The CyberWire Daily Podcast 4.25.22
Ep 1564 | 4.25.22

Swapping small attacks in cyberspace. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. No farms, no future. Locked Shields wraps up.


Dave Bittner: Anonymous counts coup with their #OpRussia campaign. Alternative energy suppliers in Europe sustain cyberattacks. What Lapsus$ internal chatter reveals. Costa Rica won't pay Conti's ransom. Rick Howard hits the history books. Our guest is Paul Giorgi from XM Cyber with a look at multi-cloud hopping. And Locked Shields wraps up.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 25, 2022. 

#OpRussia: Anonymous counts coup.

Dave Bittner: The Anonymous hacktivist collective has tweeted Its tally of recent successes claimed against Russian organizations: "#OpRussia: Since declaring 'cyber war' on Kremlin's criminal regime, the #Anonymous collective has now published approximately 5.8 TB of Russian data via #DDoSecrets. #Anonymous vows to release more data belonging to Russian entities and government, including a commercial bank. On Sunday, Security Affairs published the results of its sifting through the documents Anonymous had leaked over the last three days and found that files were taken from four commercial businesses - Enerpred, Accent Capital, Sawatzky, and Worldwide Invest. 

Dave Bittner: It seems beyond dispute that #OpRussia represents a successful hacktivist action, but its achievements also seem to confirm, again, that hacktivism in this ongoing hybrid war has yet to rise above nuisance levels. The nuisance is real, but it remains exactly that - a nuisance. 

"Lacryphages," privateers, and state actors. 

Dave Bittner: Anonymous has been operating in the Ukrainian interest. There has been evidence of hacktivism in the Russian interest as well, although in that case, it's difficult to distinguish from opportunistic cybercrime that exploits sympathy for Ukrainian suffering, gangland privateering and direct state action. CNN reports that humanitarian organizations working on Ukrainian relief have been the targets of phishing or, as CNN puts it, malicious links and pornographic material on their cellphones. Most aid groups are relatively poorly protected, non-governmental organizations and in many cases have difficulty even recognizing that they're under attack, still less able to respond to an attack quickly and effectively. CNN quotes Amazon Web Services as explaining that the attacks seem intended to spread confusion and cause disruption, which seems particularly odious when the activities being disrupted are the distribution of food, clothing and medical supplies. 

Alternative energy suppliers in Europe sustain cyberattacks.

Dave Bittner: The Wall Street Journal reports that three alternative energy companies in Europe have sustained cyberattacks since Russia's invasion of Ukraine began. Wind Europe, a wind power industry group based in Brussels, says it believes the attacks originate with Russia. Presumably, the goal is to make a shift from Russian oil and natural gas more difficult for European, especially German, markets. Two German turbine manufacturers, Enercon and Nordex, and one turbine maintenance firm, Windtechnik, have been affected. 

What Lapsus$ internal chatter reveals. 

Dave Bittner: KrebsOnSecurity reports that internal Lapsus$ gang chatter indicated that the gang had made multiple incursions into T-Mobile's systems. For reasons that are unclear, Lapsus$ exhibited a strong interest in source code. They compromised employee accounts either by social engineering or buying them from Russophone initial access brokers. T-Mobile told KrebsOnSecurity, several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that housed operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed. The intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete. 

Costa Rica won’t pay Conti’s ransom. 

Dave Bittner: Costa Rica continues to work toward recovery from a ransomware campaign that afflicted government sites during the country's presidential transition. ABC has summarized the attack and the government's response. The Conti gang has claimed responsibility for the campaign, which appears to be a double extortion operation in which data are both encrypted and stolen. The Costa Rican government has refused to pay the ransom. 

No farms, no future.

Dave Bittner: The FBI warned last week that agricultural cooperatives should expect to become targets of ransomware operators during crucial seasonal inflection points, particularly around harvest and, right now, around planting times. 

Locked Shields wraps up.

Dave Bittner: And finally, NATO's Exercise Locked Shields has concluded. The point of the exercise is training and self-criticism with a view to improvement. But there is a competitive gamer dimension here, as there is in most military exercises. So congratulations to Finland, whose team won the competitive phase of Locked Shields. We trust that recent global events in your neck of the woods have sharpened your skills. 

