CyberWire Daily - Apparent hacktivism exposes Iranian prison CCTV feeds. Misconfigured Power Apps expose data. FBI warns of the OnePercent Group. Mr. White Hat gives back. Dog bites man
Episode Date: August 24, 2021. More hacktivism appears to have hit Iran. Misconfigured Power Apps portals expose data on millions. The FBI warns of the activities of a ransomware affiliate gang. Mr. White Hat really does seem to have given back all that stolen alt-coin. Ben Yelin checks in on Apple's CSAM plans. Our guest is Charles DeBeck from IBM Security on the true Cost of a Data Breach. And, finally, dog bites man: criminals cheat other criminals. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/163
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
More hacktivism appears to have hit Iran.
Misconfigured Power Apps portals expose data on millions.
The FBI warns of the activities of a ransomware affiliate gang.
Mr. White Hat really does seem to have given back all that stolen altcoin.
Ben Yelin checks in on Apple's CSAM plans.
Our guest is Charles DeBeck from IBM Security on the true cost of a data breach.
And finally, Dog Bites Man, criminals cheat other criminals.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 24th, 2021.
A group calling itself Adalat Ali, Justice of Ali, has posted video it says it obtained by compromising CCTV systems at Iran's Evin prison, Zero Day reports.
Adalat Ali, which may be an Iranian dissident hacktivist group, says it wished to draw the world's attention to abusive conditions in Evin.
Attribution and identification of the group remain unclear.
While it looks like a hacktivist operation, that's a preliminary assessment.
The hacked video is the second major recent operation against Iranian systems after the attack on the country's railroads.
Security firm UpGuard has disclosed that it found Microsoft Power Apps portals configured to allow public access.
The researchers notified 47 organizations that their data were vulnerable to exposure.
Some of the information at risk included personal information used for COVID-19 contact tracing,
COVID-19 vaccination appointments, social security numbers for job applicants,
employee IDs, and millions of names
and email addresses. The issue involves misconfiguration as opposed to exploitation
of a vulnerability. Users are addressing the misconfiguration. Wired puts the total of records
exposed at around 38 million. That's exposure as opposed to known compromise, but in any case, it's a lot of records.
UpGuard notified the organizations whose exposed instances it found,
but it also informed Microsoft, which is, we note in disclosure, a CyberWire sponsor.
Redmond responded by changing the default table permission.
Starting October 2021, Microsoft said,
all new provisioned portals will have strict as the default value instead of none.
Microsoft has also made a portal checking tool available
so organizations will be able to determine whether their data have inadvertently been exposed.
UpGuard thinks the principal lessons to be learned from this experience are these.
First, platform vendors might consider changing their product in response to observed user behavior,
and platform operators should, quote,
take ownership of misconfiguration issues sooner,
rather than leave third-party researchers to identify and notify all instances of such misconfigurations, end quote.
Second, software-as-a-service providers
should improve their users' visibility into access logs.
Third, anyone handling sensitive information
should be prepared to handle reports from researchers
of a data leak, breach, or exposure.
And finally, UpGuard would like to see
better understanding of the problem of data exposure.
If you've left data open to the world, accessible to anyone,
the people who find such data haven't hacked you.
The U.S. FBI yesterday warned of the activities of a ransomware gang
styling itself the 1% Group.
The Record reports that the 1% Group is a criminal customer
of ransomware-as-a-service operators.
It is, or has been,
a known affiliate of REvil, Egregor, and Maze. Coveware pointed out, for example, that victims
who didn't pay the 1% Group wound up mentioned in dispatches in REvil's Happy Blog. The Bureau
says that the extortion demands have proceeded in three escalatory stages. First, a leak warning.
After initially gaining access to a victim network,
1% Group actors leave a ransom note stating the data has been encrypted and exfiltrated.
The note states the victim needs to contact the 1% Group actors on Tor
or the victim data will be leaked.
If the victim does not make prompt communication within a week of infection,
the 1% Group actors follow up with emails and phone calls to the victim stating the data will be leaked.
The second stage they describe as the 1% leak.
