The CyberWire Daily Podcast 9.21.22
Ep 1667 | 9.21.22

A call-up of Russian reserves, and more notes on the IT Army's claimed hack of the Wagner Group. Netflix phishbait. The Rockstar Games and LastPass incidents. CISA releases eight ICS Advisories.

Transcript

Dave Bittner: It's partial mobilization in Russia. Further notes on the IT Army's claimed hack of the Wagner Group. Leveraging Netflix for credential harvesting. Rockstar Games suffers a leak of new "Grand Theft Auto" footage. Ben Yelin has the latest on regulations targeting crypto. Our guest is Amy Williams from BlueVoyant discussing the value of feminine energy in the male-dominated field of cybersecurity. And CISA releases eight ICS advisories.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 21, 2022. 

A quick note on Russia’s partial mobilization.

Dave Bittner: This event belongs in the kinetic world - that is, it's happening in real life - but it has implications that will reverberate in hybrid warfare and, of course, in the form of disinformation. I'm speaking, of course, of President Putin earlier this morning announcing what media describe as a partial mobilization, a call-up of reservists. Rusty and aging as they may be, reservists constitute a pool of at least relatively trained soldiers. Up to 300,000 may be recalled to active service, the AP reports.

Dave Bittner: Reuters reports heavy booking of airline flights out of Russia. And this, as Pravda used to say, is no accident. Departures are said to have sold out within hours of the call-up's announcement, and the preferred destinations are countries with permissive visa requirements. Social media posts are also reporting traffic jams at the Finnish border, the last one open in European Russia. The pictures look like California 101 northbound at rush hour, right at the Ventura County line. Of course, the scenery is not as nice. 

Dave Bittner: The call-up came as Russia advanced plans to hold votes - regarded by essentially everyone as sham votes - in those portions of Ukraine it still holds. The population will be invited to choose annexation by Russia, which in Moscow's official view would make the occupied regions permanent, organic parts of Russia. One of the Kremlin's mouthpieces, deputy chairman of the Russian Security Council, explained the thinking behind the Potemkin plebiscites, saying, the geopolitical transformation in the world will be irreversible once the referendums are held and the new territories join Russia. Encroachment into Russian territory is a crime, and if it is committed, that allows you to use all possible force in self-defense. That is why these referendums are so feared in Kyiv and in the West. That is why they need to be carried out. 

Further notes on the IT Army's claimed hack of the Wagner Group.

Dave Bittner: Returning to cyberspace proper, Ukraine's IT Army is claiming to have personal identifying information on the members of the Wagner Group, although so far it hasn't posted any as a proof of hack. But there are other indications in the form of archived website defacements that indeed the IT Army has been fiddling with Wagner's online assets. The IT Army posted a link to an archived version of a Wagner Group site that's been defaced to show pictures of Wagner Group dead beneath a welcome to Ukraine message, stating, all of your personal site data is with us. Welcome to the Ukraine. We are waiting for you. Vice, which reports the defacements, also has a characterization of the Wagner Group as a de facto, if deniable, arm of the Russian military, effectively an umbrella term for a varied class of Russian government operations. 

Leveraging Netflix for credential harvesting.

Dave Bittner: INKY this morning blogged about a phishing scheme that impersonates Netflix. Researchers report that between August 21 and August 27 of this year, Netflix customers were the target of a PII data harvesting campaign. The campaign used a malicious HTML attachment compressed in a zip file. The campaign is noteworthy because it shows that criminal social engineering is being conducted with greater polish, without some of the clumsy diction and nonstandard language that once made it easy to spot. The phishing emails targeted Netflix customers and were spoofed to look as though they came from Netflix's actual domain. The emails originated from a virtual private server in Germany and then moved to an abused mail server from a Peruvian university which allowed the email to receive a DKIM pass and make it to the recipient. 

Dave Bittner: INKY reminds users of best practices when it comes to unidentified emails. They advise being cautious of zip file attachments since there's no ability to preview them, visiting a company's website directly to resolve an account issue and using the browser's address bar to hover over links and determine that you're on a website instead of a local file. They also note that SMTP servers should be set up so that they don't accept and forward emails from nonlocal IP addresses to nonlocal mailboxes. 

