CyberWire Daily - Blender is back, but now DBA Sinbad (still working for the Lazarus Group). Cyberespionage notes. Hacktivism. ICS threats. Valentine’s Day scams.

Episode Date: February 14, 2023

"Blender" reappears as "Sinbad." A Tonto Team cyberespionage attempt against Group-IB is thwarted. DarkBit claims responsibility for a ransomware attack on Technion University. An overview of ICS and OT security. Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from Afternoon Cyber Tea speaks with Marene Allison about the CISO transformation. And it's Valentine's Day, that annual holiday of love, chocolate, flowers, and online scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/30

Selected reading.
Has a Sanctioned Bitcoin Mixer Been Resurrected to Aid North Korea's Lazarus Group? (Elliptic Connect)
Nice Try Tonto Team (Group-IB)
Hackers attack Israel's Technion University, demand over $1.7 million in ransom (ARN)
Israel's top tech university postpones exams after ransomware attack (The Record from Recorded Future News)
Russian hackers 'disrupt Turkey-Syria earthquake aid' in cyber attack on Nato (The Independent)
Killnet DDoS attacks disrupt Nato websites (ComputerWeekly.com)
Russian Hackers Disrupt NATO Earthquake Relief Operations (Dark Reading)
What Happened to #OpRussia? (Dark Reading)
Russian-linked malware was close to putting U.S. electric, gas facilities 'offline' last year (POLITICO)
2022 ICS/OT Cybersecurity Year in Review Executive Summary (Dragos)
What's love got to do with it? 4 in 5 Valentine's Day-themed spam emails are scams, Bitdefender Antispam Lab warns (Hot for Security)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Blender reappears as Sinbad. A Tonto Team cyber espionage attempt against Group-IB is thwarted. DarkBit claims responsibility for a ransomware attack on Technion University. An overview of ICS and OT security.
Starting point is 00:02:16 Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from Afternoon Cyber Tea speaks with Marene Allison about the CISO transformation. And it's Valentine's Day, that annual holiday of love, chocolate, flowers, and online scams. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 14th, 2023. You may remember Blender, a cryptocurrency mixer used by North Korea's Lazarus Group as a money laundering tool. It was effectively driven out of business in May of last year by U.S. Treasury Department sanctions. It has now, however, apparently been reconstituted, researchers at Elliptic report, under the name Sinbad, and it's once again at work for the Lazarus Group. Elliptic says, "Sinbad was launched in early October 2022, and despite its relatively small size, it soon began to be used to launder the
Starting point is 00:03:39 proceeds of Lazarus hacks. Tens of millions of dollars from Horizon and other North Korea-linked hacks have been passed through Sinbad to date and continue to do so, demonstrating confidence and trust in the new mixer." Like Blender, Sinbad is a custodial mixer, meaning that its operator has full control over the cryptoassets deposited within it. Group-IB says its employees were targeted by a phishing campaign launched by the suspected Chinese threat actor Tonto Team. During the summer of 2022, Group-IB employees received phishing emails with malicious Office documents
Starting point is 00:04:19 crafted with the Royal Road weaponizer, which is often used by Chinese state-sponsored actors. The emails were meant to deliver Bisonal.tt, a strain of malware exclusively used by the Tonto Team. Group-IB's security solution flagged the emails as malicious. During their investigation, the security firm found that it had been targeted by the Tonto Team in 2021 as well. These attacks were also unsuccessful. The researchers note that most Chinese state-sponsored threat actors are focused on conducting espionage or surveillance.
Starting point is 00:04:56 Technion University in Haifa, Israel, fell victim to a ransomware attack that forced the shutdown of all of the school's communication networks on Sunday, the Jerusalem Post writes. A new ransomware group, DarkBit, has claimed responsibility for the cyber attack, ARN reported today. The university tweeted Sunday, "The Technion is under cyber attack. The scope and nature of the attack are under investigation." The group behind the attack, DarkBit, is asking for 80 Bitcoin, or approximately $1.7 million, from the university, with a threatened 30% increase in the demand if the ransom is left unpaid for 48 hours.
Starting point is 00:05:37 DarkBit appears to be motivated by anti-Israeli or pro-Palestinian sentiment. The Israeli National Cyber Directorate confirmed that they were connecting with Technion University administrators to get a full picture of the situation, to assist with the incident, and to study its consequences, the Jerusalem Post reported Sunday.
