CyberWire Daily - Britain’s Labour Party sustains a “data incident.” CERT-FR describes a new affiliate gang, Lockean. US, Russian intelligence chiefs discuss cybersecurity. Gas is flowing in Iran again. Start-ups honored.
Episode Date: November 4, 2021
Britain’s Labour Party is affected by a ransomware incident a third-party provider sustained. ANSSI identifies a new ransomware affiliate gang, “Lockean.” Notes on how and why BlackMatter and REvil went on the lam. Russo-American talks discussed cybercrime and cybersecurity. Iran’s gas stations are fully back in business, following the cyber sabotage they sustained. Kevin Magee from Microsoft has highlights from their 2021 Digital Defence Report. Our guest is Ofer Ben Noon of Talon Cyber Security addressing browser vulnerabilities. And DataTribe has announced the winners of its fourth annual Cybersecurity Start-up Challenge. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/213 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Britain's Labour Party is affected by a ransomware incident a third-party provider sustained.
ANSSI identifies a new ransomware affiliate gang, Lockean.
Notes on how and why BlackMatter and REvil went on the lam.
Russo-American talks discussed cybercrime and cybersecurity.
Iran's gas stations are fully back in business following the cyber sabotage they sustained.
Kevin Magee from Microsoft has highlights from their 2021 Digital Defense Report.
Our guest is Ofer Ben-Noon of Talon Cyber Security, addressing browser vulnerabilities.
And DataTribe has announced the winners of its fourth annual Cybersecurity Startup Challenge.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, November 4th, 2021. Britain's Labour Party has disclosed that it's been affected by what it characterizes as a data incident. The incident affected Labour through a third party that managed data on behalf of the party.
The third party, unnamed by Labour, notified its client on October 29th that a significant quantity of party data had been rendered inaccessible on their systems. That description
suggests a ransomware attack, although the party's statement doesn't characterize it as such.
Computing describes the information as having been stolen, but beyond the usual cautions,
one would expect a ransomware
victim to extend to the individuals affected. Be alert for social engineering, use multi-factor
authentication, and report suspicious activity. The grounds for thinking data were taken are a
matter of a priori probability. Data theft has become the norm in ransomware attacks,
and it's prudent to assume that it's a possibility
here. Labour says it brought in outside expertise and reported the incident to the appropriate
authorities, the National Crime Agency, the National Cyber Security Centre, and the Information
Commissioner's Office. Investigation is in progress, but Labour says that only its provider's
systems were affected, not the party's own data systems.
The Labour Party's statement adds, quote,
We understand that the data includes information provided to the party by its members,
registered and affiliated supporters, and other individuals who have provided their information
to the party. The full scope and impact of the incident is being urgently investigated, end quote.
The Guardian reports that this is the second
third-party breach Labour has sustained over the past year and a half. The party was one of the
victims of the Blackbaud compromise. It's also unclear if Labour was itself the intended target
of the attack. The principal intended victim may have been that unnamed provider of data services.
CERT-FR, the French national CERT operated under the direction of ANSSI, has identified a new ransomware gang, Lockean, that's recently infested French companies in what CERT-FR
characterizes as big game hunting. Lockean is connected with several ransomware-as-a-service operations, including DoppelPaymer, Maze, ProLock, Egregor, and Sodinokibi.
The investigation began when ANSSI took up a series of six Qakbot investigations that began in 2020 and continued into 2021.
Four of them shared a common Qakbot naming convention.
Five of the attacks involved deployment of Cobalt Strike,
and four of those spoofed Akamai and Azure domains. In three of the incidents, the Rclone
exfiltration tool was used. These commonalities led ANSSI to believe that the incidents were the
work of a single threat actor, and that the signs also seemed consistent with reports by security firms Intrinsec and The DFIR Report.
Subsequent investigation convinced ANSSI that this was so.
They've named the threat actor Lockean,
and ANSSI's full report contains extensive information on the gang's tactics, techniques, and procedures.
Lockean appears to be an affiliate, a user of tools provided by other gangs in the
C2C underground market. The Record points out that Lockean is the second big affiliate gang
to be identified. The FBI described another such group, OnePercent, back in August.
More has emerged on the events surrounding REvil's announced retirement. The Washington
Post reports that U.S. Cyber Command
and an unnamed foreign government took action against REvil
in a coordinated operation.
The foreign government gained access to REvil's servers this summer.
In October, Cyber Command hijacked the REvil gang's traffic,
effectively denying access to the group's website.
The experience apparently put the fear of
Fort Meade into the gang's members, who took the better part of valor and dispersed, scampered,
vamoosed. Until they're in custody, of course, there's the possibility that they could reform,
either by getting the band back together, by starting fresh, perhaps independently,
or by joining another established gang.
