Dateline Moscow, Kyiv, and Minsk: Hacktivisim and privateering. Log4j vulnerabilities more widespread than initially thought. US Cyber Command deploys "hunt forward" team to Lithuania.
Tre Hester: Hacktivism and privateering in Moscow, Kyiv and Minsk. Log4j vulnerabilities are more widespread than initially thought. U.S. Cyber Command deployed a hunt forward team to Lithuania. CISA adds five vulnerabilities to its known exploited vulnerabilities catalog. Jen Miller-Osborn from Palo Alto Networks discusses the findings from the Center for Digital Government Survey on getting ahead of ransomware. Grayson Milbourne of Webroot and OpenText discusses OpenText's 2022 BrightCloud Threat Report. And Anonymous leaks emails allegedly belonging to the Nauru Police Force.
Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Thursday, May 5, 2022.
Tre Hester: The U.K. Ministry of Defense describes continuing indiscriminate bombardment. Despite Russian ground operations focusing on eastern Ukraine, missile strikes continue across the country as Russia attempts to hamper Ukrainian resupply efforts. As Russian operations have faltered, nonmilitary targets, including schools, hospitals, residential properties and transport hubs, have continued to be hit, indicating Russia's willingness to target civilian infrastructure in an attempt to weaken Ukrainian resolve. The continued targeting of key cities highlights the desire to fully control access to the Black Sea, which would enable them to control Ukraine's sea lines of communication, negatively impacting their economy.
Developments in Belarus.
Tre Hester: Belarus is also figuring in the war news today. The British MOD assesses Minsk's current round of military exercises as normal, but is offering some potential for Russian exploitation, perhaps in an economy-of-force role. Quote, "Belarusian land forces have been observed deploying from garrison to the field for exercises. This is in line with seasonal norms as Belarus enters the culmination of its winter training cycle in the month of May. Russia will likely seek to inflate the threat posed to Ukraine by these exercises in order to fix Ukrainian forces to the north, preventing them from being committed to the battle for the Donbas. Deviation from normal exercise activity that could pose a threat to the allies and partners is not currently anticipated," end quote. The Washington Post has a description of the exercises, which are being described as quick-reaction exercises.
LockBit 2.0 hits Bulgarian refugee agency.
Tre Hester: CyberScoop reports that the LockBit 2.0 ransomware gang, a Russophone privateering outfit, has hit the Bulgarian State Agency for Refugees under the Council of Ministers. Quote, "available data will be published" - end quote - the gang said on its site, giving a May 9 deadline for publication but no public ransom demand. May 9, of course, is Russia's Victory Day holiday. Bulgaria has received somewhere in excess of 200,000 Ukrainian refugees. And Bulgaria has been aligned with Ukraine in the present war.
Hacktivists working in the Ukrainian interest use compromised Docker images for DDoS.
Tre Hester: CrowdStrike reports that pro-Ukrainian hacktivists, operating probably under some form of direction or at least inspiration from Kyiv's IT Army, have been using compromised Docker images. Quote, "container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets. Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service attack. Both Docker images' target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army. The two images have been downloaded over 150,000 times. But CrowdStrike Intelligence cannot assess how many of these downloads originated from compromised infrastructure. CrowdStrike customers are protected from this threat with the CrowdStrike Falcon Cloud Workload Protection module." Hacktivists and privateers have chosen sides in the war, and Cybersixgill as a summary of how those sides are shaping up.
Log4j vulnerabilities more widespread than initially thought.
Tre Hester: Researchers at Cequence warn that the Log4j vulnerability may be more widespread and harder to detect than initially thought. The researchers say they, quote, "found unpatched servers within our customers' digital supply chain that appears some 15 hours after the initial test results were received," end quote.
Cyber Command deploys "hunt forward" team to Lithuania.
Tre Hester: U.S. Cyber Command's Cyber National Mission Force recently sent a team to Lithuania to assist in the country's defensive cyber operations. Cyber Command stated, quote, "at the invitation of the Lithuanian government, U.S. Cyber Command's Cyber National Mission Force deployed a hunt forward team to conduct defensive cyber operations alongside partner cyber forces, concluding in May. For three months, the U.S. cyber operations hunted for malicious cyber activity on key Lithuanian national defense systems and Ministry of Foreign Affairs Networks, alongside its allies. This was the first shared defensive cyber operation between Lithuanian cyber forces and CNMF in their country," end quote.
