Cyber ops and a side benefit of sanctions. BlackCat wants $5 million from Carinthia. Fraudster pressures Verizon. Spain responds to surveillance scandal. CISA has 5G implementation guidelines.
Dave Bittner: Pro-Russian DDoS attacks. Sanctions and their effect on ransomware. BlackCat wants $5 million from Carinthia. A fraudster pressures Verizon. Spain will tighten judicial review of intelligence services. Johannes Ullrich looks at VSTO Office files. Our guests are Cecilia Marinier and Niloo Howe with a preview of the RSAC Innovation Sandbox. And CISA releases ICS advisories and, with its partners, issues guidelines for evaluating 5G implementation. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 27, 2022.
Pro-Russian DDoS attacks.
Dave Bittner: Microsoft cautions in an NPR interview not to dismiss the cyber phases of Russia's hybrid war as inconsequential. There has been no shortage of attempted disruption of Ukrainian networks since shortly before the Russian invasion began. Imperva offers a timeline of distributed denial-of-service attacks conducted in the Russian interest by nominally hacktivist organizations. Killnet is the most notable of those groups. Imperva's timeline shows Killnet's development. The gang first appeared on January 23 as Russia was preparing its invasion of Ukraine. On the 28 of February, four days after the Russian invasion began, Killnet issued a call to arms, seeking to rally hackers in Russia and the Commonwealth of Independent States to the Russian cause. Along with that call was an invitation to subscribe to the Telegram channel of the cyber army of Russia, the better to Killnet's exploits. Since then, Killnet has conducted various distributed denial-of-service attacks against easily accessible targets of opportunity. On April 20, the U.S. Cybersecurity and Infrastructure Security Agency included Killnet in a list of Russian criminal groups that posed a potential threat to infrastructure. Hacktivist, privateer or simply a deniable group operated by Russian intelligence or security services, Killnet's targeting has been varied, but its activities haven't risen above a nuisance level. DDos is easy to attempt, but it's proving difficult to conduct with significant effect.
Sanctions and their effect on ransomware.
Dave Bittner: Ransomware operations appear to be on the way to becoming collateral damage in the sanctions that have been imposed on Russia. CPO Magazine, citing recent remarks by NSA's cybersecurity director, Rob Joyce, describes the ways in which controls on bank transfers and other remittance mechanisms have inhibited payments to ransom gangs. They say ransom payments are more difficult to process due to lack of access to assorted banking options and inability to purchase necessary technology to set up the infrastructure for new ransomware campaigns. Collateral damage in this case may be wayward as a description of what's going on, since the effect, while not directly intended, isn't unwelcome either. Call it a side benefit. Call it gravy.
BlackCat wants $5 million from Carinthia.
Dave Bittner: The Austrian state of Carinthia, under a ransomware attack by the BlackCat gang, also known as ALPHV and which is a rebranding of DarkSide side or BlackMatter, since Tuesday, according to BleepingComputer, has received a ransom demand. BlackCat wants $5 million to restore access to systems its attack disrupted. Carinthian authorities say that its public-facing websites are down and that passport administration, collection of fines and processing of COVID tests are among the services that have been affected. They've found no evidence that BlackCat succeeded in stealing data. And indeed, none of the usual teasers have been posted to the gang's dump site. Carinthia does not intend to pay the ransom, and its services are beginning restoration today.
Fraudster pressures Verizon.
Dave Bittner: Verizon has confirmed to Vice that a scammer has contacted the phone company with the claim to have accessed sensitive internal data. Specifically, the scammer said they'd obtained an internal corporate employee database, which they threatened to release if they weren't paid a $250,000 bounty. Verizon told Vice, a fraudster recently contacted us, threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information, and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously, and we have strong measures in place to protect our people and systems.
CISA releases ICS advisories.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has released two industrial control system advisories.
Spain will tighten judicial review of intelligence services.
