CyberWire Daily - APT41 is back from its Lunar New Year break. Commodity attack tools for states and gangs. Russia takes down a domestic carding crew. Restricting misinformation.

Episode Date: March 25, 2020

APT41 is back, and throwing its weight around in about twenty verticals. States and gangs swap commodity malware. The FSB--yes, that FSB--takes down a major Russian carding gang. Coronavirus-themed attacks are likely to outlast the pandemic. Facebook Messenger considers limiting mass message forwarding as a way of slowing the spread of COVID-19 misinformation. Joe Carrigan from JHU ISI on stimulus check scams, guest is Rachael Stockton from LogMeIn (LastPass) on the future of business network access security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_25.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. APT41 is back and throwing its weight around in about 20 verticals. States and gangs swap commodity malware. The FSB, yes, that FSB, takes down a Russian carding gang. Coronavirus-themed attacks are likely to outlast the pandemic.
Starting point is 00:02:12 Facebook Messenger considers limiting mass message forwarding as a way of slowing the spread of COVID-19 misinformation. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 25, 2020. APT41 renewed activity this month after a February lull that corresponded to China's Lunar New Year. In what FireEye calls a global intrusion campaign using multiple exploits, the group is targeting vulnerabilities in Cisco routers, Citrix Netscaler ADC, and Zoho ManageEngine Desktop Central products. The targets appear to have been
Starting point is 00:02:59 selected with some deliberation and not hit opportunistically, but they're drawn from a wide range of verticals: telecommunications, manufacturing, healthcare, government, oil and gas, higher education, defense, industrial, pharmaceutical, finance, technology, petrochemical, transportation, construction, utilities, media, not-for-profits, law firms, realtors, and travel services. Whew. The campaign appears to be one of collection as opposed to disruption.
Starting point is 00:03:27 What APT41's goals are remains unclear. The hacking group is generally thought to work on behalf of the Chinese government's intelligence services, but it also moonlights, and it's not reluctant to dip into financially motivated cybercrime on the side. We're accustomed to hearing about the commodification of the hacking tools cybercriminals use. They're cheap, they offer a reasonable return on investment, and above all, they don't require much or even any skilled development, or in many cases, any development at all. Cyfirma researchers report that the commodification of attack tools has enabled less capable intelligence services in developing nations to conduct effective cyber operations, and established cyber powers aren't
Starting point is 00:04:10 above using the commodity tools either. Cyfirma sees evidence of collaboration between the big operators and both clients and allies of convenience. In December, for example, the security firm's researchers observed discussions in various hackers' communities of how to launch Emotet attacks. Cyfirma says, "The hacking groups were all known to be state-affiliated and funded. The attack mechanism of choice is simply commodity malware." Commodity malware is attractive because of the ease with which it can be repurposed and turned against various target sets. Some of the state actors Cyfirma says it's tracked in this trend will have familiar names:
Starting point is 00:04:52 Stone Panda, Lazarus Group, Gothic Panda, and Fancy Bear. Cyfirma's list includes the qualification "or associated group," which suggests that of course there are state actors who have yet to be recognized or described, but also that there's moonlighting going on, and that in some places criminal gangs operate with the knowledge and sufferance of the security organs, provided, naturally, that the criminal gangs keep their noses clean and their hands off prohibited targets. With that in mind, here's something a bit different. In what CyberScoop calls a rare enforcement action,
Starting point is 00:05:28 Russia's FSB has arrested 25 individuals on charges of running the ByBest, also known as the Golden Shop, carding and PII dark web market. The FSB has also shuttered ByBest's online operations. If it weren't for, well, history with the FSB, we'd almost be tempted to say, Bravo FSB. The FSB is one of the old Soviet KGB's daughter agencies, carrying its foremother's legacy into Russia's post-Soviet era.
Starting point is 00:06:00 The service's mandate extends to counterintelligence, internal security, and surveillance. Its activities can be difficult to distinguish from those of its sister agency, the SVR, which is responsible for foreign intelligence and espionage. Anywho, the biggest fish this particular dragnet pulled in was one Alexei Stroganov, who uses the hacker name Flint24. Mr. Stroganov, according to CyberScoop, is apparently something of a recidivist, having served two years of a six-year sentence for an earlier cybercrime beef.
