Cyber incidents and lessons from Russia's hybrid war. Zimbra vulnerabilities exploited. New Lazarus Group activity reported. ICS security advisories .Insider trading charges from 2017 Equifax breach.
Dave Bittner: A DDoS attack against a Ukrainian nuclear power provider. The U.S. Army draws some lessons from the cyber phases of Russia's hybrid war. Vulnerabilities in Zimbra are undergoing widespread exploitation. Reports of new Lazarus Group activity. CISA releases eight ICS security advisories. Carole Theriault looks at scammers and cryptocurrencies. Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security. And the SEC charges three with insider trading during a 2017 Equifax breach.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, August 17, 2022.
DDoS attack against Energoatom's public website.
Dave Bittner: Russian nuisance-level attacks continue against Ukrainian targets, most recently taking the form of a distributed-denial-of-service action against the website of Energoatom, the Ukrainian state corporation that operates the country's four nuclear power plants. Energoatom described the incident, which took place Monday, as the most powerful hacker attack since the beginning of the full-scale invasion of the Russian Federation. The corporation said the attack was mounted from the territory of the Russian Federation and carried out by the Russian group the popular cyber army, a hacktivist front organization. Energoatom said the attack used 7.25 million bots and lasted for about 3 hours. The corporation said it had a negligible effect on visitors to the website. Energoatom's plants include the presently occupied and besieged Zaporizhzhia nuclear facility. The DDoS had no discernible effect on operations at this or any other plant. The immediate risk to Zaporizhzhia is shellfire, not DDoS.
Lessons learned from the cyber phases of Russia's hybrid war.
Dave Bittner: Some familiar and unsurprising lessons are among those the U.S. Army is drawing from its observations of Russia's special military operation. First, nonkinetic attack techniques, including both cyber and electronic attack, are more prominent in the gray zone at the lower-intensity portion of the spectrum of conflict. When conflict moves to actual shooting, they remain useful, but they no longer have the centrality they did in the deniable gray zone.
Dave Bittner: Fed Scoop quotes Lieutenant General Maria Gervais, deputy commanding general of U.S. Army Training and Doctrine Command, as telling TechNet Augusta yesterday that, the conflict also reveals an important aspect of both EW and cyber. Neither is dominant on its own, and they work best when converged with other multidomain effects. She offered as an example of this observation that, the ability to use electronic warfare to detect an adversary is most formidable when matched with long-range precision fires.
Dave Bittner: Second, Russian information troops, which had been thought of as roughly equivalent to U.S. Cyber Command, have turned out, in fact, to be optimized more for propaganda and counterpropaganda than for cyber operations, whether offensive or defensive. Third, traditional electronic warfare, mostly jamming and radio direction finding, have increasingly come into their own as the conflict moved into conventional warfare. And while there's been a convergence of cyber operations with electronic warfare, both are valuable insofar as they're integrated into combined arms operations.
Dave Bittner: General Gervais said, now both EW and cyber have played major roles in the fighting in Ukraine. It demonstrates the types of threat the unified network will face in conflict with a peer or near-peer adversary. The unified network will need to operate in an environment where it will face significant challenges from EW and cyber. It must be resilient enough to handle these threats while providing the Army and the joint force the speed and relevancy to converge multidomain effects against an adversary. Ukraine serves as a stark reminder of this challenge.
Dave Bittner: And fourth, cyber and electronic warfare capabilities require constant adjustment in combat. Cyberspace, the fifth domain of conflict, is an artificial domain shaped by human activity in ways that the other four domains - land, sea, air and space - are not. Cyber capabilities in particular, a piece in Breaking Defense argues, unlike a weapon that can be tested, validated and put on a shelf knowing that it will work when needed, deployed information warfare and cyber capabilities have to be continually tuned and optimized in order to be relevant to the warfighter.
Vulnerabilities in Zimbra undergoing widespread exploitation.
Dave Bittner: The widely used Zimbra Collaboration Suite, which the Stack and others describe as a lower-cost alternative to Microsoft Exchange, is being widely attacked. Small- and medium-sized enterprises and schools are Zimbra's primary users, but it's also used by some banks and multinational corporations. In all, the Stack says, Zimbra is used by more than 200,000 businesses over 140 countries. As an aside, one of those countries is Ukraine, where CERT-UA warned back in April that CVE-2018-6882 vulnerability was undergoing active exploitation. Yesterday, CISA issued an alert to the effect that threat actors are exploiting multiple CVEs against Zimbra Collaboration Suite. All of these are known vulnerabilities for which Zimbra has issued patches. CISA urges all Zimbra Collaboration Suite administrators to immediately update their systems, scan for indicators of compromise and take action to remediate any compromise they find.