Dave Bittner: The AP reports that Spain will increase judicial supervision of its intelligence agencies after investigation revealed abuse of NSO Group intercept tools for domestic surveillance. The AP writes, the Spanish government will tighten judicial control over the country's intelligence agency, Prime Minister Pedro Sanchez said Thursday, weeks after the agency admitted it had spied on several pro-independence supporters in the region of Catalonia with judicial authorization. The country's National Intelligence Centre, or CNI, has been under fire since April, after Canada-based digital rights group CitizenLab alleged that the phones of more than 60 Catalan politicians, lawyers and activists had been hacked with controversial spyware. The CNI later acknowledged in a closed-door meeting with Spanish lawmakers that it had hacked into the cell phones of some of those politicians.
CISA and its partners issue guidelines for evaluating 5G implementation.
Dave Bittner: Finally, as U.S. federal agencies move, like other organizations, toward 5G technology, CISA and its partners in the Department of Homeland Security's Science and Technology Directorate and the Office of the Under Secretary of Defense for Research and Engineering have released version one of its 5G Security Evaluation Process Investigation. It outlines a five-step process organizations should follow as they implement 5G. Step one calls for a use-case definition to identify 5G subsystems that are part of the system - component configurations, applications and interfaces involved in the operation of the system. In step two, agencies should define the boundary to identify the technologies and systems requiring assessment and authorization, taking into consideration the ownership and deployment of the products and services that comprise the use-case. The third step, after determining the scope of the assessment, is to perform a threat analysis of each 5G subsystem, with a view to mitigating the risks associated with it. At step four, an agency should consult relevant federal security guidelines and create a catalog of that guidance. And finally, in the fifth step, the agency applies the guidelines, identifies any gaps in security guidance or ways to address them. It seems a common-sense approach with an appropriately bureaucratic bent, but CISA hopes that it will provide an approach that's both uniform and flexible. CSA invites feedback, and the deadline for comment is June 27.
Dave Bittner: One of the highlights of the upcoming RSA Conference in San Francisco is the RSAC Innovation Sandbox Contest, which puts 10 promising security companies in front of a panel of judges and a live audience in hopes of winning the title most innovative startup. As part of the CyberWire's media partnership with RSAC, I spoke with Cecilia Marinier, program director for Innovation from RSAC, and Niloo Howe, senior operating partner with Energy Impact Partners and one of this year's judges. We hear first from Cecilia.
Cecilia Marinier: So the RSA Conference Innovation Sandbox Contest actually started in 2005. It has been ongoing, with one year exception, from 2005 to today. So we've had 17 years of selecting top innovators in our field. And the goal of the contest is to actually celebrate what's happening in innovation. We see a lot of adversaries innovating, while we have a lot of amazing people on the positive side also innovating. And this competition, actually, is very competitive, and it selects the top companies that are bringing out some highly important innovation in our field.
Dave Bittner: Niloo, you are on board as one of the judges this year. What attracts you to the Innovation Sandbox? Why is this something that you choose to participate in?
Niloo Howe: It's an incredible opportunity to spend time with entrepreneurs, people who are really going after the leading-edge problems in cyberspace, hear them out. And I'll tell you, being a judge is incredibly hard because we get - you know, when we start with over a hundred companies and trying to select down to the top 10, there are so many amazing entrepreneurs in our space. Every year, we duke it out because there's amazing people. There's amazing solutions. There's really big problems. Some of them are problems that have been there for a while. Some of them are newer problems as technology innovates and we transform. But it's just a remarkable opportunity to spend time thinking about these problems and speaking with the entrepreneurs.
Dave Bittner: Cecilia, beyond the Innovation Sandbox itself, there's also the early-stage startup area at the RSA Conference. Can you give us some insights on that?
Cecilia Marinier: So the Early Stage Expo is situated on the second floor in Moscone South, and it will host 35 different companies. They'll have 17 briefing sessions in the space. And it's just a very cool area. It has a lot of companies that are coming from outside the U.S. which is also really nice to kind of see what the breadth of what's happening outside the - outside of our country. But that area is interesting. I would also recommend that the other thing that we're doing on our 365 is this innovation showcase where we partner with venture capitalists and each month celebrate innovation in different parts of the globe. And that's something else people who are interested in innovation should be following. If they're - if they want to follow it, it's great.
