CyberWire Daily - BlackMatter hits an Iowa agricultural cooperative. US Treasury Department moves against ransomware’s support system. FBI gave Kaseya the REvil decryptor. Camorra cybercriminals arrested.

Episode Date: September 21, 2021

Ransomware hits an Iowa agricultural cooperative, which doesn’t meet, the criminals say, the standard for “critical infrastructure.” US Treasury Department announces steps against ransomware’s... economic support system. Did Kaseya get its REvil decryptor from the FBI? Ben Yelin describes a major federal court victory for security researchers. Our guest is Dave Stapleton from CyberGRX on the rise of extortionware. And Europol, along with Spanish and Italian police, take down a Camorra cybercrime ring. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/182 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. Ransomware hits an Iowa agricultural cooperative. U.S. Treasury Department announces steps against ransomware's economic support system. Did Kaseya get its REvil decryptor from the FBI? Ben Yelin describes a major federal court victory for security researchers.
Starting point is 00:02:18 Our guest is Dave Stapleton from CyberGRX on the rise of extortionware. And Europol, along with Spanish and Italian police, take down the Camorra crime ring. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 21st, 2021. The BlackMatter ransomware gang, which claims to be the successor to the nominally, maybe, but possibly not retired groups, REvil and DarkSide, has hit the Iowa-based U.S. farm services provider New Cooperative, Reuters and others report. New Cooperative, which operates grain elevators, trades crops, and provides other support to farmers, says it's taken its systems offline as a precaution and that it's
Starting point is 00:03:25 working with law enforcement. The company told Bleeping Computer, quote, New Cooperative recently identified a cybersecurity incident that is impacting some of our company's devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat and we can confirm it has been successfully contained, end quote. They added, we also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation. BlackMatter has demanded $5.9 million in ransom, Bleeping Computer says, a figure that will rise to $11.8 million if the gang isn't paid within five days. The timing is unfortunate, coming as it does at the beginning of the U.S.
Starting point is 00:04:13 grain belt's harvest season. Some of the back and forth between criminal and victim suggests the ways in which BlackMatter understands its ethical exclusion of certain targets on more or less do-no-harm grounds. Don't you understand, New asks, that we're supplying people with food? Haven't you said you won't attack critical infrastructure? Hey, forget about it, BlackMatter replies. You're just making money. As they put it in their reply to New Cooperative, quote, You do not fall under the rules. Everyone will only incur losses. Everything is tied to the commerce. The critical ones mean the vital needs of a person and you
Starting point is 00:04:51 earn money, end quote. So let's gloss that. The meaning will be apparent to anyone who's ever had to endure a dorm bull session with the stoners in the den down the hall, where it's conventional stoner wisdom that, yeah, it's wrong to steal from people, but it's okay to rip off institutions, because that's different, because they, like, make money and stuff. This gloss may give BlackMatter more credit for principled altruism than they deserve, but here's one more interesting sidelight. BlackMatter is probably usefully regarded as a Russian privateer. And as a piece in Bloomberg points out,
Starting point is 00:05:29 the attack on New Cooperative may in part be intended to see exactly where the U.S. is prepared to draw its new, harder line on ransomware. As the crooks explain on their dark web page, New Cooperative is just too small to count. Quote, the volumes of their production do not correspond to the volume to call them critical. End quote. It's left alone companies that are really critical, like companies associated with oil, minerals, and many others much more serious. BlackMatter told Bloomberg, we don't see any critical areas of activity. Also,
Starting point is 00:06:06 this company only works in one state. So in essence, food's not really critical. And anyway, New Cooperative is below the size threshold of criticality. It was once said proverbially that Ukraine was the breadbasket of Russia. But during the decades of Soviet power, agricultural production fell off dramatically, and it hasn't fully recovered. Sometime in the late 20th century, the breadbasket of Russia became, well, Kansas, Nebraska, Iowa. Did we mention Iowa? It will be interesting to see where any food shortages, should they develop, bite hardest, and whether that affects the letters of marque and reprisal evidently on offer from the Kremlin. There have been some U.S. moves against the infrastructure that supports the ransomware underworld.
