CyberWire Daily - Coups and comms blackouts. Fuel sale sabotage in Iran. Wslink described. Operation Dark HunTor takes down a contraband market. FTC looks into Facebook. LockBit speaks.
Episode Date: October 27, 2021
Sudan is under a blackout as a military junta consolidates control over the government. Iran says a cyberattack--unattributed so far--was responsible for disrupting fuel distribution in that country. ...A novel loader is discovered. Operation Dark HunTor takes down a darkweb contraband market. The US FTC is looking into Facebook’s privacy settlement. The LockBit gang talks, and it’s insufferable. Andrea Little Limbago from Interos on government internet interventions. Carole Theriault weighs in on Facebook glasses. And Halloween is another day closer. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/207
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
Sudan is under an Internet blackout
as a military junta consolidates control over the government.
Iran says a cyber attack was responsible for disrupting fuel distribution in that country.
A novel loader is discovered.
Operation Dark HunTor takes down a dark web contraband market.
The U.S. FTC is looking into Facebook's privacy settlement.
The LockBit gang talks, and it's insufferable.
Andrea Little Limbago from Interos
on government Internet interventions.
Carole Theriault weighs in on Facebook glasses.
And Halloween is another day closer.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 27th, 2021.
The London-based global internet monitoring organization NetBlocks has confirmed that internet service has been disrupted in Sudan.
A military coup was mounted Monday, and fighting continues in many parts of the country.
Mobile service was briefly restored yesterday afternoon,
and a few texts and images about the coup emerged,
but even that limited service was soon shut down.
The country is now effectively under a telecommunications blackout.
The U.S. Embassy in Khartoum has advised American citizens in Sudan to shelter in place.
Quote, Sudanese armed forces have announced they are in control of the government.
Demonstrations have been reported in Khartoum and around the country.
There are unverified reports of violence against protesters.
Flights are not leaving the country, end quote.
It appears that the junta has taken down the internet in the country.
Internet disruption has taken its place beside the seizure of radio stations and printing presses
in the standard playbook of the coup d'etat.
We hope for the safety of all who are afflicted by the violence.
According to the Washington Post and others,
subsidized fuel sales at Iranian gas stations were disrupted yesterday
in what the government in Tehran describes as a cyber attack.
Investigation is in progress, and the incident isn't yet attributed to any particular threat actor.
Observers compare the attack, if such it proves to be, with the disruption of rail services
messaging earlier this summer, generally thought to have been the work of Iranian dissident
hacktivists. While hacktivism may seem the likeliest explanation
of the point-of-distribution outages at this time, and while fuel has for some time been a
sore point in Iran, the evidence is still far too scanty for attribution. It's worth recalling that
Iran has its fair share of adversaries in the region, and not just the obvious actors like Israel, but also the
Sunni Arab powers of the Gulf region, not to mention the U.S. itself, and those Western powers
generally aligned with Washington. False flags remain a possibility, and of course, hacktivist
groups, like terrorist organizations and activist groups generally considered, have often enough
themselves been fronts for state intelligence services.
The situation in Iran is still developing.
Security firm ESET announced this morning its discovery
of a hitherto unknown malware loader, Wslink,
that runs as a server and executes Windows binaries in memory.
Who's operating Wslink and what exactly it's used for remains unknown.
An international dragnet made 150 arrests,
taking down a dark web contraband market.
Operation Dark HunTor also seized 234 kilograms of drugs,
45 guns, and more than $31.6 million in cash and virtual currencies, the Wall Street
Journal reports. Arrests were made in nine countries, with the U.S. and Germany accounting
for most of the collars. The successful roundup seems to have been built upon information shared
in the course of another joint international investigation, notably the takedown of Dark
Market back in January.
At that time, German authorities arrested the principal operators of that market
and took down servers in Ukraine and Moldova the group had been using.
The Wall Street Journal reported this morning that the U.S. Federal Trade Commission
had opened an investigation into whether Facebook's internal research
indicates that the company violated its 2019 settlement of privacy concerns with the FTC.
Ransomware gangs continue to represent themselves as Robin Hoods who leave important sectors alone
on humanitarian grounds, but those protestations ring hollow when organizations like Schreiber Foods are hit.
Wisconsin State Farmer reports that the dairy producer and distributor has been disrupted by
unknown criminals and that a great quantity of milk products may well be wasted if production
can't be restored quickly. One of the gangs that piously claims to avoid critical infrastructure is LockBit.
The Record has interviewed a representative of the LockBit ransomware gang, formerly a bit player,
now risen to prominence as it took a top slot in September's ransomware leaderboard.
The interview shows LockBit's representative to be every bit as smugly self-righteous as their colleagues in Conti have recently been.
When asked what the secret was to their recent market dominance,
LockBit did its best Silicon Valley unicorn imitation and replied,
quote,
We haven't started to conquer the market yet.
Now we are at the stage of developing and improving the software.
The secret is very simple, an impeccable reputation.
We are the only ones who have never scammed anyone or changed our brand.
People trust us.