If the victim does not pay the ransom quickly,
the 1% Group actors threaten to release a portion of the stolen data to various clear net websites.
And then finally,
the full leak. If the ransom is not paid in full after the 1% leak, 1% Group actors threaten to
sell the stolen data to the Sodinokibi Group to publish at an auction. How do the attackers
get access to their victims? Well, phishing, of course. Mr. White Hat, as Poly Network refers to the hacker who
looted cryptocurrency held by the DeFi provider, has now returned all of the more than $600 million
stolen in the theft. Vice reports that Poly Network is now in the process of returning the
holdings to their proper owners. Poly Network reports that it's well on the way to complete
recovery,
and all things considered, the company seems surprisingly pleased with Mr. White Hat.
Mr. White Hat, whoever he is, has also, according to Vice, returned the $500,000 bounty he received
from Poly Network. So, whether it was a demonstration from the start, a goof, or the
crime it appeared to be, and whether the return of the funds was didactic, repentant,
or motivated by the sensation of the hot breath of John Law on the back of the neck,
the money's back and flowing into the wallets where it belongs.
And good afternoon, Mr. White Hat, wherever you are.
And finally, security firm Digital Shadows this morning offered a look at
fraud, contention, and mutual exploitation in the criminal underworld. The C2C market does
function like a market, but a market with some very ugly corners. Digital Shadows says, quote,
there are still some unscrupulous criminals out there, end quote, in what they would concede is an observation worthy of Captain Obvious.
But what kinds of unscrupulous criminals are out there?
What's their taxonomy?
If you're interested in the C2C market, perhaps if you're asking for a friend,
here are the two biggest families of faithless crooks.
First, exit scams.
Criminal proprietors of underworld markets close shop
and abscond with their criminal customers' ill-gotten money. And phishing. Yep, that carding
forum you, Mr. and Mrs. Criminal, were interested in may in fact just be a spoof, and the invitation
from Prince Mokale Mbembe's widow's carding shop may be designed to steal from you.
That's just two, and we trust that human wit will evolve still others.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Charles DeBeck is a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response and Intelligence Services. He and his colleagues
at IBM recently published the latest version of their
Cost of a Data Breach report. I checked in with Charles DeBeck for some of the highlights.
First off, the general cost of a data breach has continued to increase year after year as we've
done this report. So there's a bit of natural inflation to the data over time. But this was
a pretty significant jump. And I think a big part of that was probably due to the large increase in remote work that impacted operations around the globe.
The pandemic was a major factor, I think, in increasing the average cost of a data breach.
And how so? What does working from home contribute to the number going up?
Well, so the numbers show that on average, a data breach that occurred in an organization that had significant remote work operations that had to be stood up increased the average cost by about $1 million.
So right off the bat, we know quantitatively there's a significant impact.
part of it is the fact that organizations very quickly had to stand up new network infrastructure,
new endpoint infrastructure, and new capabilities to enable remote work in a very, very tight timeframe. This sort of expansion of capabilities is usually done over the course of months or years
with long-term strategic planning. By comparison, last year, we saw a lot of organizations suddenly get told,
you have to set up a brand new set of networks and capabilities, and you have until Monday,
which is a very tight timeline. Was there anything in this year's report that was unusual or stood
out as being surprising? I think one thing that really surprised me was some of the consistency
that we saw in defensive measures for things that help mitigate costs for data breaches.
Last year, we saw that automation and artificial intelligence had a major impact on reducing the average cost of a data breach, leading to a difference in average cost of about $3 million, which was pretty huge.
Again, this year, we saw the exact same sort of thing. Automation and AI coming in
and having a huge impact on organizations and reducing their average cost of a data breach.
And that, to me, is interesting because it means that not only is this a one-off thing,
this isn't just a fluke or a random data point, but it starts to emerge as a trend, to me,
for organizations that this is something that's consistently providing value and something that organizations can do to have a reasonable probability of helping protect
themselves. Where do you suppose we're headed here? I mean, you all have been at this for
quite a long time. You've been putting out this report year after year for nearly two decades now. And do you suppose we have any hope of flattening the curve?
