Cyber takes point in a hybrid war. Medical robot vulnerabilities remediated. A Cyber Civil Defense for the US? Europol leads the takedown of RaidForums.
Dave Bittner: GRU deploys Industroyer2. Anonymous doxxes three more Russian companies. CISA warns of an exploited firewall vulnerability. Medical robots’ vulnerabilities are remediated. A Cyber Civil Defense effort in the U.S. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, April 12, 2022.
GRU deploys a new version of Industroyer against a Ukrainian energy company.
Dave Bittner: Sandworm, also known as Voodoo Bear, and in the org charts Unit 74455 of Russia's GRU, has deployed CaddyWiper destructive malware and an Industroyer variant being called, simply, Industroyer2. ESET tweeted the results of its findings early this morning and provided additional details in a report also published today. They said, ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company. The destructive actions were scheduled for April 8, 2022, but artifacts suggest that the attack had been planned for at least two weeks. The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems. We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack.
Dave Bittner: At first look, the incident seems an attempted repetition of the 2016 Russian cyberattacks against the Ukrainian grid that ESET mentioned in its report. CERT-UA offered a further description of the attack. It intended to use Industroyer2 against high-voltage electrical substations in a fashion tailored to the individual substations. CaddyWiper was used against Windows systems, including automated workstations, and other destructive scripts - OrcShred, SoloShred and AwfulShred - were deployed against Linux systems.
Anonymous-affiliated actor NB65 counts coup against Roscosmos.
Dave Bittner: The Telegraph reports that Network Battalion 65, NB65, has posted images it claims show that it succeeded in compromising servers at the Russian space agency Roscosmos. Roscosmos boss Dmitry Rogozin, lately much given to incandescent verbal sputtering in a westward direction, downplayed the effects of the attack and called NB65 a bunch of scammers and petty swindlers. That may be, but it appears that NB65 did obtain some access to Roscosmos networks, and that the hacktivists or hacktivist deployed some of Conti's ransomware code therein.
Anonymous releases data taken from Russian enterprises in #OpRussia.
Dave Bittner: Hack Read says that Anonymous has hit three more Russian enterprises - Aerogas, Forest and Petrovsky Fort - Aerogas, which handles oil and gas production services; Forest, which handles logging; and Petrovsky Fort, which handles office space. The collective leaked roughly 437,000 emails belonging to the companies. Petrovsky Fort lost about 300,000 emails, about 244 gigabytes, Aerogas lost 145 gigabytes, and Forest lost 37.7 gigabytes worth of information, including 375,000 emails. Petrovsky Fort and Aerogas are state-owned. The material has been posted to the familiar Distributed Denial of Secrets site.
As Mr. Putin says he sees the matter.
Dave Bittner: Here's a study in disinformation relevant to those interested in cybersecurity and hybrid warfare because of the way we can expect to see it repeated and amplified in Russian-controlled or sympathizing online outlets. Long-suffering Russia is waging a good war, President Putin said in a speech this week
CISA warns of vulnerability the GRU exploited in firewall appliances.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. Among them was the high severity privilege escalation flaw in WatchGuard firewall appliances the GRU had exploited to build up its Cyclops Blink botnet, disrupted last week by the U.S. FBI. BleepingComputer quotes WatchGuard on the effects of exploitation - "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access." WatchGuard issued its own warning at the end of February.
Vulnerabilities fixed in medical robots.
Dave Bittner: Cynerio today announced its discovery of vulnerabilities in Aethon TUG hospital robots that could allow attackers to circumvent security and remotely surveil and interact with patients, tamper with medication distribution and disrupt day-to-day hospital operations. Cynerio disclosed the bugs, collectively called JekyllBot:5, to the manufacturer under the CISA Coordinated Vulnerability Disclosure Process, and the issues have now been remediated, and patches are available.
Cyber Civil Defense.
Dave Bittner: The Global Cyber Alliance reports that Craig Newmark Philanthropies has committed to donating more than $50 million total to support a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats. Craig Newmark, who is the Craig in Craigslist, characterizes the effort as a cyber civil defense initiative. It will focus on cyber education, cybersecurity career opportunities, development of cybersecurity tools for community protection, usability and customer service for security tools and services, and championing equitable cybersecurity.
Adios, RaidForums (and good riddance).
Dave Bittner: And finally, Europol this morning announced the takedown of RaidForums, the large cybercriminal forum and market where techniques were discussed and tools and stolen data were traded. The forum's infrastructure was seized, and its administrator and two accomplices were arrested in Operation Tourniquet. This was a yearlong international effort coordinated by Europol to support the separate investigations of law enforcement agencies in Portugal, Romania, Sweden, the United Kingdom and the United States. Europol credits effective information-sharing with enabling investigators to define the different roles the targets played within this marketplace, such as the administrator, the money launderers, the users in charge of stealing or uploading the data and the buyers. So, bravo, Europol. Congratulations on the collar.
