CyberWire Daily - Crooks and spies, together again? Hiding ad-fraud malware in an SDK. A turn to the DarkSide.

Episode Date: August 24, 2020

Iranian wannabes successfully use Dharma ransomware against soft targets. SourMint hid an ad-fraud and info-stealing package in an SDK. A former US Army officer and sometime Government contractor is charged with working for the GRU. DarkSide ransomware rises as affiliates go into business on their own. Awais Rashid from the University of Bristol on aligning cyber security metrics with business goals. Rick Howard talks data loss prevention with members of the Hash Table. And copycat DDoS extortionists pretend to be, who else? Fancy Bear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/164 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Iranian wannabes successfully used Dharma ransomware against soft targets. SourMint hid an ad fraud and info-stealing package in an SDK. A former U.S. Army officer and sometime government contractor is charged with working for the GRU. DarkSide ransomware rises as affiliates go into business on their own.
Starting point is 00:02:19 Awais Rashid from the University of Bristol on aligning cybersecurity metrics with business goals. Rick Howard talks data loss prevention with members of the Hash Table. And copycat DDoS extortionists pretend to be, who else? Fancy Bear. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 24th, 2020. Group IB reports that a new and inexperienced group of hackers from Iran are using Dharma ransomware against easily attacked businesses in Russia, India, China, and Japan. They're greeners in Group IB's description, and Bleeping Computer calls them low-skilled, using commodity tools and well-worn approaches, but they've been successful nonetheless. They use MassScan to look for organizations with internet-facing RDP and weak credentials. Again, Group IB thinks they're
Starting point is 00:03:32 a collection of noobs buying ransomware as a service to grab the easy pickings indifferently protected enterprises offer even noobs, grifters, and skids. The group's emergence is noteworthy, Group IB thinks, because it suggests that Iran, like other aggressive cyberpowers, now harbors an underworld of financially motivated cybercriminals. Russian cybergangs have long operated at the sufferance and under the close scrutiny of the security services. Chinese government hackers are widely believed to be allowed to moonlight with some
Starting point is 00:04:05 cybercrime after the factory whistle blows, but this is a relatively new development for Iran. Snyk has identified malicious code in the Mintegral software development kit, an SDK widely used by applications in Apple's App Store. The SourMint malware is adapted to ad fraud and data collection. Mintegral is a mobile advertising platform based in China. Developers sign up as publishers and download the SDK from Mintegral. The SDK injects code into standard iOS functions within the application it's used to develop. The malicious code executes when the application opens a URL. At that point, the malware has access to what Snyk describes as a significant amount of data and even potentially private user information.
Starting point is 00:04:55 SourMint includes various anti-debugging protections that Snyk believes are designed to cloak the application's behavior. This evasiveness may have helped the SDK pass Apple's review process without being flagged. A former U.S. Army officer, Peter Rafael Dzibinski Debbins, has been charged with conspiracy to gather or deliver defensive information to aid a foreign government. The indictment alleges that Mr. Debbins worked for Russia's GRU between 1997 and 2011. After leaving the army in 2011, Mr. Debbins worked for several government contractors, the Washington Post reports, but the indictment is confined to his period of military service.
Starting point is 00:05:38 The very detailed indictment suggests that a lot of sources contributed to the investigation, and the Justice Department's press release makes a point of thanking the United Kingdom's Metropolitan Police and MI5. Mr. Debbins, who is of course entitled to the presumption of innocence, allegedly first contacted Russian intelligence services while he was still an undergraduate at the University of Minnesota, two years before he was commissioned. He's also alleged to have traveled to Russia several times, to have been in and out of hot water for security issues while on active duty with the U.S. Army, and to have married a Russian citizen, hometown Chelyabinsk of meteor fireball fame,
Starting point is 00:06:19 whose father was a Russian officer. Unless there's been some long-running attention to and exploitation of Mr. Debbins by U.S. counterintelligence and intelligence organizations, one wonders what one would have to do to attract security managers' attention. Fire flares and holler "I'm working for the GRU" through a bullhorn? Allegedly, of course. And here's some research by press release. A cyber gang that says it's composed of former affiliates who've already made a pile through extortion has announced that it's now working its own strain of ransomware, which it calls DarkSide.