Dave Bittner: XM Cyber recently released research outlining security risks they've encountered on multiple customers' networks, including multicloud hopping and third-party risk to Azure environments. Paul Giorgi is director of sales engineering at XM Cyber, and I checked in with him for details on their findings. 

Paul Giorgi: So most organizations have a variation of multiple cloud services. I think that if we look at what we see most commonly, there's a mixture of maybe a little bit of Microsoft 365, whether it's Azure Active Directory or maybe a couple of, like, just Exchange Online, but there's services within that environment. And then maybe there's a little bit of the IaaS services within AWS and maybe a little bit of GCP. So these large organizations have multiple clouds, and it's not easy to replicate security posture or security defenses around each one of these the same way. So when we look at how maybe an Azure Active Directory account could be the start of the breach and then within four or five stops end up reading data from an S3 bucket within AWS, there's not a lot of correlation of risk from an Azure Active Directory account to an AWS S3 bucket. And what we're finding in our results is there is a lot of correlation. It usually doesn't take a lot of steps. And a lot of organizations are dealing with this risk and not even aware of it. So because we're aware that most organizations are some sort of multicloud variant but still assessing risk maybe just within their own individual clouds and not really considering the risk of how one entity could impact another entity, that was a really interesting finding for us, making sure people were aware of these risks from multicloud because most large organizations are some sort of variation of multicloud and need to start assessing risk holistically across all the entities and not just within those individual cloud environments. 

Dave Bittner: And how do you propose they go about doing that? 

Paul Giorgi: Yeah, so that's really where attack path management comes in. Attack path management assesses the telemetry, whether it's vulnerabilities, misconfigurations or user activity, and assessing that telemetry and then simulating what an attacker can do in that environment and not just within laptops or servers or domain controllers but how something like a lambda function could play a role within AWS and then provide additional privilege escalation or additional assume-role-compromise capabilities within different environments. So that really is the heart of attack path management - looking at all of your entities, all the configuration and then stringing together the realm of possibility from an attacker's perspective, identifying things like chokepoints. If I know an entity's risk to all the other assets in my environment, I can identify it as a chokepoint and remediate and prioritize risks tied to that entity quicker than maybe an entity that - there may be a lot of risk tied to it, but the risk it introduces to my critical assets is much smaller. So that's really the heart of attack path management - is dealing with holistic entity assessment and then stringing together the possibilities from an attacker's perspective. 

Dave Bittner: And one of the other things you highlight in the report is risk to Azure environments, particularly coming from third parties. What did you find here? 

Paul Giorgi: Yeah, so we live in the world where third-party access is just - it's something that we have to deal with, whether it is a partner portal access. Maybe sometimes it's a contractor doing development work. We know that we live in this world where there's going to be some sort of third-party access, but we're seeing these risks start to manifest themselves within Colonial Pipeline or as the contractor accessing VPN with Kaseya. So we know that there are definitely these things that are coming up as risks that are starting to play out in real attacks that we're seeing hit the news. But unfortunately, what we're doing to address them is just doubling down on our old legacy processes - more questionnaires. We're going to now start putting them in their own AWS account instead of, like, their own grouping. And that's not really the right approach. What we need to start assessing is really the risk from those third parties and using this concept of assumed breach. And that is something that we do at XM Cyber - is really every breach point is the starting point of an attack, and then assuming those third parties are an assumed breach entity. Maybe it is just a disgruntled employee from that third party or some sort of insider threat, but we need to assess all of the ways that third party could potentially introduce risk to my critical assets. And still, we start looking at all the different ways that that could happen. I think we're going to just start seeing this more and more commonly appear in the news through these manifestations of public breaches like we've seen the last - unfortunately, the last year or so. 

Dave Bittner: I mean, is that really sort of the through line, through the things that this research has uncovered - is this that folks need to really take a look at how they're assessing risk? 

