The CyberWire Daily Podcast 5.9.22
Ep 1574 | 5.9.22

Mixer gets sanctioned. Reward offered for Conti hoods. Ag company hit with ransomware. Hacktivism and cyberattacks in Russia’s hybrid war. That apology? The Kremlin takes it back.


Dave Bittner: The U.S. Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. U.S. tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the U.K. A Russian diplomatic account was apparently hijacked; tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf defends against DDoS attacks. Rick Howard looks at single sign on, and no apology for you, Mr. Bennett.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 9, 2022. 

Dave Bittner: The U.S. Department of the Treasury has sanctioned on the grounds that the cryptocurrency mixer was involved in laundering money for the Lazarus Group, North Korea's well-known government criminal organization. Treasury says on March 23, 2022, Lazarus Group, a DPRK state-sponsored cyberhacking group, carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to the online game Axie Infinity. Blender was used in processing over $20.5 million of the illicit proceeds. The sanctions are believed to be the first levied against a mixer service. On Friday, the U.S. Department of State added members of the Conti ransomware operation to its Rewards for Justice program. They said the Department of State is offering a reward of up to $10 million for information leading to the identification and/or location of any individuals who hold a key leadership position in the Conti ransomware variant transnational organized crime group. In addition, the department is also offering a reward of up to $5 million for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident. 

Dave Bittner: Reuters reports that AGCO, a major manufacturer of farm equipment, has sustained a ransomware attack that's affected production and delivery of tractors and other agricultural equipment. The company said Friday that disruptions might last several days and potentially longer. Some customers said they began to have difficulties accessing AGCO sites on Thursday. Which strain of ransomware was used and which gang was behind the operation are unknown. But the Record offers some informed speculation that it may have been a BlackMatter. The record also notes the coincidence, if you believe in such things, that AGCO had on Thursday announced plans to donate $50,000 to BORSCH, a Ukrainian relief effort devoted to helping that country's farmers. The U.S. FBI had warned back in September that the agriculture and food sector could expect ransomware attacks, and the bureau updated its warning at the end of April, saying that attacks on agriculture could be expected to coincide with planting and harvest seasons. This attack would seem to bear those warnings out. 

Dave Bittner: Der Spiegel has reported that Russian-aligned hacktivists - Putin fans as the paper's headline calls them - have claimed cyberattacks that temporarily disrupted websites belonging to airports, the defense ministry, the Bundestag, federal police and some state police authorities. The group calls itself Killnet and countered coup over its Telegram channels. Killnet is of relatively recent origin and has specialized in distributed denial-of-service attacks, mostly at a nuisance level. The threat actor has been active against Romanian targets since early in Russia's war against Ukraine. And it's recently threatened to retaliate against British support for Ukraine by shutting down ventilators in U.K. hospitals. The threat against the U.K. was prompted by the British arrest in Tottenham of a Romanian resident in Britain on charges connected with the earlier cyberattacks against Romanian targets. Killnet's communique read, if he's not released within 48 hours, I will destroy your Romania, Great Britain and Moldova. I will destroy your entire information structure and even your ministry of health. All ventilators will be attacked. Only then will you begin to realize the mistake you have made. Killnet seems unlikely to be able to make good on this particular threat. Still - shields up. 

Dave Bittner: The Telegraph reports that Russia's consul general in Edinburgh, Andrey Yakovlev, posted his opposition to Russia's war against Ukraine in his Instagram account. The now-removed post read, I categorically condemn the behavior of the military special operation of the Russian armed forces against the sovereign independent Ukraine. I fully support any assistance to the Ukrainian armed forces from EU countries. The Russian consulate told the Telegraph, our account was hacked. It has already been deleted. The consulate added in its Twitter account, false information was posted about the position of the leadership of the foreign institution. A number of news outlets cheerfully picked up Mr. Yakovlev's alleged post and retailed it with the consulate's denial well below the fold. Newsweek is one example. In this case, however, the Russian Foreign Ministry is almost certainly telling the truth. That a Russian diplomat would take such a public position in opposition to his own government is pretty far-fetched. That he would do so without immediately thereafter defecting and asking for asylum is beyond belief. Sure, strange events permit themselves the luxury of occurring, as a movie detective used to say in the 1930s. But this event would really just be too strange. 

Dave Bittner: IronNet has followed up on CERT-UA's April 18 alert 4490, which described a Russian Trickbot campaign using an urgent message about Mariupol's Azovstal steel works as fish bait. IronNet explains, the goal was the installation of a Cobalt Strike and Beacon on the victim's system through the use of an MS office macro. The researchers offer an account of how the threat actors used Cobalt Strike and do so with a view to understanding how this tool is likely to be turned to malicious use in the future. They found that malleable profiles were used by the threat actors, and they observed both a jQuery profile - commonplace - and a minimal defender bypass profile - more novel and only recently observed in the wild - in use. 