Starting point is 00:06:58 The U.S. Treasury Department this morning announced that it was taking steps to disrupt the financial structures that sustain the ransomware criminal economy. Cryptocurrency exchanges engaged in money laundering and processing ransom payments are being singled out for special attention. The first of those to come under sanction is Suex. As Treasury notes, most cryptocurrency exchanges and transactions are licit. They're going after the ones engaged in specifically criminal conduct. The Treasury announcement also details a lot of collaborative enforcement actions it's taking in conjunction with interagency and international partners. How to handle the details of a ransomware incident isn't always clear,
Starting point is 00:07:43 even from the perspective of the law enforcement organizations charged with investigation and enforcement. In the case of the attack REvil made against Kaseya in early July, the company was able to recover its files with a decryptor it obtained from an undisclosed source. The Washington Post this morning disclosed the source. It was the FBI. The Bureau gave Kaseya a decryptor 19 days after the company was hit. The FBI and its partners were hoping to be able to use the decryptor in the course of a bigger, more permanent strike against REvil.
Starting point is 00:08:18 But then REvil went into occultation, and the FBI decided its best course of action was to help Kaseya unlock its files. Why the delay? There would be several reasons. The best one, the one that is probably most persuasive to Kaseya and the others who suffered losses from the incident, would be that a decryptor needs to be checked and tested to ensure that it works as advertised and that it won't do any harm on the side. Other reasons for the delay involve the inherent difficulty of working things out with the various partners that inevitably participate in this sort of investigation. Those are not only other U.S. law enforcement and intelligence agencies,
Starting point is 00:08:59 but also private sector and international partners. That may seem like unnecessary dancing over equities, but if you're serious about a whole-of-nation approach, such coordination is probably just part of the cost of doing business. And of course, there was the hope that the Bureau might be able to take down REvil once and for all. Maybe later, and good hunting to the G-men. Finally, European police have rounded up about a hundred mobsters, and these are traditional Al Capone-esque gangsters associated with the Neapolitan Camorra,
Starting point is 00:09:35 for cybercrimes that include SIM swapping, business email compromise, and the like. Most of the hoods were collared in Spain, others in Italy, the Register reports, as it also observes that the mob is now apparently just as much into remote work as the rest of us are. Europol's press release announcing the raids put the tally of alleged mobsters taken into custody at 106. Congratulations to Europol and their Spanish and Italian partners for a righteous bust. A gangland note: a lot of the press coverage says those arrested were in the mafia, which is probably close enough for journalistic work, or close enough if you were writing a screenplay for Warner Brothers in the 1930s.
Starting point is 00:10:22 But as we noted above, the hoods were associated with the Camorra, centered largely in Naples, and not the Sicilian mafia of American imagination. For what it's worth, while La Cosa Nostra has been traditionally active in North America, so too has the Camorra. Al Capone's Chicago outfit, for example, was connected with the Camorra, but that's probably inside baseball, and as they say up in New Jersey, forget about it. The low-grade, cheap grifting quality of the crime might serve as a useful corrective to those who think of gangsters as romantic figures. Phishing and SIM swapping seem like the digital equivalents of Lefty Ruggiero, Al Pacino's character in Donnie Brasco, sitting in a dingy social club trying to beat a parking meter open to get the quarters it might hold. Open Sesame. Forget about it.
Starting point is 00:11:25 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:12:00 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:12:48 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. Dave Stapleton is CISO at cyber risk management firm CyberGRX. He's had his eye on ransomware and the growing range of issues victims have to be concerned about. It's not necessarily just about encryption anymore. It can be exfiltration and public sharing of private data.
Starting point is 00:13:33 Initially, ransomware was a pretty straightforward thing. The first attack was executed using floppy disks. And you had to mail the ransom payments to a P.O. box. I think it was like $180 or something like that. And then of course, over the years, as people have found different defenses or ways to prevent that from being a successful type of attack, that's evolved. So we've got really kind of interesting things going on where they talk about the two-stage attack now. It used to be the primary vector for ransomware was encrypt all this data, thereby rendering systems useless and that kind of thing,
Starting point is 00:14:11 and then demand a ransom to get a decryption key to unlock everything. Well, people started to get wise to that. They're making offline backups, practicing restoring from backup, that kind of thing. And so they kind of just say, eh, never mind. We're not going to pay the ransom. We're just going to restore our systems ourselves and move on. So, you know, adversary got hip to that and said, well, what can I do to really force their hand?
