CyberWire Daily - Credential theft at the UN? Intelligence services and privateers. DDoS hits a big multinational. A look at AlphaBay 2.0. Notes on the C2C marketplace.
Episode Date: September 9, 2021
A cyberattack is reported at the UN, with agency data apparently lost to parties and parts unknown. The Bears are quieter, but the privateers are up and at ‘em. DDoS hits Yandex. Cyberespionage using the SideWalk backdoor. TeamTNT is getting tougher to detect. A SWOT analysis of the newly reconstituted AlphaBay contraband market. The Groove Gang is a new age criminal affiliate program. Caleb Barlow describes attackers leveraging US and European infrastructure to hide in plain sight. Our guest is Brad Thies of BARR Advisory on what the next 5 years may have in store for cloud security. And irritate your online chums for just 50 bucks a pop. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/174 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A cyber attack is reported at the UN with agency data apparently lost to parties and parts unknown.
The Bears are quieter, but the privateers are up and at 'em.
DDoS hits Yandex.
Cyber espionage using the SideWalk backdoor.
TeamTNT is getting tougher to detect.
A SWOT analysis of the newly reconstituted AlphaBay contraband market.
The Groove Gang is a new age criminal affiliate program,
Caleb Barlow describes attackers leveraging U.S. and European infrastructure to hide in plain sight,
our guest is Brad Thies of BARR Advisory on what the next five years may have in store for cloud security,
and irritate your online chums for just 50 bucks a pop.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, September 9th, 2021. The United Nations has sustained a cyber attack by unknown actors. Bloomberg reports that earlier this year, stolen employee credentials, probably purchased online in a criminal forum,
were used to gain access to UN networks. The credentials were for the UN's proprietary
project management software, Umoja. The attackers were able to pivot from there to other places in
the network. In the course of the attack, the threat actor obtained data that could be used
to target United Nations
agencies. The intrusion was detected by the cybersecurity firm Resecurity. Bloomberg quotes
Gene Yoo, Resecurity's CEO, that, quote, organizations like the UN are a high-value target for cyber
espionage activity. The actor conducted the intrusion with the goal of compromising large
numbers of users within the UN network for further long-term intelligence gathering. End quote.
$1,000, sourcing the information to security firm Intel 471, which notes that various
Russophone cybercriminals have offered the material for sale. Intel 471 CEO Mark Arena
told Bloomberg, quote, Since the start of 2021, we've seen multiple financially motivated
cybercriminals selling access to the Umoja system run by the United Nations.
These actors were selling a broad range of compromised credentials
from a multitude of organizations at the same time.
In a number of previous occasions,
we've seen compromised credentials being sold to other cybercriminals
who have undertaken follow-up intrusion activity within these organizations.
End quote.
CrowdStrike's threat hunting report out yesterday notes that cyber attacks that can be directly and unambiguously attributed to Russian
state actors have declined this year, especially when contrasted with the vigorous activity shown
by China, Iran, and North Korea, while Russian-speaking cybercriminal activity remains prominent.
A certain level of state-run cyber operations continues, but the Russian services' targets
have shifted, moving away from commercial organizations and toward think tanks,
dissidents, and journalists. Presumably, the commercial targets can be left to the privateers,
who provide a fig leaf to cover
national interest and state policy. Also noteworthy are the number of attacks that
look like state-run operations but that can't be clearly attributed. Those, too, are on the rise,
whoever's behind them. Earlier this week, financial services networks in New Zealand
were subjected to large and moderately disruptive distributed denial-of-service attacks, from which they've now largely recovered.
But another large DDoS incident has hit a major Russian firm.
Yandex is the latest big commercial organization to sustain a major distributed denial-of-service incident, Reuters reports.
The Russian multinational tech firm says it
successfully parried the attack. Researchers at Broadcom's Symantec unit attribute the campaign
using the SideWalk malware ESET described late last month to the Chinese Grayfly cyber-espionage
group. SideWalk is a modular backdoor that's recently been used against
telecom providers. Grayfly is also known as Wicked Panda or APT41. The recent targets have been in
Taiwan, Vietnam, Mexico, and the United States. In addition to hitting telecommunications,
Grayfly has used the SideWalk backdoor against targets in the IT, media, and financial services sectors.
AT&T Alien Labs finds that the criminal group TeamTNT is using a difficult-to-detect version of Chimera in a campaign of credential theft and cryptojacking.
TeamTNT is using Chimera in a number of environments, including Windows and various Linux distributions.
The group is also infesting Kubernetes instances, and Alien Labs recommends that defenders pay particular attention to hardening Kubernetes.