Dave Bittner: Cyberdefense firm ExtraHop recently released results from their 2022 Cyber Confidence Index, conducted by Wakefield Research, exploring how IT and security decision-makers assess their security practices. Chase Snyder is senior product marketing manager at ExtraHop.
Chase Snyder: One of the big things, Dave, is that the disparity between confidence in the ability of cybersecurity teams or security operations teams to respond to threats versus their admission that their own cyber hygiene and the existence of old insecure protocols and unmanaged devices in their environment - there's a gap there. So many teams, the - I believe the Cyber Confidence Index indicated that 77% of teams believed that they were highly able to respond to and mitigate and prevent cybersecurity threats. But 64 of them said that half of their cybersecurity incidents were due to their own outdated protocols and their own outdated security posture. So there's a little bit of a gap there, and we were trying to understand where exactly that comes from.
Dave Bittner: What do you make of that? I mean, is - are people fooling themselves? What do you suppose is causing the disconnect?
Chase Snyder: I think something that's happening is that there has been a large focus on advanced threats, and folks are really increasing their ability to detect and respond to threats. But not everyone has done the work to clean house and shore up the foundation of their environment. So when I say clean house and shore up their environment, what I mean is many organizations still have large numbers of outdated and known-to-be-insecure protocols running in their network. Ninety-two percent admitted that they still had SMBv1 or MTLM. These are old protocols that are low-hanging fruit for attackers.
Chase Snyder: On average, these organizations also said that 29% of the devices in their environment aren't managed. So there's a large gap there. There's a blind spot, and that blind spot represents an attack surface for attackers. So the detection and response capabilities are there, but there are still these big attack surfaces that need to be cleaned up. And there's a big upside for companies that take the effort to go ahead and clean that up and shore up their foundations.
Dave Bittner: Is there a recognition that this is something that they need to be working on, or is this a matter of them knowing that but taking it as part of their risk calculation?
Chase Snyder: That's a great question, Dave. I'm not totally certain whether or not folks have fully internalized the idea that these older, insecure protocols and unmanaged devices represent an enormous amount of risk for them. They may be incorporating it into their risk calculus, but the amount of risk is going up in a nonlinear way. We see supply chain attacks occurring. We see open source vulnerabilities coming out with enormous scale and the impact that they're having across thousands of organizations, millions and millions of attempts against vulnerabilities such as the Log4Shell vulnerability that was in the news quite recently and is still being dealt with. And the fact is that while in the past you may have been able to get away with leaving some insecure protocols or having a certain amount of devices in your environment that aren't managed, now that there are these large-scale advanced attacks, supply chain attacks, ransomware - or supply chain attacks being used to deliver ransomware, the risk that is represented by these outdated protocols and unmanaged devices has gone way up. And I think that organizations and security leaders are still adjusting their threat model or their risk model to incorporate that.
Dave Bittner: All right. Well, I mean, based on the information that you gathered, what are the take-homes for you? What sort of words of wisdom do you have for folks out there?
Chase Snyder: Dave, one of the things that I would say that everyone needs to be paying more attention to and using to their advantage to reduce their risk is get a better asset inventory. A quarterly update of your asset inventory is no longer enough. You need continuous visibility into the hardware and software in your environment. It's the No. 1 control that is recommended in the CIS top 18. And there's a reason for that - because managing your attack surface can give you acceleration in your ability to respond.
Chase Snyder: If you're in a situation where you're asking yourself, how do we even find the devices with Log4j on them when the attacks are already making the news, you're already behind. Asset inventory is an accelerator for both prevention, detection and response for all types of cybersecurity attacks. And achieving that asset inventory is going to require greater cooperation between security teams and network teams and IT teams. And that is a foundational way to improve your security posture, take away that low-hanging fruit and give yourself the advantage over these advanced attackers.
Dave Bittner: That's Chase Snyder from ExtraHop.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Here in our home state of Maryland - my home state, your adopted state....
Ben Yelin: You are a true Marylander.
Dave Bittner: (Laughter) That is true. They recently wrapped up their legislative session. And there were some bills regarding cybersecurity that you had a bit of a hand in. And they were successful. Share with us what went down.
Ben Yelin: They were. So this has been a multi-year effort. Maryland has suffered from cyber incidents. Most famously, there was a ransomware attack in Baltimore City in 2019 - stopped people from being able to record real estate transactions, pay water bills - cost the city an estimated $18 million. There was a ransomware attack on the Baltimore County school systems, a couple other attacks on localities. And then most recently, there was a - what we suspect was a ransomware attack on the Maryland Department of Health, which has had a terrible impact, including us being unable to access our COVID data dashboard during the height of the omicron surge. So it's a big problem here.