Starting point is 00:05:59 Killnet, the prominent hacktivist group serving as an auxiliary of Russian intelligence and security forces, continues to attempt distributed denial-of-service attacks against NATO sites. Most of these have been of short duration and little effect, but there was some inconvenience caused to the Atlantic Alliance's earthquake relief efforts. The hacktivism has been far from one-sided. Dark Reading reviews the history of hacktivist actions rallied loosely around the hashtag OpRussia. They've consisted largely of distributed denial-of-service attacks, defacements, media hijacking, and data breaches.
Starting point is 00:06:43 that the U.S. Agency for International Development, USAID, will allocate $60 million to Ukraine in support of efforts to protect the country's infrastructure from cyberattacks. Attempted Russian cyberattacks against infrastructure have not been confined to Ukraine. Politico cites Dragos CEO Robert M. Lee to the effect that the Russian Chernovite threat group undertook preparations against roughly a dozen U.S. electrical and natural gas facilities early in Russia's war
Starting point is 00:07:11 against Ukraine. Lee said, "This is the closest we've ever been to having U.S. or European infrastructure, I'd say U.S. infrastructure, go offline. It wasn't employed on one of its targets. They weren't ready to pull the trigger. They were getting very close." He suggested that successful public-private cooperation played a role in protecting U.S. infrastructure. Dragos has published its ICS and OT cybersecurity year in review for 2022. The report found that ransomware attacks against industrial organizations nearly doubled last year, with 70% of these attacks targeting the manufacturing industry. The report states, "There were multiple reasons for the increase in ransomware activity impacting industrial organizations, including political tensions, the introduction of the LockBit builder, and the continued growth of ransomware as a service."
Starting point is 00:08:06 Dragos observed ransomware trends tied to political and economic events, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions. The security firm also discovered two new threat actors in 2022, Chernovite and Bentonite. Chernovite is the developer of Pipedream, an ICS attack framework that Dragos says represents a substantial escalation in adversarial capabilities. The framework was likely developed by a state-sponsored actor, but Dragos says it doesn't appear to have been deployed in the wild yet. Chernovite and its Pipedream tool are the ones seen in preparations for actions against U.S. infrastructure during Russia's war against Ukraine. Bentonite is a threat actor that's been opportunistically targeting the maritime, oil and gas,
Starting point is 00:08:57 government, and manufacturing sectors since 2021. Dragos says Bentonite conducts offensive operations for both espionage and disruptive purposes. Dragos says that as a policy it doesn't attribute activity to particular nation-states, but the researchers note that Bentonite has overlaps with a threat actor tracked by Microsoft as Phosphorus, which Microsoft has tied to the Iranian government. And finally, it's Valentine's Day. Did you remember? If not, hit those e-commerce sites that offer immediate delivery of candy, flowers, articles of apparel, and the like.
Starting point is 00:09:37 And hey, we reminded you, you're welcome. So again, today is the annual holiday of love, and the scammers are using that to their advantage. Bitdefender shared yesterday that approximately 83%, or just over 4 out of 5, Valentine's Day spam emails were scams, based on spam emails analyzed by Bitdefender from January 22nd through the 8th of February this year, with a considerable spike observed between the 6th and 8th of this month. English-speaking countries are by far the primary target of these attacks, with 45% targeting U.S. inboxes. Gifts and adornments for your loved one are a major subject of these emails, though people looking for love appear to be favorable targets as well. So love, by all means, love, but with the mind as well as the heart.
Starting point is 00:10:40 Sure, they may say that love may be blind, but we think maybe it's just squinting. Coming up after the break, Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from Afternoon Cyber Tea speaks with Marene Allison about the CISO transformation. Stay with us. Do you know the status of your compliance controls right now?
Starting point is 00:11:18 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:12:23 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Microsoft's Ann Johnson is the host of the Afternoon Cyber Tea podcast. And in a recent episode, she spoke with Marene Allison about the CISO transformation.
