Cyber phases of a hybrid war. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous claims. A Declaration for the Future of the Internet.
Tre Hester: Russian and Ukraine operators exchange cyberattacks. Wiper malware - contained, but a potentially resurgent threat. DDoS in Romania. Flash loan caper Hits a DeFi platform. Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our own Rick Howard speaks with Freddy Dezeure and George Webster on reporting cyber risk to boards. And a declaration for the future of the internet.
Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Friday, April 29, 2022.
Russian and Ukrainian operators exchange cyberattacks.
Tre Hester: WIRED summarizes Ukraine's operations in cyberspace and notes that even the Ukrainian operators are surprised by their defensive success. Kyiv's cyber operations have most prominently included messaging the families of Russian soldiers killed during the invasion. It's a controversial tactic that has been criticized as a gratuitously cruel. Ukraine says it has a humanitarian dimension as well. The families, Kyiv says, are certainly not going to get the truth about their sons from the Russian authorities.
Wiper malware: contained, but a potentially resurgent threat.
Tre Hester: The most alarming Russian operations have been deployments of destructive wiper malware. The effects of such attacks, however, seem to have been quickly contained. Fortinet offers a historically informed summary of wiper malware and its employment in cyber conflict.The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday updated its alert on the wiper malware Russia has deployed during its hybrid war. Quote, "this advisory has been updated to include additional indicators of compromise for WhisperGate and technical details on HermeticWiper, IsaacWiper, HermeticWizard and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January 2022," end quote. Additional indicators of compromise associated with WhisperGate are provided in an appendix to the alert.
Tre Hester: Ukraine has attracted considerable hacktivist support. Hacktivism is usually ambivalent and seldom decisive, but in this case, the Anonymous collective has achieved a nuanced level of annoyance through doxing Russian organizations. Security Affairs says Anonymous has released files that appear to have come from Russian firms - first, Elektrocentromontazh, which provides electrical equipment to Russian electrical power generation and distribution centers. A 1.7 terabyte archive containing 1.23 million emails has been posted to DDoSecrets. Second, PSCB Petersburg Social Commercial Bank, was hit by Network Battalion 65, an Anonymous affiliate; 543 gigabytes of 229,000 emails and other files have been posted to DDoSecrets. Finally, ALET, a customer broker that serves the fuel and energy sectors, has lost 1.1 terabytes of data, including more than a million email addresses, all of which have also been posted to DDoSecrets.
DDoS in Romania.
Tre Hester: Balkan Insight reports that Romanian government websites came under distributed denial-of-service attacks today. Bucharest characterizes the attacks as symbolic and well within the government's ability to contain and mitigate them.
Flash loan caper hits a DeFi platform.
Tre Hester: According to the Record, Deus Finance, a decentralized finance platform, has acknowledged that it's lost more than $13 million to online theft this week. The Record describes the incident as a flash loan attack. Quote, "flash loan attacks involve hackers borrowing funds that do not require collateral, buying a significant amount of cryptocurrency to artificially raise its price and then offloading the coins. The loan is paid back, and the borrower keeps the profit."
Coca-Cola investigates Stormous breach claims.
Tre Hester: The Wall Street Journal says that Coca-Cola is still investigating the Stormous group's claim to have compromised company networks. Coca-Cola is being cautious, but many observers are skeptical. Stormous, which presents itself as a Russian criminal gang, and which appeared around the time of Russia's invasion of Ukraine, has done a fair amount of woofing about what would amount to a privateering campaign. But others see them as scavengers, as people who pick up old data from dumpsites and then claim to have obtained them from artful hacking. The investigation will tell. In the meantime, TechMonitor quotes Recorded Future's assessment, which is that Stormous is known as, quote, "a bit of a clown show," end quote. Recorded Future's Allan Liska says, quote, "that doesn't mean they didn't successfully pull off the attack. It is possible. But I think many researchers are going to need additional verification before taking this group at their word," end quote.
CISA issues two new ICS advisories.
