CyberWire Daily - A $600 million alt-coin heist. LockBit claims it hit Accenture. A false-flag cyberespionage campaign. A REvil key is posted. AlphaBay is back. Facebook takes down vaccine disinfo campaign.

Episode Date: August 11, 2021

Cross-chain attack steals millions in cryptocurrency. LockBit claims to have hit Accenture, but Accenture says with negligible consequences. Emissary Panda flies a false Iranian flag. Ekranoplan posts... a key for the REvil strain used against Kaseya. AlphaBay has risen from the grave, sort of. Johannes Ullrich has thoughts on resetting 2FA. Our guest is Idan Plotnik from Apiiro on their win of the 2021 RSAC Innovation Sandbox Contest. And you can’t fool us, you bought-and-paid-for influencers you: no vaccine is going to turn us into monkeys. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/154 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. A cross-chain attack steals millions in cryptocurrency. LockBit claims to have hit Accenture, but Accenture says with negligible consequences. Emissary Panda flies a false Iranian flag. Ekranoplan posts a key for the REvil strain used against Kaseya.
Starting point is 00:02:18 AlphaBay has risen from the grave, sort of. Johannes Ullrich has thoughts on resetting 2FA. Our guest is Idan Plotnik from Apiiro on their win of the 2021 RSAC Innovation Sandbox Contest. And you can't fool us, you bought-and-paid-for influencers, you. No vaccine is going to turn us into monkeys. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 11th, 2021. A cross-chain attack has hit decentralized finance provider Poly Network, with more than $600 million in altcoins stolen. The Block assesses the total theft is greater than $611 million. The BBC puts the losses at $267 million of Ether, $252 million of Binance, and about $85 million in USDC. Poly Network appealed to the thieves to return the stolen coin, and their "Dear Hacker" plea appears to have fallen on mildly repentant or at least slightly fearful ears.
Starting point is 00:03:46 Poly Network tweeted that so far they've received a total value of just over $4.7 million in assets returned by the hacker. So that leaves $599,227,000 and change out there still missing. Decentralized finance providers, or DeFi for short, enable users to shift tokens from one chain to another. The theft from Poly Network is probably the largest theft from a DeFi organization to date. Why the crooks would have returned even a fraction of their take, assuming it wasn't clawed back through misconfigured criminal wallets, is unclear, especially since it amounts to just a fraction of the total haul. There's plenty of speculation on Twitter. Poly Network told the crooks they know who they are, and so on, but really nothing is known for sure so far. The Block, which keeps tabs on this sort
Starting point is 00:04:43 of thing, says the blockchain security outfit SlowMist said it knows the attacker's email address, IP information, and device fingerprint, and that it's offered to share these with Poly Network in the hope of achieving what SlowMist calls a happy ending. In the meantime, efforts are underway to block the stolen funds. Le Parisien reports that LockBit's operators claim to have executed a ransomware attack against Accenture. According to CNBC Washington correspondent Eamon Javers, the attackers said they would shortly release some of the files they obtained and have offered to sell unspecified insider
Starting point is 00:05:24 Accenture information to interested buyers. Since these early reports emerged, Accenture late this morning told ZDNet that, quote, through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations or on our clients' systems. End quote. Security firm Mandiant describes a Chinese false-flag cyber espionage operation against Israeli targets. The UNC215 group, also tracked as APT27 or Emissary Panda, represented itself as an Iranian threat actor working from Tehran. UNC215 was fastidious in
Starting point is 00:06:17 its efforts to clean up its spoor, taking care to remove as many forensic artifacts of its activity as possible. It also sought to avoid attribution by flying a false Iranian flag, one that would likely be taken as genuine given the deep mutual distrust between Israel and Iran. Mandiant says, quote, the use of Farsi strings, file paths containing Iran, and web shells publicly associated with Iranian APT groups may have been intended to mislead analysts and suggest an attribution to Iran. Notably, in 2019, the government of Iran accused APT27 of attacking its government networks and released a detection and removal tool for HyperBro malware. In any case, the researchers unambiguously attribute the
Starting point is 00:07:07 activity to Beijing, not Tehran, and explain that, quote, UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and healthcare sectors. The group targets data and organizations which are of great interest to Beijing's financial, diplomatic, and strategic objectives. Security firm Flashpoint believes it's found an REvil decryptor posted to the Russophone XSS forum by a threat actor going by the hacker name Ekranoplan. Bleeping Computer reports that the key is specific to the variant used in the Kaseya attack and not a universal decryptor. The identity of Ekranoplan, which had no previous presence in the forum and which left soon after it posted the key, is unknown.