CISA adds five vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Tre Hester: The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog. Two of the vulnerabilities affect Apple products. One affects Microsoft's Win32k driver. One impacts Internet Explorer. And one affects OpenSSL. Agencies are required to patch the vulnerabilities by May 25.
Anonymous leaks emails allegedly belonging to the Nauru Police Force.
Tre Hester: And finally, HackRead reports that the hacker collective Anonymous has leaked 82 gigabytes worth of emails allegedly belonging to the Nauru Police Force. Anonymous claims the leak is meant to expose alleged abuses committed by the police on the island, which has been used as an immigration detention center by the Australian government.
Dave Bittner: Palo Alto Networks' Unit 42 research team recently surveyed state and local government IT leaders to get a sense for where things stand when it comes to their cybersecurity, and in particular, how they are bracing themselves against the threat of ransomware. Jen Miller-Osborn is deputy director of threat intelligence with Unit 42 at Palo Alto.
Jen Miller-Osborn: One of the most interesting thing is that - at least to me - was the note that more and more for the state and local organizations as special. They're getting bigger cybersecurity budgets, which for a long time has really been the biggest thing hampering their security postures is just they didn't have the kind of budgets they needed for the protections against the kind of attacks that we were facing. So it's been really heartening to see that that's changing. And now they're able to, you know, kind of put the investment into defense that they've really needed.
Dave Bittner: Yeah, that is good news. And I had not heard that, so nice to hear that that recognition is actually happening. What is their status in terms of how they think the ransomware threat is going to change in the near term?
Jen Miller-Osborn: Most of them think that the attacks are probably going to rise. They're not expecting to necessarily see a downturn in ransomware attacks. They're actually expecting to see them ramp up over the next year and a year and a half. And that's also helping to drive both the budgetary increases and then the protections being put in place because there's the recognition that not only is that a problem now, but we're foreseeing, in especially the short term, it's going to become a much larger problem, so we really need to get ahead of it and start putting those protections in place.
Dave Bittner: Where do educational institutions stand when it comes to incident response plans?
Jen Miller-Osborn: We've seen an uptick that are actually putting plans into place for a ransomware or other kind of incident response plan, which is incredibly important. One of the most difficult things any organization can face going into a ransomware incident is not actually having a plan for how to respond to it or not having practiced it. You know, the last thing you want when you're struggling to restore any level of connectivity is, you know, oh, half of the people in the plan, if we had one, don't work here anymore, and no one knows who to contact now, or we don't have an incident response vendor or plan. So you're having to figure all of that out in the heat of the moment. And that is just a level of stress that no organization needs on top of what they're already having to respond to. So seeing that planning coming into play as well is also another really, really heartening thing to see.
Dave Bittner: Yeah. One of the things in this report that caught my eye was that there seems to be a pretty positive attitude among the respondents in terms of, you know, feeling as though they are properly prepared.
Jen Miller-Osborn: I agree. I think there's a lot of education and outreach that's been done now, especially in the public space, for letting organizations - you know, educational and otherwise - know what kind of threats they're facing - you know, how ransomware operates, who they're targeting, the kind of money that they're asking for, how they're operating. And that allows for that level of, you know, user education and security staff education to understand what parts of the kind of attack life cycle that they have a good handle on, and then conversely, which ones they maybe don't.
Dave Bittner: What did you see in terms of the kinds of things that they're saying they need? What sort of stuff would they like to see more investment in?
Jen Miller-Osborn: The two that they were the most interested in were better security for home networks for employees, which is intriguing to me. And I think we're actually going to start seeing more and more - especially as remote work is becoming kind of the norm - is what does that look like from a corporate protection perspective when a lot of your employees are coming from work, you know? Or how do you need to extend your protection bubble? Is it a VPN, or is it some things in addition to the VPN that are run on the home network side?
Jen Miller-Osborn: And then the second component - and I think this is really true for most organizations - is more investment into being able to hire more IT and security staff. And that's particularly challenging for education because their budgets tend to be lower. And it's - you know, that's an area where a lot of people are struggling to recruit and retain staff, so it's - it makes sense that that's something where they really need to see some more people as well.
Dave Bittner: That's Jen Miller-Osborn from Palo Alto Networks' Unit 42.
Dave Bittner: Researchers at OpenText recently released their 2022 BrightCloud Threat Report, outlining security trends affecting businesses worldwide, both large and small. Grayson Milbourne is security intelligence director for OpenText Security Solutions.