Tre Hester: The US Cybersecurity and Infrastructure Security Agency (CISA) issued two industrial control system advisories yesterday, covering Delta Electronics DIAEnergie and Johnson Controls Metasys.
A Declaration for the Future of the Internet.
Tre Hester: And, finally the US and sixty other nations yesterday issued a Declaration for the Future of the Internet. A White House factsheet says the declaration aims at securing the following principles - one, protect human rights and fundamental freedoms of all people; two, promote a global internet that advances the free flow of information; three, advance inclusive and affordable connectivity so that all people can benefit from the digital economy; four, promote trust in the global digital ecosystem, including through protection of privacy; and five, protect and strengthen the multi-stakeholder approach to governance that keeps the internet running for the benefit of all. Neither Russia nor China have signed on.
Tre Hester: Our own Rick Howard sat down with Freddy Dezeure and George Webster to discuss reporting cyber risk to boards. Here's Rick.
Rick Howard: I'm joined by Freddy Dezeure, an old friend of mine, the CEO of Freddy Dezeure BV and formerly the head of CERT-EU, and George Webster, the chief security architect at HSBC. Freddy, George, thanks for coming on the show.
Freddy Dezeure: Nice to be here.
George Webster: Pleasure.
Rick Howard: You two belong to something called the Cyber Risk Metrics Working Group. And the group has just recently published two versions of a study called Reporting Cyber Risk to Boards - Control, Measure, Report, Repeat. One version is for CISOs, and another is for board members. So, Freddy, can you explain what the Cyber Risk Metrics Working Group is, and what was the goal of the project?
Freddy Dezeure: Yeah, sure. So the project was set up about a year and a half ago. And because we saw a gap in the community in the way that people report in a quantifiable manner, in an understandable manner, how people in the community report cyber risk to their boss or to their regulators or to their supervisors. And this gap is apparently across the board geographically. Everywhere, companies have the same kind of challenge, and people have difficulties to overcome that challenge. And because we saw that gap, we thought it may be a good idea to bring together practitioners from the field and to have them share with each other what worked well in their environment - in a trust group - and extract from those exchanges the essence of what we think could be useful for the broader community. And the outcome of that discussion and this working group is the two white papers that have been published just recently - three weeks ago.
Rick Howard: So, George, I was happy to see that you all recommend reporting risk to the board as opposed to other low-level metrics. And I was also pleased to see that you show that there is a ton of metrics that the CISO might be interested in that will never be shown to the board but that are essential for the CISO's risk assessment. Can you explain the thought process there?
George Webster: Freddy kind of elaborated a little bit on it, but it's - whenever you're running a business - right? - you need to be able to speak the language of the business or to function in that way. So one of the things you want to do with the board is you want it to be able to - in you, know, just clear, concise way - explain to the board what are the key things. Like, what is the risks that they're facing? Are they making the right investment? You know, are they secure, and can the company operate? But at the same time, you really don't know where the attackers are, which means, you know, you have metrics galore in cybersecurity, which are all incredibly valuable and incredibly important, but they help drive the business, and they help drive the business - in this case, cybersecurity - to make, you know, effective and, you know, pragmatic choices on how they're actually operating and running. So you really do have to have that separation. One is, how do you effectively operate cybersecurity? And the other is, how do you explain to the board and justify your budget? Make sure everything works.
Rick Howard: So I work on a podcast called "CSO Perspectives," where we talk about first principles in cybersecurity. And one of the key tenants is boiling down everything that we do as cybersecurity professionals down to the essence, the atomic thing that we're trying to get done. And what I think it is, is reducing the probability of material impact to our organizations due to a cyber event. And all these board metrics - these metrics that you're talking about flow into that equation so that we can give a, you know, a generic sense to the board about what the risk is to the business and - and so that's an assessment we tell them, but we can use all these other low-level metrics to feed into our calculation about what we tell the board. Is that the idea you're conveying here to the readers of this report?
