The CyberWire Daily Podcast 5.11.22
Ep 1576 | 5.11.22

Consensus on the Viasat hack: Russia did it. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies exploited, but to what end? Advisories from CISA and its partners.


Dave Bittner: There's international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia's future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research and new advisories from CISA and its partners.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 11, 2022. 

Dave Bittner: We saw yesterday that the European Union had formally attributed the cyberattack against Viasat's KA-SAT Network, which took place an hour before combat operations began in Ukraine, to Russia. Other allied governments were quick to second that attribution. The U.S. Department of State said, after drawing attention to Russian use of wiper malware in its cyber prep, today in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries. The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide internet services to private citizens. 

Dave Bittner: CISA updated their March 17th alert, "Strengthening Cybersecurity of SATCOM Network Providers and Customers," to explain that the threat to SATCOM networks they warned about was indeed a Russian threat. The attribution offered by Britain's NCSC is more specific. It calls out Russian military intelligence, the GRU, as the organization responsible for the cyberattack. Estonia is equally specific. They say, it can be stated with high certainty that the GRU was behind these attacks. According to the Telegraph, the British government also sees the cyberattacks against the German wind turbine sector as collateral damage of the prep fire directed against Ukraine's internet. 

Dave Bittner: Both the British foreign minister and the U.S. secretary of state emphasized this indiscriminate aspect of the Russian cyberattack. NBC News quotes British Foreign Secretary Liz Truss as saying in a news release, "This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine, which had significant consequences on ordinary people and businesses in Ukraine and across Europe." U.S. Secretary of State Antony Blinken made the same point. He said, Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukraine command and control during the invasion, and those actions had spillover impacts into other European countries. 

Dave Bittner: Both Canada and Australia joined the other five eyes in the condemnation of Russia's disruption of Viasat's KA-SAT network. For governments that aren't parties to the conflict, their open hostility to Russia's special military operation and their support for Ukraine are striking and unambiguous. 

Dave Bittner: MIT Technology Review's coverage of the cyberattack on Viasat terminals concludes that further attacks are possible, perhaps probable. The Russians used the AcidRain wiper against the systems, and AcidRain is striking in its general purpose adaptability. Technology Review quotes SentinelOne researcher Andres Guerrero-Saade, who says, what's massively concerning about AcidRain is that they've taken all the safety checks off. With previous wipers, the Russians were careful to only execute on specific devices. Now those safety checks are gone, and they are brute-forcing. They have a capability they can reuse. The question is, what supply chain attack will we see next? 

Dave Bittner: Bloomberg covers the ongoing investigation of Kaspersky security software as a potential security threat, quoting Rob Joyce, head of NSA's Cybersecurity Directorate, on the risk he thinks Kaspersky poses to U.S. companies. Joyce stated, I am still very worried about U.S. companies that are using Kaspersky. We think that it is ill-advised with this global situation. In one respect, this is a supply chain issue. Kaspersky software is white-labeled inside many widely used devices. Joyce said, so there are routers, for example, that come with a Kaspersky engine inside them, and it's not clear people understand that that's buried inside a product that looks U.S. or Western. So we're trying to understand where those risks are in the supply chain and where the biggest ones exist. Kaspersky, it's fair to note, has long denied that it's under Kremlin control. 

Dave Bittner: Proofpoint issued a report this morning which describes a new OS-agnostic RAT written in the increasingly popular Go language. The researchers call it Nerbian and say that it leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries. 

Dave Bittner: ReversingLabs blogged yesterday about an NPM dependency confusion that's been exploited recently in attacks against large German firms. ReversingLabs said, new NPM packages discovered last week by ReversingLabs appears to target a major German media conglomerate, as well as a major rail and logistics operator. The packages are similar to those discovered by researchers at the firm Snyk and disclosed in late April. It's unclear who was behind the attacks, what their objectives were, or even how successful they were, but it seems clear that NPM attacks are more widespread than previously believed. JFrog, which has also been tracking the incidents, sees similar ambiguity and thinks the attacks could be the work of either a sophisticated threat actor or an unusually aggressive penetration tester. 

Dave Bittner: CISA yesterday released six industrial control systems security advisories. CISA also added two vulnerabilities to its Known Exploited Vulnerabilities Catalog - the Microsoft Windows LSA spoofing vulnerability and F5's BIG-IP missing authentication vulnerability. Fixes are available for both of them. 

