The CyberWire Daily Podcast 12.12.23
Ep 1965 | 12.12.23

An internet blackout.

Transcript

Dave Bittner: A cyberattack on Ukraine's largest telecom operator. Ukraine's GUR claims a hit on Russia's tax service, while the fate of the ALPHV/BlackCat group remains shrouded in mystery. The Air Force disciplines members over a classified documents breach, and Apple releases urgent security updates. From Spain, a significant arrest in the Kelvin Security hacking group. On today’s Industry Voices segment, my conversation with Andre Durand, CEO and Founder of Ping Identity, on digital experiences, brand trust and loyalty. Plus, a cautionary tale about burning bridges.

Dave Bittner: It’s Tuesday December 12, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Kyivstar sustains disruptive cyberattack.

Dave Bittner: Ukraine's largest telecom operator, Kyivstar, faced a cyberattack on Tuesday, leaving millions of customers without cellular and internet services. The trouble started early in the morning, with Kyivstar later announcing via Facebook what they called a "powerful" cyberattack causing significant technical failures. However, they assured that customer data remained secure. Despite efforts, services remained disrupted into Tuesday afternoon, with uncertainty about when normal operations would resume.

Dave Bittner: The incident is currently under investigation by Ukraine's state cybersecurity agency and CERT-UA. VEON, Kyivstar's parent company, confirmed the attack in a news release. Internal sources revealed that the attack compromised parts of Kyivstar's systems, leading to a decision to shut down systems to contain the damage.

Dave Bittner: This disruption prompted many Ukrainians to switch to alternative mobile carriers like Vodafone and Lifecell, causing network congestion. The attack likely targeted Kyivstar's core network, essential for regional connectivity and traffic routing. The cyberattack's ripple effect was felt beyond telecoms, with PrivatBank and Monobank reporting operational disruptions due to their reliance on Kyivstar's network.

Dave Bittner: Kyivstar's service outage also impacted air raid alert systems in the Kyiv region, compelling authorities to resort to loudspeakers for warnings. The suspected perpetrator of the attack is believed to be Russian intelligence, with Ukraine's security service (SBU) launching criminal proceedings on charges including high treason and sabotage. The incident underscores the ongoing cyber warfare between Ukraine and Russia, with both sides experiencing significant attacks on their telecom and internet infrastructure.

Ukraine's GUR claims to have successfully attacked Russia's tax service.

Dave Bittner: In other news from the region, Ukraine's military intelligence service, the GUR, claims to have successfully executed a cyberattack against Russia's Federal Tax Service (FTS). According to Interfax and the GUR, the attack infiltrated a key central server of the FTS and over 2,300 regional servers across Russia, including Crimea. The cyberattack deployed malicious software, resulting in the complete destruction of configuration files vital for the tax system's operation. This included the elimination of the entire database and its backups. The attack has effectively paralyzed communication between the FTS's central office in Moscow, its territorial administrations, and Office.ed-it.ru, a data center crucial for the tax service. This operation signifies a major disruption in Russia's tax system infrastructure.

ALPHV/BlackCat takedown remains unconfirmed.

Dave Bittner: Recent reports about the takedown of servers used by the ALPHV/BlackCat ransomware group remain unconfirmed. Computing observed that the gang's dump site has been offline for five days. SC Magazine's efforts to verify the situation with law enforcement agencies yielded no confirmation. Vx-underground shared a message from ALPHV citing hardware failure as the reason for the downtime, though they noted having heard similar claims in the past. Vx-underground believes ALPHV may indeed be facing server issues but cannot confirm this. They also clarified that there are no rumors or evidence regarding the arrest of ALPHV members or seizure of their servers. The legitimacy of these claims remains unsubstantiated due to the lack of concrete evidence.

Report roundup.

Dave Bittner: Cloudflare's 2023 Year in Review revealed 180 Internet outages, many directed by governments. Notable examples include prolonged shutdowns in Manipur, India, and Amhara, Ethiopia, lasting over seven and four months, respectively. Iraq also experienced frequent, shorter outages to prevent academic exam cheating, particularly during June to August. Additionally, the report identified the two most prevalent threats of the year as malicious links and extortion attempts via phishing emails.

Dave Bittner: Separately, a joint report by Bitsight and Google on the Minimum Viable Secure Product (MVSP) framework assessed cybersecurity controls across industries. It found that while most industries passed 10 of the 16 MVSP controls, critical failings persist in areas like self-assessment, dependency patching, vulnerability prevention, and timely vulnerability resolution. This highlights ongoing challenges in cybersecurity readiness across various sectors.

Air Force disciplines chain of command in classified documents breach.

