CyberWire Daily - $10 million reward for DarkSide info. BlackMatter members expected to resurface. Ukraine outlines Russia’s FSB cyber ops. Persistent engagement as deterrence. Arrest in Crossfire Hurricane inquiry.

Episode Date: November 5, 2021

The US offers a reward of up to ten million dollars for information leading to the identification or location of the leaders of the DarkSide ransomware gang. Researchers expect BlackMatter’s nominally retired operators to resurface in other criminal organizations. Ukraine outlines Russian FSB cyber operations during the hybrid war that’s been waged since 2014. Deterrence in cyberspace. Carole Theriault takes on high value targets. Our guest is Bill Mann of Styra on rising compliance regulations and security drift. An arrest is made in Special Counsel Durham’s investigation. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/214 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. offers a reward of up to $10 million for information leading to the identification or location of the leaders of the DarkSide ransomware gang. Researchers expect BlackMatter's nominally retired operators to resurface in other criminal organizations. Ukraine outlines Russian FSB cyber operations during the hybrid war that's been waged since 2014.
Starting point is 00:02:24 Deterrence in cyberspace, Carole Theriault takes on high-value targets, our guest is Bill Mann of Styra on rising compliance regulations and security drift, and an arrest is made in special counsel Durham's investigation. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 5th, 2021. The DarkSide gang may have announced their retirement from cybercrime, but the authorities don't seem willing to let them quietly disappear. The U.S. Department of State announced a reward offer of up to $10 million for information leading to the identification or location of any individuals who hold a key leadership position in the DarkSide ransomware variant
Starting point is 00:03:30 transnational organized crime group. In addition, the department is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident, end quote. Ransomware has become a serious pest and has begun this year to infest targets that obviously constitute critical infrastructure. State is clear on this point. They're offering the big reward because of DarkSide's disruptive attack against Colonial Pipeline, which disrupted fuel deliveries through much of the eastern United States this past May. State's announcement adds, quote, In offering this reward, the United States demonstrates its commitment to protecting
Starting point is 00:04:22 ransomware victims around the world from exploitation by cybercriminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware. So, if you know anything about DarkSide, call the State Department. If you need your identity protected, State promises to keep it on the QT. There's no mention of DarkSide's presumptive successor, BlackMatter, or for that matter, its apparent parent, FIN7. But since the reward is for information about the natural persons behind the keyboards, the omission probably doesn't matter. Flashpoint looks at BlackMatter and predicts those natural persons will be back. For one thing, they've already received a standing
Starting point is 00:05:11 job offer. Flashpoint explains, quote, notably the spokesperson of the LockBit ransomware group took to XSS and used the opportunity to invite BlackMatter members and affiliates to live in China, where the threat actor claimed to live. End quote. So, okay, it's not the Riviera, but still, probably better than Chelyabinsk. Ukraine's security service, the SSU, has identified five Russian FSB officers as operators behind the Gamaredon threat actor, also known as Primitive Bear.
Starting point is 00:05:47 As is often the case, the threat actor has been tracked under a number of other names, including Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, SectorC08, and Callisto. The group has specialized in targeting Ukrainian critical infrastructure and classified networks. The inquiry was an interagency one. Quote, the SSU Cybersecurity Department, the SSU investigators, carried out the operation jointly with the main intelligence directorate of the Ministry of Defense of Ukraine and under the supervision of the Prosecutor General's Office, end quote. Bleeping Computer has sifted through the SSU's technical report, available in several languages,
Starting point is 00:06:34 and finds some of their conclusions noteworthy. Gamaredon uses Outlook macros and the EvilGnome backdoor to compromise the systems it targets. The group has used well-known, often targeted vulnerabilities, including the two-decades-old WinRAR CVE-2018-2250 bug and the CVE-2017-0199 remote code execution flaw in Microsoft Office. They've used removable media to stage attack code in offline systems and subsequently move laterally through the isolated networks those systems connect to. The SSU describes Pteranodon, which is a modular RAT sporting good anti-analysis and information collection capabilities. Pteranodon is an evolved version of Pterodo, a malware strain that's circulated in the criminal underworld since 2016.
Starting point is 00:07:26 The Ukrainian report offers some background on what it characterizes as a hybrid war Russia's been waging since its seizure of Crimea in 2014. In the SSU's account, Russian Federation special services have been running intelligence and sabotage against Ukraine ever since. The Russian services have beefed up their cyber capabilities and not hesitated to use them. Among the groups the SSU lists are a number of familiar names: APT28, also known as Sofacy or Fancy Bear; Snake, Turla; and APT29, Cozy Bear, the Dukes. They also note that particular operations, including BlackEnergy, Industroyer, and NotPetya, have been mounted by those same services.
