CyberWire Daily - A US broadcaster sustains a ransomware attack. North Korean catphis expelled from Twitter. REvil’s Tor sites are hijacked. Hacking back. Prosecution and responsible disclosure?
Episode Date: October 18, 2021The Sinclair Broadcast Group discloses that it sustained a ransomware attack over the weekend. Twitter kicks out two North Korean catphish deployed in a cyberespionage campaign. REvil goes offline, ag...ain, perhaps this time for good. Hacking back, at least insofar as you let the hoods know you can see them. Rick Howard previews the newest season of CSO Perspectives. Johannes Ullrich from SANS on Expired Domain Dumpster Diving. And an update on the Missouri disclosure and proposed hacking prosecution. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/200 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Sinclair Broadcast Group discloses that it sustained a ransomware attack over the weekend.
Twitter kicks out two North Korean catfish deployed in a cyber espionage campaign.
Our evil goes offline again, perhaps this time for good.
Hacking back, at least insofar as you let the hoods know you can see them.
Rick Howard previews the newest season of CSO Perspectives.
Johannes Ulrich from SANS on expired domain dumpster diving.
And an update on the Missouri disclosure and proposed hacking prosecution.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
October 18th, 2021.
The Sinclair Broadcast Group, which operates 185 television stations with 620 channels in 86 U.S. media markets,
has disclosed that it determined yesterday that it had been subjected to a ransomware attack.
The media company detected what it regarded as a potential security incident on Saturday
and is now in the process of recovery. An announcement issued publicly this morning
and filed with the U.S.
Securities and Exchange Commission read in part, quote, as the company is in the early stages of
its investigation and assessment of the security event, the company cannot determine at this time
whether or not such event will have a material impact on its business, operations, or financial results. End quote.
Much of Sinclair's network shares the same active directory,
and the record suggests that this may have been the route through which local stations were affected.
Some viewers appear to have noticed that the NFL football games
they were expecting to watch yesterday weren't available where or when they expected,
as Sinclair worked to resolve the ransomware-induced
service issues. There's no word yet, CNN reported late this morning, which gang or strain of
ransomware was implicated in the incident. The Hollywood Reporter says that some service
disruptions have continued into today. New York One reports that the attack involved,
as is now routine in such criminal
operations, a data breach of thus far unknown scope. That, too, remains under investigation.
Sinclair is working with law enforcement and has brought in an outside cybersecurity firm
to assist with recovery. Twitter has suspended two accounts established by North Korean operators with the apparent purpose of catfishing security researchers.
The record reports that the two accounts are part of an espionage campaign that began last year.
A member of Google's threat analysis group says the two accounts are part of a cluster, some of whose members were taken down in August.
some of whose members were taken down in August.
The R-Evil ransomware gang appears to have again withdrawn from active operations,
this time bleeping computer reports,
because unknown parties hijacked the Tor sites the gang used for receiving payments and leaking stolen data.
The data dump site had been known as the Happy Blog.
R-Evil appears to have detected the hijacking yesterday.
Security firm Flashpoint posted a description of this latest occultation to its blog this morning.
They note that the gang's former spokesman, a known unknown who went by the predictable hacker name Unknown, had private keys for access to the sites and that the unknown hijackers had used Unknown's private keys to take control of them.
A different REvil representative, hacker name OneDay,
with a coy zero at the beginning of the word one,
announced the hijacking on the Russophone forum XSS,
made an ineffectual gesture in the direction of conciliating our evil's criminal affiliates,
wished everyone good luck, and signed off.
Flashpoints see the incident as an unexpected turn in our evil's attempt to reconstitute their operations,
as the group had just begun recruiting new affiliates on the R.A.M.P. Forum
and offering unusually high commissions of 90% to attract affiliates.
XSS moderators reacted to the incident this morning
by closing the thread in which R-Evil announced their troubles.
The moderators also advised XSS users to block R-Evil accounts.
There's some speculation, and we repeat this with caution
because it may represent wishful thinking,
that law enforcement authorities may in fact be the hijackers,
and observers think that this time the gang may be down for the count,
although of course it's possible members will resurface in other criminal or privateering organizations.