George Webster: Yeah, it's hard, right? Like, if you think of cybersecurity and if you think of metrics, you don't know where the attacker is coming from, which means, fundamentally, you don't have a denominator. You can't really say this is how much profit I'm going to generate. And it's being able to take all of those metrics together and try to distill them into something that is explainable to the board. So, like, you can talk, for instance - have I installed the antivirus product where it needs to be? Is it the right package? Does it have the right signature pack? Is it operating effectively? You know, all of a sudden you have, like, seven different metrics. You can't present just to the board - here's all these metrics for antivirus. The CISO needs it. They need to understand - is the business functioning right? - but the board doesn't. The board just needs to know, like, this risk that I have - is it being mitigated? Am I OK, right? And so that's kind of the essence of it. It's - how do you take all of those metrics - those hundreds of metrics you have - and distill it down to something that's consumable and, you know, the board can understand.
Rick Howard: So that's good stuff, guys, and we're going to have to leave it there.
Rick Howard: That's Freddy Dezeure, the CEO at Freddie Dezeure BV, and George Webster, the chief security architect at HSBC. Their group is called the Cyber Risk Metrics Working Group, and the study is called Reporting Cyber Risk to Boards: Control, Measure, Report, Repeat. Thanks for coming on the show, guys.
Tre Hester: There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for "Interview Selects," where you get access to this and many more extended interviews.
Dave Bittner: And joining me once again is CyberWire contributor Caleb Barlow. Caleb, it's always great to have you back on the show. You know, I wanted to touch base today about some of the things that build up over time - I think you refer to it as digital exhaust in your home. I tend to be a bit of a pack rat myself when it comes to these things because it's so easy to hold onto things, but that's probably not the best way to go about it, is it?
Caleb Barlow: Well, my house has a digital exhaust like a big 18-wheeler semitruck.
Dave Bittner: (Laughter).
Caleb Barlow: There's a lot pouring out, and...
Dave Bittner: Right.
Caleb Barlow: ...Every now and then, you want to clean it up. Well, I mean, here's the thing. You know, there's a lot of reasons why you may not want people to know where you live or what your home looks like, or, worse yet, you know, if you're like many people that have bought a home in the last five years, all the pictures of the inside of your house are posted publicly on the internet.
Dave Bittner: Right.
Caleb Barlow: So how do we get rid of all that? And believe it or not, it's actually doable.
Dave Bittner: Hmm. Go on.
Caleb Barlow: OK, so let's start with, you know, first off - just to set the - kind of the baseline here - it's probably nearly impossible to get rid of all records of where you live.
Dave Bittner: Yeah.
Caleb Barlow: But we can definitely reduce kind of the overall impact. I mean, tax records are always out there. But, interestingly enough, I mean, especially as we all get a little older, one of the things to think about is - what happens when your day comes and you punch your ticket? You know, having your house in your name directly isn't the smartest idea for tax purposes anyway. So, you know, if you've ever talked with an estate attorney, they're going to encourage you to put your home in a trust so that it becomes easier to pass it along to your children or your heirs. And, of course, when you put the name of your home in a trust, you don't have to name it the Bittner Family Trust. You know, you can call it something a little more obscure. So when those tax records show up, it's harder to find out where you live.
Dave Bittner: (Laughter) Or where I lived.
Caleb Barlow: Now, of course, you got to sell your house to do this...
Dave Bittner: (Laughter).
Caleb Barlow: ...So this isn't the easiest piece of advice I'm going to give you today, but OK.
Dave Bittner: Yeah. Go on.
Caleb Barlow: OK. So let's talk about something a little easier. So let's say you did just buy a house, and all those pictures of the inside of your house are on places like Redfin, realtor.com. You can actually make those go away.
Dave Bittner: Really?
Caleb Barlow: And I think it's a great idea because, you know, the last thing you need is a future employer or the ex-girlfriend going and digging through - where does he live, right?
Dave Bittner: Right.
Caleb Barlow: What's it look like on the inside? So if you go to those sites, you can actually claim the home as your own. It's a simple click. You put in a little bit of information, and then you're claiming the home, and then you can remove the pictures. Now, if you want to have a little more fun in the more advanced class, they also let you add pictures. And as far as I'm concerned, I don't think they have any way to figure out whether the pictures you might add are legit, so there are some really great stock images out there. I added a picture of a castle...