Rockstar Games suffers leak of new Grand Theft Auto footage.

Dave Bittner: The AP and others have been reporting a network intrusion at Rockstar Games, in which the company suffered the leak of some aspects of its new "Grand Theft Auto" game currently in early development. Someone claiming to be the hacker apparently posted 90 clips from the "Theft" and claimed also to have source code for the game, which they want to sell for at least upwards of $10,000. The Video Games Chronicle reports that Rockstar has released a public comment on its social media channels, noting that they were extremely disappointed that details of the game were shared by the hacker. And they say that there will not be delays in the project. 

Dave Bittner: The motive seems to have been extortion, which is the sort of motive that might drive a "Grand Theft Auto" game plotline, only in this case, there seems to have been less slapping and curb stomping. Rockstar said in a statement, we are extremely disappointed to have had any details of our next game shared with you all in this way. Our work on the next "Grand Theft Auto" game will continue as planned, and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectation. We will update everyone again soon, and of course we'll properly introduce you to this game when it's ready. We want to thank everyone for their ongoing support through this situation. 

The LastPass incident.

Dave Bittner: LastPass has published an update on the security breach it sustained last month, Naked Security reports. LastPass found no evidence that the attacker gained access to customer data. The threat actor was able to steal some source code, but the company found no evidence of attempts at code poisoning or malicious code injection. The mention of code poisoning is interesting insofar as it indicates that companies are thinking about this as a real possibility, which of course it is. 

Dave Bittner: LastPass had this to say about what they found - our investigation determined that the threat actor gained access to the development environment using a developer's compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multifactor authentication. 

CISA releases eight ICS Advisories.

Dave Bittner: And finally, the U.S. Cybersecurity and Infrastructure Security Agency yesterday issued eight Industrial Control System (ICS) Advisories. See CISA's ICS site for details, and please do read them and heed them. 

Dave Bittner: Coming up after the break, Ben Yelin has the latest on regulations targeting crypto. Our guest, Amy Williams from BlueVoyant, discusses the value of feminine energy in the male-dominated field of cybersecurity. Stick around. 

Dave Bittner: The Cyber Guild's Uniting Women in Cyber event is taking place on September 27 in McLean, Va. The CyberWire is pleased to be a media partner for the event. Dr. Amy Williams is senior director of proactive services at BlueVoyant, and she's a panelist on a session titled "Shining Your Light - Unlocking Your Own Potential." We spoke about the value of feminine energy in the historically macho field of cybersecurity. 

Amy Williams: So for feminine energy, typical positive feminine attributes are intuition, creativity, vision, a collaborative nature, making decisions from your heart and wanting to connect. Those are more feminine energy attributes, whereas positive masculine attributes are qualities such as A to B-type reasoning or more mathematical analysis - and I'm intentionally avoiding the word logic 'cause the word logic is charged with some negative connotations - a competitive spirit, being purpose-driven, being strong-willed. All of those are masculine qualities. And to have an effective cybersecurity program, you really need a balance of all of those things. You can't have just a one-sided approach and be very effective. And most people, if you ask them, you know, you gave them this list of attributes, they'd say, I'm a mix of those things. I'm not purely and categorically feminine or masculine. And so I think when we talk about women versus men in cybersecurity, we're missing that nuance that women don't all look the same, and men don't all look the same. It's the feminine energy that needs to be balanced with the masculine energy within everyone and certainly within teams in order to build an effective cyber program. 

Dave Bittner: So it strikes me that, you know, we have been making some gains with just percentages of numbers of getting more women involved in cybersecurity, but it's lagging particularly at the leadership level. For folks who are leaders, how do you suggest that they make room for this, that they make sure that there's a space, that there's an opportunity to bring this energy to their organizations? 