Dave Bittner: The Air Force has disciplined 15 members of Airman 1st Class Jack Teixeira’s chain of command following a security breach where Teixeira, a 21-year-old National Guardsman, removed and posted classified information online. The investigation revealed that Teixeira was observed accessing intelligence beyond his role on four occasions, but his supervisors failed to report these incidents promptly. This lack of action allowed Teixeira to continue his unauthorized disclosures for several months.

Dave Bittner: The investigation highlighted inadequacies in workspace inspections, inconsistent reporting of security breaches, and a general lack of supervision and understanding of access to sensitive information. The 102nd Intelligence Support Squadron was specifically criticized for creating confusion over access to classified material in its intelligence briefings.

Dave Bittner: Teixeira, who maintained computer systems that stored sensitive information, faces six federal criminal charges under the Espionage Act and has pleaded not guilty. The incidents leading to his arrest included him accessing top-secret websites and posting classified information on a Discord server. The investigation found that the intelligence oversight program within Teixeira's wing was "compliant but lacking," with many airmen not completing necessary training and supervisors failing to enforce reporting violations. The 102nd Intelligence, Surveillance, and Reconnaissance Group, Teixeira's unit, is no longer handling sensitive information.

Apple releases emergency security updates.

Dave Bittner: Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities in older iPhone models, going back to the iPhone 8, as well as some Apple Watch and Apple TV models. These vulnerabilities, discovered in the WebKit browser engine, could allow attackers to access sensitive data and execute arbitrary code through malicious web pages. The patches, improving input validation and locking, are included in the latest updates for iOS, iPadOS, tvOS, and watchOS.

Dave Bittner: Discovered by Clément Lecigne from Google's Threat Analysis Group, these flaws have been actively exploited, leading to the Cybersecurity and Infrastructure Security Agency (CISA) instructing Federal agencies to patch their devices. This brings Apple's total number of patched zero-day vulnerabilities to 20 for the year.

Kelvin Security hacking group leader arrested in Spain.

Dave Bittner: The Spanish National Police have apprehended a key leader of the 'Kelvin Security' hacking group, known for orchestrating over 300 cyberattacks across 90 countries since 2020. The arrest announcement highlights the group's focus on critical infrastructure and government institutions, with notable attacks in Spain, Germany, Italy, Argentina, Chile, Japan, and the United States. Kelvin Security, active since 2013, has exploited public-facing system vulnerabilities to steal user credentials and confidential data.

Dave Bittner: The group's activities included selling or freely leaking stolen data on hacking forums like RaidForums and BreachForums. Significant breaches by Kelvin Security include attacks on Vodafone Italia and U.S. consulting firm Frost & Sullivan. Additionally, recent findings link Kelvin Security to ARES, a cybercrime platform trading databases from state organizations.

Dave Bittner: Spanish police, coordinating with multiple units and the Alicante Prosecutor's Office, began investigating the group in December 2021. The Venezuelan national arrested was primarily engaged in laundering criminal proceeds from data sales, utilizing cryptocurrency exchanges. The arrest led to the seizure of electronic items for forensic analysis, potentially uncovering more information about the group's network and operations.

Dave Bittner: Coming up after the break, my conversation with Andre Durand, CEO and Founder of Ping Identity on digital experiences. Stay with us. [ Music ] Andre Durand is CEO and Founder of Ping Identity, a company that provides secure employee and customer experiences online. In this sponsored Industry Voices segment, Andre Durand shares insights from Ping's own research on digital experiences. You know, I could say personally, and I think lots of people have experienced this, there is a wide spectrum of experiences out there when it comes to dealing with organizations online. Can you give us an idea of that spectrum from your point of view? What represents a good experience, and what represents one that's going to lead to frustration?

Andre Durand: Well, I'll start with the registration experience. Today I would say the registration experience to create a new account, establish a relationship with a company does vary widely. You will find companies that kind of the old-school method of doing that was, "Here's a form, tell us everything you can about us, and we'll create an account for you," and so that included everything ranging from your username and password that you typically type in twice to other information about you where both the email address and phone number then need to get verified before the account gets created, and those experiences have historically, you know, been kind of fraught with friction, if you will, especially if you're typing on a phone, you're registering with a phone. The more modern way of doing that, in the last maybe four or five years, is what we refer to as "progressive profiling." So rather than ask for everything up front, it's just, "Hey, you want to create an account, what's your email address and password?" And we are on the cusp of a new method. We have not seen this at large, but the technology is now here where it is possible for an individual to, in essence, store their verifiable identity on their phone, is what we call a "digital credential," and when you hit a registration screen in the future, rather than type anything at all, you would simply, say, scan a QR code, share that information, call it "automagically," if you will, to the QR code, between your phone and the website that you're interacting with, and you'll have an account. So we've been moving from, you know, high friction, if you will, to establish trust through the registration process as a consumer to one in which, you know, it's quite a bit more frictionless. The perfect interaction, the best interactions require what we call "low-cognitive load," if you will, so they're just kind of seamless and fast versus the ones that where we get stuck, if that makes sense.