New Lazarus Group activity reported.
Dave Bittner: ESET offers the latest in its ongoing reports of North Korean Lazarus Group activity, stating, a signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by Lazarus for Mac.
CISA releases eight ICS security advisories.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released eight industrial control system security advisories, including products from Yokogawa, Delta Industrial, Emerson and Siemens, among others. You can find the complete list on CISA's website.
US SEC charges three with insider trading during the 2017 Equifax hack.
Dave Bittner: And finally, yes, public relations firms called in to help a company during a crisis aren't supposed to trade on material, nonpublic information. Yesterday, the U.S. Securities and Exchange Commission announced charges against three individuals for illegally tipping and trading in the securities of Equifax in advance of the company's public announcement on September 7, 2017, that it had experienced a massive cyber intrusion and data breach. This case is a little different since it involves an officer with a PR firm, not someone from Equifax itself, who allegedly learned of the breach. She then allegedly told her significant other, who then told his brother and got his brother to do some trading so they could split the proceeds. The SEC seeks injunctive relief and civil penalties against each defendant. The SEC also seeks disgorgement of ill-gotten gains plus prejudgment interest. The SEC points out that this is the third enforcement action it's taken with respect to events surrounding the 2017 breach at Equifax. The earlier 2018 actions charged two former Equifax employees with insider trading.
Dave Bittner: So attention, PR types, you too should read and heed the insider trading laws. If you decide to short, then maybe lawyer up so you don't get caught short. Nobody likes a disgorgement - even sounds bad.
Dave Bittner: Jennifer Reed is chief information security officer at cloud security company Aviatrix. She shares her perspective on ways organizations need to adapt to the changing landscape of cloud security.
Jennifer Reed: Well, I think you have two different paradigms. You have a traditional enterprise perspective. And what I mean by that is where you have multiple layers of security defense - you know, multiple parameters that separate the public internet from the intranet and the WAN. And even when you're talking about that from an internal perspective, you know, you have different DMCs and firewalls that create additional layers to protect sensitive data. And that sensitive data can be personally identifiable data. It can be intellectual property. It can be a number of different things, right? And so usually as you go to those different layers, access has additional levels of restrictions. So not everybody has access to everything. And the reason for that is because you don't necessarily need to have access. And the more people that have access to sensitive data, the easier it is for that data to be mishandled.
Jennifer Reed: And so when you have that type of paradigm and you go into the cloud, that isn't possible the same way. What I mean by that is, like, a lot of that is physical layers where you actually have different people that have access to different things depending upon their job, and there are isolated networks that allow them to do that but not have access to, say, the interfaces with the data going across it - the data plane. And then we have access to a control plane but not the actual data running across it. Does that make sense? So what that means for the cloud is just that everything is virtual. And so you don't have a separation. The people who have access to the control plane are your cloud service providers, right? And so they maintain the instances that are running in hardware and data centers. And so they have no access to the things running across it. But if I am an enterprise, I need to deploy my services into those virtual networks. And so I have my own networking and system admins that need access, but they can't go across the CSP's control plane, right? It's completely segregated because it's infrastructure as a service. So it's all virtualized. And so then I had to put in logical controls that give me some of that separation and segmentation. But at the same time, I can't have a pure management network that I'm traditionally used to having, right? So I have to start to think about how do I provide that sort of segregation and isolation and segmentation, but I have to think about it in a way where I can't have the perfect isolation. But even in an enterprise, it's not perfect, right? But I have to think about it differently 'cause I can't institute those same things in a public cloud.
Dave Bittner: And so for the people who are charged with maintaining security in this environment, I suspect this has been a bit of an adjustment for them.
Jennifer Reed: It's an ongoing adjustment, right? 'Cause, you know, one of the big things is that - you know, especially something that's holding, you know, personally identifiable data or intellectual property - I don't want it to have a public IP, right? And that's been traditional because I normally have a DMZ. But unfortunately, how are you going to reach that asset, right? So - and how can I provide control on that so I can limit the access to it - right? - but still allow my services to run? So I start to think about things from - a control plane might have a public IP that has limited access to it, but then, internally, it may have multiple internal private IPs and interfaces that allow the data to run across, but across a private network, right?
Jennifer Reed: And so I have to start thinking about - even though if I think physically it's the same port on this virtualized machine - you know, 'cause traditionally you wouldn't think about it that way, that is indeed the case, and you have to think logically. I have these virtual interfaces that I will force the traffic down so that all data traffic will go across the private interfaces, and I'm limiting the access to this other interface for control traffic, right? And so I have to think about how I can manage that and understand how to control that at the different layers for different cloud service providers. So you have to actually think about things differently instead of being so fixed in how we always did it, right?