Starting point is 00:06:34 The FSB said their takedown netted about a million dollars in cash, server equipment used for the operation of online stores, fake identification documents including passports of Russian citizens, as well as rifles, drugs, gold bars, and precious coins. That list makes Mr. Stroganov and his colleagues look like a collection of gangsters right out of Central Casting. The FSB noted that some of the carding data being traded belonged to Russian citizens and came from Russian banks, and that may indicate the domestic line these particular alleged crooks stepped across to draw the attention of the organs.
Starting point is 00:07:12 Count me among those who are skeptical of using a password manager. How could adding another layer in between me and my accounts possibly make life easier? More secure, maybe. Okay, more secure for sure. But take it from me, once you get past the initial transition period, which really isn't that bad, using a password manager is not only safer, but easier as well. But don't just take it from me. Rachael Stockton is Senior Director of Marketing at LogMeIn, makers of the LastPass password manager. We sat down for a chat at the RSA Conference. You know, I feel as if we've made progress in the past few years. I think people understand the problem around managing both passwords as well as overall access and identities.
Starting point is 00:08:00 But I think the more you learn about it, it's like peeling back an onion. You see that there are more challenges. So when you think about passwords, there are the passwords that we have for our own applications, ones that we bring in, the ones that the company assigns us, the ones that we have for our own personal use. And organizations are solving that
Starting point is 00:08:20 in a lot of different ways, right? SSO, that's fantastic for business apps, which is great. Provides a lot of control. But we also know that that's only going to solve a certain percentage of applications. It's only going to protect a certain percentage of applications. And I like to think of things as like doors and windows. And so when you think about the kinds of technologies that people are adopting, they look at SSO and it's going to help lock those doors for windows. Okay. And so when you think about the kinds of technologies that people are adopting, they look at SSO,
Starting point is 00:08:46 it's going to help lock those doors for sure. Right. But then when you think about what people are actually bringing into the office to help make themselves more productive, those are all open windows, as well as are sort of the second tier applications that not everybody's using
Starting point is 00:09:02 that may be more departmental. Okay. That may not make that sort of top tier for integration with SSO, more open windows. And I think that's where password management can come in. So that's a way that you're able to help close some of those windows as well. I'm curious, as we look towards the future, how do we see this playing out as the technology continues to evolve? And we see things like people are pushing solutions that have no passwords at all, you know, a future without them. We see things like biometrics coming along and those sorts of
Starting point is 00:09:36 things. What is on your radar when you look down the road as to where we may be headed? I'm aligned with everything you just said there. I think if you look at us as humans, we don't want to have things that come between us and what we want to get at, whether it's our personal data, our work data, anything along those lines. And so passwords right now are that challenge that we have to overcome to get it,
Starting point is 00:10:02 the price we have to pay. And I think there's more technology out there now that helps us, if not eliminate the concept of password, then make the password more invisible. So biometrics, for example. You mentioned having to have one password to access your entire password manager. True.
Starting point is 00:10:21 But we also now use biometrics for everything to get into our phone. It's second nature to us. And you can picture that replacing that concept of that password to get you into things. Or if not replacing, masking it. And I think you're going to see more and more in personal life, but also in business, where passwords may be there, they may not be, but they're not going to be the end user's concern. It's going to be about touching, you know, it's going to be about the fingerprint.
Starting point is 00:10:49 It's going to be about that glance at your phone, which will now let you into your computer. It might be the glance at your phone that lets you into your house. And I think that's where we're going to be going. I would hope even further, really pushing the envelope there, really figuring out how we can make access incredibly frictionless, invisible, transparent for the end user, but then also on the business side, from an administrative perspective,
Starting point is 00:11:16 how do you give that same kind of ease to that administrator who's going to be managing all of this too? And I think that's really important from the business side. We spend a lot of time on the end user, but you have to think about that admin as well. You don't want to have to bring in tech that you have to be hiring lots of people to manage. This isn't the way we want to be growing sort of in managing identity. So I think we have to be considering that as well. How do we make sure setting it up, setting the right policies, all of those things, maintaining it is really super simple. So I think it's simplicity all around.
Starting point is 00:11:51 That's Rachael Stockton from LogMeIn. The Wall Street Journal, noting the patience of both intelligence services and the larger criminal gangs, points out that the fallout from coronavirus can be expected to affect cybersecurity for weeks or months after the pandemic abates. Some bad actors won't wait, and BusinessWorld reports that the Philippines Department of Information and Communications Technology sees a heightened risk of attacks on hospitals and other healthcare facilities. Attempts against healthcare facilities and organizations suggest that some criminal assurances that they'll leave essential services alone during the pandemic are empty and idle.