Dave Bittner: And I suppose if I'm an online retailer, I want to reduce that friction as much as possible. I don't want to give my consumer time to have second thoughts.

Andre Durand: That's exactly correct, and it's not just at the new account creation, or what we call "registration phase," where frustration hits, and a lot of people abandon that, but on a repetitive basis, once you've created the account, logins can also be fairly friction-prone, if you will, and especially it's true with passwords. We're all advised to use unique and strong passwords, and so unless you have, say, a password manager, doing that is challenging, obviously requires a lot of cognitive load, and again, for long, strong passwords on a mobile phone, that's not a great login experience. That also is going through a bit of a renaissance right now as we move towards passwordless and this notion called "passkeys," which is this concept that your phone can store these keys that are essentially long numbers, but you don't have to remember anything, and in subsequent logins, once you kind of establish, you know, the key, if you will, that opens up a website, all you have to do is your Face ID, in essence, so your biometric is used to share these very long, very strong keys that are stored on your mobile phone, and from a user experience point of view, all you had to do was the Face ID. So it's a very strong phishing-resistant way to authenticate and it's a much better experience. So it's kind of the Holy Grail that we seek, which is both higher security and less friction.

Dave Bittner: I know you and your colleagues there at Ping have gathered some interesting information when it comes to people's digital experiences here. What are some of the items that caught your eye?

Andre Durand: So, you know, we broke the survey up into several categories, but it was obvious that a few themes emerged. Number one is that the login and registration experience really does matter. There is a fickleness, with as much choice as we have online, you might as well say competitors are measured in keystrokes in the online world, right, which is milliseconds, not miles, and so a frustrating login experience sets the tone for what the rest of the experience is going to look like. Over 60% of consumers said that they've stopped using an online service due to frustration with the login process. I mean, that's just massive. Sixty-five percent said that they would be willing to switch to a comparable brand if it offered a passwordless experience. So you can't underestimate how significant the friction is to, in essence, establish an online connection with a third party and keep it secure. So everything related to brand loyalty as related to the login and identity experience, there was a tight correlation there. The second thing that really stood out was that consumers are definitely concerned about the safety of their identity. They do not have high trust that corporations in general are going to be good stewards of identity information that could be leaked in a breach. There have just been too many breaches over the years. They do appreciate, even though it does include a little bit more friction, they do appreciate companies that offer higher levels of security, such as two-factor authentication and others. They are willing to put up with a little bit more friction if in return they feel as if the company that they're interacting with does value their privacy, values their security, and offers the security that they feel is appropriate. So there just was a very, very kind of high, I guess, correlation, if you will, of the intersection of, we say, of ease of use, desire for ease of use and willingness to change if ease of use was not there combined with concern around their security and is their data being protected and is the company being a good steward.

Dave Bittner: So the folks that you work with who are finding success here, what are the common elements? What are the things that you consider to be best practices?

Andre Durand: The companies that are actively pursuing the intersection of seamless experience and security, not one or the other, but both at the same time, those are the companies that are pushing the boundaries of what's possible here, and, I mean, you'll find companies where it's all about the user experience and security is a secondary priority, others that security is the primary priority, user experience takes second, and neither one of those are wrong. They're just not complete, and so the companies that are having the best experience are the ones that, like I said, are pushing the boundaries of passwordless. They're pushing the boundaries of new technology that allow customers and consumers to, in essence, register a new account without filling out a form to do so. They are pushing the boundaries of leveraging risk and fraud signals to strengthen authentication and reduce fraud without the user actually ever having to do anything. It's all behind the scenes and under the covers.

Dave Bittner: That's Andre Durand, CEO and Founder of Ping Identity. [ Music ] And finally, Miklos Daniel Brody, a former cloud engineer at First Republic Bank, received a two-year prison sentence and a restitution order of $529,000 for his destructive farewell gift to his ex-employer. Brody's vengeful coding spree was triggered by his firing for violating company policies, which included using a USB drive containing pornography on company computers. Post-dismissal, Brody went on a digital rampage, deleting the bank's code repositories, erasing logs, inserting taunts in the code, impersonating colleagues, and even emailing himself proprietary code. His digital tantrum included running a script named "dar.sh" to wipe the bank's servers and meddling with the bank's GitHub repository. Caught in his web of lies, Brody falsely reported his work laptop stolen and maintained this story even when interrogated by the Secret Service, until his arrest in March 2021. In April 2023, he pleaded guilty to lying and two counts of violating the Computer Fraud and Abuse Act. His sentence also includes three years of supervised release. So much for leave no trace. Brody left enough digital footprints to warrant a virtual marathon and a real-world sentence. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tre Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]