Starting point is 00:13:18 Here's part of that conversation. I'm Ann Johnson. And on today's episode of Afternoon Cyber Tea, I am joined by Marene Allison. Marene is currently an advisory board member for Covenant Technologies, which is a leading IT and cybersecurity staffing firm, and also advisor at Balbix, a leading cybersecurity posture automation platform. Prior to Marene's current role, she was the vice president and chief information security officer for Johnson & Johnson, and has had a magnificent and storied career in the military,
Starting point is 00:13:44 in intelligence, in technology, and in health and life sciences. Welcome to Afternoon Cyber Tea, Marene. I am absolutely thrilled to have you on. Oh, Ann, it's great to see you. What excites you about the technology we have today and the promise of the technology today? And on the flip side of that, what do you worry about? What do you think the criminals can do based on the technology we are leveraging today?
Starting point is 00:14:07 I have seen technology change all the way from RACF and mainframe computing and no internet to internet voice over IP. And it would be very easy for us in security to worry about all the gremlins that are going to be there. I think we have to understand how the gremlins might attack the technology. But if we were to do that, we'd still have rotary phones and we'd have no connected computer devices. And we can't. We have to lean into the future. And especially as data and AI and ML become the way of the universe. But think of what can happen. A doctor can read, I think I saw, 80,000 articles in their entire life. But can you imagine what a computer can read and all the data it can pull forward.
Starting point is 00:15:05 So as we're trying to solve disease states, you're going to have to have this huge computing power that's going to be able to look at all this data and look at correlations like humans can never look at correlations. Yes, maybe with 5G or quantum computing, it's, oh, somebody's going to crack encryption codes. Yeah, they will. It just is going to happen. Let's plan for it. And let's move to the future where we can overcome that. Because when you can use quantum for bad, you will also use it for good in security and in healthcare and banking. All the different areas it's going to help us as well as create a potential risk. But we've lived our entire lives and for centuries, that's how people have lived. You see the new risk and you move through it to protect. And that's what we do as cyber professionals. We get to come up with all those solutions now. What does it take to be a CISO today? There are some folks that feel like being a CISO, you need to be deeply technical. There's other folks that believe you need to be a really great business person.
Starting point is 00:16:19 But what are the requirements? What does it take today to be a CISO, to talk to the board, to talk to regulators, to even be external and talk to customers or partners? Yeah, you know, we grew out of being security engineers. And so a lot of us that are at the senior levels of the CISO ranks, we started out as security engineers. But the ones that have risen into the large company CISOs, it's because they understand the business they're in. And, you know, for a while there, for CISOs, 18 months was as long in the CISO suite. All of my engagements have been, I had one for three years, but for the most part, 10-year engagements. And the reason is understanding the business and what it's doing and why it's doing it. And it's also understanding regulatory.
Starting point is 00:17:13 You have to be a Jill of all trades. It can't be one thing. And the folks that are very IT security engineer focused also have to understand that we're the department of yes and here's how, not the department of no. And that's where the CISOs become enablers of their business so that they can lean in. Why are you optimistic about the future of cyber? What would you send off our audience with? You know, I'm so optimistic is because of the youth, the people coming up in the industry. I came in with an electrical engineering degree. There was no cyber. And if I can do it, then what can you imagine that the individuals that are in college today or technical school today or military are going to bring to the table in 20
Starting point is 00:18:07 years. And so I love the talent that's out there and growing this talent and seeing where they're going to go. And I truly believe in it. And, you know, as a gray-haired, you know, moves on to an advisory role, I'm just excited about this exuberance and intellectual capacity of the next generations coming after us. You can hear the rest of this conversation as part of the Afternoon Cyber Tea podcast. You can find that on our website, thecyberwire.com, or wherever you find your podcasts. And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Starting point is 00:19:22 Hello, Ben. Hello, Dave. Interesting bit of business that came to my attention from a friend of the show, Cyrus Farivar, a journalist. And he wrote, I actually found this over on Mastodon. Hey, this may be our first Mastodon link, Ben. Ah, all right. It's a new day.
Starting point is 00:19:39 That's right. He says, Maryland has proposed a state-level privacy technology board which would act as a watchdog, similar to Oakland's Privacy Advisory Commission. He says, I think if enacted, it would be the first state-level board of its kind. So you and I are here in Maryland, so yay us. Always good to see our great state taking the lead on something like this. That's right. So can you unpack what is going on here, Ben?