Starting point is 00:08:13 Gamaredon or Armageddon is relatively young, having flown under the radar for a few years after its founding. They hope researchers and law enforcement organizations around the world will take note and up their guard. Some of that guard will no doubt take the form of deterrence, which is a natural concept to reach for. It kept the great powers out of the full-on nuclear exchange that was widely feared in the mid-20th century after all, or so far, anywho, so why not try it out in cyberspace? It might not be so easy. General Paul Nakasone, Director of NSA and Commanding General of U.S. Cyber Command, told an Aspen Institute session this week that he doubted whether traditional deterrence
Starting point is 00:09:01 could easily be applied to cyber operations. Breaking Defense reports that the general said something other than familiar Cold War deterrence might be needed. Nakasone said, quote, strategic competition is alive and well in cyberspace and we're doing it every day with persistent engagement. We're in competition every day. We've got to somehow impact adversaries who don't get the message. We've got to impose costs. The important thing to emphasize here is we have the capabilities, we have a process to enable capabilities, and we have the people to carry out the capabilities.
Starting point is 00:09:38 End quote. So his advocacy is of persistent engagement and the ongoing imposition of costs, which are more appropriate in a gray zone of cyber operations than Cold War massive retaliation would be. To return to the Ukrainian report, the FSB units the SSU describes are centered geographically in Russian-occupied Ukraine, specifically in Sevastopol. And the FSB voice chatter the SSU intercepted includes a lot of whining about getting shafted out of awards and bonuses, recognition going to the undeserving, and everybody having to get tested for COVID at work, which is an awful lot of pissing and moaning from the sword and shield of the Russian Federation.
Starting point is 00:10:26 Kind of sad. Still, as Dmitri Alperovitch tweeted out, bureaucrats are bureaucrats. Brothers and sisters under the skin, maybe, like Kipling's Rosie O'Grady and the Colonel's Lady. If they'd been American phone calls that had been monitored, we imagine there would have been more woofing about parking than about awards and recognition, but these things are local variations. People familiar with concerns that gurgle around other offices worldwide, feel free to send them our way. Do they complain about the cafeteria in Cheltenham?
Starting point is 00:11:00 About not being able to listen to hockey games during work hours in Ottawa? All that irrational red tape from other offices in Paris, procedural inequity in Berlin. You get the picture. Inquiring minds want to know. Finally, there's been a development in the complex, long-running U.S. investigation into influence operations during the 2016 election cycle. In this case, an arrest has been made pursuant to Special Counsel John Durham's investigation
Starting point is 00:11:29 of the Steele dossier and its place in the FBI's Operation Crossfire Hurricane, a bureau inquiry into whether the Trump campaign had been improperly coordinating with Russian operators. Igor Danchenko, one of the sources of the Steele dossier, has been arrested and charged with five counts of making false statements to the FBI about where he got the material that passed into the Steele dossier. It now seems that some of that material, at least,
Starting point is 00:11:59 came from operators associated with the Democratic Party, chatter and gossip associated with opposition research, as opposed to sources inside Russian intelligence services. The Steele dossier is important not because it was the sole source of the information the FBI collected during Crossfire Hurricane, but rather, as the Washington Post points out, that it was the principal source the FBI relied upon to obtain warrants it would go on to use in its investigation. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for
Starting point is 00:12:46 security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:57 BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. Bill Mann is CEO at Styra, an organization focused on Kubernetes policy and compliance. They are also creators of an open source project they've named Open Policy Agent, which aims to help organizations resist the pull of security drift by making it easier to track updates, discover vulnerabilities, and complete patches.
Starting point is 00:14:57 I caught up with Bill Mann for his insights on security drift and the Open Policy Agent project. Yeah, security drift is all about consequences of change that are made by various organizations within the software development lifecycle. And when you have a change, it has significant repercussions to an organization's security posture. Some of them are manageable risks, and some of them are not. And the ones which are not manageable risks are what's called security drift, right? And so what are your recommendations then? How can organizations get this under control? Sure. Well, there's a massive change happening in the industry today. I mentioned before there's an application stack called modern applications or what's called cloud native application stack.
