just warn the user and flag for security review. We like to trash signature-based approaches because of their high false negative rate, but their lack of false positives enables automation. Web security gateways - we block user access to known bad URLs. We don't just warn the user and hope they comply. Again, low false positives is key. Having the required fix-by date triggered by a vulnerability rescan, integrating trouble ticket data with automated vulnerability scans to automatically update trouble ticket priority as it ages - low false positive, low business disruption. 

John Pescatore: Network-based intrusion prevention - it's often called fancier things, but network-based intrusion prevention. This is where detection had reached zero false positive rates and mitigation can be done with no or most acceptable business impact. We block or drop traffic versus just issue alerts. A lot of threat-specific automation is really this type of action with a very narrow focus. But if it blocks network attacks, it is really a network intrusion prevention capability. The idea is if we are 100% certain something is bad, why let it through? These may sound like very simple use cases, but they are all very valuable in freeing up scarce skilled resources to focus on the hard problems, allowing us to use pieces of software and lesser-skilled or experienced analysts to handle more routine issues. 

John Pescatore: An extension of this is where the integration of data and the application of smart software, which could be but does not have to be machine learning, is used to prioritize alerts or action recommendations to reduce time to respond - not very sexy automation, but very powerful in reducing time to detect without increasing staff. But a lot of the automation examples tossed around are word detection, analysis, response and remediation are magically all automated. An old example was where a credentialed vulnerability scan could identify unpatched servers and automatically install the patches. But there are often valid business reasons why a server had to be left unpatched. And forcing patches would disrupt operations, not to mention that in most organizations the security group is not responsible for patching. More recent examples around detecting an attack and automatically changing firewall or IPS rules or server OS configurations - almost none of these are practicable yet in the real-world complex business application environments we're in. False positives and mitigation rates are just too high. 

John Pescatore: So, Mr. Chagas, to summarize, integration of well-thought-out security processes is a powerful form of automation that can reduce time to detect, respond and restore. It takes skilled security folks and very accurate security tools to reach that point. In certain areas, many have done just that. This level of automation can allow lesser-skilled security staff to handle more security events per shift, which enables our limited security unicorns to focus on the more difficult issues. And that is a huge gain. 

John Pescatore: But hyped-up security automation, as in, AI detects and kills attacks fast, is a long way away for more than the simplest of attacks in the real world. I think the most likely area we will see near-term advances and more sophisticated automation will be by embedding security policies into the kernel level or virtual environments such as VMware and cloud-based applications. There's an intersection of security admin, app admin and virtual platform admin where the AWS's, Azure's, Google Cloud Platform folks do amazing stuff. If you can get those three worlds to cooperate in the virtual data center, more amazing automation is possible. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send in your questions for Mr. Security Answer Person to 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting article caught my eye. This is from Kim Zetter writing over on Politico, really highlighting what we have and have not seen when it comes to cyber capabilities in this ongoing war in Russia and Ukraine. What's going on here, Ben? 

Ben Yelin: Yeah. So maybe I'm out of line here, but I almost found this article somewhat reassuring. So we know that our intelligence agencies, the CIA and the NSA, have spent decades now spying on Russia's computer networks. They are collecting intelligence, both, you know, for the purposes of figuring out what Vladimir Putin's going to do, as they did prior to this war in Ukraine... 

Dave Bittner: Right. 

Ben Yelin: ...But also for the potential to order destructive cyberattacks on Putin's regime. I think we've always imagined that we would use this as a defensive weapon, that if we were attacked with some type of kinetic or cyber incident, that we would want to have the capabilities to respond in kind. But what this article gets at is both sides, the United States and Russia, are treading very slowly in this potential cyberconflict. And I think the reason they are treading slowly is the same reason we didn't have widespread nuclear Armageddon during the Cold War. And that's mutually assured destruction. We don't know exactly what Russia's capabilities are. 

Ben Yelin: But if we went in and, you know, for the purposes of responding to Russian aggression in Ukraine, damaged the critical infrastructure in Moscow - we shut off the lights. We damage the sewer system, water treatment plants, etc. - there's a very real fear that they not only would retaliate against us, which would escalate the conflict, and that certainly could be very difficult for our own citizens, having power cut off in a major American city or attacks on other parts of our critical infrastructure. But it could escalate from there. You know, that - the cyber warfare could lead to kinetic warfare, which could eventually lead where - a place where none of us want to be, which is a full-on war between two nuclear powers. 

Dave Bittner: Right. 

Ben Yelin: So I just thought it was interesting and encouraging that both sides are treading lightly. Our government hackers have been working for the past couple of decades to develop these capabilities. I just think there's the reluctance to use them knowing that Russia potentially has the capability to retaliate. 

Dave Bittner: I find it fascinating that we look at this and, in retrospect, it makes absolute sense. But this is not the way that people were thinking going into this conflict. What do you make of that? 

Ben Yelin: Right. I think people were expecting that Russia would have already used offensive cyber operations in Ukraine to help their war effort - so shutting down Ukrainian power grids. A point that you made on the Caveat podcast when we discussed this is they really haven't done that really because they think it would be detrimental to their own war effort. They've needed to use the same cellular networks that are already deployed in Ukraine for their offensive military operations. 

Dave Bittner: Right. 

Ben Yelin: So I think we haven't seen that yet as part of this conflict. I think the conflict has been - I don't want to say traditional - but has kind of been more of a 20th-century type of warfare. They, with their military, through air and ground support, invaded a sovereign foreign country. And we responded with economic sanctions. I think that's the safest place for all of us to be right now, given that this could potentially turn into a large global conflict. 

Ben Yelin: I think people imagine that we would - if they destroyed Ukrainian power grids or nuclear facilities or something or any other attack on critical infrastructure, I think people were anticipating that we might use our cybercapabilities to do the same in Russia. But I think there is a real reluctance to do that because of this fear of escalation. Breaking into their country's core systems is something we, frankly, have been able to do. It's kind of a power that we can't use lightly... 

Dave Bittner: Right. 

Ben Yelin: ...Because if our calculus is wrong and we use this as an offensive weapon - as we say in the 2000s, we don't want the smoking gun to be a mushroom cloud. 

Dave Bittner: Yeah. To what degree is this situation establishing norms in cyber conflict - is - because this is all new, right? The - a hybrid war like this is still relatively new. So to what degree, if any, is this establishing future rules of the road? 

Ben Yelin: I think it's really unclear. It's a unique situation when we're dealing with Russia as opposed to some of our other adverse adversaries, whether they are nation states or terrorist groups. For one, they've lost a lot of their economic power as a result of this war. But they're still a nuclear-armed country. And we also have reason to believe that they have enhanced cybercapabilities. We've seen them perpetuate cyberattacks before. Certainly their involvement in the 2016 election - GRU - indicates that those capabilities are there. So we know that they could respond in kind. I'm not sure that that would be the case in other cyber conflicts across the world. So I don't think this is setting any broad ground rules for cyber warfare. 

Dave Bittner: Right. 

Ben Yelin: I think the fact that it is Russia is significant for the reasons that I mentioned. So I think it might not be precedent-setting, but I think it's just an interesting outgrowth of the conflict that we're seeing now. 

Dave Bittner: Yeah. All right. Well, that article is over on Politico. It's written by Kim Zetter. It's titled "Not the Time to Go Poking Around: How Former U.S. Hackers View Dealing With Russia." Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.