CyberWire Daily - APT41 is back from its Lunar New Year break. Commodity attack tools for states and gangs. Russia takes down a domestic carding crew. Restricting misinformation.
Episode Date: March 25, 2020
APT41 is back, and throwing its weight around in about twenty verticals. States and gangs swap commodity malware. The FSB--yes, that FSB--takes down a major Russian carding gang. Coronavirus-themed attacks are likely to outlast the pandemic. Facebook Messenger considers limiting mass message forwarding as a way of slowing the spread of COVID-19 misinformation. Joe Carrigan from JHU ISI on stimulus check scams, guest is Rachael Stockton from LogMeIn (LastPass) on the future of business network access security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
APT41 is back and throwing its weight around in about 20 verticals.
States and gangs swap commodity malware.
The FSB, yes, that FSB, takes down a
Russian carding gang. Coronavirus-themed attacks are likely to outlast the pandemic.
Facebook Messenger considers limiting mass message forwarding as a way of
slowing the spread of COVID-19 misinformation.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, March 25, 2020.
APT41 renewed activity this month after a February lull that corresponded to China's Lunar New Year.
In what FireEye calls a global intrusion campaign
using multiple exploits, the group is targeting vulnerabilities in Cisco routers, Citrix NetScaler
ADC, and Zoho ManageEngine Desktop Central products. The targets appear to have been
selected with some deliberation and not hit opportunistically, but they're drawn from a
wide range of verticals.
Telecommunications, manufacturing, healthcare, government, oil and gas,
higher education, defense, industrial, pharmaceutical, finance, technology,
petrochemical, transportation, construction, utilities, media, not-for-profits,
law firms, realtors, and travel services.
Whew.
The campaign appears to be one of collection as opposed to disruption.
What APT41's goals are remains unclear.
The hacking group is generally thought to work on behalf of the Chinese government's
intelligence services, but it also moonlights and it's not reluctant to dip into financially
motivated cybercrime on the side.
We're accustomed to hearing about the commodification of hacking tools cybercriminals use.
They're cheap, they offer a reasonable return on investment, and above all, they don't require
much or even any skilled development, or in many cases, any development at all.
Cyfirma researchers report that the commodification of attack tools has enabled less capable intelligence services in developing nations to conduct effective cyber operations, and established cyberpowers aren't
above using the commodity tools either. Cyfirma sees evidence of collaboration between the big
operators and both clients and allies of convenience. In December, for example, the
security firm's researchers observed discussions in various hackers' communities of how to launch Emotet attacks.
Cyfirma says,
The hacking groups were all known to be state-affiliated and funded.
The attack mechanism of choice is simply commodity malware.
Commodity malware is attractive because of the ease with which it can be repurposed and turned against various target
sets. Some of the state actors Cyfirma says it's tracked in this trend will have familiar names,
Stone Panda, Lazarus Group, Gothic Panda, and Fancy Bear. Cyfirma's list includes the
qualification "or associated group," which suggests that of course there are state actors who have
yet to be recognized or described,
but also that there's moonlighting going on,
and that in some places criminal gangs operate with the knowledge and sufferance of the security organs,
provided naturally that the criminal gangs keep their noses clean and their hands off prohibited targets.
With that in mind, here's something a bit different.
In what CyberScoop calls a rare enforcement action,
Russia's FSB has arrested 25 individuals on charges of running the BuyBest,
also known as the Golden Shop, carding and PII dark web market.
The FSB has also shuttered BuyBest's online operations.
If it weren't for, well, history with the FSB,
we'd almost be tempted to say,
Bravo FSB.
The FSB is one of the old Soviet KGB's daughter agencies,
carrying its foremother's legacy into Russia's post-Soviet era.
The service's mandate extends to counterintelligence,
internal security, and surveillance.
Its activities can be difficult to distinguish from those of its sister agency, the SVR,
which is responsible for foreign intelligence and espionage.
Anywho, the biggest fish this particular dragnet pulled in was one Alexei Stroganov,
who uses the hacker name Flint24.
Mr. Stroganov, according to CyberScoop, is apparently something of a recidivist,
having served two years of a six-year sentence for an earlier cybercrime beef.