Starting point is 00:15:40 So most organizations are now implementing applications with that form factor. For the audience, it used to be client-server once upon a time. Now it's called cloud-native. And cloud-native means that there's multiple changes happening with the way applications are being built. One is the way applications are being deployed. They're being deployed in an automated way. Number two, the actual application stack is fundamentally changing as well. So we're moving towards technologies like Kubernetes, service mesh, and developers are
Starting point is 00:16:12 trying to decouple as much of the core or common components of an application to be common services. So to address the question of what can be done, Styra is the creator of an open source project called Open Policy Agent, which is now the de facto policy as code solution for this modern application stack. And briefly, let me give you an example of policy and control within an organization. Authentication, we all are very familiar with that term. It's who a person is. Authorization is what a person or service can do.
Starting point is 00:16:49 And if you think of authorization, authorization is defined with policies. And the way we've been defining policies from year dot in the software industry has been very proprietary. You typically use some sort of user interface or some sort of proprietary way of defining what a service can do or what service can talk to another service. Even can this user have access to a particular resource
Starting point is 00:17:15 has been defined in a proprietary way. That is not going to work in the modern application architecture. So Styra invented this project called Open Policy Agent. It's an open source project. It's got a lot of following in the developer and DevOps community now. It's a graduated project within CNCF. And this project is really about changing the way we think about policy. One of the fundamental causes of it is to think about policy as code, just like we think of application code, which has to be put into Git and change management of that code and so forth. So this is what we've invented for the industry.
Starting point is 00:17:56 And like I said, it's got a big following out there. And a lot of organizations implementing cloud native applications are using OPA as part of the stack. Now, to give you an example back to security drift of how OPA can be used to reduce the risk of security drift, here's an example for you. So within an organization, when a DevOps engineer makes a change, within Kubernetes, there's something called the admission controller. But essentially what happens is OPA can be used to define a set of guardrail policies. So if the application change actually is outside of those policies that have been defined by the security and risk team, then the app developer or the DevOps engineer would receive feedback from the system saying,
Starting point is 00:18:44 this is not going to be able to go forward throughout the lifecycle because you're violating, let's say, a PCI regulation or a HIPAA regulation and so forth. So these are now new ways of limiting security drift for organizations by actually implementing policies and controls at different levels of the workflow, using technologies like OPA, which itself is an open source policy as code solution. And it really fits into the way that the new modern application stack is built as well. One point for you in terms of how it's relevant
Starting point is 00:19:22 for the application stack is, you've probably heard of the term infrastructure as code, which is the way you describe an infrastructure object before it can be implemented in the runtime environment. That is as code as well. So this is now the natural extension for how we manage policy within an organization. That's Bill Mann from Styra. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
Starting point is 00:20:32 smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Our UK correspondent Carole Theriault brings us this report on the increased targeting of high-value individuals and what that means for organizations. Here's Carole Theriault. Recently, I was asked to be part of a panel, and the audience was mostly made up of law firms. More specifically, people that work at law firms that are looking to protect the information, the systems, the network, clients, the boss. And in speaking to a few people, they talked about a stress that I think we're feeling across all industries. And that is having to manage this hybrid environment where workers want to be able to work from anywhere, anytime, and still have
Starting point is 00:21:48 a streamlined access to all the files, documents, services that they require. And it's interesting because law firms are an ideal target for criminals for a number of reasons. One, they are perceived as wealthy. Two, law firms control tons of money, often on behalf of clients. And if you target the right law firm, you're more than likely to have rich, rich clients. So being able to also access information on those clients could be lucrative. For example, could be used for ransomware, blackmail, phishing. I mean, take your pick. And so it's no surprise that the most prestigious law firms that control tons of cash and have lots of wealthy clients also operate with high cyber security and indeed physical security in order to keep their clients' information and the company secure. So how is a fraudster going
Starting point is 00:22:54 to get in? I can see two approaches being used most often. One, try and take advantage of a zero-day vulnerability. So for example, if Microsoft announced that there's a critical vulnerability in Teams or a piece of software that is used by a law firm and they are working on a patch, that is an opportune time for a fraudster to try and attack the systems. And two, try and dupe a person, either someone in the supply chain, an employee, to part with snippets of information that once all gathered together would allow them to break in undetected. So the latter could prove easier to pull off, especially if someone has an up-to-date and deliciously detailed, rich LinkedIn profile or other social media profile. Perhaps their CV is online as well, or they have a website with loads of information.
Starting point is 00:23:54 All these tidbits can help grease the wheels on the first interaction. The name of the game is gain trust and get information. You see, if you're a high value target, you're worth the time and investment, especially from someone who's got nothing to lose. Be safe out there. This was Carole Theriault for the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't miss this weekend's Research Saturday and my conversation with Mor Levi from Cybereason. We're going to be discussing Operation GhostShell, the novel RAT that targets global aerospace and telecoms firms. That's Research Saturday. Check it out.
Starting point is 00:24:57 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
