CyberWire Daily - A threat from Ragnar Locker. GhostWriter in the Bundestag. BKA bought Pegasus. Taliban sifts data for potential opponents. France-Visas hacked. Modified apps. Privacy notes. A TrickBot arrest.
Episode Date: September 7, 2021

No spectacular flurry of Labor Day ransomware, but Ragnar Locker threatens its victims. Berlin complains to Moscow about GhostWriter. Another Pegasus customer is disclosed. The Taliban is searching for data on potential domestic opponents. France-Visas hacked. Modified apps in circulation. Joe Carrigan unpacks a Covid based phishing scam. Carole Theriault weighs in on the ransomware pay-or-do-not-pay discussion. ProtonMail answers a warrant, Apple delays CSAM screening, and an alleged TrickBot coder is arrested. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/172
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
There's no spectacular flurry of Labor Day ransomware,
but Ragnar Locker threatens its victims.
Berlin complains to Moscow about Ghostwriter. Another Pegasus customer is disclosed.
The Taliban is searching for data on potential domestic opponents.
France visas are hacked. Modified apps are in circulation.
Joe Carrigan unpacks a COVID-based phishing scam.
Carole Theriault weighs in on the ransomware pay or do not pay discussion.
ProtonMail answers a warrant.
Apple delays CSAM screening.
And an alleged TrickBot coder is arrested.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 7th, 2021.
U.S. authorities warned that ransomware attacks could be expected to spike over the just-concluded Labor Day holiday.
While cybercriminals have remained active, there seem to have been no spectacular new capers over a weekend largely devoid of unusual ransomware drama.
Don't get us wrong, that's not a bad thing at all. But of course, there have been
some attacks that had an effect, and at least one high-profile incident has caused some disruption.
Howard University in Washington, D.C. has canceled classes for today,
after detecting what appears to be a ransomware attack Friday.
Bleeping Computer does report one interesting development. The operators of Ragnar
Locker Ransomware have warned their victims, whom the hoods cynically refer to as clients,
that they'll promptly dump stolen data should they get a whiff of the victims going to law
enforcement or indeed any third party for help. Quote, So from this moment we warn all our clients,
if you will hire any recovery company for negotiations,
or if you will send requests to the police, FBI, investigators,
we will consider this as a hostile intent,
and we will initiate a publication of whole compromise data immediately.
Don't think, please, that any negotiators will be able to deceive us.
We have enough experience and many ways to recognize such a lie. Dear clients, if you
want to resolve all issues smoothly, don't ask the police to do this for you. We will find out
and punish with all our efforts. End quote. Should you be a victim of Ragnar Locker, or indeed of any
other gang, don't be deceived.
You're not in any meaningful sense their client.
The German Foreign Ministry yesterday lodged a complaint with Russia
over ongoing attempts to stage cyber espionage and influence operations against the Bundestag
during the run-up to national elections, Deutsche Welle reports.
The activity, which is reported to have successfully compromised some federal networks,
is part of the long-running and often-described Ghostwriter campaign
against Central and Eastern European targets.
Deutsche Welle summarizes the ministry's conclusions and the reactions of Bundestag members,
unhappy at what they regard as the government's failure
to keep them apprised of the situation.
The German government's communication network has been breached by hackers.
The parliament's secret supervisory body has been informed
by the chancellery and security services,
and they say it's not over.
This is an actual cyber attack on the government's information network, and it's ongoing.
The government has known about this since December.
It spent weeks observing the cyber attack to learn more about the hackers' activities.
Not even the agency responsible for intelligence services was informed.
Delegates are angry about being left out of the loop.
We would all understand if the chancellor's office said it needs to observe a critical
issue a little longer.
But the fact that no one said anything at all, on the contrary, means we are once again
in a position to learn about such incidents from the media, which I think is absurd.
That's Deutsche Welle.
You can listen to the whole thing there. As the sound clip
suggests, this isn't a fresh discovery, but the complaint to Russia is new, as is the acknowledgement
of the possible extent of the compromise. The information Ghostwriter obtained does not,
by initial reports, seem to be highly sensitive, but its potential for disinformation and influence operations is regarded as significant.
In an unrelated development, Germany's Federal Police, the BKA,
are reported to have been among the customers of NSO Group,
quietly purchasing its controversial Pegasus intercept tool.
Tagesschau says that authorities will report on the purchase to a
watchdog Bundestag committee today. There are no specific allegations of the BKA having abused the
tool, but Pegasus has been in such bad odor due to its abuse by repressive regimes that suspicion
inevitably accompanies its adoption by any law enforcement agency.
Die Zeit reports that the capabilities of Pegasus outrun the kinds of surveillance permissible under German law.
When the tool was purchased, German authorities are said to have insisted
that only such functions as were compatible with the law would be activated,
but Die Zeit says it's unclear not only how,
but even if such selective enablement would
have been possible. Reuters reports that the Taliban is actively seeking access to the emails
of former government officials and that Google has, temporarily at least, locked down access to
such accounts. Google didn't directly confirm their move to deny the Taliban access to the accounts,
saying only it was monitoring events and was taking temporary actions to secure relevant accounts.