It's interesting that some of the speculation about law enforcement involvement
comes from REvil's criminal competitors. Users on XSS were generally incredulous at this new
announcement, Flashpoint said, adding, quote, the spokesperson of the LockBit ransomware gang
claimed this new disappearance is proof that the REvil reemergence in September was part of an
elaborate FBI plot to catch R-Evil
affiliates. Several threat actors agreed with the LockBit representative and added that they believe
that R-Evil will re-emerge again under a totally new name, leaving behind recent scandals without
having to pay out old affiliates. Another threat actor added, paraphrasing Shakespeare,
something is rotten in the state of ransomware.
Well, we hope so.
According to the Wall Street Journal, some security firms see a middle ground in incident response
between supine victimhood and aggressive hacking back.
Hacking back is also probably illegal, at least under the U.S. Computer Fraud and Abuse Act of 1986.
The alternative approach involves both information gathering and direct legal menacing confrontation.
The journal writes, quote,
That often means persuading a hacker to give consent to access the computer or database being used in the suspected cyber attack,
for instance,
by posing as a customer for stolen data. The CEO of security firm Redacted, Max Kelly,
told the reporters that cyber criminals often operate with an unreflective and unwarranted
sense of immunity, the belief that they can't be identified or tracked. Confronting them with
knowledge of the tools and infrastructure they used
can sometimes be useful in spooking the criminals and scaring them off.
Redacted's Kelly explained, quote,
as soon as you come and poke at them and they're able to connect that
to the activity they're involved with, they disappear, end quote.
Missouri Governor Parson still apparently wishes to hold the St. Louis Post-Dispatch and its reporter criminally or at least civilly liable for their discovery of teachers' social security numbers in the HTML of the state's Department of Elementary and Secondary Education teacher credential website.
heard back from either the governor's office or the office of the Cole County prosecutor,
but it seems that the governor's position is attracting few adherents. KWOS News Radio interviewed a representative of the conservative and libertarian think tank Americans for Progress,
who points out that anyone could have looked up the site and that the information the state posted was publicly available.
So again, a state agency published the private information, albeit in all probability unwittingly,
and the legal theory under which the journalist might be prosecuted or sued remains unclear.
If a government organization wants to encourage responsible disclosure,
threatening those who quietly tell
you you've got a problem is probably not the way to do it.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for
security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Rick Howard.
He is the CyberWire's chief analyst, also our chief security officer.
Rick, welcome back.
Thank you, sir.
So your podcast, CSO Perspectives, which is available on the pro side of the Cyber Wire, has been on hiatus for a few weeks now. But today, our national nightmare is over, and Season 7.
Season 7.
You start Season 7 of CSO Perspectives.
So first of all, congratulations on six complete seasons.
Hard to believe that that has happened, right?
It's amazing.
It's amazing.
Yeah.
So bring us up to date here.
What do you have in store for us this week
as you launch this next season?
Well, that's right, Dave, and thanks for that.
And it's amazing that we've done over 60 episodes so far.
You know, it's just incredible.
And for your daily listeners
who still haven't ponied up for the subscription site, this is a subtle reminder, right?
They can get a taste of what the show is about by listening to CSO Perspectives Public.
We've released the first two seasons over there, and you can find links to the shows on the CyberWire website and in whatever podcast app you like to use.
The downside to that is that it has commercials.
And if you're anything like me,
I hate commercials. So the subscription gets you not only my podcast commercial free,
but all of the great CyberWire content commercial free. So that's a great deal.
Yeah. Kind of ironic that you just did a commercial for CyberWire Pro complaining about commercials. I never thought of it. That's really meta, man. That's totally meta.
I never thought of that. That's really meta, man.
That's totally meta.
Anyway.
All right.
So back to the purpose of this, right?
For this episode, okay, the first one of season seven, we're doing a deep dive on cybersecurity compliance.
Okay.
So, you know, there's been a long-lasting debate about compliance in the cybersecurity community about whether or not
compliance actually improves your cybersecurity posture. Well, you're right about that. That
debate's been going on for well over two decades, and most security people don't think that
compliance laws improve their individual situations that much. They might concede that at least they
prove a minimal baseline for the community, but that's not what we're going to talk about in this episode.
Instead, we're trying to understand if your organization's compliance strategy is a first principle strategy, you know, on the same level of importance as the other key pillars we've been talking about in this podcast.
Zero trust, intrusion kill chain prevention, resilience, and risk forecasting.
In other words, what's the probability of material impact to your organization for failure to comply with one of the 50-plus international, U.S. federal, and individual U.S. state laws on the books right now?
