CyberWire Daily - Consequence of the Taliban victory for influence operations and information security. Privateering gangs described. Data exposures, data compromises.
Episode Date: August 17, 2021. Al Qaeda online sources cheer the Taliban's ascendancy. The new rulers of Afghanistan are likely to have acquired a good deal of sensitive data along with political rule and a quantity of US-supplied military equipment. Terrorist watchlist data were found in an exposed server (now taken offline). Connections between gangland and Russian intelligence. T-Mobile was hacked, but it's unclear what if any data were compromised. Joe Carrigan on FlyTrap Android malware compromising thousands of Facebook accounts. Our guest is Liam O'Murchu from Symantec on what keeps him up at night. And some personal information was exposed in the Colonial Pipeline incident. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/158
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Al-Qaeda online sources cheer the Taliban's ascendancy.
The new rulers of Afghanistan are likely to have acquired a good deal of sensitive data,
along with political rule and a quantity of U.S.-supplied military equipment.
Terrorist watch list data were found in an exposed server, now taken offline.
Connections between gangland and Russian intelligence.
T-Mobile was hacked, but it's unclear what, if any, data were compromised.
Joe Carrigan on FlyTrap Android malware compromising thousands of Facebook accounts.
Our guest is Liam O'Murchu from Symantec on what keeps him up at night.
And some personal information was exposed in the Colonial Pipeline incident.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 17th, 2021.
As has been widely foreseen, the Taliban victory in Afghanistan has been generally celebrated in extreme Islamist quarters of the Internet.
The Wall Street Journal has an overview of the relevant activity in social media. The faithful remnant of al-Qaeda, an ally the Taliban never repudiated
and a terrorist group that's much diminished, has been particularly prominent in hailing the
Taliban conquest of the country, seeing in the fall of Kabul a vindication of their patient
endurance. In this case, the inspiration may be at least as important as the prospect of regaining
a territorial safe haven. The sad immediate and forthcoming human toll of the Taliban's success
has rightly dominated coverage of the news from that country, but it's worth mentioning another
secondary risk, the threat to sensitive data the events present. CNN reported that on Friday, the U.S. embassy in
Kabul, anticipating trouble, instructed diplomatic staff in the country to destroy sensitive material
and anything which could be misused in propaganda efforts. The Washington Post observes that the U.S.
probably removed, rendered inaccessible in secure clouds, or simply destroyed data it held
as its forces withdrew. Emergency destruction can take many forms, including consumption by fire,
and government offices, particularly those in the Departments of State and Defense,
have long given thought about how to dispose of sensitive material quickly.
But it can be difficult to
destroy all the sensitive data, and it seems almost inevitable that some material will have
been overlooked or lost. That's to say nothing of the large amounts of information the U.S. shared
with the now-deposed Afghan government. These are now, for the most part, almost certainly in
Taliban hands, along with quantities of
military equipment also seized in the general collapse.
We mentioned the Post's note that the U.S. held a great deal of its data in cloud as
opposed to local storage, and while that would seem to provide a margin of security during
an evacuation, the cloud can also be leaky.
An unrelated incident shows how not all
sensitive data governments hold in clouds are held securely. On July 19th, researcher Bob Diachenko
found an FBI-administered Terrorist Screening Center watch list exposed online, and that day
reported his discovery to the U.S. Department of Homeland Security. The exposed server was taken down on August 9th.
Researchers at Analyst1, a threat intelligence shop headquartered in Reston, Virginia,
just across the Potomac River from Washington, D.C.,
outline what they've found with respect to the Russian government's toleration and enabling of ransomware gangs.
The firm says it's established connections between Russia's SVR and FSB, both successor agencies of the Soviet KGB,
and some well-known gangs. They're said to have employed individual criminals and their
organizations in their operations. The FSB, Analyst1 says, employed one ransomware gang and a second criminal group that specialized in banking malware.
They've also seen code similarities between Ryuk ransomware and the Sidoh espionage tool,
which suggests some cross-fertilization between gangland and Russian intelligence services.
Sidoh was also used to collect data from the SWIFT banking system.
Operationally, the researchers perceive connections between the Evil Corp gang
and the SilverFish APT implicated, along with Cozy Bear,
in the 2020 exploitation of SolarWinds.
Several of the figures mentioned in dispatches will be familiar.
Take one, Evgeniy Mikhailovich Bogachev, a well-known Russian cybercriminal associated with the Zeus malware and indicted by the U.S. on multiple counts in 2012.
