CyberWire Daily - CISA on FiveHands. Connections among cybergangs, Russian intelligence services? Software supply chain security. Scripps Health incident update. Home routers. Ryuk hits research institute.

Episode Date: May 7, 2021

CISA outlines the FiveHands ransomware campaign. Circumstantial evidence suggests that some cybergangs are either controlled by or are doing contract work for Russian intelligence services. US Federal agencies turn their attention to software supply chain security. Scripps Health continues its recovery from cyberattack. Insecure home routers in the UK. Daniel Prince from Lancaster University has thoughts on cybersecurity education. Our guest Rupesh Chokshi from AT&T has suggestions for organizations who want to get SASE, but don't know where to begin. And Ryuk ransomware throws a wrench in research at a European biomedical institute. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/88

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA outlines the FiveHands ransomware campaign. Circumstantial evidence suggests that some cyber gangs are either controlled by or are doing contract work for Russian intelligence services. U.S. federal agencies turn their attention to software supply chain security. Scripps Health continues its recovery from cyber attack.
Starting point is 00:02:20 Insecure home routers in the U.K. Daniel Prince from Lancaster University has thoughts on cybersecurity education. Our guest Rupesh Chokshi from AT&T has suggestions for organizations who want to get SASE but don't know where to begin. And Ryuk ransomware throws a wrench in research at a European biomedical institute. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 7th, 2021. The U.S. Cybersecurity and Infrastructure Security Agency yesterday published an analysis report on the FiveHands ransomware, and SombRAT remote-access Trojan to steal information, obfuscate files, and demand a ransom from the victim organization. Additionally, the threat actors used publicly available tools for network discovery and credential access. It's long been believed that Russian cybercriminals tend to operate at the Russian
Starting point is 00:03:43 government's sufferance, but security firm TruSec reports that it's found evidence that the gangs may also be working for the state. Specifically, there are signs that Evil Corp is operating under the security organ's direction. TruSec had been investigating a WastedLocker ransomware infection and assisting in its remediation when the victim received a government warning that it had received the attentions of the state-run APT Silverfish, regarded as a Russian operation and described earlier this year by researchers at the cyber intelligence firm PRODAFT. TruSec said that it, quote, could quickly confirm that the cyber event referred to in the warning was the initial compromise that TruSec had found to be the start of the WastedLocker ransomware attack.
Starting point is 00:04:29 They add that we could also determine that the Cobalt Strike beacon used in the attack was in fact the same Cobalt Strike beacon found in the PRODAFT report, since it was using the same domains and domain fronting technique described in the report. The domain used to download the PowerShell script GetSystemTime also appeared in the report from PRODAFT. End quote. This led TruSec to the hypothesis that the gang behind the WastedLocker attack was identical to the Silverfish actor. They saw other bits of circumstantial evidence,
Starting point is 00:05:02 including comparable levels of sophistication and the ability of both groups to conduct continuous 24-hour operations. They also observed a curious indifference on the part of WastedLocker's operators to motivating their victims to pay. They didn't, for example, make the now-routine threat to dox the victims if they failed to pay the ransom demanded. So, the case is circumstantial but suggestive. Evil Corp may simply be a front group, or it could be working as a contractor. There's a possibility that it may be an independent criminal gang, and that the apparent connections with Russian intelligence services are coincidental, but this possibility seems
Starting point is 00:05:41 increasingly unlikely. According to Radio Free Europe/Radio Liberty, similar evidence is emerging in the New York trial of an alleged Methbot ringleader, Alexander Zhukov. According to U.S. court records, the news outlet explains, the Methbot scam first took form in September 2014, when Zhukov and five other men from Russia and Kazakhstan allegedly rented more than 1,900 computer servers at commercial data centers in Texas and elsewhere and used them to simulate humans viewing ads on fabricated web pages. In this case, it appears that Methbot used the infrastructure that's been under scrutiny in the investigation of GRU and SVR cyber operations,
Starting point is 00:06:26 including the dissemination of the Steele dossier during the 2016 U.S. presidential election. The U.S. Department of Justice is expanding its investigation post-SolarWinds into supply chain security. Justice is taking a closer look at the role Russian companies or U.S. companies that do business in Russia may have played in the compromise of the SolarWinds software. CyberScoop quotes Assistant Attorney General for National Security John Demers as saying yesterday, quote, if there's back-end software design and coding being done in a country where we know that they've used sophisticated cyber means to do intrusions into U.S. companies, then maybe U.S. companies shouldn't be doing work with those companies from Russia
Starting point is 00:07:10 or other untrusted countries. End quote. CyberScoop's sister publication FedScoop reports that CISA now believes it has a better understanding of the risks and dependencies in the federal government's software supply chain. At least nine federal agencies were affected by the SolarWinds compromise. CISA hopes that increased transparency in both software development and system architecture will serve to build a more secure supply chain. Scripps Health in Southern California is still recovering from the unspecified cyberattack it sustained last weekend, KPBS reports. The medical system is using workarounds as it continues to deliver care and says that patient safety is uncompromised,
Starting point is 00:07:55 but scheduling and other IT-dependent functions continue to see disruption. Patients are reported to be seeking care at other regional health care providers. The British consumer advocacy organization that goes by the name Which? says that thousands of UK households are using outdated and vulnerable home routers. Thirteen widely used models display such common vulnerabilities as default passwords and outdated firmware. Some of the routers haven't received updates or security patches since 2016. WeLiveSecurity reports that two companies' products, at least,
Starting point is 00:08:31 deserve honorable mention. Devices produced by BT and Plusnet were found to contain none of the easily exploited vulnerabilities that Which? and its technical partners at Red Maple Security found. And finally, ZDNet reports, citing security firm Sophos, that a European biomolecular research institute lost a week's worth of data to a Ryuk ransomware infestation. The ransomware found its way in courtesy of a student who was looking for a free version of visualization software and settled for a cracked version, and, worse yet, disabled Windows Defender so as not to be bothered by its alerts.