Starting point is 00:14:32 And so what we're seeing more of now in this kind of a two-stage attack is before encrypting that data, the threat actor is actually exfiltrating a copy of sensitive data. And so then they're hitting you with one, okay, I've encrypted your systems and probably had a major impact on operations, at least temporarily. So that's kind of bad, but let's just say you were prepared for that and you can restore. I'm going to hit you with another threat. And that would be to, you know, either release that data that I stole from you. That could be, you know, intellectual property, something like that, that could have an impact on your sort of competitive advantage.
Starting point is 00:15:06 Or offer to sell it on the dark web. Or even in some cases, I'm just going to name and shame. I'm just going to let people know that I was able to successfully hack your environment. And that reputational risk will take a hit. So yeah, a lot of evolution over the years in these types of attacks. Yeah, it's interesting to me because I think along with the ransomware itself, by exfiltrating data, you are being noisier as an adversary, right?
Starting point is 00:15:36 You're doing something else. And it's another thing for folks to detect. And so it's interesting to me the degree to which that strategy still pays off despite the increased noisiness of it. Yeah, it's a good point. And I think that's one of the reasons that we're starting to see these criminal organizations. It's interesting to think of them conceptually like any business. They have a certain set of objectives that would render success for their mission, if you will. It's an illicit mission, no doubt. But they operate not too dissimilarly from a lot of businesses that
Starting point is 00:16:11 we work in. And one of the things that they've started to do is specialize. And so ransomware as a service is something that's really gained a lot of popularity lately. And I think it's because of that kind of thing. Some of these attack types are getting more complicated and you have to have better skills or techniques. What's your sense on where things are headed with this? I mean, this cat and mouse game, any ideas what the next steps may likely be? I think more of attacks that are really just based on threatening behavior. I mean, we already see this. You'll get a message that says, hey, we're going to launch a distributed denial of service attack against your organization unless you pay us X. They don't actually have to have any capability to execute that attack in order to make that threat.
Starting point is 00:17:03 So as we're starting to see a trickle of these things coming in, you know, hey, I got this data of yours, I'm going to release it unless you pay me. Maybe they do, maybe they don't. Maybe some organizations, particularly, you know, small and medium-sized businesses whose security maturity might not be all the way up to snuff, may not be able to confirm that. And so then you face a very complicated decision of, do I take this threat seriously and then act on it by potentially paying the ransom? So my guess is that we'll start to see more of those types of things that really, truly require almost zero cost in order to execute and zero skill. with real APT-driven, highly sophisticated, highly targeted attacks, particularly against critical infrastructure, because that threat is so critical, I guess is the right word for it. It's very hard, for example, if a hospital system is taken offline, you've got people who are literally on operating tables. It's very tempting to say, well, shoot, we've just got to do what we got to do to get this back as quickly as we can.
Starting point is 00:18:08 Let's just pay this ransom. So I think, you know, attacks against, you know, CI, um, and more of these just, you know, reputational type, uh, you know, low-skill, low-cost threats will probably be on the rise. That's Dave Stapleton from CyberGRX. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Ben Yelin.
Starting point is 00:19:26 He's from the University of Maryland Center for Health and Homeland Security. But more important than that, he is my co-host on the Caveat podcast. Hello, Ben. Hello, Dave. More important than anything, I should say. You can call me husband, father. Nothing is as much of an honor as your co-host. So what you're saying is your wife does not listen to this podcast.