Mr. Bogachev has, Analyst1 concludes, prepared a new version of Zeus malware to infect government and military targets,
including intelligence agencies affiliated with Ukraine, Turkey, and Georgia.
Since his indictment, Mr. Bogachev has resided comfortably on the lam at home,
with his tracksuits and exotic cats, as he remains out of the FBI's reach. By some reports, genteelly rusticated to his Black Sea yacht.
Bogachev's colleagues in the Business Club went on to organize, Analyst1 says, Evil Corp.
And that gang has effectively worked as a privateer for Moscow's security and intelligence organs.
T-Mobile confirms that it was indeed the subject of a cyber attack, Vice reports,
but the mobile provider is still investigating whether customer data were compromised in the incident.
DataBreachToday covers underworld rumblings that the data will soon be offered for sale,
but the carrier's inquiry remains in progress.
And finally, the ransomware incident at Colonial Pipeline has also resulted in the compromise of some personal information.
The Daily Signal reports that almost 6,000 people, current or former employees or members of employees' families, had their data accessed during the attack.
Colonial Pipeline has notified those affected.
My guest today is Liam O'Murchu, director of the security response group at Symantec.
Like a lot of security professionals these days, he's been focused on helping organizations protect themselves from ransomware.
So it started off a couple of years ago with a profit-sharing model whereby if you contributed to the successful ransomware, you got a percentage of the ransom.
So they were no longer paying $10 to get onto a machine. Now they were paying potentially millions of dollars, a percentage of the ransom at least.
And those ransoms have been growing. $40 million is an example that we saw recently.
So I think the first thing is the economic model.
There's just a huge incentive for anybody in the underground to participate in these affiliate programs to take a slice of that very large payout.
So that's one thing.
And then the other thing is the aggressiveness.
The ransomware gangs have really understood that the way they're going to make the most money is by getting the ransom paid quickly and moving on to their next victim.
So they've really stepped up the aggressiveness there, all the way from, you know,
creating leak sites, where when they steal information from the victim,
they will then publish that slowly on the underground, where you're leaking financial information or confidential information, IP.
And so that's kind of, you know, maybe a couple of years old,
but they've also added phone calls,
getting the phone calls for your executives
and calling them up and threatening them,
doing DDoS against enterprises' websites
and just trying to leak embarrassing details.
We saw an event recently where the CEO was having an affair
and they leaked details about the affair.
That was one of the ways to ramp up the pressure and try to get the companies to pay the money as quickly as possible.
And that really means that there are more victims, because they can get into an environment quickly.
They understand as well that they don't need to encrypt every machine in your environment.
If they can find the critical machines in your environment and encrypt them, then put pressure on you to pay the ransom as quickly as possible, then they can
move on to their next victim. So they've really sped up the whole infection-to-ransom-payout cycle,
which again leads to more victims. And then, of course, the last thing is the immunity if you live in Russia, right?
That's really come into play in the last while.
And we see that in the news, in politics, statements from the White House, you know,
sanctions against some of the ransomware groups like REvil, where they know who the attackers are, they know they're in Russia, they know their identity, but the
authorities are unable to get any action taken to have these people arrested or taken in.
So all of that together creates sort of a perfect storm
where ransomware is kind of out of control right now.
We're seeing so many victims pop up in the news all of the time.
The ransoms are getting huge,
and it's just a very big concern for all enterprises right now.
You know, as you mentioned, I mean, we hear all these stories in the news about companies
being hit, organizations, even municipalities. Are there examples of folks who have properly
prepared, find themselves hit with ransomware, but because they've done everything right
ahead of time, are able to pretty much continue, implement their backup plans
and go on without a hitch?
Yes, yes, yes. We see that all the time.
The problem is they don't make the news. So we do see that.
It's just that the bad news is what's being promoted. But there are
a lot of companies that are not properly prepared
for this. But when we see companies properly prepared, normally what we see is that they're attacked,
and the attacker may get in successfully. Even if the attacker gets in successfully,
the amount of damage that they do is limited to a small number of computers.
Even if they can move laterally, they're not able to move throughout the entire organization.
And a small number of machines will get hit, especially for a large enterprise with 50,000 or 100,000 or more
endpoints or machines to protect. They might have 10 or 15 machines that are affected by this.