Amy Williams: You know, that's a great question. And there's some very nuanced, complex characteristics that come into the answer on that solution. One is that cybersecurity at the top is viewed as a cost center that we need to reduce and that we need to make sure that we have our assets covered but that we don't spend any more on it than we absolutely have to, instead of looking at cybersecurity as a strategic initiative. So that keeps us minimizing cybersecurity to begin with. If it can be understood universally that cybersecurity is a holistic, strategic approach to managing the organization and ensuring that there aren't any gaps in the protection of all of the assets, then that's going to open up not only more funds but a better understanding of what an effective cybersecurity program takes. And an effective cybersecurity program requires that we have a complete, inclusive inventory of our assets, that we have good communication across the organization of what is allowed and what's not allowed. We also have to have those more, you know, masculine attributes of network segmentation and, you know, a SIEM that analyzes data and immediately responds. But, you know, just having MDR in place without having an effective, well-built, well-designed architecture is not effective because if you're only monitoring half of your network, then you're not doing a very good job with cybersecurity. So I think people in cybersecurity need to be more communicative with the executive suite about what a holistic cybersecurity program is, and then that will help us move in the right direction. 

Dave Bittner: What are your recommendations for organizations who want to do a better job with this? I mean, how do they take stock and establish what their own ground truth is? 

Amy Williams: Cybersecurity programs need to be funded better, and the executive team needs to understand better what they need to include in order to have the most effective program. And the reality is that it requires a broad range of skills, and so being inclusive of a variety of different people with different skill sets into the program is critically important. I mean, one of the reasons why I love the Cyber Guild so much is because they are dedicated to inclusivity of everyone. It's not - you know, if you read carefully on their website what they talk about - they don't talk about, we're going to elevate this one group of people who look a certain way. They're interested in championing inclusivity. And cybersecurity is a very complex, nuanced issue to tackle. And we can't do it by having a one-size-fits-all set of people managing the cybersecurity program. 

Dave Bittner: Any advice for women in particular of strategies for best taking their place? 

Amy Williams: I think that the best advice would be to align yourself with people who are going to have your best interests at heart. And sometimes that's going to be other women, and sometimes it's not, unfortunately. But I've always had the good fortune to have good mentors. And sometimes there were women, and sometimes they weren't. But you want to be on the best team. You also want to know what your strengths are and play to those. And, like, my background is math and computer science and all of that. And so it was difficult for me to - I did - I dressed like a man for the first - in my 20s. I wore a tie and a suit most of the time. And it was just so I would look like everybody else, so that I would just be taken seriously for my brain. And I used to feel bad about that, but I don't feel bad about that anymore because I did what I needed to do to be seen the way that I wanted to be seen, even though it was a little odd at the time. So I would say that that's what you need to do. If you are interested in cybersecurity, but you haven't had a ton of programming and all of that, figure out what it is that you are interested in and figure out a way to have a path forward and try to surround yourself with people who will welcome you into the fold on that. 

Dave Bittner: That's Dr. Amy Williams from BlueVoyant. The Cyber Guild's Uniting Women in Cyber event is coming up September 27. You can find more on our website, thecyberwire.com, in the events section. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: So interesting story came by in the past few days. This is from The Washington Post article by Jeff Stein and Tory Newmyer, and it's titled "Treasury Will Warn White House That Crypto Needs Major Regulations." What's going on here, Ben? 

Ben Yelin: So the Biden administration has had its eyes on the threats that crypto poses to personal - data privacy, data security and also the economy writ large. President Biden released an executive order on digital currency, I think, in 2021. And now the Treasury Department is trying to effectuate some of what the president was expressing by issuing those executive orders. So the Treasury Department is planning on issuing four separate reports to make clear that, quote, "the Biden administration's top economic officials believe crypto needs strong oversight as lawmakers weigh new rules for digital assets." So there's a bunch of things happening here. One is - I think because of the performance of the stock market this year in particular, there's new concern about the economic danger of cryptocurrencies. There is certainly some fraud risk they pose for investors because there is a lack of oversight. And I think investors were scared off by the fact that cryptocurrencies lost so much value this year that there's kind of doubt about their long-term economic viability. 

Dave Bittner: Right. Once people start losing money, oh, we need oversight (laughter). 

Ben Yelin: Yeah, exactly. Please help us, government. 

Dave Bittner: Right, right, right. 

Ben Yelin: We're going to create this amazing currency that's not - you know, doesn't rely on traditional banks or... 

Dave Bittner: Right. 

Ben Yelin: ...Government regulators. And then everything goes to H-E double hockey sticks, and they want the government to come in and help them. 

Dave Bittner: OK. 