Paul Giorgi: Yeah, I think that is the main point of this document we call the Attack Path Management Impact Report. We're going to start releasing this pretty regularly, but it is, like, our perspective that we're sharing with every organization. And hopefully, people start realizing that the way that we're doing things - whether it's just legacy vulnerability management scanning, whether it's assessing risk within the cloud - it's not working. And we need to holistically address our risk and assess all of the entities within our organization and then string together those realms of possibilities from an attacker's perspective. So while we hope this report is informational and makes people more aware of what's going on, we also like to introduce people to attack path management because I get the pleasure of doing a lot of POCs and demos, and you wouldn't believe how many people have never heard of attack path management. And from my perspective, I think that it's something that it seems so obvious, and organizations have been doing in old ways, like pen tests and stringing together what happened during a breach and learning from those exercises but never proactively running through those exercises to determine how they could better defend or architect better defenses and respond more efficiently when they actually arise. 

Dave Bittner: That's Paul Giorgi from XM Cyber. 

Dave Bittner: And it's always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. Rick, great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: I am happy to report that your coming on the daily podcast today means one thing, and that means that your podcast, "CSO Perspectives," which is over on the CyberWire Pro side, is back. 

Rick Howard: Yes, indeed (laughter). 

Dave Bittner: Our long national nightmare is over. You're starting with season nine this week, so give us a preview here. What have you got in store for us? 

Rick Howard: Well, that's right, Dave. And it's great to be back. And along with my army of crack interns - OK? - we've had a blast working on these episodes. I've had them all locked up in the past few weeks deep in the subbasement of the CyberWire's secret sanctum sanctorum studios, located under water somewhere along the Patapsco River, near Baltimore Harbor. And I've been really pleased with their efforts this week. 

Dave Bittner: Yes, I do enjoy our new underwater lair. It's delightfully soundproof. Have you tried the new espresso machine? 

Rick Howard: I have, and you're right. 


Dave Bittner: I think it's that Patapsco River water that really... 

Rick Howard: Oh, yes. Yeah - puts a little spin on it. 

Dave Bittner: ...Puts the nice little icing on the cake. 

Rick Howard: Yeah, it really does. Well, we've cranked out some really interesting content for this season. We have a few Rick the Toolman episodes this season on software building materials, single sign-on, two-factor authentication, software-defined perimeter and intelligence sharing. We're going to do a case study on the Netflix resiliency system called Chaos Monkey. I love that name. 

Dave Bittner: Oh, yeah. 

Rick Howard: And - isn't that great? And we're going to do one cyber sand table exercise - this time on the Colonial Pipeline attacks of 2019. But for this first episode, we're going to break out the Wayback Machine and cover the history of InfoSec from the invention of the password back in the 1960s all the way to the next extensions to the intrusion kill chain prevention strategy in 2020. 

Dave Bittner: Wow. You know, in preparation for our conversation today, I was trying to remember if I'm - trying to remember what my first password was ever, and I couldn't remember. I - you know, this is back - for me, it was probably around 1980 or so when I first started getting into computers - you know, 8-bit computers, TRS-80s and that sort of thing. And it was BBS systems, right? 

Rick Howard: Oh, yeah. 

Dave Bittner: It was the first time that I was required to use a password for anything. But for the life of me, I don't remember what it was. You know, it was probably - you know, I was - what? - 11, so it was probably something crass and inappropriate, but... 

Rick Howard: I'm sure. 

Dave Bittner: (Laughter). 

Rick Howard: Those are my best passwords (laughter). 

Dave Bittner: Do you have any recollection for yourself? 

Rick Howard: I don't remember my first password, but I know I am stuck with my first-ever username, you know, 'cause, you know, you think, oh, I'm just going to pick a username. And I picked, you know, a old cartoon character from my past - Race Bannon from the old "Jonny Quest" show. But... 

Dave Bittner: Right. 

Rick Howard: Now I can't get rid of that thing 'cause it's - you know, I use it for Twitter and LinkedIn and all that stuff, and so everybody knows me as a cartoon character. So I got that going for me. 

Dave Bittner: Well, my first alias on a BBS system was Ziggy Stardust, so... 

Rick Howard: Well, there we go. 

Dave Bittner: ...Really not terribly original. But again, I was, like, 12, so I thought it was pretty cool at the time (laughter). 

Rick Howard: Yeah, that's what I thought, too. 

Dave Bittner: All right. Well, CSO Perspectives is part of CyberWire Pro, so do check that out. That is on our website, Rick Howard, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.