And in those cases, it's pretty straightforward for the enterprise to be able to just
rebuild those machines and sort of ignore the ransom, and make sure that however the attackers got in, they're blocking that in
future. So that's a scenario that we see where we have unsuccessful, you know, apart from all of
the ransomware attacks that are just blocked on a day-to-day basis that, you know, we don't even really
report on, the ones that do get in, that's what we see when an enterprise
is successfully prepared for this sort of scenario.
You know, attackers are using a lot of different techniques.
They're still using packers, they're still customizing their payloads,
and they're still doing memory injection.
They're still doing a lot of traditional things.
They may have wrapped them up in slightly new clothes, but they're doing a lot of traditional things, which security products are able to
protect against. And something that, you know, in security response, in Symantec, that's what we do
on a daily basis is we monitor for all the changes in the threat landscape and protect against all
of those. So, you know, you really want to make sure that you are running some sort of endpoint protection
that's going to be able to protect
against all of the traditional attacks
that are all culminating
in what ransomware attackers are doing right now.
Our thanks to Symantec's Liam O'Murchu for joining us.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Some interesting research from the folks over at Zimperium.
This is titled FlyTrap Android Malware Compromises Thousands of Facebook Accounts.
What's going on here, Joe?
Well, they think this is a threat actor out of Vietnam.
And they have this Trojan that initially spread through the Google Play Store and third-party app stores.
Okay.
And the hook was a coupon app.
Oh, okay.
Get some coupons, like get some free Netflix or maybe get some Google AdWords coupon codes.
Or there was also the opportunity to vote for your favorite soccer team.
I mean, I don't know who has favorite soccer team.
Okay.
But once you started interacting with this app,
it would lead you through a process that would eventually say,
okay, well, in order to collect your coupon,
you need to log into Facebook.
And that was just a credential harvesting app that would then exfiltrate your data out to the command and control servers.
But they also had an interesting way of stealing credentials here as well.
They didn't just steal just the credentials, but they had a way of injecting JavaScript into a WebView component that is a legitimate component on Android.
And then the injected JavaScript will also exfiltrate your session tokens out to the command and control server, which I think is really interesting, how that works.
I mean, not that it's great that these people are losing their session cookies.
Right, but it's clever.
But it's clever.
Yeah.
It gets better, Dave.
By better, do you mean worse? Yes, of course. Okay, go on. Do I ever actually mean better when I say that? No.
Zimperium found the command and control server. Okay. Right now, it's secured by a password,
but guess what? There's a vulnerability on that server that, if you exploit it,
just shows you all of the database of all of the compromised credentials and tokens out there.
So if you've been victimized by this account, or by this Trojan rather, all of your information is available to anybody who has the wherewithal to go look for it.
Wow.
Not just the attackers, but anybody who wants to attack the attackers.
What are they recommending in terms of protecting yourself against this thing?
Okay, well, good question. The first thing that's happening right now is this thing is spreading
via messages sent from compromised phones. So if you get a message from somebody, don't click the
link. Yeah. Somebody says, hey, check out this great app where I can vote on my favorite soccer
team. Right. Yeah. Don't do that. Okay. Don't do that because that's going to lead you to some
third-party site with another version of the infected Trojan. So don't click
on any links that somebody sends you. The other thing you can do is always, always, always have
multi-factor authentication on your social media accounts. There are some indicators of compromise
on here as well. But if you don't have a malware detection application on your phone,
you'll probably never know that you've been compromised.
You can go into your Facebook account
and log yourself out of everything
if you still have control over it.
That's a good way to kill those session tokens
that may have been exfiltrated.
Right, and then change your password.
And then change your password
and enable two-factor authentication,
and you should be good.
Huh.
If you're worried that you've been compromised, you can do that.
Yeah, yeah.
One thing I thought was curious, I guess, is the way to say it.
The Zimperium folks include a map of all the areas that have been hit by this,
and one area is conspicuous in its absence.
What is that, Joe?
China.
China.
China has not been hit by this.
Neither has anybody in Iran.
Yeah.
What a crazy random happenstance.
Yeah.
There are a couple other countries that aren't on the list as well, like Ireland, not notorious for being an oppressive regime.
Right.
But China and Iran both have strict controls on what their people say.
And actually, in China, WeChat is much bigger than Facebook is.
Right, right.
So it may not be that the folks who are running this are specifically avoiding those areas, although it could be.
Oh, it could be, absolutely.
Yeah, yeah.
All right.
Well, again, this is from the folks over at Zimperium, and it's titled FlyTrap Android Malware Compromises Thousands of Facebook Accounts.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Thanks for listening.
We'll see you back here tomorrow.