CyberWire Daily - A look at cyber gangland. Sino-Australian tension in cyberspace. Vulnerabilities reported (and disputed) in a home security system. Labor Day warnings.
Episode Date: September 1, 2021
Ransomware continues to hold pride-of-place in cybercrime. A look inside the mind of cyber gangland, or at least that portion of their mind they're willing to expose. Business email compromise operators look for communication skills, and the underworld seems to think university students make good money mules. Reports of vulnerabilities in a home security system. When Canberra angered Beijing. Caleb Barlow has thoughts on the FBI response to MS Exchange vulnerabilities. Our guests are Peter Singer and Lisa Guernsey on New America's Teaching Cyber Citizenship initiative. And CISA and the FBI advise being alert over Labor Day. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/169
Transcript
You're listening to the CyberWire Network, powered by N2K.
Ransomware continues to hold pride of place in cybercrime.
A look inside the mind of cyber gangland,
or at least that portion of their mind that they're willing to expose.
Business email compromise operators look for communication skills,
and the underworld seems to think university students make good money mules.
Reports of vulnerabilities in a home security system.
Canberra angers Beijing.
Caleb Barlow has thoughts on the FBI response to MS Exchange vulnerabilities.
Our guests are Peter Singer and Lisa Guernsey on New America's Teaching Cyber Citizenship Initiative.
And CISA and the FBI advise being alert over Labor Day.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 1st, 2021.
Ransomware continues to remain at or near the top of defenders' concerns.
Research released by the NCC Group has found what the security researchers characterize as a three-fold increase in targeted ransomware attacks so far this year,
and they note the now-familiar trend toward double extortion.
Ransomware incidents are now routinely also data breaches,
and both the criminals and their victims bring that expectation to their interactions.
So what are the ransomware gangs thinking?
Flashpoint looks at Russian sources in the forum OSINT who've been talking
to the LockBit gang, the outfit whose most recent caper has been the attack on Bangkok Airways.
Among other things, LockBit dismisses reports that they're under law enforcement pressure,
short of kicking down doors and slapping on the cuffs. Who cares? LockBit explains, quote,
We did not feel the pressure of the security forces.
The pressure of the security forces can be felt only when they have already come to you with a warrant
and jumped into your window.
It is impossible to put pressure on us with other methods.
End quote.
So they take down your infrastructure.
So what?
Get more of it.
Just a cost of doing business.
Sure, it disrupts you for a while, but you get up and get back in the game.
Are the gangs concerned about the law? I mean, what if governments made it illegal for companies
to pay ransom? To gangland, that's not a problem. The hoods confidently predict that there will be
no law that prohibits companies to pay a ransom.
Information is often strategically important.
Having lost data to encryption, this means loss for a company or at least the leading position in the market.
This will cause serious damage to the country's economy.
The authorities will not take such a drastic step.
They see the insurance market as a hedge against their own risk as well as the risk
their victims face. In the U.S., they say, insurance in this area is very well developed,
and it is here that most of the richest world companies are concentrated.
They've had little difficulty recruiting talent, despite attempts by various gray market fora to
deny access to ransomware operators.
They enjoy a big reputation in criminal circles, says LockBit,
and they don't need mass market advertising campaigns to let people know they're hiring.
And what about the frosty relations that currently exist between Russia and most of the West?
LockBit says, The non-friendly relations of the West are beneficial for us.
It allows us to conduct such an aggressive business and feel calm being in the countries of the former USSR.
That is, bad relations make privateering easier.
But the main attraction Western targets hold for them, they say, is wealth.
They pick their victims on the Willie Sutton-esque grounds that they'll follow the money.
Besides, they're patriots, too, and don't like to see Russia bad-mouthed.
As LockBit says, all media are controlled and not apolitical.
Russia is presented in the West as an aggressor and the main enemy.
Therefore, it is beneficial for the West at any opportunity to accuse Russia of all sins
in order to form a negative opinion
about the main enemy, and it is absolutely not necessary that these accusations be substantiated.
Towards China, the West behaves the same way. Finally, they, like many others, are on a journey
of self-actualization. They love their work, they have passion, as legitimate types out in Silicon Valley
are wont to say, and money won't buy happiness. But, we might note, neither does crime appear to
beget guilt and guilt beget sadness. Whatever else is going on, there's a failure of imagination
concerning the effects of their crimes on their victims. Ransomware isn't the only criminal activity to
flourish in the underworld markets. Security firm Intel 471 has issued an account of the way in which
underworld criminal markets have commodified business email compromise attacks, now adapted
for and available to even the meanest criminal understanding. But it's not necessarily the
technical chops that are in demand when BEC gangs look for collaborators. Among the skills actively
sought in the criminal job boards are strong communication skills. Native speakers of English
are particularly valued. This is unsurprising given the place social engineering plays in business email compromise.
The scruffily composed email lacks the persuasive sheen needed to induce people to act against their interests.
So, if you're good at business communication, you may have a big criminal future ahead of you.
Not, of course, that you'd want that.