The FSB said their takedown netted about a million dollars in cash,
server equipment used for the operation of online stores,
fake identification documents including passports of Russian citizens,
as well as rifles, drugs, gold bars, and precious coins. That list makes Mr. Stroganov and his
colleagues look like a collection of gangsters right out of Central Casting. The FSB noted that
some of the carding data being traded belonged to Russian citizens and came from Russian banks,
and that may indicate
the domestic line these particular alleged crooks stepped across to draw the attention of the organs.
Count me among those who are skeptical of using a password manager. How could adding another layer
in between me and my accounts possibly make life easier? More secure, maybe. Okay, more secure for sure. But take it from me,
once you get past the initial transition period, which really isn't that bad,
using a password manager is not only safer, but easier as well. But don't just take it from me.
Rachael Stockton is Senior Director of Marketing at LogMeIn, makers of the LastPass password
manager. We sat down for a chat at the RSA conference.
You know, I feel as if we've made progress in the past few years. I think people understand
the problem around managing both passwords as well as overall access and identities.
But I think the more you learn about it, it's like peeling back an onion. You see that there are more challenges.
So when you think about passwords,
there are the passwords that we have
for our own applications,
ones that we bring in,
the ones that the company assigns us,
the ones that we have for our own personal use.
And organizations are solving that
in a lot of different ways, right?
SSO, that's fantastic for business apps, which is great.
Provides a lot of control.
But we also know that that's only going to solve a certain percentage of applications.
It's only going to protect a certain percentage of applications.
And I like to think of things as like doors and windows.
And so when you think about the kinds of technologies that people are adopting,
they look at SSO,
it's going to help lock those doors for sure.
Right.
But then when you think about
what people are actually bringing into the office
to help make themselves more productive,
those are all open windows,
as well as are sort of the second tier applications
that not everybody's using
that may be more departmental.
Okay.
That may not make that sort
of top tier for integration with SSO, more open windows. And I think that's where password
management can come in. So that's a way that you're able to help close some of those windows as well.
I'm curious, as we look towards the future, how do we see this playing out as the technology continues to evolve?
And we see things like people are pushing solutions that have no passwords at all,
you know, a future without them. We see things like biometrics coming along and those sorts of
things. What is on your radar when you look down the road as to where we may be headed?
I'm aligned with everything you just said there. I think if you look at us as humans,
we don't want to have things that come between us
and what we want to get at,
whether it's our personal data, our work data,
anything along those lines.
And so passwords right now are that challenge
that we have to overcome to get it,
the price we have to pay.
And I think there's more technology out there now that helps us,
if not eliminate the concept of password,
then make the password more invisible.
So biometrics, for example.
You mentioned having to have one password
to access your entire password manager.
True.
But we also now use biometrics for everything to get into our phone.
It's second nature to us.
And you can picture that replacing that concept of that password to get you into things.
Or if not replacing, masking it.
And I think you're going to see more and more in personal life, but also in business,
where passwords may be there, they may not be, but they're not going to be the end user's concern.
It's going to be about touching, you know,
it's going to be about the fingerprint.
It's going to be about that glance at your phone,
which will now let you into your computer.
It might be the glance at your phone that lets you into your house.
And I think that's where we're going to be going.
I would hope even further, really pushing the envelope there,
really figuring out how we can make access incredibly frictionless,
invisible, transparent for the end user,
but then also on the business side, from an administrative perspective,
how do you give that same kind of ease to that administrator
who's going to be managing all of this too?
And I think that's really important from the business side.
We spend a lot of time on the end user, but you have to think about that admin as well.
You don't want to have to bring in tech that you have to be hiring lots of people to manage.
This isn't the way we want to be growing sort of in managing identity. So I think we have to be
considering that as well. How do we make sure setting it up, setting the right policies, all of those things, maintaining it is really super simple.
So I think it's simplicity all around.
That's Rachael Stockton from LogMeIn.
The Wall Street Journal, noting the patience of both intelligence services and the larger criminal gangs,
points out that the fallout from coronavirus can be expected to affect cybersecurity for weeks
or months after the pandemic abates. Some bad actors won't wait, and Business World reports
that the Philippines Department of Information and Communications Technology sees a heightened
risk of attacks on hospitals and other health care facilities. Attempts against health care
facilities and organizations suggest that some criminal assurances that they'll leave essential services alone
during the pandemic are empty and idle.