Starting point is 00:09:12 The cracked software executed a trojan on the student's device, which stole RDP credentials. The attackers then used their access to install Ryuk. In this case, it wasn't the unnamed institute that was responsible, but rather a user who abused convenient but permissive access policies. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:09:46 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous
Starting point is 00:10:27 visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Starting point is 00:11:21 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The SASE framework is a hot topic in cybersecurity these days, SASE standing for Secure Access Service Edge. To help cut through the hype, we checked in with Rupesh Chokshi, vice president of AT&T Cybersecurity, for his take on SASE's potential.
Starting point is 00:12:17 So right now, you know, SASE is one of the hottest terms in the market with customers in the business world as security becomes front and center for everybody. I think of it as we have evolved into a hyper-distributed workforce environment for the enterprise with the hyper-connected from a capability perspective. So the combination of these things are creating this very unique opportunity for a security-centric framework, which SASE is all about, and bring capabilities that can drill down at a very granular level to protect the data, protect the applications,
Starting point is 00:13:07 protect the information flows, and protect the network for that customer, for that enterprise, for that session, for that particular identity and user. What are the specific things that attract people to adopting a SASE framework, for example? I think the main drivers are this ability to have security done at a very granular level, the ability to have a zero-trust network or capability, the ability to bring the entire enterprise, whether it's a branch location or a user working from anywhere or a business IoT endpoint, all of this data and the different connectivity types, whether it is the wireless network or the wireline network, bring all of that into the framework and be able to then provide the security policies and controls and the granularity that is needed. With SASE being as hot as it is, of course, that means that folks who are considering it are getting all sorts of marketing messages about it and so on.
Starting point is 00:14:24 I'm curious, what are your recommendations for folks of how to get started, how to cut through that noise and get a real solid understanding of what it might mean to them? Right. That's a great question, Dave, because, you know, as a trusted advisor, you know, I would like to recommend a few things that says, look, sit down with the experts. We have the security consulting offers that we provide along those lines of SASE readiness. Literally, with that mindset to say, okay, let's better understand what is the environment.
Starting point is 00:15:01 Are you going to have a distributed workforce for a period of time? Are you going to bring it all back into the fold or not? Are you adding a significant amount of new devices and new users and new endpoints? Do you have a way to secure those and what are you going to do about it? I would say that spend the time on the architectural, the framework aspect of it. Better understand what the business drivers are and think of the outcome because security is not just about the technology. This is about the business. It's a business problem in terms of, am I secure? Am I compliant? Do I have
Starting point is 00:15:47 the risk profile figured out? Have I done all of the testing that I need to do? So it's basically lay out the blueprint, partner up with somebody you can kind of work and trust, and then get into phased execution. Now, when you look at organizations that have successfully adopted a SASE approach, are there any things that they have in common? Are there any things you see that set up particular organizations for success? I think there are two dimensions that I'm seeing more and more. So one is sort of setting it up in a way that all of the physical locations or the branch locations are all sort of secured
Starting point is 00:16:36 within that framework and you're applying certain rules and policies. So I'm seeing that more and more. One example is that we worked last year into this year with a healthcare customer as an example, right? And that healthcare customer is talking about, how do I do the clinics and the hospitals and get them ready? But simultaneously, I have a workforce that I need to be more remote and bring that into the mix. So I'm seeing the branch transformation with SASE, and I'm seeing the remote work transformation with SASE here and now.
Starting point is 00:17:17 That's Rupesh Chokshi from AT&T Cybersecurity. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. Thank you. solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University.