Starting point is 00:12:30 The healthcare sector should by no means relax its cyber guard. The services it provides and the information it holds are more valuable than ever, and there's no reason to think this will have escaped the criminals' attention. In an attempt to inhibit the flow of misinformation about COVID-19, Facebook Messenger may limit users' ability to mass-forward messages,
Starting point is 00:12:51 Naked Security reports. The ability to quickly disseminate mass messages has been seen as a problem for Facebook before, especially in cases of mob violence incited online in various South Asian communities. The cap on distribution now being considered would, Facebook hopes, at least slow down the rate at which misinformation and disinformation spreads. And finally, we close with some good news from our community.
Starting point is 00:13:18 Exabeam's Chris Tillett, one of the cybersecurity industry's early COVID-19 sufferers, seems to be on the road to recovery, the local Connecticut news service Good Morning Wilton reports. We congratulate him, hope his prognosis stays positive, and send our best wishes to his family. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:14:00 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:53 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:15:36 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. As you and I are recording this, there are bills making their way through Congress to help get stimulus checks out to U.S. citizens.
Starting point is 00:16:22 Yes, that's correct. And it's happening fast and furious. It is. A little behind the scenes here. You and I record these segments a day or two before they air. Right. So there's a chance that when this airs, things may have changed already. That's correct. That's what we know. It looks like it's likely that these checks are going to happen. Right. It's likely that we're going to get checks sent directly to us from the federal government. Based on previous tax filings.
Starting point is 00:16:48 That's right. And it is almost a certainty that scammers are going to take advantage of this. 100% Dave. This is a golden opportunity for scammers and everybody should be aware of it. So there's an article on Forbes that actually my wife forwarded to me
Starting point is 00:17:05 today from Jim Wang, who talks about the entire stimulus package and everything, but he actually spends a little bit of time talking about scams on this and that you should be wary about this and look for people who are saying things like, we need some money from you to release your check, right? Anybody that calls you up and says, we need money from you to release your check, that's a scam, right? These checks are just going to show up in the mail, actually. Yeah, most likely. That's the way these things have worked in the past. I've never had to file for a stimulus check, but I have gotten them.
Starting point is 00:17:39 Another thing they're saying is that these scams could say, get your check now. Yes, the FTC is warning that they're saying, get your check now. Kind of like the tax refund things that like H&R Block and TurboTax offer, right? They offer you an immediate tax refund based on your return for filing with them. That's actually a loan that they're giving you, but they're basing that loan on the fact that your return is expecting a certain value back. Yeah. Right?
Starting point is 00:18:08 And then they're actually charging you for that. Yeah. If you wait for your return, you'll get the full amount of money. But based on that kind of information, right, based on that kind of experience that the American people have, this kind of a scam could take off where, hey, you can get your stimulus check now and just give us your banking information and we'll put the money in your account. Yeah. And taking advantage of the fact that there's a lot of anxiety out there. There is a lot of anxiety.
Starting point is 00:18:34 A lot of people who are in increasingly desperate situations as their jobs go away. Right. Sources of incomes dry up. So people are in need of this money. So it's a good thing. I suppose that the money's going out, but everybody needs to be vigilant. Everybody needs to be vigilant. And one of the things we need to do is reach out to everybody that we know that might be susceptible to scams and give them the information that this is something to look out for. Call your older parents that might be susceptible to this and tell them, look out for these scams. Don't answer any emails or any phone
Starting point is 00:19:12 calls where they're promising this money or they're asking about you paying a fee to get it released or they want your bank account details. Right, right. Anybody asking for your social security number, any of that personal information, the feds aren't going to need that to send you your check. They already have it. They're the source of that information. So they don't need to ask you for it. Yeah, yeah. In fact, if you don't know your social security number,
Starting point is 00:19:34 you can ask them and they'll tell you. I just imagine you calling up every day. Hey, listen, could you tell me my social? I just, I can't remember it. I can't. It's just one more time. Yeah, okay, Joe. Here it is. They got it written down on a sticky note next to me. Yeah. Under no circumstances, give this man a social security number.
Starting point is 00:19:52 All right. Well, you know, we all got to stick together here. These are interesting times. Things are changing quickly, but look out for your loved ones. Yes. Warn them. Do your best to help them use, use the powers that you possess to sniff out these sorts of scams and spread some of that knowledge around. Absolutely. All right. Joe Kerrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:20:26 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:21:25 Thank you. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, Thanks for listening.
Starting point is 00:21:52 We'll see you back here tomorrow. Thank you. data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