Dave Bittner: And finally, that apology, President Putin was said to have offered Israel last week - the one that regretted Foreign Minister Lavrov's comments on Hitler's supposed Jewish blood - never happened, the Kremlin effectively said, releasing what it insisted was a complete transcript of the call between President Putin and Prime Minister Bennett. There was no apology in that transcript, Newsweek reports. A statement by Israel's Foreign Ministry after the call had said the prime minister accepted President Putin's apology for Lavrov's remarks and thanked him for clarifying his attitude toward the Jewish people and the memory of the Holocaust. And that, the Kremlin now seems to say, never really happened. 

Dave Bittner: And it's always my pleasure to welcome back to the show the CyberWire's own chief security officer and chief analyst Rick Howard. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: You know, in our Slack channel, I was reading the summary of this week's CSO Perspectives episode. And I have to say, I am glad that you came on the show today to talk about it because it's been a while now that I've noticed that when I'm bopping around on the internet and trying to log in to a site - let's say, I don't know, Twitter, for example... 

Rick Howard: Yeah. 

Dave Bittner: It gives me a few options. It says, I can enter my credentials right onto Twitter, which is what I normally do. But then there are this list of other options to choose from where you can use one of the many big Silicon Valley giant companies, like Google or Apple or - I mean, I refer to them as the usual suspects. 

Rick Howard: (Laughter) That's exactly right. 

Dave Bittner: Yeah. And you can use them to log in. Now, I never do that because I'm afraid that they're just trying to collect more information. Honestly, I have to say, I feel snakebit from back in the early days when... 

Rick Howard: Oh, yeah. 

Dave Bittner: ...I took Facebook at its word, and I uploaded my entire address book 'cause I thought, well, that'd be convenient. 

Rick Howard: Sure. Yeah. 

Dave Bittner: And we all know how that worked out. 

Rick Howard: Yeah. 


Dave Bittner: So that's a long way to ask you, is that fear legitimate? Are they collecting my credentials for some ad campaign? Are they tracking me as I go around the web? Like, to what degree do I need to be worried about these folks offering up, you know, making it easy for me to log in? Is there a penalty there? 

Rick Howard: Well, I totally understand that feeling. And, you know, I thought that, too, in the past. I've really been worried about it. So for this week's CSO Perspectives podcast, I looked into it. And come to find out, that's not what's going on here. Thank goodness, right? So what you're looking at is one version of a concept called single sign-on - one of the holy grails that the infosec community has been chasing since the beginning of the internet days, right? And it looks like we finally got it. 

Dave Bittner: So Google is not collecting my Twitter credentials then. 

Rick Howard: No, they're not doing that - OK - but Twitter is taking advantage of the situation that you most likely have already logged in to your Google account before you try to access Twitter through a standards protocol called OAuth - and you've probably heard this - people talking about this, you know, in the hallways, you know, getting water and stuff. 

Dave Bittner: Yeah. 

Rick Howard: Twitter asks you to go get an asymmetric key from Google that will vouch for your digital identification at Google. So you ask Google for the key when you click that button on the Twitter log on site, Google sends it through you to Twitter. And since Twitter trusts Google to be the authoritative source for your digital identity, Twitter logs you in - no fuss, no muss, and you don't have to remember your Twitter credentials or any of the other thousands of other website credentials that you probably have. 

Dave Bittner: So in this week's "CSO Perspectives" episode, you're going to give us all the details on all - how this works, all the nitty-gritty, right? 

Rick Howard: Yeah, and that's right. And we're also going to discuss OAuth's big sister called SAML, OK - or Security Assertion Markup Language. And it's the way to do single sign-on in your enterprise. It doesn't work exactly the same way, but it's the same concept. 

Dave Bittner: All right, well, I'll look forward to that. Listen, before I let you go, why don't we check in here on what the word of the week is on your "Word Notes" podcast? 

Rick Howard: Yeah, this is a good one. It's one of my favorite topics of all time. We're going to talk about the MITRE ATT&CK framework. So if you've been leery about what that thing is, come listen. I think you will enjoy it. 

Dave Bittner: You know, Rick, my recollection is one of the first conversations you and I ever had... 

Rick Howard: (Laughter) I know. 

Dave Bittner: I think we were sitting together at RSA a few years ago, long before - this is when you were still at Palo Alto, before being a member of the CyberWire team was just a gleam in your eye. 


Dave Bittner: We talked about the MITRE ATT&CK framework, and you were cheerleading it, you know, all those years ago. 