Starting point is 00:18:38 Daniel, it's always great to have you back. I want to touch base with you today about cybersecurity education, certainly something that is near and dear to you and part of your every day, but just sort of check in, you know, where do things stand today? Well, I say as a senior lecturer at a university, cybersecurity education is a passion of mine. And it's the reason why I wanted to talk about it really is it's a massively changing industry at the moment. From my point of view, cybersecurity has gone through an incredible change in terms of the professionalism that sits around it. And we're seeing in the UK the rollout of the UK Cybersecurity Council, who's really meant to be there to establish cybersecurity as a professional body. And so that changes the nature of education.
Starting point is 00:19:32 And I'm looking at it from the point of view of the university. And this year, we're celebrating the 10th year of our multidisciplinary cybersecurity program. And looking back from where we started to where we are now and how the industry's changed, it's quite a remarkable journey. Thinking back 10 years, there was a lot of push around industry certifications and all, you know, the types of tests that we were doing then to assess the quality of cybersecurity professionals, to where we are now with lots of informed, practical-based assessments. And then the role of academia within that has changed as well. And within the UK, the National
Starting point is 00:20:12 Cyber Security Centre has recently rolled out the Academic Centres of Excellence in Cyber Security Education, and I know in the US they've got a similar scheme to recognize centers, academic centers, which are really trying to be at the forefront of cybersecurity education. And Lancaster has submitted and is fortunate to be awarded one of those statuses. about educating professionals, but what are we doing in the academic community to teach historians or English language specialists or how are we reaching out across and improving cybersecurity awareness for a variety of different disciplines and roles? And I think that's reflecting really the criticality
Starting point is 00:21:01 of digital technology in every single role and then the importance that cybersecurity has with those roles, not just this isolated profession of protecting a few computers. Yeah, that's fascinating to me. I mean, I think back to my own university days. I mean, is this a situation where you could have classes that are cybersecurity for non-majors, you know, that sort of thing? Yeah, that's certainly something that we are looking to move out of, you know, really the kind of extracurricular activities and certainly something to put into almost like professional studies for these other disciplines.
Starting point is 00:21:42 You know, there's always been a tie with, like, management sciences, so we do a little bit in there. But, you know, when you get into some of the humanities, certainly, you know, it would be the last thing that you think about. And in some ways it's almost like data science type of skills, and we're seeing a big push to embed data science in a lot of other kind of disciplines and roles because it's such an essential skill. And cybersecurity is such an essential skill and it shouldn't just be left to a select few. I mean, I likened it to, you know, 300. It's not about, you know, 300 Spartans sealing the breach. Everybody's got a role to play in protecting the whole system and our society. And I think because the technology is now so
Starting point is 00:22:34 expansive, we can't take that for granted and we all have a role in protecting it. What's the response of the university been? Are they supportive here? Do they recognize that this is something that needs broader attention? Well, yeah. So as part of our application process to become a center of excellence, we required high-level support from our vice chancellor down. So they're very supportive. And we're looking at how we actually start to integrate some of this education into some of our other
Starting point is 00:23:06 degree programs, not to try and displace, you know, the essential curriculum they're teaching, but to help them to understand the role within the roles that they are going to take on. Because for me, it's about having them, the students and then the future employees, empowered to be able to ask that question and challenge: are we doing the right thing with the systems, the data that we have? And if we can start to get people to ask those types of questions as an employee, that will then start to hopefully lead to answers in terms of increased protection for us all. Is there an intimidation factor that you need to get past? You know, your student who's doing their course of studies in the humanities,
Starting point is 00:23:49 might they find themselves put off a bit by this computer science topic? Yeah, I mean, we've had conversations like this internally within the university, but it's a fundamental truth that our students can't do their studies now without their computers, right? They are, you know, just look at the global pandemic and the role that that technology has played in ensuring that educationists and students have stayed connected, that we've still been able to teach, and that those students have also been able to maintain contact with their families. It's so interwoven in the way that we work and the way that we live that it just becomes vital that they have some basic skills
Starting point is 00:24:36 that's suitable for their discipline. In the same way that we teach basic road safety, it's got to be there because it's such an essential part. And specifically, we don't want them to be able to go and configure firewalls and, you know, make sure that they're right patches themselves. That's not what I'm advocating. I think the important thing is to spark that curiosity so that they can go away and find the answers or at least not be intimidated.
Starting point is 00:25:07 And I think that goes back to your point, at least not be intimidated to try and tackle some of these problems. All right. Well, Daniel Prince, thanks for joining us. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. If you're looking for something to do this weekend, be sure to check out Research Saturday and my conversation with Mike McClellan from SecureWorks. We're going to be discussing Supernova web shell deployment that's linked to the Spiral threat group. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:25:58 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:26:46 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