Ben Yelin: A friend of our show - she was on it a couple of years ago - is a state senator named Katie Fry Hester. And she has made it her mission during her term in the state Senate to change cybersecurity policy in the state of Maryland. She's the co-chair of a joint committee on cybersecurity and biotechnology at the state legislature. And for the past several years, through collaborative efforts with various Maryland agencies, she's put together bills to try and change our cybersecurity governance structure, the way our local units of government interact with state agencies on cybersecurity-related measures. And every year until this year, we've come up a little bit short. So in preparation for this year, this senator decided to commission a study. She's part of what's called the Maryland Cybersecurity Council, which is an advisory group at the - within our state government, a quasi-government agency...
Dave Bittner: Yeah.
Ben Yelin: ...That develops cyber policy. So she formed an ad hoc committee to do a study on how we can improve the cybersecurity posture within our state government and our units of local government. And she - I have to say, she made a terrible choice on the co-author of the study, which was some guy named Ben Yelin...
Dave Bittner: Well, la-di-da (laughter).
Ben Yelin: ...From University of Maryland Center for Health and Homeland Security.
Dave Bittner: OK (laughter).
Ben Yelin: So we co-authored the study with experts in the field. There were three sections on it - one on governance, one on units of state government. We got help on that one from the state chief information security officer. And then we did a survey of units of local government on what they want and what they need to improve their cybersecurity posture. And that led to the proposal of three pieces of legislation. One of the bills is a cybersecurity governance bill, which codifies practices that already exists, in terms of the state chief information security officer and the Office of Security Management. But those only existed via executive order. So now those are - assuming these bills are signed, that's going to be the law of the land in the state of Maryland. It also introduces new measures to make sure that we are keeping up to date on the latest security practices, making sure that we are meeting minimum standards as established by NIST. So that's going to be done through a couple of different organizing entities that will have oversight over the Department of Information Technology in Maryland. And the Department of Information Technology will have more of a hand in having kind of a centralized enterprise of cybersecurity across state agencies.
Ben Yelin: In terms of local governments, there's a unit within the Maryland Department of Emergency Management, the Cyber Preparedness Unit, which exists but wasn't codified into law. That, as part of these pieces of legislation, is now going to be codified. So these are a group of individuals with our Department of Emergency Management who are giving units of local government preparedness resources, updating them on the latest cyberthreats, and making sure that our school systems, our public health departments and our county governments are getting all of the information and training resources they need to protect themselves against cyberattacks. That shop was only two guys. They were contractors. With these bills, it's going to be vastly expanded.
Ben Yelin: We're going to have additional staff as part of this preparedness unit, including potentially regional coordinator - so a guy in charge of going to western Maryland and making sure those counties have everything they need. We're also going to have a local cybersecurity support fund. So if units of local government here in Maryland need help updating their networks, updating their systems, hiring contractors, doing trainings and exercises, there's going to be a pool of money available that they can apply for. As long as they're meeting minimum cybersecurity standards, they will be able to have access to that money. So it's a package of three bills. The Maryland state Legislature adjourned sine die. As we're recording this, it was last night. It's always a mad dash at the end of the session. Everybody wants to get their bills through. So there was some uncertainty as to...
Dave Bittner: I saw you tweeting about it. You had your fingers crossed. Are we going to make it across the finish line?
Ben Yelin: Yeah.
Dave Bittner: (Laughter).
Ben Yelin: And there are all sorts of delay tactics that people try and use if they don't want pieces of legislation to get passed. You can just kind of try and run out the clock. The amount of work that's gone into this - and without getting into too many of the details, there were basically 15 hours of hearings at the relevant Senate committee to really perfect these bills, figure out which agencies have authority over which particular issues. And to see it get across the finish line and hopefully to be signed into law by our governor here is a huge accomplishment. I do think it's going to have a significant impact on cybersecurity here in Maryland. I think it'll leave our state agencies better prepared, part of a more cohesive cybersecurity enterprise. And I think we'll now have the type of resources available to our units of local government to prevent the types of things that have happened in the past, these ransomware attacks on governments and school systems, etc. So as a point of personal privilege, I was glad to work on these issues. And it was kind of like watching a sporting event to see if, you know, your team can score...
Dave Bittner: (Laughter) That's right. That's right.
Ben Yelin: ...A touchdown within 2 minutes. And so just watching and seeing these bills cross the finish line was personally exciting for me.
Dave Bittner: Yeah. And perhaps a template for other states to follow.
Ben Yelin: I sure hope so, yes.
Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.