The concern over email accounts and other data belonging to the fallen government coming into the possession of the Taliban
is that the information gained would be used to track and arrest former government officials,
or indeed anyone else of suspect loyalty.
The Taliban's control over the country is now generally regarded as complete.
Less than a week after the U.S. departure,
the last stronghold of resistance, the Panjshir Valley,
has been secured by the Taliban.
According to the Washington Post,
the National Resistance Front of Afghanistan,
the anti-Taliban resistance organization that had held the valley against both Soviet and Taliban attempts to conquer it, confirmed that the Taliban was now in control of the region.
France's Interior Ministry disclosed Friday that its visa platform, France-Visas, has sustained a cyber attack that exposed personal
information of visa applicants. The ministry said it quickly contained the attack and the
information compromised was neither sensitive, as defined under GDPR, nor financial and that
it would have been insufficient for the attackers to fraudulently obtain government services.
Modified apps, legitimate applications criminals have copied and modified to deliver adware, spyware, and other malicious payloads,
are, according to security firm Pradeo, continuing to circulate. The problem isn't entirely new,
but it's growing in prominence as some large trusted apps are copied and modified.
Pradeo draws particular attention to bogus Netflix apps that are afflicting the unwary.
Users should apply the usual skeptical cautions before installing an app. If the offer arrived
by smishing, it's no good. If the offer looks too good to be true, you can bet it is, and so on.
But they have some advice for app developers.
Obfuscate and encrypt your code to discourage hackers.
Enhance your app with tamper detection features that will react appropriately at runtime to a code integrity violation.
Your users will thank you.
Privacy-friendly end-to-end encrypted email service ProtonMail has acceded to a legally binding order from the Swiss Federal Department of Justice,
originating with Europol that required it to turn over the IP address and certain device information used by a group called Youth for Climate,
characterized as anti-gentrification activists, to access their ProtonMail account.
The information surrendered led to the arrest of some members of the group in France,
according to Hacker News.
Various observers aren't happy about the company's action,
which they regard as betrayal of the service's brand essence.
ProtonMail, based in Switzerland, isn't happy about it either, but explains that they had no choice.
Founder and CEO Andy Yen tweeted,
Proton must comply with Swiss law.
As soon as a crime is committed, privacy protections can be suspended
and we are required by Swiss law to answer requests from Swiss authorities.
He added,
Some thoughts on the French climate activist incident. It's deplorable
that legal tools for serious crimes are being used in this way, but by law, ProtonMail must
comply with Swiss criminal investigations. This is obviously not done by default, but only if
legally enforced, end quote. It's unfortunate that Youth for Climate technically broke Swiss law, he said,
noting that ProtonMail's people are also activists at heart
and that the company routinely fights such requests.
But this time, he says, their hands were tied.
Influenced by adverse reaction from privacy hawks,
Apple has decided to suspend its plans to incorporate screens for child sexual abuse material, CSAM, in iCloud.
The company told TechCrunch on Friday, quote,
Last month, we announced plans for features intended to help protect children from predators
who use communication tools to recruit and exploit them and limit the spread of child sexual abuse material.
Based on feedback from customers, advocacy groups, researchers, and others,
we have decided to take additional time over the coming months to collect input
and make improvements before releasing these critically important child safety features.
So, Cupertino will take another run at the problem later,
after discussion with those who have objected to the approach they announced in August.
Apple has regarded the criticism as arising from a failure to communicate,
and that it could have been clearer about what it regarded as an important safety feature
that posed no real threat to privacy.
But critics have seen at the very least a slippery slope of best practices,
riding the toboggan toward full-fledged intrusive surveillance.
A man suspected of writing code for the criminal enterprise that runs TrickBot
has been arrested by authorities in Seoul on a U.S. warrant, The Record reports.
The alleged criminal coder, referred to so far only as Mr. A., had been unable to leave the Republic of Korea for the past year and a half, stranded by COVID-19 travel restrictions.
Mr. A is expected to contest extradition on the grounds that American justice would impose a disproportionate penalty on him should he be convicted.
This is the second alleged TrickBot coder to be taken into custody, the first being Alla Witte, a Latvian national arraigned in a U.S. federal district court
on June 4th.
For quite a while now, the accepted best practice on ransomware was to not pay the ransom unless
there was no other option available.
Payment as a last resort, if you will.
Lately, it seems, all parties advise a more practical approach.
Our UK correspondent Carole Theriault addresses the ongoing dilemma of ransomware payment.
So when you think about ransomware, if you put yourself in the situation where your data is locked or stolen
and being threatened to be revealed or sold, what do you do? Do you pay the bad guys or do you not
pay the bad guys? And, you know, it seems very easy to answer, but actually it's not.
On the one side, the moral approach seems to be, of course, do not pay the ransom, guys.
To my mind, every single action film that involved a kidnapping was a success if the
hero got away without rewarding the bad guys for their bad behavior.