U.S. Cyber Command is understandably reticent about sharing details, but according to CNN,
U.S. Cyber Command Head General Nakasone yesterday said his command had for the past
three months been engaged in a surge against ransomware operators. General Nakasone said, quote, while I won't comment
on specific operations, I will say that we've made a lot of progress. I'm pleased with the
progress we've made, and we've got a lot more to do, end quote. ZDNet says the other major gang
to recently close up shop, BlackMatter, has seen its affiliates migrate to a competitor,
LockBit. BlackMatter,
itself generally regarded as a rebranding of DarkSide, said its decision to shut down was
prompted by recent events. ZDNet speculates that those events included not only the action against
REvil, but also the Europol-coordinated roundup of 12 high-profile individuals involved in spreading ransomware, including LockerGoga, MegaCortex, and Dharma.
Reuters has confirmed that this week's high-level Russo-American talks in Moscow touched upon the activities of Russian gangs and privateers.
U.S. Director of Central Intelligence Burns spoke with SVR Chief Sergei Naryshkin.
He also talked with Nikolai Patrushev, Secretary to Russia's Security Council and former head of the FSB.
Any cooperation between the two countries remains a long-term work in progress,
but it will be interesting to watch the aftermath of the conversations.
Iran's fuel stations have recovered from the cyber sabotage they sustained more than a week ago,
SecurityWeek reports.
Tehran's investigation is apparently still in progress.
There's been no recent update to informal statements by officials blaming Israel and the United States for the attack.
And finally, DataTribe held its fourth annual
cybersecurity startup challenge yesterday, and we're pleased to announce the results.
Grey Market Labs, a secure virtual enclave deployment platform, ContraForce, a security
orchestration platform, and QuickCode, a data labeling technology for machine learning datasets,
were the three finalists,
and each came into the finals having already been awarded $20,000.
ContraForce and QuickCode were named the winners, each receiving a $2 million investment,
double what the competition had originally planned to award.
DataTribe is a global cyber foundry based in Maryland.
It supports early-stage companies and runs the annual competition, quote,
to identify and curate pre-Series A seed high-technology startups with a vision to disrupt cybersecurity and data science, end quote.
Full disclosure, the CyberWire is a DataTribe portfolio company.
The judges of the competition were Bob Ackerman, founder,
AllegisCyber, co-founder, DataTribe; Shamla Naidoo, head of cloud security, Netskope, former global CISO, IBM; Naveen Maharaj, director, Koch Disruptive Technologies; Ron Gula, president and
co-founder, Gula Tech Adventures and co-founder of Tenable; and Arno van der Walt, CISO of Marriott International.
It was good to get together for an in-person pitch event after so many months of relative isolation.
Those who attended received a special preview of the CyberWire's upcoming miniseries,
Hacking Humans Goes to the Movies.
Watch for it on our website.
Congratulations to all the companies who competed,
and especially to the three finalists,
Grey Market Labs, ContraForce, QuickCode,
and of course, the two winners, ContraForce and QuickCode.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with BlackCloak.
Learn more at blackcloak.io.
Think about how much of your day-to-day computing experience happens through your browser.
As more and more services migrate to the cloud,
it's likely you're making use of your browser to access those services. So what about the security
of the browser itself? Ofer Ben-Noon is co-founder and CEO of Talon Cyber Security.
Over the last three years, pretty much the number one vulnerable application in terms of CVE is browser.
And the number two most exploited application is the browser.
Exploited in the wild, I mean.
So that has led us to the understanding that,
A, we need to secure a lot more the browser,
and two, it's the best focal point to secure the new distributed and hybrid workforce,
which is becoming more and more SaaS-oriented, obviously.
So the focus is not only capabilities around protecting the browser,
but, for example, also capabilities around data leakage prevention
and a lot of some capabilities about network monitoring
and how do you reduce the chances that employees will browse
from the first place to websites that contain vulnerabilities
and by that obviously you reduce the chances that the malware will get compromised
and also identifying shadow SaaS, where data is then leaking outside of the organization. So while browser security is a very key component of the story, it does not end there. So the scope is a bit bigger.
It strikes me that, you know, while folks do have choices when it comes to the browser they want to
use, I mean, at their core, there are only a couple of places where people build their browsers,
and it seems to me that most of them these days are using Chromium as their source.
What is your take on that? I think that part of the reason that Chromium is becoming so
focal and core is that building a browser is a very complex task in terms of the usability,
in terms of the user experience,
and in terms of the amount of edge cases
that they need pretty much to be able to resolve.
And I think that this type of a consolidation play,
which got pretty much its stamp
when Microsoft have migrated
from Internet Explorer to Edge, was what really made Chromium so popular.
We have two of the biggest software organizations in the world maintaining one code or one core
of a code.
This brings a unique advantage for Chromium
over every other alternative as a browser.
And so what are your recommendations for organizations looking to secure
folks who are using those browsers for so many things?
So there are a few things here.
First one, which is the core of everything, is to make sure that
a browser which is not patched to the latest version may not access the critical resources
of the organization. And here it means two things. The first one is to make sure that indeed
at every single moment we are tracking what endpoints,
and specifically in this case what browsers,
having the access to the organization resources.