Digital Shadows subjects the revived version of the contraband market AlphaBay to analysis and concludes that
while there's an underworld opportunity for a revival, the latest edition may have trouble
building on the original marketplace's street cred. Potential users suspect the new AlphaBay's
admin may be compromised, and they mistrust the absence of exit scam protection. Digital Shadows presents their findings in the
form of a SWOT analysis, the summary of strengths, weaknesses, opportunities, and threats familiar to
those in the business world. To summarize, the strengths include street credibility, since hoods
have heard of and probably remember AlphaBay, new features, many of which are designed for better
security, including an
ability to withdraw funds should servers be seized by the police, and new rules to avoid unwanted
attention. It's like Fight Club. Don't talk about it, don't mention ransomware, and don't woof about
recruiting new members. The weaknesses include the possibility, the suspicion, that the new admin, whose hacker name is DeSnake,
has already been compromised and could even be a provocateur.
There's also the track record. Criminal comebacks are rarely successful.
They're like Hollywood sequels.
Have Sharknado 2 through 10 really lived up to the artistic standards of the original?
We don't think so either.
Although Robert Herjavec's cameo in Sharknado 4 did give us hope for the future. And the user base will be
slow to grow because of what Digital Shadows calls a mix of skepticism and traditional criminal
reluctance. All those new square rules will also be a downer. Finally, there's no exit scam protection. That was a big
problem with AlphaBay version 1, and there's no sign it's been addressed in version 2.
There are also opportunities. The new AlphaBay offers the prospect of reuniting the community,
that is, the criminal community, under one roof. People like to buy their contraband in one big convenient market,
and they miss that. There may also be an untapped market, particularly a market for cybercriminal
tools. The old AlphaBay was heavily into illicit drugs, and its successor still is,
but there are opportunities elsewhere. And, of course, there are the threats. Mr. DeSnake's reputation is, as they say, fragile.
Law enforcement remains a perennial threat, and the authorities have upped their enforcement
game since they took apart the original AlphaBay. And in the end, there's plenty of competition
in the C2C market. They're unlikely to roll over with all four paws in the air. We'll watch AlphaBay's progress with interest.
If they start selling Sharknado 7,
we might even consider becoming a customer.
We're kidding, of course.
About AlphaBay, not Sharknado 7.
Zoho has patched its ManageEngine ADSelfService Plus
against an authentication bypass vulnerability
that's currently being exploited in the wild. CISA urges users to apply the fix.
Researchers at McAfee and Intel 471 jointly describe a shake-up in the criminal-to-criminal
ransomware affiliate market being led by the Groove Gang. Whereas earlier ransomware-as-a-service programs had prioritized control over the code
and a systematically hierarchical organization of the affiliates,
the Groove Gang is proving more fluid and opportunistic.
It prizes not the affiliates' skills, but simply their networks.
And last but not least, Avast describes a new underworld offering, Instagram bans as a
service. If you're too dull or lazy to irritate people yourself, you can outsource the harassment
for as little as 50 bucks U.S. What does this say about the quality of temptation nowadays?
As Baudelaire put it a century and a half ago, you know this delicate
monster, it's ennui. Or as a prominent recent U.S. president would tweet it, sad. We're confident
that Baudelaire wouldn't have been on AlphaBay. Now, Verlaine or Rimbaud? Well, maybe.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at
blackcloak.io.
Brad Thies is founder and president of BARR Advisory,
a security and compliance firm with specific expertise in cloud computing.
I caught up with Brad Thies recently for his insights
on the challenges and opportunities of the continuing migration to the cloud.
The pros are it reduces cost, increases agility and elasticity.
It's DevOps friendly.
And you do have improved uptime.
So security is also reliability.
If you have security and reliability, I think those go hand in hand.
And so those are the improvements of just the resiliency of pushing data into the cloud.
I personally, being in the cybersecurity space,
I think you are more secure as you push information into a cloud environment.
So I don't think it's really the cloud that's insecure.
I think it's an education piece
of some of those traditional lenses
of cybersecurity in the perimeter
don't really hold itself true in the cloud environment.
So it's more of a fear of the unknown of as I'm pushing information into this more
public cloud adoption, you know, what should I be doing differently?
You know, I think it's easy to focus on some of the high profile data breaches that we see that
I think are associated with the cloud. You know,
someone leaves an AWS bucket wide open for the world to see. Is that, I guess, to what degree
is that still a serious ongoing problem relative to the amount of attention it gets is, I guess,
where I'm getting at. Are the tools and practices in place that we're heading towards a time when that particular sort of thing is a thing of the past?
Well, that's where the tooling comes in.
And so, you know, if you look at it from, yeah, you hear these fear things that happen on, oh, my S3 bucket was exposed to the internet.
That's going to happen all the time, but that goes back to
the human element. It's a mind shift in
security. It's everybody's responsibility. You can't just think from
a centralized view of cybersecurity.
Same concept of the analogy of, I'll use the car analogy.
It's not just
one person's responsibility, not just the safety and reliability expert. The seats have to be
designed to handle a car crash. Windshields have to crack safely or shatter, not shatter when a
rock hits, headlights, seatbelt integrity, et cetera. It's everybody's responsibility.