Another service in demand is the lower skill of money laundering.
Researchers at security firm Mimecast report seeing an increase in spam campaigns seeking
to recruit university students as money mules. Recruiting is often a two-step process. First,
the criminals compromise a student's email account, including their address book, and then
send the student's contacts emails,
offering them a future in the exciting world of, well, however you describe being a money mule.
I don't know. They seem nice, and the work seems easy, right?
Rapid7 yesterday disclosed that multiple vulnerabilities affect the Fortress S03
Wi-Fi home security system.
Rapid7 disclosed the vulnerabilities three months after reporting them to Fortress,
during which time Rapid7 says it received no acknowledgement from Fortress.
Lawyers representing Fortress told TechCrunch that Rapid7's claims were
false, purposely misleading, and defamatory, but they were short on details.
Bloomberg has an account of an upsurge in cyberattacks against Australian targets,
largely government agencies and universities. Their conclusions point to China and see the
precipitating event as Prime Minister Morrison's call in April of 2020 for an international
investigation into the origins of the coronavirus.
The call was not to Beijing's pleasure, and the response was delivered in cyberspace.
Le Devoir reports that Quebec's Ministry of Health is assuring citizens of the province
that the QR codes used in its vaccine tracking system are safe. The reassurance comes after Crypto.Quebec
reported that QR codes associated with prominent political figures had been compromised
with attendant exposure of personal data. And finally, the FBI and CISA warned, as the U.S.
Labor Day holiday approaches this weekend, that holidays have commonly been occasions for
heightened rates of cyber attack. BleepingComputer offers a rundown of such correlations.
Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA,
said in an email that we and other outlets received, quote,
Ransomware continues to be a national security threat and a critical challenge, but it is not insurmountable.
With our FBI partners, we continue to collaborate daily to ensure we provide timely,
useful, and actionable advisories that help industry and government partners of all sizes
adopt defensible network strategies and strengthen their resilience.
All organizations must continue to be vigilant against this ongoing threat, end quote.
So, as Labor Day approaches, enjoy, but be on your guard.
A group of scholars and researchers from the think tank New America recently released an
education policy initiative titled Teaching Cyber Citizenship, Bridging Education and
National Security to Build Resilience to New Online Threats. On the CyberWire's Caveat podcast,
I recently caught up with two of the report's co-authors, Lisa Guernsey, Director of New
America's Teaching, Learning, and Tech Program, and Peter W. Singer, Strategist and Senior Fellow.
Lisa Guernsey starts our conversation.
My colleague and co-author on this report, Peter Singer, he's in the national security world,
I'm in the education world, and the two of us were both recognizing at around the same time
that there were some really big issues to grapple with when it comes to the way students, today's youth, but also adults,
are taught about how to see and verify what's coming across their screens online and the social
media platforms that they're experiencing. And that this has real repercussions for national
security, but it also has a lot of repercussions for what we're teaching students in school and
how teachers are equipped to do that kind of teaching.
So we obviously face major, major challenges when it comes to information threats. There's
the traditional cyber threat, so to speak, hacking the networks. But we also have what I've called
in the past, LikeWar, hacking people on the networks. It's the threat of misinformation, deliberate disinformation, conspiracy theory, hate speech, how that all
comes together to damage our democracy, how it threatens public health, how it threatens
individuals, how it expresses itself in extremism and terrorism, how it's also, though, just challenging to youth if,
you know, they're trying to figure out, I've got an assignment to do a school report on who built
the pyramids and where do they go? They don't go to the world book on a shelf. They now go online,
they go on YouTube and, you know, within a couple hops, they're being told that the aliens built the pyramids, and they didn't, for our listeners.
Lisa, can we do a little defining of terms here?
I mean, what does the term cyber citizenship embrace?
How broad a spectrum of things are we covering here?
Yeah, we see cyber citizenship at the intersection of three fields that are really starting to come together.
One is media literacy, which involves everything from algorithmic literacy to just understanding authorship and who created what and why.
But then the second field is civics and citizenship and increasingly digital citizenship.
What does it mean to be a responsible participant
in today's society? How do we do that online? And then the third field is cybersecurity and
cybersecurity awareness. And the threats that Peter's just noted and that I know your audience
knows so well, they involve everything from, of course, privacy and security and encryption,
but increasingly are also about various kind of
individual actors online trying to funnel people into places where they might be seeing more and
more disinformation, conspiracy theories. And so how do we understand that threat?
So at the intersection of those three fields, that's where we see cyber citizenship. And it's that ability to have the resilience to understand and to fend off
disinformation, misinformation, and also increasingly malinformation, where it may be
information that is in fact true, but was put out there to harm others. So it's starting to
really understand that fully and escape, and that's what we define as cyber citizenship.
So it's a challenge to find a
common denominator, to find a starting point for this sort of thing that everyone can agree on?
You know, it's a great point. And that's why I'm usually a pessimistic guy, but I'm very optimistic
about this approach. And so, you know, let's look at the challenges of mis- and disinformation.