Ben Yelin: So Treasury is saying that these cryptocurrencies don't pose a stability risk to the broader financial system. This is not housing in 2008, but they think that as crypto gains more of a foothold, that situation could change. And they focused on stablecoins, so those coins that are pegged to the U.S. dollar. 

Dave Bittner: Right. 

Ben Yelin: They want Congress to give banking regulators new authority to police these digital tokens. But Congress being Congress, despite the collapse of stablecoin in this year's stock market, has been unable to agree on how to provide proper oversight. There are a couple of tertiary issues, the sector itself - so the actual industry that controls crypto and their lobbying groups - want to establish regulation under the Commodity Futures Trading Commission. And one of the reasons they want to do that is they think that the CFTC is going to be less hostile to crypto interests than the Securities and Exchange Commission. So there's a big debate going on in Congress behind the scenes about which one of those agencies is going to get that type of regulatory power. I think it's worth noting that Janet Yellen, the treasury secretary - no relation, spelled differently - is just very skeptical of cryptocurrencies and always has been. So it's not a surprise that Treasury is putting out these warnings, but I wonder if the warnings themselves will have a significant impact on, a, the value of cryptocurrency and, b, what happens in terms of congressional regulations. 

Dave Bittner: Seems like this has all been a long time coming, don't - I mean, that's my sense. 

Ben Yelin: Yeah, I mean, we're more than a decade into this. I think the CEOs in the industry have been preparing for some type of regulatory regime to emerge. 

Dave Bittner: Right. 

Ben Yelin: And they want to shape it in their - they want to mold it in their preferred way. To minimize risk to themselves, but also, if you're going to have oversight, make it something where the government actually can root out fraud and protect against the backdrop of the economic house of cards falling down because some cryptocurrency goes off the deep end. So I think they have been - regulators at least have been considering how to deal with this new animal, and they've been doing it in a variety of ways. And it's not just Treasury. I mean, every agency within the government has had to deal with cryptocurrency one way or another because it is a national security issue. 

Dave Bittner: Right. 

Ben Yelin: There were sanctions on a crypto company that was doing business primarily with North Korea, so that comes into play. It affects our foreign policy. And then something like tax enforcement with the IRS - that was the big issue for the first several years, is how to categorize income from cryptocurrency. So that's obviously been a debate that's been ongoing as well. And I think we'll continue to see that until Congress steps in, and knowing Congress, there's no guarantee that that's going to happen in the short term. 

Dave Bittner: It's interesting to me how - and help me if my perception is correct here or not - that, with a situation like this, where when things are riding high - when everybody's making money hand over fist - there's this notion of leave us alone. You know, don't interfere with this tremendous success that we're all enjoying, right? 

Ben Yelin: Right. 

Dave Bittner: Right? But like, that would be the perfect time to talk about this, to put - rather than taking that opportunity when everybody's happy, doing well, to say, what are some smart regulations or oversight or whatever we can put in here? No, no, no, no. Don't - government, stay out of this. But then when things get bad... 

Ben Yelin: Dave, bubbles never burst. 

Dave Bittner: (Laughter). 

Ben Yelin: You just have to be aware that... 

Dave Bittner: I know. I'm sure there are people out there listening to me - listening right now who are saying, oh, Dave, you're so adorable, like, with your oversimplified ideas of how all this works. And I will absolutely take the hit on that. 

Ben Yelin: Me, too. But we've seen these too-good-to-be-true types of things in the past. 

Dave Bittner: Right. 

Ben Yelin: Like cheap housing to people who couldn't afford to pay mortgages. 

Dave Bittner: Right. 

Ben Yelin: It was - that, too, was a financial instrument that benefited a lot of people. It seemed like it was free lunch money, and then the whole house of cards collapsed because it wasn't actually pegged to anything particularly secure. I'm not a financial expert, so maybe we should include that as a disclaimer. This is not investment advice. But I think... 

Dave Bittner: Dare I say a caveat? 

Ben Yelin: Exactly. 

Dave Bittner: (Laughter). 

Ben Yelin: That's a nice plug for our show there. 

Dave Bittner: Thank you. 

Ben Yelin: But I do think this is something where - yeah, you want Congress and regulators to step in before it becomes a threat to the stability of the economy, the nationwide economy. 

Dave Bittner: Yeah, fair enough. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.