Are there good days ahead?
I think there is hope on the horizon.
I really think it comes down to how can organizations reduce the time it takes to identify and contain
data breaches.
And it is a cat and mouse game, right?
Threat actors are constantly trying to make it tougher for us to do this, and net defenders are constantly trying to do this faster and faster. But I think
that we're finding new tools in our arsenal here. And again, going back to that sort of artificial
intelligence and automation component, I think that's one of the key ways we can help reduce
that timeline for identifying and containing breaches. Because automation allows you to work
at computer speed. It allows you to do things in a matter of moments,
whereas an actual person would take a matter of minutes.
But minutes in computer time is an eternity.
And so I think using analytics and using automation
does, to me at least, provide a good sense of hope
that organizations can do a lot
to help reduce the cost of a data breach.
But it is a very conscious investment.
It's something that may not return on the investment immediately,
but in the long term will provide significant benefits for an organization.
Based on the information you've gathered here,
are there any specific recommendations you can make
for organizations to better defend themselves?
I think one specific recommendation I want to make for an organization
is if you're engaging in cloud migration, make sure that you're doing it in a smart and safe
manner. One thing we found in this report that I thought was very interesting was that cloud
migration was actually a major cost amplifier. So if an organization was breached while migrating
to the cloud, that actually significantly increased the average cost of a data breach for them.
So to me, the takeaway here is that organizations should still be moving to the cloud.
There's a lot of security benefits.
So we could talk for a really long time about all the great reasons why organizations should
move into cloud environments.
But I think what it means to me is we should continue that movement, but we need to make
sure we're doing it safely and securely.
We don't want to just sort of haphazardly move our stuff into a cloud and say,
okay, great, there it is. Hopefully everything's all right. You know, we want to make sure that
we're doing this in a way that makes sense so that we don't have a breach that happens during
this migration process, which could be very costly for an organization. That's Charles DeBeck from IBM X-Force.
with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the podcast, Caveat, which if you have not checked out yet, what are you waiting for?
It's worth a listen.
Ben, welcome back.
Thanks, Dave.
the recent hubbub from Apple's announcement that they're going to be scanning iOS devices for
CSAM, which is child sexual abuse materials. Can we just do a quick overview here from your
point of view? What's going on here? So Apple is doing two things. They are both scanning iMessages.
If a parent opts in, they're scanning the messaging application on iOS devices for nude images for minors.
So if a minor is between 13 and 18 years old, the minor would be notified, would get an alert, would tell them you're about to send or receive a nude image.
This is a warning.
That message would go to the parents if it's a child under 13.
I think there are fewer civil liberties objections to that particular announcement from Apple.
The announcement that presents more significant civil liberties concerns,
in my view, is the announcement that Apple is going to scan photos
in the iCloud against a known database of child pornographic images.
And if they discover that an image matches one that's in that database,
they could potentially share that information with the government,
and that would lead to a criminal prosecution.
Right. Now, the sticky wicket here is that there are plenty of tech companies
who are scanning their cloud services for these sorts of images.
That is routine at this point.
Facebook, Google, Dropbox, they all do that.
What sets Apple apart is their plan is to do the scanning on device.
Right.
So it's not just in the cloud.
It's on the device itself.
And there's no technological reason they couldn't scan a hard drive, for example.
They're making a policy choice to confine this right now to photos that are posted on an iCloud,
but the technology exists to search it on somebody's device, even if they don't post that photo to the iCloud.
So this presents many potential civil liberties concerns.
It's not per se a Fourth Amendment violation because this is a private company.
But the government, of course, knowing that Apple has instituted this practice, this policy, is going to know that they probably have access to information that would be valuable for criminal prosecutions.
And we know the government has tried hard to get Apple to reveal encrypted communications, to give the government access to encrypted communications.
And it's not just our government. Even though this program is being piloted in the United States, it certainly
eventually will be available to overseas governments that are far less concerned with
civil rights and civil liberties. And even though it's being used right now for CSAM,
it could be used for other purposes, to scan images, to scan messages for disfavored political content or for censorship purposes.