You know, they play out in lots of different ways. The calls to deal with them get sucked
into those divisive debates. So if you are expecting legal code change to solve this
problem, good luck. We have an incredibly divided Congress that can't even agree on the problem,
let alone the approach of it. In turn, if you are looking for the platform companies to solve this on their own,
they're not going to. That's just the hard reality of it. So where does that leave us?
It leaves us with this third space. What's great about it is that it's nonpartisan and it respects
people's First Amendment rights.
So the First Amendment rights element of it, it doesn't tell people what to say or what not to say.
It's not about that. You fully respect your First Amendment rights. It's rather about equipping people with the skills to navigate this increasingly digital world safely and effectively.
And those skills into the nonpartisan side, and this is why I think, you know, whether you're a D or an R, you can get
after this, is that they matter, whether it's someone who's searching for information on the
news to public health to, I think we can all agree, we care about just our kids. I want the
kids to have those skills.
My thanks to Lisa Guernsey and Peter W. Singer for joining us.
There is much more to this conversation.
I hope you will check it out over on the Caveat podcast.
You can find that on our website, thecyberwire.com.
And joining me once again is Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
You know, this recent story about the FBI's response to the Microsoft Exchange server issues,
how they went and removed the back door, been gathering a lot of attention.
I wanted to check in with you to get your take on it.
What do you think?
Well, first of all, I mean, the geeky side of me, Dave, just thinks it's awesome.
In that, like, it's hard to come up with an opinion on this. On one hand, you can't not be impressed with the legal argument.
And okay, yes, I said lawyers were impressive in this case, not something you normally hear me say.
Okay, don't let it happen again.
It don't happen again, but it is really impressive in the legal argument. On the other hand,
it's really kind of scary of the, what door did we just walk through and did we consciously do it?
But here's the thing I think it really underscores.
First of all, part of the reason why they did this is because it was going to be too hard and take too long to notify potential victims.
And I think we all have to kind of take a pause at that and say, wait a second.
How is it that it's too hard for government to notify victims?
Well, and I agree with him.
It probably would be.
We almost, you know, we're not, this isn't like the roadway where cars have a license
plate.
Half the time, you have no idea where these servers are operating from.
And that's, you know, that's the first thing that's a real problem.
But the second thing that I think it really underscores
as we start to think about IoT
and all these rogue devices
that could have some malicious software installed on them.
We've seen examples of, you know,
like in the DynDNS attack
where lots of IoT devices were taken over.
Now what happens if you can't get to these devices? If you can't turn these things off? If they
turn into some massive botnet, do we rely on government
to go in and do the things that security researchers can't do?
Remember, in this case, you knew how to get access
to the device. You could either go in the same way the bad guy did, or like in the
IoT case, usually it's default credentials, default user ID and password.
We thought for years, shouldn't security researchers
be able to enumerate where these devices are that have a default
user ID and password? The problem is, to figure that out, you have to
violate laws because you're up against the Computer Fraud and Abuse
Act if you try to
log into a system without permission. The bad guys can do it, but the good guys can't. And I think
this was the first example of where we saw the good guys kind of stepping forward a little,
like saying, yeah, I'm getting on that system and I'm going to fix this mess. And maybe we need to
think about stretching our wings a little bit and allowing more of that to happen to at least enumerate where these rogue devices or endpoints or Microsoft Exchange servers might be in the future.
A couple of things come to mind as I try to wrap my head around this.
I mean, there's the analogy of if my house is on fire and I'm not home, the fire department's not going to wait for me to get home before they start fighting the fire, right? They're not going to wait to get
my permission to start putting out that fire. That's clearly an emergency situation. But I
guess at a lesser degree, what if you have an abandoned property and it's full of rats and
problems and, you know, just it's a blight on a neighborhood? Well, the government could come
along and try to get that building condemned and torn down and
or whatever. You know, which of those analogies do you think, if either of them, fits best for what
we're seeing here?
Well, I think both of them do, right? So in the case of the house on fire,
let's say somebody's upstairs out the window screaming for help. The neighbor runs in to help,
right? They weren't worried about breaking in the window or anything else. They ran in to help. In the same way,
security researchers, when you can go out on Shodan and figure
out where there's a whole bunch of devices that are likely vulnerable, the question is, which ones
have default credentials? And my argument is, should we maybe
take it to the next step and actually allow people to try logging in to go,
wait a second,
this device is not only vulnerable, it's out there with default credentials. I need to blacklist it. So this takes me right into your blight example, right? Of I want to be able to declare this
neighborhood bad. And the question is, who gets to do that? Does government get to do that?
Do security researchers get to do that?
And there's a whole bunch of ramifications of who gets to do that.
But here's the interesting point that I think the FBI demonstrate in this case.
Somebody needs to have the ability to do that.
And up to this point, nobody really has.
Yeah.
Who are your cyber firefighters?
Exactly.
Yeah.
All right.
Well, food for thought.
Caleb Barlow, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Puru Prakash, Justin Sabey. We'll see you back here tomorrow.