Starting point is 00:06:57 According to Bleeping Computer, the gang's press release says, quote, We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known crypto lockers. We created DarkSide because we couldn't find the perfect product for us. Now we have it, end quote. So there you go. It's like an ad announcing a new brand of razors. We always appreciate a good shave and wish we could find the right blades, and so on. The DarkSide gang says it won't hit healthcare organizations,
Starting point is 00:07:32 specifically hospitals or hospices, schools or universities, not-for-profits and government organizations. This, they say, is an expression of their principles, but unless those principles are self-interest and calculation of criminal marketing, one is reluctantly moved to skepticism. Forbes reminds its readers that Maze and DoppelPaymer made similar promises back in the early days of the pandemic, but those really didn't stand the test of time.
Starting point is 00:07:59 There's more. They say they select their victims with discrimination and price their extortion demands accordingly. They want their targets able to pay, not bankrupt or defiant. They promise to provide a fully effective decryptor upon payment and also to destroy the data they've taken, as is now the norm with ransomware. DarkSide steals data before encrypting them. We take our reputation very seriously, say the hoods, and if they're paid in full, you can count on them. All guarantees will be fulfilled.
Starting point is 00:08:30 The gang has been active for a couple of weeks, and they appear to have secured at least one million-dollar score. And finally, remember those scareware screens that used to pop up from time to time, telling you that the FBI was on to you and that you could settle the matter by paying your fine right now, cash on the virtual barrelhead? There's a new name in this low-grade grift. It's occurred to someone that since Fancy Bear is in the news, why not go with that? Security firms Akamai and Link11 independently report that since mid-August, these characters are sending extortion emails with subject lines like, DDoS attacks on your network?
Starting point is 00:09:13 Coming from, guess who? Fancy Bear herself. Akamai, who called the crooks copycats, says they've also impersonated the Armada Collective. Unlike the "we're from the FBI" stuff, which was best simply ignored, there does appear to be some risk of an actual denial of service attack, so be on your guard accordingly. But Fancy Bear?
Starting point is 00:09:35 Not likely. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:10:05 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:52 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:11:31 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer. Rick, always great to have you back. Thank you, sir. You have another episode of your CSO Perspectives podcast, and this time you're talking about data loss prevention again,
Starting point is 00:12:23 but you brought a bunch of CISOs to the Hash Table this week. Going to be talking about data loss prevention. I guess going to be talking about a lot of tools. Yeah, you know, when you ever talk about DLP, which is the big acronym, it's for those in the know, Dave. So, you know, when you're talking about it. Right. Yeah, exactly. All the cool kids are using them.
Starting point is 00:12:43 Yeah, all the cool kids, right? So tools obviously came up, and what we discovered is that the typical vendor-supplied DLP tool, you kind of get these features, all right? Rule-based matching, like looking for social security numbers as network traffic traverses your networks. So social security numbers or PII, things like that. You get fingerprinting or looking for user-supplied structured data. So, if you have something specific in your organization, you tell the tool what to look for and it finds it. You get file name matching, okay, which is anything you might think is material to the
Starting point is 00:13:21 business. You can give it actual names. Here's the spreadsheet with our payroll. That's right, with our super secret recipe for Coke recipe, right? Right, okay. Got it? And more and more machine learning to identify unknown sensitive data. And for what they do, they're pretty good at the traditional perimeter protection like web traffic and email. But check your vendor before you buy, because make sure they cover your other data islands, like SaaS and hybrid cloud deployments, and even your employees' devices, both company-provided and personal. Well, okay, so what part do things like encryption play in this? Things like that
Starting point is 00:14:03 and deception, those kinds of things? We did talk about those tools, and the consensus was that most people think that encryption is the most important. But what the CISOs brought to the hash table was they don't solve all of your data loss problems, but for your material data, it's probably the most effective. And then for deception, the commercial market has definitely made it easier to deploy these kinds of things. But all of our CISOs this week said that they would not tackle deception as a key plank in their InfoSec program until they got a handle on some of the more important strategies like intrusion kill chains and zero trust and resilience. The one tool that popped up that I wasn't aware of before is something called UEBA