Starting point is 00:08:00 Why Ekranoplan as a nom de hack? Well, an ekranoplan is or was a wing-in-ground-effect vehicle, neither aircraft nor ship nor hovercraft, but officially classified as a maritime vessel that was used in the late Soviet Union and early post-Soviet Russia. It looks like a big snazzy flying boat, but it really isn't, since it's designed to fly in ground effect at an altitude of just a couple of meters. The most famous ekranoplan was a 550-ton job U.S. intelligence services admiringly called the Caspian Sea Monster.
Starting point is 00:08:47 Remember AlphaBay, the big darknet marketplace that flourished from 2014 through 2017, until it was taken down by an international law enforcement operation? One of its principal administrators, who went by the hacker name Alpha02, real name Alexandre Cazes, was arrested and died by his own hand in a Thai prison while awaiting extradition and trial. AlphaBay sold all manner of contraband. Now, Flashpoint says, AlphaBay is being reconstituted by one of its other administrators, hacker name DeSnake. It's in part an homage to Alpha02, in part, of course, a money-making operation. DeSnake hopes to keep the market's virtual nose relatively clean with bans on advertising hitman services,
Starting point is 00:09:31 guns, erotica, fentanyl, ransomware, or COVID vaccines, which is pretty much everything. Also, no doxing allowed, which leads one to wonder what kind of contraband this reconstituted AlphaBay is actually going to amount to. What are they going to sell? Counterfeit Tupperware? Scalped tickets to curling events? Oh, and one other restriction: no activity related to Russia, Belarus, Kazakhstan, Armenia, or Kyrgyzstan, which suggests something about which law enforcement operations
Starting point is 00:10:06 DeSnake takes seriously going forward. And finally, Facebook reported yesterday that in July, it took down 65 Facebook and 243 Instagram accounts, originating in Russia but using the services of the UK marketing firm Fazze, which had been engaged in a coordinated effort to recruit influencers to spread COVID vaccine information. Fazze itself is now also unwelcome on Facebook's platforms. The effort apparently enjoyed only indifferent success, but the concentration on influencers was an interesting wrinkle.
Starting point is 00:10:46 It's also how the campaign was unearthed. Reuters reports that Fazze approached various influencers with offers to pay them for distributing anti-vaccine content, and two of the influencers, one French, the other German, blew the gaff by complaining publicly about the approach. That prompted investigation and eventually ejection. The anti-vaccine themes were the familiar Russian wheezes about how the shots would for sure be turning people into chimpanzees, which of course, we hasten to say, doesn't actually happen. The campaign went Hollywood a bit and sought to use Planet of the Apes-themed memes. And again, you can take it from us straight: whatever the effects of COVID vaccines are, morphing recipients into apes would not be among them. We've kept a sharp eye out around Johns
Starting point is 00:11:38 Hopkins, for example, and we're pretty sure we would have noticed any ape women or chimp men out and about. So nice try, Vladimir Vladimirovich, but no banana for you. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:13 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
Starting point is 00:12:26 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. Learn more at blackcloak.io. and make their case in front of a panel of seasoned industry luminaries as judges.
Starting point is 00:14:09 This year's winner was Code Risk platform developer Apiiro. Joining us to share what that winning experience was like is Apiiro CEO Idan Plotnik. So, as you know, and everyone knows, the RSA Innovation Sandbox is the place to get recognition from professionals, top-tier leaders in the cybersecurity industry. I can tell you a secret. I tried in my previous startup, Aorato, that was acquired by Microsoft in 2015, and we didn't even get to the top 10. So it was exciting to pass the top 10 and finally win the contest. What sort of preparation goes into that presentation? I mean, it's not a small task.
Starting point is 00:15:08 It's not. It was an orchestration of at least four or five people at the company. on recording and on the messaging and on the text itself, on the demo, that it will be super clear and it will resonate to all the practitioners and the leaders that will hear or see the video. And we did a lot of work, like day and night. And eventually, you know, you saw the outcome. What are your recommendations to other organizations
Starting point is 00:16:01 who are considering entering the Innovation Sandbox? So one, they need to take into consideration that it's, I would say, I want to say a life-changing event, because the amount of traction that we got after winning the RSA Innovation Sandbox was amazing, both from, you know, customers and venture capitalists,
Starting point is 00:16:34 and also from talent, new talent that, you know, it's kind of a very important recognition for the company. This is one thing. Second thing is to take into consideration that you need to invest a lot of resources. And it's not just yet another presentation that you prepare for, you know, a sales presentation. You need to differentiate yourself, not only in the technical capabilities, but also in the big picture. Like why the problem that you are solving is much bigger than all others in the competition. And we had an amazing, you know, companies out there. This is basically what you need to take into consideration. One, the impact
Starting point is 00:17:27 of winning. You need to have the fundamentals or maybe even more than the fundamentals, but you need a way to collect all this feedback that you will get after winning. And before that, you need to take into consideration that you need to invest a lot of resources. What was that day like when you were waiting for the results to come back? How were you feeling that day? This was very emotional for all the company. Not only for me personally. A lot of people invested a lot of resources.