Starting point is 00:19:43 Yeah, I think we can say that relatively safely. Safe enough. Well, I wanted to touch base with you on this article from CPO Magazine. They're covering a story here. It's titled, In a Major Victory for Security Researchers, Federal Court Rules that Virtual iOS Devices Are Not a Copyright Violation. This is written by Scott Ikeda. This is a pretty interesting development here, Ben. What's going on? This is a very interesting development. So these two individuals, Amanda Gorton and Chris Wade, founded a company in 2017 called Corellium. It is a product that emulates iPhones so that you can view them on desktop computers. Right. And it's supposed to be a tool for security researchers who are hunting for vulnerabilities.
Starting point is 00:20:28 Right. They are not trying to replicate iOS software, you know, and sell it on the open market for people to use it the way one would use an iOS device. That's not what they're doing. They created this as a research tool. So Apple, as a company with their stature is wont to do, first tried to buy them off. Always a good strategy. They were not able to do that. Let's throw money at the problem.
Starting point is 00:20:51 Yeah, that usually works for them. I mean, they are very good at buying off their competitors. When you have all the money, you have that privilege, right? Yeah, exactly. I would do that if I were in their position. Yeah. Here's a billion dollars, please go away. Right. But they were not able to successfully purchase them. So they filed a lawsuit in federal court alleging a copyright violation. So there's this doctrine in the legal world called fair use. It's not a copyright violation if the alleged copier is using the thing they've copied for a good reason,
Starting point is 00:21:25 what we call fair use. So the court in this case determined is that replicating the software to do research on security vulnerabilities is fair use. Just the way that reading an online article on something and commenting on it during a lecture for an academic course is also fair use. Right. Because it's furthering the ends of academic research and not furthering the ends of trying to make a profit off of the product.
Starting point is 00:21:51 There's a public benefit there. Exactly. You see fair use in a bunch of other different contexts, things like parodies. Generally, that would be a copyright violation, but Weird Al, he's adding things to the marketplace of ideas, if you will. So that generally qualifies as fair use. There's a separate allegation as part of this lawsuit that Corellium, this company, is violating the Digital Millennium Copyright Act.
Starting point is 00:22:17 That's going to be examined separately. But in terms of a common law copyright violation, we now have a precedent that if you emulate a product to use for security research, that's going to be fair use. That will not subject you to a copyright claim. And the result of that should be we'll see many more products like this where individuals who are interested in research, interested in security, emulate products for the purpose of finding vulnerabilities, which I think is going to have a very robust public benefit. So I think this is a perfect use of the fair use doctrine. These individuals are not trying to make a buck out of the iOS
Starting point is 00:22:56 server on its own terms. They're trying to do academic research on security vulnerabilities. And that's exactly what the fair use doctrine is all about. Yeah, it's interesting too. I mean, this article points out that the judge in the ruling made note that it's really a limited number of people who can even make use of Corellium software. This isn't a broadly applicable thing. Right, and that's a relatively limited universe of people.
Starting point is 00:23:24 This is not something that's going to be widely used. It's people who are interested in the security vulnerabilities of Apple. And as you and I know, most people are not interested in the security and vulnerabilities of their iOS devices. They just want to get to the next cool application and talk to their friends. I'll also say, though, this is a pretty prominent organization in the cybersecurity world. Corellium won an award from Forbes magazine
Starting point is 00:23:52 for the cybersecurity product for the year 2020, saying it was crucially important to app developers to let them know that their products work properly on iOS devices. And it's backed by some major venture capital investors, some big banks. So this isn't just a nobody that's able to win this lawsuit. It's a relatively prominent company in this field. And I think it sets a really interesting precedent.
Starting point is 00:24:21 I think we're going to see more security-minded startups come into the market and say, let's recreate this operating system, not to present it as an alternative to actually buying an Apple device, but to foster research into security vulnerabilities. Right, right. So if you're a security researcher
Starting point is 00:24:39 interested in iOS, for example, this is good news and sort of clears the path for more tools like this. Yeah, not just iOS. I mean, if you're a security researcher interested in any product from one of the big tech companies, I think this case is going to be very valuable precedent for your endeavor. All right. Well, again, the article is over on CPO Magazine, written by Scott Ikeda. Ben Yelin, thanks for joining us. Thank you.
Starting point is 00:25:19 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Thanks for listening. We'll see you back here tomorrow. Thank you. guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:26:49 That's ai.domo.com.