Accordingly, the more affiliates, the more attacks.
The LockBit blog is just a small fraction of the companies that refuse to pay the ransom.
In the past three months, we have attacked over 700 companies.
End quote.
They see the StealBit information stealer as their competitive secret sauce,
and it's clear that they see themselves primarily as a player in the C2C market.
There's a lot of talk about the mutual trust that LockBit has built with its affiliates.
Quote,
Then they will never leave us. End quote.
The slanging of the competition is interesting, and for what it's worth, LockBit thinks REvil's disappearance was probably an exit scam.
Quote,
Nobody really knows, but I'm sure this is a classic exit scam.
The same thing happened with Avaddon and DarkSide.
As soon as a large payment comes, the owner of this partnership program thinks about whether it's worth working further and risking his life,
or is it better to exit right now and calmly spend the money for the rest of his life, end quote.
But, says LockBit, you can trust them because, quote,
in our case, such a case is impossible since we fundamentally do not touch the money of our affiliates, end quote.
Two refreshing bits of realism do emerge from the interview.
When asked about their banning from the criminal forum Exploit, LockBit replied sensibly enough, quote,
It is not very clear how cybercriminals can prohibit certain types of cybercrime because, in fact, everyone on this forum is breaking the law.
It turns out that conducting a pen test with post-payment for rich companies is prohibited,
but stealing money from the bank cards of millions of individuals is allowed, end quote.
That's right, this does seem to be a distinction without a difference.
The other realistic comment concerns the gang's vulnerability to infrastructure takedowns by law enforcement.
Gangland has its problems here too. Quote, this is one of the most
effective methods to deal with us. No one is immune from hacking infrastructure with the help of Zero
Days. Using NSA hardware backdoors, it is possible to access any server on the planet. Therefore,
the risk of being hacked is always present. End quote. Still, they say, talking basically to their criminal client audience,
At the moment, we are absolutely confident in the security system for storing decryption keys and stolen data.
No competitor has any analogs.
In addition to this, we have several backups of stolen company data on servers in various parts of the world,
as well as encrypted offline backups held by trusted parties who receive a salary for safekeeping the data.
End quote.
So, more irritating and smug than truly scary, but may the cops close in on them soon.
But finally, because Halloween is almost upon us,
here's something scarier, courtesy of Bitglass, who say that as recently as 2019,
some 38% of the Fortune 500 didn't have a chief information security officer. When they were hit
with a cyber attack, the reputational damage was such that stock prices took an average of 46 days to return to their pre-disclosure levels.
So happy Halloween and stay safe out there, kids.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Facebook recently revealed their latest consumer product, and given the bad time Facebook has had
in the press lately, it's not surprising that their latest offering has, at best,
received mixed reviews.
Our UK correspondent Carole Theriault files this report.
Do you remember Google Glass, the wearable smart glasses way back in 2014? They were available to
buy for a bucket full of money, really, $1,500. And the product garnered quite a bit of criticism
with concerns about its price, obviously, but also about safety and privacy.
The thing was, Google Glass apparently didn't do any single action especially well,
and they were also pretty dorky looking. At the time, the public also
weren't comfy cozy with the idea of people having clandestine computers that could record and take
pictures, simply strapped to people's faces. Even some bars and restaurants barred wearers from
entry if they were wearing Google Glass. But that was then, and this is now. And like the space race spat that seems to be happening
between Bezos and Musk, we may also be witnessing a kerfuffle when it comes to who's going to be
the market leader in smart eyewear, because Facebook has now decided to join the smart
eyewear party. So these smart glasses made by Facebook are actually a collaboration
with Ray-Ban and are on sale for $299. I mean, you can find these now at LensCrafters and
Sunglass Hut stores, and they're called Ray-Ban Stories. Weirdly, Facebook's name's not even on
the glasses. Is Facebook not cool enough? Or will it make people
more aware that the glasses are smart glasses, not just typical Ray-Bans and cause more kerfuffle?
So basically you've got these Ray-Ban frames and they feature two front-facing cameras for
capturing video and photos. And they sync with a companion camera roll app called Facebook View.
Yes, you need to have a Facebook account in order to use these.
Now, in Facebook View, this is where clips can be edited and shared to other apps on your phone.
There's a physical button on the glasses for recording,
or you can say, hey, Facebook, take a video.
And that way you can control these Ray-Bans hands-free. And of course,
you can also use these speakers that are inside the glasses to listen to music or a podcast.
And perhaps most importantly, they're not dorky like some have been in the past. Google.
So I haven't tried these Facebook Ray-Ban stories glasses yet, but a reporter at The Verge did.
And they wrote, after testing a pair of Ray-Ban Stories for the past week, I'm impressed with the build quality and how well they work.
Initial pairing was easy and syncing footage from the glasses back to the view app only took a few seconds through a Wi-Fi connection the glasses initiate.
However, Mashable were not fans. They claim that
this is just an expensive toy for influencers seemingly designed to make Facebook look cool
again. Well, it's going to take a while for me to think that these are anywhere close to being cool.