Starting point is 00:18:10 And the culture in Apiiro is that everyone feels that it's kind of their baby. They invested a lot of resources in the product, in the engineering, in the messaging, in everything around, you know, the success. And we were stressed and everyone wanted to be there with me. I was sitting with a glass of wine in my house, just watching the, you know, the results. It was an emotional tipping point, you know, to get this result. And, you know, we had a lot of top-notch leaders as judges. Everyone among the judges is top-notch, and it was exciting eventually to see the outcome.
Starting point is 00:19:16 That's Idan Plotnik, CEO at Apiiro. Thank you. fault-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, always great to have you back. We want to talk today about two-factor authentication. And in particular, what happens when you have to reset those passwords? What can you share with us today? Yeah, so, you know, we all like two-factor, multi-factor authentication, and we
Starting point is 00:20:46 all have these little apps with dozens of tokens stored in them. But what happens when you lose your second factor? And that actually sort of happened to me a while ago with my online banking. They actually gave me one of those physical tokens that sort of has the different number that shows up every 30 seconds. And it failed. It literally failed. I think I washed it. Sent it on a trip through the washing machine. Washing machine, it no longer worked. So I still, for some reason, want to get to my money. So I called up the bank and figured out, how do I replace this? And what I sort of expected is that they're just going to mail me a new one.
Starting point is 00:21:28 But of course, the problem here that you run into is that it takes a couple days or so to receive that new token. So they actually just disabled the token and then allowed me via their website to order a new one. But the process for disabling the token, well, it was good old password reset questions, which we know don't really work well for passwords. And it's a real hard problem, I think, to solve. I also saw this a few years ago with Apple. Again, my phone broke down, and I used my phone as my second factor for Apple. And I couldn't find right away that reset code they give you.
Starting point is 00:22:13 Now, they give you one of those reset codes, but of course I had it stored on my phone. Right, of course. It's convenient there. I don't remember exactly where I had it printed out at the end, so it wasn't that bad. But actually what Apple back then told me was, hey, just set up a new Apple account, kind of. Never mind all sort of the different software and such that I had associated with the old account. So that doesn't really seem to be a great solution for this. Everybody uses these emergency codes, but then again, you're going to lose them as likely as you're going to lose your primary token. And I feel like if you never use those emergency codes, then once you need them, you forgot where you put them. So one workaround
Starting point is 00:22:53 here may be if you're using these emergency backup codes, ever so often ask the user for one of them just to remind them where they are while they still have their primary token. And then at that point, if they can't find them, if they lost them or whatever, they can always issue new ones because they still have their primary token. But that's sort of one little measure here to implement to make it less likely that these backup factors get lost. Then when you implement two-factor authentication, definitely think through that process. What are we going to do that's reasonable from a cost perspective? I heard some rumors that with Apple, you can go with your ID to the Apple store.
Starting point is 00:23:36 I haven't tried that yet. But that's a fairly costly process. Not every company has stores all over the country where you can do that. Maybe banks could do that with branches, but how many banks still have branches out there? And even then, you're not necessarily close or convenient to one of those locations. So think that through, in particular when you're relying on a hardware token like these YubiKeys or things like this for WebAuthn, allow users to register two or three tokens
Starting point is 00:24:08 because they tend to break. If you expect people to carry them around with them all the time, they'll fall into the pool or stuff like this. So stuff happens to them and you need to allow for a backup to exist. Yeah, that's interesting. I mean, what I've taken to do is I have a backup version of YubiKey and there's a place in my house that is sort of an out of the way place, but I actually have it stuck to the wall, you know, hanging off
Starting point is 00:24:37 of a hook so that if I need it, that's where it is. But I'm curious, I want to swing back though with your bank. I mean, what good is two-factor if you can just call them up and answer a few questions and they disable it? Correct, and that's pretty much the same question they would ask me if I would have lost my password, for example. So it was pretty much, I didn't push it, so to check whether I could use the same answers to also reset my password at the same time and sort of completely take over my account. Now, the questions weren't bad, kind of.
Starting point is 00:25:12 They were sort of, you know, your last transaction, your bank balance, and what banks typically do for these questions. But again, you're trying to defend against a little bit more sophisticated attackers here with these tokens. So you're kind of getting back to a single factor, things that you know, again. So that thing you have really doesn't have that much value in the end. Yeah, no, it's definitely something worth thinking about when you implement these sorts of things. Johannes Ullrich, thanks so much for joining us. Thank you. And that's the CyberWire.
Starting point is 00:26:00 For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Thanks for listening. We'll see you back here tomorrow. Thank you. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:27:26 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.