The healthcare sector should by no means
relax its cyber guard.
The services it provides and the information it holds
are more valuable than ever,
and there's no reason to think
this will have escaped the criminals' attention.
In an attempt to inhibit the flow of misinformation about COVID-19,
Facebook Messenger may limit users' ability to mass-forward messages,
Naked Security reports.
The ability to quickly disseminate mass messages
has been seen as a problem for Facebook before,
especially in cases of mob violence incited online
in various South Asian communities.
The cap on distribution now being considered would, Facebook hopes,
at least slow down the rate at which misinformation and disinformation spreads.
And finally, we close with some good news from our community.
Exabeam's Chris Tillett, one of the cybersecurity industry's early COVID-19 sufferers,
seems to be on the road to recovery,
the local Connecticut news service Good Morning Wilton reports.
We congratulate him, hope his prognosis stays positive, and send our best wishes to his family.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute, also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
As you and I are recording this, there are bills making their way through Congress to help get stimulus checks out to U.S. citizens.
Yes, that's correct.
And it's happening fast and furious. It is. A little
behind the scenes here. You and I record these segments a day or two before they air. Right. So
there's a chance that when this airs, things may have changed already. That's correct. That's
what we know. It looks like it's likely that these checks are going to happen. Right. It's likely that
we're going to get checks sent directly to us
from the federal government.
Based on previous tax filings.
That's right.
And it is almost a certainty
that scammers are going to take advantage of this.
100% Dave.
This is a golden opportunity for scammers
and everybody should be aware of it.
So there's an article on Forbes
that actually my wife forwarded to me
today from Jim Wang, who talks about the entire stimulus package and everything, but he actually
spends a little bit of time talking about scams on this and that you should be wary about this and
look for people who are saying things like, we need some money from you to release your check,
right? Anybody that calls you up and says, we need money from you to release your check, that's a scam, right?
These checks are just going to show up in the mail, actually.
Yeah, most likely.
That's the way these things have worked in the past.
I've never had to file for a stimulus check, but I have gotten them.
Another thing they're saying is that these scams could say, get your check now.
Yes, the FTC is warning that they're saying, get your check now. Kind of like the tax refund things that like H&R Block and
TurboTax offer, right? They offer you an immediate tax refund based on your return for filing with
them. That's actually a loan that they're giving you, but they're basing that loan on the fact that your return
is expecting a certain value back.
Yeah.
Right?
And then they're actually charging you for that.
Yeah.
If you wait for your return, you'll get the full amount of money.
But based on that kind of information, right, based on that kind of experience that the
American people have, this kind of a scam could take off where, hey, you can get your
stimulus check now and just give us your banking information and we'll put the money in your account.
Yeah. And taking advantage of the fact that there's a lot of anxiety out there.
There is a lot of anxiety.
A lot of people who are in increasingly desperate situations as their jobs go away.
Right.
Sources of incomes dry up. So people are in need of this money. So it's a good thing.
I suppose that the money's going out, but everybody needs to be vigilant.
Everybody needs to be vigilant. And one of the things we need to do is reach out to everybody
that we know that might be susceptible to scams and give them the information that this is
something to look out for. Call your older parents that might be
susceptible to this and tell them, look out for these scams. Don't answer any emails or any phone
calls where they're promising this money or they're asking about you paying a fee to get it
released or they want your bank account details. Right, right. Anybody asking for your social
security number, any of that personal information, the feds aren't going to need that to send you your check.
They already have it.
They're the source of that information.
So they don't need to ask you for it.
Yeah, yeah.
In fact, if you don't know your social security number,
you can ask them and they'll tell you.
I just imagine you calling up every day.
Hey, listen, could you tell me my social?
I just, I can't remember it.
I can't.
It's just one more time.
Yeah, okay, Joe. Here it is. They got it written down on a sticky note next to me.
Yeah. Under no circumstances, give this man a social security number.
All right. Well, you know, we all got to stick together here. These are interesting times.
Things are changing quickly, but look out for your loved ones. Yes. Warn them. Do your best
to help them use, use the powers that you possess to sniff out these sorts of scams and spread some of that knowledge around.
Absolutely.
All right.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, and Peter Kilpe.
Thanks for listening.
We'll see you back here tomorrow.