I don't like that there's a camera on the glasses. I also don't like that the camera is so
small as to feel virtually camouflaged into the frame. Again, that might be a cool decision.
And I guess you have to ask yourself if you think it's cool that people can take pictures of you
whenever you're in a public or non-public place without your consent.
I mean, they're all at it.
Facebook, Google, Amazon, Snapchat.
Call me cynical, but I see two main motivators here.
Both money makers.
Data collection and targeted ad generation.
I just wish I knew who out there wants to be on the receiving end of yet more targeted ads.
I certainly don't.
This was Carole Theriault for The CyberWire.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely.
Visit ThreatLocker.com.
Joining me once again is Andrea Little Limbago.
She is Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back.
I want to touch today on something that I know you are tracking,
and that is how various governments around the world put their finger on the scale
when it comes to internet access in their countries. What can you share with us today?
It's something that I have been watching for a while, and I still, it's one of those things that
I want to continue to elevate because there is this big movement towards privacy that we hear
about a lot as far as federal privacy regulations, and that's phenomenal. We hear almost, you know,
anecdotally and through narratives what different governments across the globe are doing. And so
I've worked on a recent research project that will continue to expand on basically quantifying,
you know, how much governments are intervening for government access on one end and then individual
data protection and privacy on the other. And it really is, you know, there's good news and bad
news along those lines. It's not only important for, you know, those of us that are online right now, but, you know, as more and more people,
you know, as the rest of the globe, you know, the next billion people come online in the very near
future, when you think about what those implications are, especially as they're coming online,
oftentimes in countries where the government is either impeding an access or really doing a lot
of manipulation as far as what is accessible and
what those implications may be. So I do think that as we look ahead, as more and more folks
do come online, it's going to be really important to figure out under what systems and regimes
they're going to be having that internet access. Yeah, I saw an example yesterday, and forgive me,
I don't recall exactly which country it was. Maybe you have it top of mind. But it was a nation where
they were saying that they're moving towards
having all of their internet traffic
run through one central place.
And that place is run by the government.
And they're going to be both analyzing
and filtering what their citizens have access to.
Yeah, so that is one of the,
you know, if you think about the tool
and the tool belt of the techno dictators,
one of them is basically creating a man-in-the-middle means for all data flowing in and out so they can monitor it.
It's something that Kazakhstan had explored about three different times by requiring certificates to be on their computers.
More recently, Mauritius is one in Africa.
It's another one that basically was trying to do something very similar to what Kazakhstan had talked about.
We're seeing that more and more. And it's always under the auspices of, oh, it's for national
security, or it's to make sure that we're not seeing that violent content, or in some
cases, content that is disrespectful of the government is not allowed through. But really,
what it does open up is just enormous surveillance and mean for manipulation, for censorship.
It's really a means for information control and controlling the narrative of what goes on within that country.
And so that is one of the many different trends that we're seeing leaning towards the area of government intervention.
When you think about that, when those governments have access to it, a lot of times those governments aren't the only ones that maintain that access. And there's a good example from earlier this summer where Cambodia was having a contact tracing app and
almost like a tit-for-tat, you know, as far as relationships with China, China wanted access to
that data. And so China was going to provide some carrot, and in return Cambodia would give the
access that they have through their government contact tracing app and give that data abroad.
And so with governments having so much access to data, it is not unimaginable and it's not unprecedented at this point where other countries are going to
demand access to that data as well. And so what happens locally is not going to stay locally as
well when it comes to that kind of access. So it's very disconcerting, the notion of the
splinter net and all these different internets may be popping up, but absolutely one person's
experience online is going to be very different depending on where they are in the world and depending on these various kinds of regulations.
Now, on the positive side, there are over 100 countries now that do have data privacy laws.
And so they have more.
They propose them and are very close to getting enacted.
And so I think that we have these two trends that are going on, and, you know, as a security community, what role we can play to help push it towards, you know, the edge of individual data protection and data rights and
security and away from government access to that data. When a nation does this and puts in place
this sort of filtering and monitoring, to what degree are the citizens successful in finding
workarounds?
Yeah, so it varies.
And what's interesting is even in some of their new cases,
if you broaden the umbrella of citizens to also being some of the hacktivists going on,
you see what's going on in Belarus
where some of the government data itself
was exposed and released?
And so there are ways that citizens are pushing back
and just very significantly based on where they are
and what they're up against.
What's going to work in some countries
probably wouldn't work in, say, Hong Kong
that has a much different environment.
But still citizens are finding ways to work around.
And that's, again, where we'll see some innovation occur.
And so that's great.
But it'd be great if they didn't have to innovate
in those areas.
They could instead have the access, have the data protections that they need.
But for sure, we're seeing
sort of an uptick in creativity and how to
circumvent them. But still, at the end of the day,
it's very hard with minimal resources
to do so. Right.
Right. Absolutely.
All right. Well, interesting stuff as always.
Andrea Little Limbago, thanks for joining us.
Thank you.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
... and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.