Dave Bittner: Niloo, I want to give you the last word here. I mean, for folks who are coming to the conference who perhaps have never attended the actual Innovation Sandbox event, make your pitch here. Why is this something in a busy week that they should carve out their time to include on their schedule?
Niloo Howe: We are going to have 10 incredible entrepreneurs that are thinking about leading-edge technology issues in the cybersecurity domain. Get on stage. Make a fast pitch. Get ganged up on by, you know, a series of seasoned judges, and they'll get a great sense of what it's like to pitch and to be questioned and also get a really good, broad sense of what's happening in the community. So it's a really fun, fast-paced, high-energy event. It's my favorite event, whether to watch or be a judge or participate in.
Dave Bittner: That's Cecilia Marinier from RSAC and Niloo Howe from Energy Impact Partners. This year's Innovation Sandbox competition takes place Monday, June 6 in Mosconi South. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, you and I have talked many times about the issues with macros within Microsoft Office files. I know there's some stuff you've been tracking along these lines lately. What's the latest?
Johannes Ullrich: Yes. So macros, of course, are still, I think, the predominant way how malware enters Windows systems these days. But it's getting more difficult. Microsoft made it more difficult to use macros. And, you know, some users actually caught on to the idea that whenever they open a macro, their system gets encrypted. So there are some correlations here that show up sometimes. But it turns out that with macros kind of becoming more difficult to use, there are actually some other techniques that people have discussed in the past. Like, this goes back to sort of 2018, but now it's sort of getting more steam because it's sort of a replacement for macros. And it is these Visual Studio for Office files, which is sort of a macro technique. It's more an add-in to a Word document. What better than receiving a Word document that includes a binary add-in to Office? I can use it every day, you know, when I'm writing reports and things like that. Not really (laughter), but it's one of those features.
Dave Bittner: Yeah. Every Word file needs an executable, right?
Johannes Ullrich: Every Word file needs an executable. Yes.
Dave Bittner: (Laughter).
Johannes Ullrich: And Adele Escelle (ph) sort of revived that a little bit and wrote a blog about this recently in April discussing how to create these documents. As the name implies, you need Visual Studio. So it's a little bit more work than your standard macro, but the tools are being developed now to make it easy enough for even an attacker is able to create those documents pretty easily. Now, there's still some restrictions around these documents like they have to be loaded from the right website. But that's all a matter of actually how you disguise the macro - or not macro. I should say the add-in. And it has some interesting features like for example, automatic updates where I can send you a little document that may not really look all that malicious, but it will update itself once you open it and basically pull in additional code from a URL that I probably put up with some cloud provider or whatever kids these days like to post their malware.
Dave Bittner: Right. So a way to maybe bypass that, you know, that first look at the file itself.
Johannes Ullrich: Correct. Bypass that for a look and then the next download will come from a source that you may even have whitelisted, like some Office 365 file share or some Google Cloud servers, whatever you may want to use here. It's deposit of five can really come from anywhere. And the users aren't yet at least used to that kind of interaction so it hasn't really sort of made it into our awareness training that right now is of a time in this type of attack probably will work best because our defenses aren't ready for it yet.
Dave Bittner: Is this the kind of thing where similar to macros that users can disable them by default?
Johannes Ullrich: They're a little bit more difficult to outright disable, but typically you may see prompts, but it all depends on where you exactly download them from. If I manage to load a document into like a trusted file share or something like this, then things are different. If you are saving it first to your local disk, like if it arrives as a email attachment, then again different rules apply. So it's something I think it's still open to research exactly how to best defend against this and also what the exact warnings users will be seeing and when they'll be seeing it.
Dave Bittner: I see. All right. Well, Johannes Ullrich, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Symantec's Dick O'Brien. We're discussing "Stonefly: North Korea-Linked Spying Operation Continues To Hit High-Value Targets." That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.