And then there is everything that is complementary around it, which is extensions.
Are we monitoring all of the extensions of the browser?
So even if the browser is not at all compromised, but a malware extension is on the browser and only a couple of months ago
there were tens of millions of instances of a malware extension over Chrome, that's a big thing
obviously. And the third layer would be the added security that you can implement on top of the
browser. Now, this comes in multiple flavors. The first one would be to make sure that we indeed
control to which websites, hopefully not malware websites, our employees are able to access.
That also helps in terms of reducing the amount of potential phishing that they are going
to be exposed to, the amount of drive-by download attacks that they will be exposed to.
And the fourth layer is really protecting the browser itself.
That's Ofer Ben-Noon from Talon Cyber Security.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. Thank you. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Kevin Magee.
He is the Chief Security Officer at Microsoft Canada.
Kevin, you and your colleagues recently released the 2021 version of your digital defense report and a lot of interesting stuff in there.
I wanted to check in with you and see what some of the highlights for you were in the new report.
Thanks for having me back, Dave. I'm really pleased to be here again. This year's report is our second report. It's 128 pages, so
it's not a light read, but it's chock full of details. It really covers five major focus areas,
the state of cybercrime, nation-state threats, supply chain and IoT security, hybrid workforce,
and then disinformation. This is really not a report that sort of you really have to be a deep technical person to read, even though there is quite a bit
of technical details in there. In fact, it's really a report that I'm recommending you give
to your CEO, your CFO, or your board, because it does a great job of providing a lot of technical
depth and detail, but with context and visual diagrams
and whatnot that can really help explain some of the major threats we're facing to these business
decision makers. Well, what are some of the actual highlights for you? I mean, are there any things
that stood out for you as really deserving attention? I think one of the neat things was
just the numbers initially from the Microsoft perspective, we're basing this report on 24 trillion security signals.
That's up from 8 trillion we saw last year.
So we're seeing exponential growth in the number of security signals
for data points we're able to pull from.
9 billion blocked endpoint threats,
31 billion identity threats,
32 billion email threats.
The numbers are pretty mind-boggling.
Pretty soon you're talking about real numbers, right?
Yeah, it starts to bring out incredible patterns that we may not have been able to see before.
So I guess the two major things that really jumped out at me was, one, just how cybercrime
is now becoming a national security threat.
And we're not just seeing that in the data and in the TTPs threat actors are using, but
we're also seeing that move into our user discussions and also policy discussions across the globe as well.
And then also, from a technical perspective, attacks on machine learning models were of really interest to me.
And it's an area that I don't have a lot of background in, but it's becoming an emerging threat vector for attackers to leverage.
Well, let's dig into the both of those one at a time, because I think they are both interesting
and worthy of discussion. And when it comes to national security, I'm curious, you know,
the conversations that you're having with the folks you speak to, is there a growing expectation
that the nations themselves step up and do more to defend organizations here or even, I don't know, moving towards more partnership on that realm?
I think so.
I mean, we've moved well beyond the point where criminal gangs are just doing virtual smash and grabs, and we're starting to see coordinated attacks.
We're starting to see an emerging almost cybercrime industrial complex where there's integrated supply chain specializations and whatnot. So organized
cybercrime in itself is becoming a major problem. But a lot of the attacks are based on critical
infrastructure, hospitals, power grids and whatnot. It's not just businesses that are being attacked.
And we're also seeing the overlap more and more with cyber criminal gangs and potential nation state actors using
cybercrime techniques or proxies for attacks as well. I think we started to see in the policy
documents for governments, this idea of persistent engagement or, you know, defend forward start to prop up the last couple of years.
It was quietly inserted into some of these strategic documents.
More and more, we're having an open discussion now that cybercrime is not just a financial
crime.
It is a potential national security threat.
And I'm very pleased to see that we're having more policy discussions or more open discussions
about it at that level.
Let's talk about what you mentioned there about attacks on machine learning.
What exactly is going on there?
This is an area where I was really interested in reading
because it was something I really didn't know quite a bit about
and had a chance to reach out to my colleagues
in the data side of the house as well.
We've identified four major attacks on machine learning models.
One is the evasion
attack, which think about causing a misclassification of data. For example, if you
had a self-driving car and you turned a stop sign into something different so that it was confused,
that would be an example of an evasion attack. A poison attack can be an attack that contaminates
the training phase of the machine learning. So you can actually insert something into the model as it's being developed to get the answer out information like an individual's health information or whatnot out of the model and extract that from the model.
Or flat out model stealing.
We see attackers now looking at stealing the proprietary algorithms, which may be for day trading or whatnot as well.
And these algorithms have intellectual property value.
So that's another attack vector.
All right.
Well, Kevin Magee from Microsoft, the report is the 2021 Digital Defense Report.
Thanks so much for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.