Starting point is 00:14:45 tools or user and entity behavioral analytics. Have you heard of that before? Go on. Well, I'm not smart enough to explain it. So here's Dawn Cappelli. She's the Rockwell Automation CISO, explaining what these tools do. So UEBA is User and Entity Behavioral Analytics. Basically, it's a tool that you can bring in diverse data sources and integrate them together, sort of on the order of a SIEM, but it's people-based or entity-based. So you can go into Dawn Cappelli and look at all of my activity from all of these various logs. And you can bring in contextual data about the person or about the organization. So for instance, my termination date, if I have a termination date set, that greatly increases my insider risk. And so the risk models, once they see a termination date set, it increases my risk score, especially if there's any suspicious activity associated with me. You also can build watch lists. If you have something happening in your organization, like a reduction
Starting point is 00:16:07 in force, you can integrate that into those risk models. So it's a very comprehensive technology for an insider risk program. All right. Well, that is interesting indeed. So what happens from the vendor's point of view? How are they delivering these sorts of things? So like other security services, you can get these UEBA, and I slowed down to say that acronym, either on-prem devices or from SaaS providers. But what's interesting is the market for UEBA tools has been shifting these past few years. More and more, you're starting to see the functionality of UEBA
Starting point is 00:16:43 end up in SIEM vendors, which I think is interesting. What are the implications of that? It just means that for something we thought was going to be a standalone tool, the bigger tools like SIEMs, and I'm guessing you're going to see it pop up in SOAR also, that it's just going to be sucked up into those bigger platforms as a feature and not just a point product that you buy. All right. Interesting stuff. Well, you can check out the entire episode of CSO Perspectives. Head on over to thecyberwire.com. Rick Howard, thanks for joining us.
Starting point is 00:17:17 Thank you. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at Bristol University. Awais, it's great to have you back.
Starting point is 00:18:29 You know, it seems to me like quite often there's a little bit of tension between cybersecurity and the goals of a business. You know, you want to have as little friction as possible, but things need to be secure as well. What are your thoughts on that? So, you know, there is the old cliche
Starting point is 00:18:44 that, you know, the security investment, if there are no attacks, then does that mean that you are not going to face any attacks anyway, or that the security investment actually made sure that those attacks couldn't take place? So the key challenge with regards to security tends to be the investment in security is not always visible in terms of business benefits. So while a regular product can make the case that this will, for example, bring in an investment in that product, will bring in a tenfold increase in revenue, that is not something that security has been able to do. I think the other challenge comes from the fact that a lot
Starting point is 00:19:21 of the security metrics that we use are very, very low level. So we often talk about, you know, sort of, for example, the number of viruses detected, the number of, you know, potential malicious scans and things like that. And when we are talking about security for an organization, they don't always easily translate into those kind of top level strategic goals and how do they relate to them. So, for example, if you had 1,000 viruses detected, what does that mean overall in terms of business strategy and business goals? And I think one of the key things is that work needs to be done to try and understand what the overall business objectives are and how they relate to particular security actions
Starting point is 00:20:06 that an organization might be taking. And then how do those things actually translate into those low-level metrics? Isn't that something that is really the responsibility of the security team of being able to translate all of that into language that the business leaders can understand? Yes and no. So yes, there is a responsibility of the security team. But one of the things that we always say with regards to
Starting point is 00:20:31 risk management, and this sort of thing we teach in Risk Management 101 nowadays, is that cybersecurity risk should be a board-level concern, right? And as a result, I think it's very important for boards to think about the problem in a strategic fashion and actually highlight what they are trying to achieve with regards to their cyber security posture: what is the level of risk that is acceptable, what kind of risks they are trying to mitigate. And then, of course, it's part of the job of the cyber security team to actually implement those strategic directions, but then also be able to feed back as to how the metrics that they collect align with those strategic level goals. So I think the key here is that this is a two-way relationship. So there has to be top-down strategy setting from all the way from the board level to the C-suite down to the security team and actually throughout an organization as its culture.
Starting point is 00:21:30 But then there has to be systematic ways of actually collecting that information and reporting back towards those strategic goals as to whether those strategic goals are being met and whether the risks that the organization was trying to mitigate are being effectively mitigated. All right. Well, Professor Awais Rashid, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:22:23 It'll save you time, keep you informed, and it'll keep your hair nice and shiny. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Errol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:23:34 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