Dave Bittner: And finally, concerned about a growing threat to managed service providers, the Five Eyes have issued a joint alert with advice to MSPs and their customers on preventing and responding to cyberattacks staged against and through MSPs. The advice is a familiar set of best practices, but no less valuable for that. 

Dave Bittner: Zscaler recently released the latest edition of their annual phishing report, documenting the trends they track using a combination of their own internal telemetry and outside sources. It's no surprise that phishing continues to be an attractive and effective technique for threat actors. Deepen Desai is chief information security officer at Zscaler. 

Deepen Desai: So what we noticed was retail and wholesale industries were among the most targeted ones, experiencing over 400% increase in phishing attacks over the last 12 months. The team also saw - you know, dissected the data based on the regions that were being targeted by the attackers. We noticed United States being at the top, accounting for more than 60% of all the phishing attacks that were seen, followed by Singapore, Germany, Netherlands and the U.K. 

Deepen Desai: The third key finding that I'll call out is new phishing delivery vectors, such as SMS phishing. It's also called smishing, right? This is where the threat actors are using SMS to deliver the phishing link to the end user. And this is because, I mean, more and more users are becoming wary of suspicious emails, you know, looking at different telltale signs on their computer. But they're often more, you know, lenient when they're clicking on links that they see from a user on their cellphone. And these are SMSs arriving from banks, retail vendors and so on and so forth. So we saw a 700% increase in the first half of 2021 in smishing attacks as well. 

Dave Bittner: You know, one of the things that you highlight here is this notion of phishing as a service, where, you know, folks can go and basically buy these prepackaged kits. Can you take me through this? I mean, suppose I'm someone who's looking to, I don't know, you know, branch out on my own and do this sort of thing. How would I go about it? 

Deepen Desai: Yeah, it's very easy. And I hope you're not going to do that, but it's really easy with this phishing as a service offering, right? So what - essentially it provides the cybercriminals an easy way to deploy, you know, phishing sites at scale. And I'm not talking about you deploying a phishing page on one website, but hundreds of sites at a given time that are pre-cooked templates based on the brand that you're trying to target. No spelling mistakes, right? They've taken care of all the, you know, fields that make those pages look really authentic. So making it more professional, making it easier to deploy at scale and honestly creating a greater chance for making those phishing campaigns successful, as far as, you know, the end user clicking on the link and entering the information is concerned. 

Dave Bittner: What are your recommendations for folks to best protect themselves against this? 

Deepen Desai: Yeah. So I mean, just like any attack campaigns, phishing involves - I mean, it starts with your end user, right? So they're targeting - end users are often referred to as weakest link, right? They target the social engineering aspect where they're trying to convince a user into believing that the link or the page that they're visiting is indeed the service for which they're trying to harvest credentials or, at times, are trying to plant a malware payload. So No. 1 thing I would recommend is, you know, continue to make your security awareness training course as dynamic as possible, right? You need to update the training content to make the user aware of all the newer techniques. The one that I mentioned, smishing, for instance - right? - there should be some level of training on that part as well. 

Deepen Desai: The second most important thing is, test it, right? All the security controls that you have in place, all the training that you do for your end users, you need to have simulated phishing attacks, right? It's a - you know, or you could call it red teaming, right? You need to have those simulations done to see whether your users are still making those mistakes, whether your security controls are doing the job of blocking those attacks. And training the user at the time of incident is critical, right? You could do all the training beforehand or after an incident. But when the incident is happening, if your security stack is able to train the user, notify the user, assist the user in not making mistakes, I think that's the third piece that I would mention. 

Dave Bittner: That's Deepen Desai from Zscaler. 

Dave Bittner: And joining me once again is our CyberWire contributor Caleb Barlow. Caleb, always great to welcome you back to the show. You know, we're all tracking the situation going on here with the Russian invasion of Ukraine, and some of the fallout from that is more and more services seem to be decoupling themselves from interacting with the Russian economy. I want to check in with you on this. Where do you think we're headed here? 