And so looking at the tooling, going back to the tooling factor,
that's just getting into visibility.
And so that's where I think we'll see more proliferation of cloud CASBs
or cloud service access brokers that gives you some of that visibility
into open S3 buckets all the way to more security
and compliance automation platforms that start
to automate some of these testing and starts to give us a little bit greater visibility
in what's going on in our environment to allow, I think, from a board level and executive
level and cybersecurity expert level, greater focus on how quickly our threat models are
evolving over time by pushing data
into a cloud.
Do you suppose that this is enabling a lot more people to have a higher level of security
than they would otherwise have?
Sort of by taking it out of their hands, it's protecting them against the things they don't
even know they should know.
Yeah, because again, you can't centralize security.
And yes, you can put a culture in place,
but that decentralization of it,
even though we talked about earlier with the cloud being that centralized aspect,
it's enabling more of this decentralized view of how we protect the internet.
And getting to those more decentralized
architectures and allows us to feel more safe because you have smaller teams being able to
push changes more quickly versus the traditional way of everything has to go through a change
advisory board or a cab. And that old model doesn't work well because you can't assume that some centralized
authority has every bit of understanding that maybe some of these smaller team sets might have
and more intimately as they're looking at it from a cybersecurity lens.
That's Brad Thies from BARR Advisory.
with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek.
Caleb, always great to have you back.
You know, we've been seeing some attackers who've been leveraging infrastructure in both the U.S. and in Europe kind of hiding out in plain sight.
I wanted to get your take on this.
What's going on here?
Well, you know, I mean, you and I both have had young kids, Dave.
And, you know, when the kid was always scared that there was a monster in the attic or whatever.
In this case, the monster is indeed under the bed.
It's really close, and they've realized that hiding under the bed is a better place than hiding in another country.
There's a couple of reasons why, which is we've built legislation to protect them if they hide under the bed and hide in our own backyard.
I'll give you a great example of where GDPR just goes sideways.
If a bad guy takes over systems inside of Europe, and usually they'll choose infrastructure in Germany,
a company cannot easily go in and deploy security solutions
because those security solutions have privacy ramifications. So they actually have to get
permission from a works council to go deploy things like EDR. I've literally seen it happen
where you've got a server that you are pretty sure is infiltrated, and it's going to take a
month or two to get EDR on it, where in most environments, you go deploy it in
the next hour, right? Because you've got to get permission because that tool
can gather data, and the bad guys know this. Literally, they're
sitting there going, oh, okay, you found us. Great. It's going to take
you 30 to 60 days before you can get rid of us, so we're just going to keep doing what we're doing.
I think also in the case of, you know, if we look at SolarWinds,
if we look at the Microsoft Exchange breach, you know, granted, these
examples also came kind of with that Trojan horse method
of getting inside companies, but they also gave adversaries
you know, environments in which to operate inside the U.S.
where intelligence agencies are less likely to
look at them. Law enforcement has to jump through a whole bunch of hoops to get there. I mean,
if you're, let's say, the FBI and you need to go get a search warrant on a particular server
or server farm, it could take weeks to months to be able to execute on that search warrant.
And the bad guys are starting to realize
this. There's protection in hiding under the bed. What's the solution here? I mean, is this a matter
of proper legislation or rolling back regulations? What direction do you think we should come at this
from? Well, I mean, there's two pieces of this, right? One is we've all got to realize that,
like every, we talk about this all the time, we've got to actually pay attention to our defenses and realize that a strong defense not only protects our own organization, but protects us from becoming the beachhead to attack somebody else.
But the second piece of this is we really do need to look at our legislation to allow capabilities for information security and to ensure that we're protected.
And the place we often run awry with this is privacy, right?
But here's the point.
You cannot have good privacy without having good security.
You can have really great security
and have really lousy privacy.
And we have to keep that in mind, right?
Our privacy regulations cannot be built
and done in a vacuum. We have to
recognize that they need to have the corresponding security component, not only to ensure defense,
but also to allow proper security research along the way.
Is there anybody doing this right? I mean, if we compare ourselves to the Europeans with GDPR,
are they in better shape than we are?
No, actually, and I've said this many times before, I actually believe that GDPR has caused some of the biggest security failures for a variety of reasons.
One, it gives the bad guys a place to hide out.
But the second thing is that GDPR really took away our ability to access DNS records,
which is one of the primary tools for security investigations.
And what's unfortunate is this issue has been well publicized,
but nobody's fixed it yet because it's a different swim lane.
So honestly, Dave, I don't really think anybody's doing this right yet,
but I do have hope because I think people are starting to realize that
this is a problem and we have to enable legitimate security researchers
and law enforcement to do their job. All right. Well, Caleb Barlow, thanks for joining us.
Clear your schedule for "you" time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.