Dave Bittner: Yeah. Are there common places where folks trip up?
Jennifer Reed: Yeah. They allow developers to go into the cloud to do the development. They don't understand how they may have initially deployed a instance. And what I mean by that is any cookbook that you use for any cloud service provider - Amazon, Google, Azure - doesn't really matter - they try to make it easy for you to get something going and running. And there will always be this asterisk - please limit this IAM policy, which is your Identity Access Management policy for this instance - right? - before you go into production. And that's because they don't know how you're going to use it, so they can't preformulate that for you. And so they expect you to understand how that is. But of course, developers just want to make stuff work, right? And so (laughter) they're like, I don't know how to restrict it, right?
Dave Bittner: (Laughter) Right.
Jennifer Reed: I know. And it's like, well, I don't know. If I restrict it, it break something. That's the most common thing. And they'll want to go all the way to the CIO and say, hey, if I restrict this, I don't know what it can break, and we have this deadline. It's this revenue. And someone will sign off on it because, you know, it's - they're like, well what's the real risk? The problem is is the security teams don't really understand what their risk actually is to help inform the CIO in that process, right? And so they come around to security last. And so there's this drive, really, with people I've talked to - other CISOs - desire to really start to embed security in the app teams, right? And so as they're developing and iterating and creating these applications - to really help them start with a limited, restricted policy as they're going and add the permissions as they need them, right? And you don't want to be the naysayer...
Dave Bittner: Right.
Jennifer Reed: ...You know, to hold up a project. Or, you know, someone's going to get an exception, which puts the company at risk, but more importantly, customer data at risk, which is what we don't want, right? We don't want someone's PII to be at risk. And what I mean by that is, you know, it's the thing that, you know, keeps a lot of people up at night. It's not that, you know, you have a hack of your data. It's that someone's grandmother's data - right? - gets used, and they then steal that person's identity. And how much more...
Dave Bittner: Right.
Jennifer Reed: ...Difficult is it for that person to try to fix that, right? They don't have the skills or understanding of even what happened. And so that's the real person that, you know, you want to kind of protect. Protect their data. And to protect their data, you have to protect the enterprise, right? And also be able to train people to do the right thing because I think app developers want to do the right thing. But unless you pair them up with a security person to work collaboratively, you're not enabling them as effectively as you could to do it right the first time.
Dave Bittner: That's Jennifer Reed from Aviatrix.
Dave Bittner: Our U.K. correspondent, Carole Theriault, has been looking into scammers and cryptocurrencies - two things that sadly seem to go together more than anyone would like. She files this report.
Carole Theriault: Is it any surprise that scammers are cashing in big on the crypto craze? A recent report from the FTC says that since the start of 2021, more than 46,000 people have reported losing over $1 billion in crypto to scams. That's about 1 in every $4 reported loss - more than any other payment method. And can you guess what the top cryptocurrency used to pay scammers was? Seventy percent of payments to scammers were done in bitcoin.
Carole Theriault: Now, crypto has several features that are attractive to scammers, says the FTC, which may help to explain why the reported losses in 2021 were nearly 60 times what they were in 2018. They list three biggies. One, there is no bank or other centralized authority to flag suspicious transactions and attempt to stop fraud before it happens. Two, crypto transfers can't be reversed. Once the money's gone, there's no getting it back. And three, most people are still unfamiliar with how crypto really works.
Carole Theriault: And - perhaps no surprise - social media sites don't get off easy here. Nearly half the people who reported losing crypto to a scam since 2021 said it started with an ad, a post or a message on a social media platform. And can you guess the top platforms identified in this report? Instagram and Facebook. And another interesting little tidbit is that of the reported crypto fraud losses that began on social media, most are investment scams. Basically, we're talking bogus investment opportunities. And these scammers claim that they can make huge returns for investors. But those crypto investments don't end up in your wallet, but in the scammer's wallet. When they do really try to cash out, they are simply told to send more crypto for fake fees, and of course, they don't get any money back.
Carole Theriault: The FTC capped off with a few reminders. One, only scammers will guarantee profits or big return. No cryptocurrency investment is ever guaranteed to make money, let alone big money. And two, nobody legit will require you to buy cryptocurrency - not to sort out a problem, not to protect your money. That's all a scam. And, you know, I'll add on to that - it's really important to be honest with yourself. Before you dabble into crypto and get all excited, make sure you know your onions from your bitcoins - because for every single person that claims to have won big, there is a huge number that have lost their shirts. This was Carole Theriault for the CyberWire.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.