Caleb Barlow: Well, for years, we've all talked about, what does a cyberwar look like? And, you know, I remember once even on CNN being asked, you know, hey, is there a future of cyber Armageddon coming? And I think people often thought about, you know, the crossover from the cyber realm into the kinetic realm - you know, letting loose the water to dam, shutting off a city's electricity. I mean, we've all - anyone in the cybersecurity space has had this conversation, have been asked the question of, you know, is this in the art of the possible? You know, we've even seen the Russians try that historically in Ukraine - turning the power off and things like that. And I don't want to be little that that is not a possibility. I mean, critical infrastructure attacks are certainly a real possibility. But I don't think what we ever thought about was the impact of private services just getting turned off during wartime, where either government action or private sector companies saying, hey, I'm not going to do work with this entity anymore and, you know, this kind of cancel culture of these things being turned off. 

Caleb Barlow: And where Russia is fighting a kinetic war - you know, tanks and soldiers on the ground - the U.S. and Western allies are clearly fighting an economic war - right? - sanctions and, you know, things that are very devastating to the Russian economy in the long term. But cyber is unfolding in a very intriguing way, which is kind of this cancel culture, in the - you know, imagine the impact long-term of not being able to get access to silicon, not being able to get access to new computers or routers - all these things that can't be sold in Russia anymore, either because of government sanctions or just simply because private sector companies are saying, hey, I'm pulling out. I'm not doing business there anymore. This is a part of the playbook I don't think anybody really thought through. And where this could get more interesting is, up to this point, most of the dialogue has been about the purchase of physical devices - you know, a router, a computer, computer chips, things like that. You know, the telcos, for example, have said, hey, we're not going to do new business in Russia. But they're not shutting off existing business to date. You know, if you take AT&T, Verizon, Lumen - I mean, they move a very large percentage of global internet traffic. 

Dave Bittner: Right. 

Caleb Barlow: If we ever got to the point, either through a large-scale cyberattack, an action from government or some other factor where one of these companies said, hey, we're just not going to route this traffic anymore; we're going to stop the peering relationships, that's going to force the Russian economy back to the days of a 1,200-baud modem. I mean, it wouldn't disconnect them from the internet, I don't think. But it would degrade services to a point that would be mind-numbing. I mean, I was looking around this morning. The No. 1 used app in Russia - the No. 1 visited website is YouTube. What happens if you can't get to that anymore? Ninety-one million Russians are using YouTube. 

Dave Bittner: Does Russia have a future that looks like North Korea's, where, you know, they're - the rest of the world community makes it so that they have to be self-contained? 

Caleb Barlow: I don't know. I mean, I think - but I think these are the kinds of questions we have to start asking ourselves, both government and private sector, because there's a new tool here we really never thought about. We never thought about, how do we use it? When do we use it? Where do we use it? Is it even a good idea to use it? I mean, the better access Russians have to the internet, the better our ability to, you know, push past Russian propaganda for a whole variety of reasons, right? 

Dave Bittner: Right. 

Caleb Barlow: So there's a lot of reasons to say, hey, you want to keep these activities moving as much as you can. But in many cases, the decision of to do or not to do business is going to actually be held with the CEOs of private sector companies. And that's a part of this kind of new genre of warfare that I don't think anybody ever thought through. Also, it adds a level of coercion, if you will, into the equation that I don't think we've ever thought about. I mean, when we think about coercion relative to an attack, whether it be a cyberattack or a kinetic attack, the normal ways we thought about that is, you know, someone - you know, person A launches a missile into person B's territory, and person B fights back with another missile... 

Dave Bittner: Right. 

Caleb Barlow: ...Or maybe economic sanctions or maybe something else. We never thought about the idea of, oh, yeah, you just - you can't get to YouTube; you can't get to Amazon; you can't get to Microsoft. Like, that's a whole new realm of discussion as the world now operates largely remotely, thanks to the pandemic, in the cyber realm. And we've got to really start thinking about what that means. 

Dave Bittner: Right. So perhaps a global conversation here. You know, these are the - as we talk about things like the norms of war and so on and so forth, does this need to be part of future conversations? 

Caleb Barlow: Absolutely. You know, much like economic sanctions have a huge impact, so do these - and I don't even know what you call it - but cyber sanctions. Right? A lack of ability to take it to cloud environments or network at speed will definitely have an impact on any economy. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing cyber wire team is Rachel Gelfand, Liz Ervin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Seby, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.