Dave Bittner: (Laughter).
Caleb Barlow: ...As my house. Why not?
Dave Bittner: (Laughter) Right, right.
Caleb Barlow: You know?
Dave Bittner: So make the inside of your house bigger than the outside.
Caleb Barlow: Look, if you're going to go figure out where I live, then you're going to have to, you know, see some stock images, and it's much better than it really is.
Dave Bittner: I like the subversive nature of that. That's very good, Caleb.
Caleb Barlow: We might as well have some fun with this, Dave. OK, now, in addition to that, we've talked in this show before about the importance of changing your Wi-Fi SSID. And I'm not going to get into all the details now. You can go listen to those past episodes. If someone knows your SSID, which your phone's broadcasting all the time, it's really easy to figure out where you live. Change your SSID, and change it to something like a car name or something that is not unique so you can't look it up on a map.
Dave Bittner: Hmm.
Caleb Barlow: You can also remove the image of your home from mapping services. And this was a fun one to play with. So literally, Google Maps and Bing, you can remove the image of your home. So...
Dave Bittner: I've seen where you can get it blurred.
Caleb Barlow: Yeah, you get it blurred. So literally, you go out and, you know, they all have a little setting of report this. And one of the options on reporting it is as home. And apparently, it's irreversible, but the next thing you know, your home is blurred, which - you know, there was a time period where the - my house on Google Maps had a giant dumpster in front of it because I'd been doing some work on my house.
Dave Bittner: (Laughter).
Caleb Barlow: But also, no one needs to see where I live. Like, get that stuff out of there.
Dave Bittner: OK.
Caleb Barlow: So those are a couple of really quick things you can do to kind of clean up your digital exhaust on where you live and make it a little harder for someone to cyberstalk you.
Dave Bittner: Do you think we're ever going to reach this utopia that people imagine where in order for these things to happen at all, they're going to have to get permission, that it's going to be opt in rather than just vacuuming up everything and posting it, and it's up to you to ask them to remove it?
Caleb Barlow: Dave, we live in the United States. There's no way.
Dave Bittner: (Laughter) Right.
Caleb Barlow: Maybe there's a European utopian with GDPR, but there is no way, right? I mean...
Dave Bittner: Yeah.
Caleb Barlow: ...This is unfortunately going to be a constant battle. And I think honestly, it's something we have to educate our kids on early on. Every now and then, there are these moments in life where you've got to go back and clean up your digital exhaust. And, you know, one of those moments - when you graduate from college. Make it all go away. Everything you've done up to that point - there is no need for it to be out on the internet. Clean it out of what's publicly accessible. No future employer needs to be seeing your photos from your eighth grade soccer team, right?
Dave Bittner: Yeah.
Caleb Barlow: Get them out of there.
Dave Bittner: Yeah.
Caleb Barlow: Or worse yet, whatever else you got in there from your fun time in college.
Dave Bittner: No, that's true. I've run into that of hiring folks who are recently graduated and, you know, do a Google search and interesting photos come up sometimes, and you try not to make that too much of part of your hiring decision. But, you know, I mean, it crosses your mind, right?
Caleb Barlow: Well, and let's face it. Everybody's looking at it. So...
Dave Bittner: Yeah.
Caleb Barlow: ...Clearing out - you know, again, right back to the same point with your house, too. You can tell a lot by looking at where somebody lives. You know, creepiest thing is you can even see the inside of the house, right? Clear that stuff out of there. There's no reason for that to be out of there. And have a control over who you are and what people see about you.
Dave Bittner: Yeah. All right. It's good advice. Caleb Barlow, thanks for joining us.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's episode of Research Saturday," where Dave Bittner sits down with Vikram Thakur of the Symantec Threat Hunter team to discuss their work on Daxin, stealthy backdoor designed for attacks against hardened networks. That's "Research Saturday." Check it out.
Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here next week.