So the idea is once you build this technology and once you put it into practice, as Apple plans to do over the next several months, then you have created this backdoor.
And even though you are claiming to confine the use of this technology in the short term,
once the technology is created, Apple is going to be under enormous pressure from governments around the world to use it for more expanded purposes.
And so that's the inherent danger here.
We should mention that users do have the ability to opt out. If you don't use Apple's iCloud Photos service, your photos on your device, according to Apple, won't even be scanned.
They won't be looked at unless you're using their cloud services.
But that doesn't seem to be putting people at ease.
Yeah, so first of all, as I said before, that's a policy choice.
That's not a technological choice. Apple, of course, still could scan your device. They do it
for a bunch of other purposes. You know, you can find malware on your MacBook, for example. Right.
So that's not necessarily anything new. That's a policy choice that they're making now. And I think
the concern is that this is going to be a slippery slope where a government says, if you really care about stopping child exploitation, why confine these searches just to photos that have been posted on the iCloud?
Why can't you also search, you know, photos that have been saved on a hard drive or even, you know, have been, you know, just saved on a single device?
So I think that's the concern, that it's more of a slippery slope.
I also think the fact that this is Apple carries, you know,
an increased weight as opposed to another service provider.
Apple presents itself as, you know, being very committed to user privacy,
the protection of users' information.
That's how it sells itself. That's how they present themselves
publicly. And so I think this cuts against one of their professed corporate values, which is the
protection of private information. They're put in a tough place because obviously to be against this,
it's seemingly to be against rooting out sexual exploitation of minors. The intentions here are
very noble.
And I think we have to acknowledge that.
I think we have to acknowledge that the problem that they're trying to solve is, of course,
of the utmost importance.
Right.
But, you know, I think the method in which they're engaging in this type of surveillance
of their own users could come back to haunt those users.
And so I think we have to be honest about that as well.
Yeah, it also strikes me that this is, in some ways, Apple has a corporate culture,
I believe, of kind of knowing what's best for our users.
Yes.
Right?
And it's that old, you know, like Henry Ford said, you know, if I'd asked my users what
they wanted, they would have said they needed, you know, better, faster horses or better buggy whips or,
you know, something along those lines. But, and so Apple along in their history has said, you know,
you don't need that floppy drive anymore. You don't need that headphone jack anymore.
And I think that aligns with Apple's surprise at the backlash here. I think Apple thought that they did the hard work of designing what is, I think most people agree, a very clever technological solution to this.
And yet, people are still having a very strong reaction.
Yeah, I think a couple of things go into that. One is we have values in this country about protecting private information. Some of that is inherent in our legal system.
The Fourth Amendment protects us against unreasonable searches and seizures. So even
though this, you know, as of now isn't an action the government is taking, it does seem contrary to our values where we don't want anybody in our protected private spaces.
And that certainly includes technological spaces,
including the iCloud where we store our photos.
So I think that's a huge part of it.
The other part of it, like I said,
is the fact that this is supposed to be the company
that most stringently protects user privacy.
And so if Apple is doing it, then what does that mean for every other company that doesn't present
themselves as protecting our private information? And what does it mean for technological companies
that are based overseas in more authoritarian countries? Are they going to learn from Apple
and deploy this technology in a way that doesn't just target sensitive, exploitative images, that sort of thing.
Yeah.
That it's used to go into messaging applications, to go into photos, and try and crack down
on free speech or political dissent.
And I think those are, that's kind of the nature of the backlash as I see it.
Yeah.
All right.
Well, there's much more to this conversation.
And in fact, we spend the entire episode of Caveat this week discussing this.
We're joined by David Derigiotis.
He's from Burns and Wilcox.
And we would take a little unusual route where we'd take on one topic for this week's Caveat.
So if this is something that interests you, please check it out.
That's the Caveat podcast.
Ben Yelin, thanks for joining us.
Thank you.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar
oat shaken espresso.
Whatever you choose, your espresso
will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Puru Prakash, Justin Sabe, Tim Nodar,
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.