Good guys don't give bad guys stuff. But what if you're
responsible for the welfare of people? Perhaps you're a health center, government services,
authorities. What if you get hit by ransomware and you can't actually get ambulances out to people
or people that are on benefits can't actually claim their checks? What happens then?
According to TechTarget, of the 10 biggest ransomwares of 2021 so far,
two of them run public services.
One was Buffalo Public Schools, where the private info of 34,000 students was at risk and the entire school system was shut down for more than a week,
which meant no in-class or remote learning for the kids. The other biggie was Ireland's
Health Service Executive, HSE, which in May got hit by a massive ransomware attack.
Getting operations back to normal has been no easy task. It wasn't until two months later that online registration for medical cards was restored.
And additionally, health care centers were asking patients to bring in paper documents
since computer records were inaccessible.
And it seems like the market's kind of in flux,
because on one side you have insurance, cybersecurity insurance,
which would have policies to cover
you in case of a ransomware attack. On the other hand, you have governments considering banning
companies from legally paying ransoms, even at the highest levels, we don't agree. And this
obviously benefits the hackers. According to a BBC article published earlier this year, hackers responsible for the Colonial Pipeline hack, DarkSide, made at least $90 million in ransom payments based on
their Bitcoin records. And that's a lot of wonga. I mean, in short, right now it is super messy and
the best thing to do is not get hit by ransomware. I know, easier said than done. But by putting in place
all the things that you need to lower your risk to a ransomware attack, I say the better.
This was Carole Theriault for The Cyber Wire.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host
over on the Hacking Humans podcast.
Hello, Joe. Hi, Dave.
Interesting publication here from the folks over at Inky, and it's titled Fresh Phish,
Fake Mandatory COVID-19 Vaccine Form.
Right.
Kind of stuff we cover over on Hacking Humans, and I thought it's an interesting story to share here with our CyberWire listeners. What's going on here, Joe?
So I don't know about here at the CyberWire, you're a small business, but at Hopkins, I had to provide information that demonstrated that I had
been vaccinated, right? A large employer and a lot of employers are going to require this
information from their employees as well. Right. Well, these bad guys know that. So they are using
that as a lure for a phishing email. And this email comes in, these emails are coming in from
compromised external accounts.
They're not coming from internal accounts.
But because they're coming from the external accounts, they are getting through standard
email authentication like DMARC.
Oh.
Right?
They go right through.
And here's a sample of the email.
Good morning, all.
We are learning of a new strict requirement from the county with regards to COVID vaccinations.
All employees are required to complete the COVID vaccination form
and return to HR as soon as possible.
This is a mandatory requirement, and it goes on and on and on,
but here's the hook.
It says it is mandatory that you complete this form by the end of today.
And one of the things we always say over on Hacking Humans
and in social engineering circles is that one of the biggest red flags you should look for
is an artificial timeline, time constraint.
Right, a call to action.
Call to action.
This is a call to action
and a very short artificial time constraint.
Yeah.
All right, so once you click on the link,
you go to a credential harvesting site
that tries to harvest your Microsoft 365 credentials through an
Outlook page that's really convincing, a very good site in terms of how well it's done. It's an
absolutely evil site, but it looks really, really authentic. Once you do that, to add insult to
injury, it asks the victim to enter some more personal information like your birthday and your mailing address.
So not only is it credential harvesting, but they're also getting some personal identifiable information.
So maybe they can start building records they can sell to other people on the web for identity theft.
Yeah.
Once you complete that portion, you're actually sent to a Santa Clara County government website that has a PDF about submitting a form that demonstrates you've been vaccinated.
So a legit form.
A legit form, yeah.
Is the final step.
That's the final step.
And that is to confuse the person and hopefully distract them from what they just did and not realize that they entered their information in properly.
Hmm.
Wow. Are there any tells here, anything giving this away that folks can look out for?
Number one, it's coming from an email that's not internal. So it's not coming from your HR department. Number two, when you click on the link, you're taken to a login site, which really
shouldn't happen, right? You shouldn't be asked to log in. You're looking at your email already,
even if you're looking at a web interface of your email,
like the Outlook web client,
you're already logged into that.
So when you click on a link and you're asked to log in again,
that should be a red flag.
Right.
But it isn't.
A lot of times it's somebody going,
well, the system just glitched.
I'll just enter my credentials.
Sure, yeah.
A couple of things you can do as an
enterprise to protect this, multi-factor authentication, multi-factor authentication,
and multi-factor authentication, right? Right. And you as a person, if you have a personal account,
multi-factor authentication, always enable that. It makes this exponentially more difficult for
these bad guys. If you don't have that enabled, then it makes it very easy for them. Also strikes me that if you have a password manager,
it's going to point out that,
hey, this isn't actually Office.
You're asking me to fill these credentials in.
Yeah, it won't even do it.
If it's a browser integrated password manager,
it won't even enter the credentials.
Right, right.
All right.
Well, interesting example of this.
Certainly playing off some of the topical stuff in the news here.
Yeah, they're always reading the paper, Dave.
It's worth checking out.
Again, this is from the folks over at Inky.
And Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.