Yeah, that's interesting. I mean, I remember just this past summer, Amazon got hit by a huge fine for failure to comply with GDPR.
Yeah, that's right.
The European Parliament fined Amazon in July $877 million.
And that's the largest GDPR fine to date.
The interesting question is whether or not that fine is material to the Amazon business, whose annual revenue is somewhere north of $113 billion?
That's billion with a big capital B.
Or, you know, is the fine just the cost of doing business?
But more importantly, what are the chances that small, medium, and large-sized businesses
that are not the size of Amazon will be hit with a compliance fine that will be material?
Yeah, yeah.
Well, it's interesting stuff for sure. And
you can check that out over on CyberWire Pro. It is CSO Perspectives. Rick Howard,
thanks for joining us. Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ulrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back. We want to
touch today on a research paper that one of your SANS students had put out recently, and they were
talking about expired domain dumpster diving. You've piqued my interest here. What's going on?
Yeah, this was a pretty interesting paper. And the problem here is really that
companies and entities are just registering
domains and then sort of forgetting about it. Not sure, Dave,
how it's with you, but I know for
myself, you have this great idea
and you say, hey, it's only $10, let's
register a domain.
Sure, yeah, yeah. A million dollar idea,
right? Yeah, a million dollar idea. You register
a $10 domain and then
every year you sort you get the renewal.
Eventually, it wasn't that great of an idea. Let's stop it.
So the students of our graduate school, Christopher Weiss, he took a closer look at what are the security implications of this.
And what he did is he looked at expired domains, and you can get sort of a daily feed of that.
It's about 200,000 great ideas that expire every day.
Wow.
And there are really sort of two risks here, or two kinds of risks.
First of all, the entity releasing the domain.
the entity releasing the domain.
And we have seen this in the past, for example,
where big brand names just outright forgot to renew their domain,
and then someone else picks it up.
That's probably the most obvious part of it.
But what's actually a little bit more dangerous
and more subtle is quite often organizations
end up with these large numbers of domains
as part of a merger, for example, and they never really figure out what these domains are really used for.
And one way how a domain may be used is just as a name server for another domain.
So as soon as you're releasing that domain and then someone else picks it up, they not only now own the domain that you released,
they also own the name server record that may still be used by some of your other domains.
So now they basically are able to advertise false information for some of your other domains.
And this has been an ongoing issue. I believe even one African country-level domain
essentially lost access of their country-level domain because someone forgot to renew a domain
name that was used as a name server for that country-level domain. So that's the first part.
You, by not tracking what you're using domains for, you may release the wrong domain. And then,
tracking what you're using domains for, you may release the wrong domain.
And then, of course, things like, hey, someone may have still an email address that they were using.
Now you can do password reset if you own the domain name and they used an email address with that domain on some random website.
So that's another risk of this.
So what's the solution here? I mean, I suppose some of the registrars have things in place to keep these domains from just falling into other folks' hands.
Well, registrars just want you to renew your domains indefinitely.
And that's definitely one solution, of course, that can be a little bit costly.
What you really need to know is you need to figure out what of your domains are really used,
what they're used for.
Don't accumulate domains that you really are never going to use.
That's certainly one way of doing that.
But like we all know, it's a little bit hard sometimes.
The other side to this is,
if you're not registering a domain
that used to be owned by someone else,
then you're also exposing yourself to risk
because, well, now you are actually receiving traffic
that you never really asked for.
And actually, I believe we talked about this last year
in our paper from one of our graduate students
about the cyber bunker incident
where we actually got hold of some IP address
and domains and such that were associated
with a criminal organization, of course. And now we basically got a lot of their IP addresses and domains and such that were associated with a criminal organization, of course,
and now we basically got a lot of their email and web traffic and such,
you may now end up with someone else's traffic.
And actually, just today, I had someone send me an email
that they're essentially under denial of service attack
because a domain that's no longer being used
still resolves to one of their IP addresses
and they can't get rid of the traffic.
So it happened to be a popular BitTorrent tracker.
And so everybody who wants to download that video
is now going to this particular university's IP address,
which amounted to pretty much a denial of service to them.
So if you are registering a new domain,
double check.
There are various tools like archive.org and such.
Was this domain used in the past?
What was it used for?
Anything malicious here?
Anything overly popular that you don't really want to be exposed to?
Yeah, yeah.
All right, well, good advice as always.
Johannes Ulrich, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. Thank you. Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Bilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you. that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.