Starting point is 00:20:04 Sure. So this is a proposed piece of legislation currently in front of the Maryland State Senate. The sponsor is a guy named Charles Sydnor, who's really been a leader on these issues. He was previously a member of the House of Delegates. So this bill would create what they call a privacy technology board. It would be a multi-stakeholder board within the State Department of Public Safety and Correctional Services. So you'd have representatives from the Police Association, Sheriff's Association, Department of Corrections, from privacy and civil liberties groups, really running the gamut in terms of representation. And the board, once it's convened and adopts rules for conducting its business, would evaluate and would have authority to approve or disapprove the purchase, use, or continued use of surveillance technology by law enforcement agencies. So that would really give this new governing board a little bit of teeth. So a law enforcement agency would have
Starting point is 00:21:05 to obtain authorization from the board before they accept any state funds, federal funds, or any other private donations for acquiring new surveillance technology or using that technology or using existing surveillance technology or the information from that surveillance for a purpose not previously authorized by the board. There are a couple of exceptions here. One of them, I think, is a common-sense exception for exigent circumstances. There's some type of ongoing investigation, terrorist attack, people's lives are at stake, and there's some type of technology out there that would allow law enforcement to do its job. Then an exception could be made and there would be post hoc approval on the part of this privacy board.
Starting point is 00:21:53 And then the other is for large-scale events, of which there are certainly many in the state of Maryland. And it makes sense why you might want to deploy novel surveillance methods for that. But you would only be able to use that surveillance technology to respond to those exigent circumstances or that large event. Then it would have to go through the normal authorization process. I don't like to handicap legislation, but I happen to know a good deal about how the Maryland General Assembly works. And sometimes it takes like two or three years to get your good idea across the finish line. They meet in three-month sessions, and you kind of take trial runs with various bills. And I think that's kind of what's happening here. You introduce it, you get it in front of a committee. There's going to be a committee
Starting point is 00:22:42 hearing on this bill. You kind of take the temperature of how various stakeholders would feel about this. I think we'll learn from this committee hearing how local law enforcement agencies would react to something like this. I'm going to go ahead and guess negatively. Right. And you kind of take a measure of whether this would be a feasible policy idea in the long run. So whether or not it passes this year, I think this certainly raises the prospect that we could see something like this get enacted in Maryland in the near future, and it could be a model for other states. This, what are we calling it, a Mastodon? Yes. It's a toot.
Starting point is 00:23:25 Yes, it's a toot. They really picked the worst name for that. But this toot notes that the city of Oakland has a similar Privacy Advisory Commission, but we have not seen it at the state level. Yeah, I mean, there are going to be entities who fight this tooth and nail, largely with the context that there is a major violent crime problem in the state of Maryland at present. And, you know, this would make life marginally more difficult for law enforcement. But I certainly think it's a very promising idea. So this would aim to come at sort of day-to-day surveillance. You're, you know, using facial recognition on your pole cameras that you have out on the street,
Starting point is 00:24:06 that sort of thing. Exactly. Or, you know, if there's like a new type of infrared technology or a new novel license plate reader, I mean, any novel surveillance method, a stingray device that hasn't previously been used and adopted by law enforcement would have to go in front of this multi-stakeholder review board. Would this have any effect on federal agencies operating within the state of Maryland? I don't think it does because this applies to state and local law enforcement agencies. I see. The Maryland state government does not have jurisdiction over federal law enforcement agencies that happen to be operating in Maryland. So the FBI can do whatever it wants.
Starting point is 00:24:47 Subject to federal law, the Maryland General Assembly is not going to be able to constrain that. I see. All right. Well, again, interesting development here. Maybe this is the shape of things to come. Absolutely. There's also a provision here before we finish that would allow a person who has been subjected to a surveillance technology or who has had personal information obtained,
Starting point is 00:25:13 retained, accessed, or shared in violation of this statute could actually sue the law enforcement agency and be entitled to recover actual damages of $100 per day. Again, that's not going to be, you know, that's not going to make anybody rich, but it might be an extra disincentive for these law enforcement agencies and might be a reason why they would comply with the provisions of the statute. Yeah, interesting. All right. Well, again, a tip of the hat to Cyrus Farivar for bringing our attention to this.
Starting point is 00:25:43 Ben Yelin, thanks so much for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
Starting point is 00:26:21 organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:27:04 This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
Starting point is 00:28:11 tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