Grayson Milbourne: One of the things that I'm happy to see is we saw a 58% year-over-year decrease in the net new malware that we saw at the endpoint. And so for me, like, yeah, OK, like, we're starting to see less malware, maybe, at the endpoints that we're protecting, but, you know, that's influenced, again, like I said, by improvements that we're constantly trying to prevent, right? I mean, of course, there's detect and respond, but if you can prevent an attack through user education, through better network protection and preventing a file transfer from getting to the actual endpoint - you know, our telemetry, when it comes to malware, literally comes from our, you know, 20-plus-million endpoint subscribers that are giving us that intelligence. And so for us, we see, hey, you know, yes, it seems like it's going down, but then when we kind of step back a little bit, what we really realize is that the attack surfaces have shifted, and how compromises occur doesn't always necessarily require a - you know, a delivery of malware, though. Or it might and be ransomware, but that's often, like, the very last stage of an attack. And so, you know, we'll see compromise occur.
Grayson Milbourne: Perhaps it's just remote credentials or somebody's, you know, logging information has been phished. And especially in the SMB space, we see a lot of improper management of their IT infrastructure, which isn't that surprising. You know, a recent survey I read showed that of businesses with 100 or fewer employees, they average 81% of them have just one single IT resource. So we see a lot of focus still on attacking. Even though there might be less malware, what we still see is that ransomware is targeting SMBs, and we're seeing a disturbing trend in that.
Grayson Milbourne: You know, we hear about ransomware on the news. We - you know, we see these very large-scale, kind of like the top-of-the-pyramid attacks, and that's what the media focuses on because, well, these businesses are - you know, they're Fortune-500 companies. The ransom demands are often millions or tens of millions. I mean, we saw hundred-million-dollar ransoms last year and - but the reality is, like, those are the outliers, right? Like, the vast majority of where this problem exists is really in the SMB, and our data show that attackers are moving downstream because they know there's fewer defenses. And maybe you're not going to get that huge payout, but also in the last year, we did see - again, to give CISA some credit, we saw some retaliatory, coordinated, multinational attempts to disrupt and arrest some of the members behind these more advanced - or, I guess, more organized cybercrime organizations. So, you know, that's a disincentive to go after the big fish. You're much more likely to garner attention and may risk going to jail or having your operation are greatly disrupted.
Dave Bittner: Well, let's talk about what you tracked when it comes to some of the regional differences here. That was one of the things when I was looking through the report that caught my eye.
Grayson Milbourne: Yeah, absolutely. And, you know, like for me too because it really just shows that if you invest in cybersecurity, your defenses are much better, right? And we see this when we look at infection rates in the United States or if we look at them in Japan or a lot of Western Europe. Those regions have dramatically lower infection rates than when we look at places like South America or the Middle East or Asia. You know, we see five times as many infections coming from these regions.
Grayson Milbourne: And beyond that, there's a really big difference between consumers and business endpoint devices, which I think really resonates because, you know, during this pandemic, I know a lot of businesses really scrambled to support the remote workforce, which ultimately led with a lot of remote users using their own personal devices to connect to corporate resources. And our data shows, even in the highly secured places like, you know, where we saw some of the lower infection rates in the United States, when we looked at the consumer versus business split, almost everywhere it's almost twice as many infections on a consumer device versus a business device.
Grayson Milbourne: You know, I think that makes sense to some degree, right? Like, I use my personal PC in a different way. It's - you know, my kids can use it. I use it for fun. You know, it's not a work PC. And so it's - you're more likely to encounter risk. Whereas on my business laptop, I, you know, I use it for work, right? It has one purpose. And so I think, like, what we see in that data is, you know, when you look at, you know, a cyber resilience posture in identifying your assets, you really have to look at access because, I mean, let's face it, today, a lot of us are connecting - even though I'm on my corporate laptop, you know, I'm connecting through my home internet into a VPN, so more secure, using two-factor, improving security. But a lot of businesses, you know, they don't go through those extra steps to ensure security.
Grayson Milbourne: You know, we think that, you know, between the identify, protect, detect, respond, recover and educate, those six steps really allow you to understand your business and any weaknesses it might have. And then if something bad happens, you have a plan. And you're not going to be offline for days or weeks, which can be really devastating for a business. And so really, you know, I look at cyber resilience as a sort of just resilience in general. It's, you know, it's your business' ability to defend itself and to stay online.
Dave Bittner: That's Grayson Milbourne from OpenText Security Solutions.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.