Rick Howard: I know. You know, it's become the de facto standard for open-source cyber intelligence on all known adversary campaigns, right? And if you're looking to improve your defenses, that's the place to get the info. And I'm happy to be a cheerleader on the sideline to get people to use this. 

Dave Bittner: Yeah, absolutely. All right, well, the show is "CSO Perspectives." It is part of CyberWire Pro. You can find that on our website, While you're there, check out "Word Notes" as well. Rick Howard, thanks for joining us. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D Operations at Arctic Wolf. Dinah, always great to welcome you back to the show. You know, you and I recently spoke about some DDoS attacks. We were chatting about reflection amplification attacks. I want to continue that conversation and get your take on what organizations should be doing to best defend themselves against DDoS attacks. 

Dinah Davis: Yeah, so they pretty much are - they're very overwhelming, right? You get hit by all kinds of packets. How do you come out from under that, right? And so, you know, there's three or four different things you can do depending on, you know, what stage you're at, right? So let's say you haven't put much in place at all. Well, you might want to do something, like - and you're getting attacked - you might want to do something called blackholing or sinkholing, which is basically you just block all the traffic and drive it into, like, a black hole where it's basically discarded, right? And so that at least that stops the attack on your site. The problem with that is it also stops all the good traffic from coming to your site as well. So you're still DDoS'd, but you're not - you're not handling that flow or maybe getting charged for all the Amazon - like, if you're using Amazon Cloud, and you're trying to process all that data, you're not getting charged with overages on high data rates and stuff like that, right? So at least that stops, you know, that kind of thing from happening. It stops overloading your servers on the inside. And so it can be a good thing to do. 

Dinah Davis: You should always have routers and firewalls set up - right? - to limit the data that you allow to your website and your organization. They can at least filter out the nonessential protocols and stop stuff from invalid IP addresses. The problem is that firewalls and routers can block from specific IP addresses, but they can't easily protect from a spoofing - IP spoofing - where they might be changing the IP address constantly in the code that they're using to attack you. So you can't easily just block, like, one IP address and make it end, right? So they're good to have in place, but they don't always help you out of the situation if they're using IP address spoofing, right? 

Dave Bittner: What else? 

Dinah Davis: You can set up your servers to be configured so that they only talk with specific applications. So if your servers are trying to - are getting - so let's say you're getting some random DDoS, like, where you're just getting all kinds of traffic. Well, if your servers only talk to specific types of packets because they only talk to specific types of applications, they're just going to ignore the cruft. So that's another good thing. And even, like, that's also a really good thing just from a security perspective, right? Like, if you know your server should only be talking to specific applications with specific packet types, don't let them talk to anything else. That's just asking for trouble, right? 

Dinah Davis: There are some DDoS mitigation appliances that you can get that, you know, they're dedicated to sanitizing traffic and building DDoS, you know, mitigation functionality. Oftentimes, some of your legitimate traffic can get dropped with these as well. So there's - you know, I don't think there's one, like, you know, wipe the magic wand. But one last thing you can do is you can overprovision. So one of the - like, the best thing would be, can your service just handle that traffic, right? If you are able to scale your service up in a way that it just handles it, the good stuff will still come through, and you just handle the load, right? And one of the problems with that is if you're - especially if you're building your own infrastructure, that's a high capital - right? - to... 

Dave Bittner: Right. 

Dinah Davis: Yeah. 

Dave Bittner: And as you mentioned at the outset, the cost, if you - even if you're using cloud services, your costs that are, you know, being provisioned on the fly, you could get a big bill at the end of the month. 

Dinah Davis: Right. Exactly. So there are some services that you can work with that will - that you can, you know, get a better deal for when this might happen. So, you know, it lets you buy on demand, but not premium on demand. And, you know, you can make them more cost-effective, and you can expense, you know, instead of buying all that stuff from - in the beginning, right? So it depends what... 

Dave Bittner: Yeah. 

Dinah Davis: It also - like, in my opinion, like, which route you take here depends on what your website does, right? If you're a critical infrastructure - like, for example, maybe you're the 911 dispatch. Well, then you want to make sure that the good traffic can still come in, and so you might go with the overprovisioning and pay those costs if that happens. If you're a site that if you went down for a day, your customers are still going to be fine - like, you're - maybe you're a store, and you're selling stuff. You're going to lose some revenue, but you wouldn't sell as much as it's going to cost you to keep that data running through. Then the answer might be to black hole it. 

Dave Bittner: Yeah. I mean, it's an interesting, I guess, sort of risk analysis, right? Is my perception correct that, you know, we - that the tools are out there, that, as you just mentioned here, there are a number of options that people have. So if you have the means, DDoS doesn't necessarily have to be the crippling thing that it once was. 

Dinah Davis: Correct. That's true. That's true. 

Dave Bittner: All right. Well, Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Rachel Gelfand, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.