CyberWire Daily - Cyber conflict in the Caucasus. Zerologon exploited in the wild. Emotet rising. The Four Horsemen of Silicon Valley. Alt-coin regulation. DDoS in Honolulu.
Episode Date: October 7, 2020
Cyber ops accompany fighting in the Caucasus. Iranian threat group exploits Zerologon in the wild. The Kraken gets unleashed in Southeast Asia, of all places. Emotet is back, and it's after state and local governments. The US House identifies the Four Horsemen of Silicon Valley. Monero gains criminal market share. The US Comptroller of the Currency moves for clarity in alt-coin regulation. Joe Carrigan takes a look at ransomware trends. Our guest is Mathew Newfield from Unisys with remote school safety tips for students and parents. And a cyberattack from Waikiki. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/195
Transcript
You're listening to the CyberWire Network, powered by N2K.
Iranian threat group exploits Zerologon in the wild. The Kraken gets unleashed in Southeast Asia, of all places.
Emotet is back, and it's after state and local governments.
The U.S. House identifies the four horsemen of Silicon Valley.
Monero gains criminal market share.
The U.S. Comptroller of Currency moves for clarity in altcoin regulation.
Joe Carrigan takes a look at ransomware trends.
Our guest is Mathew Newfield from Unisys with remote school safety tips for students and parents, and a cyber attack from Waikiki.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 7th, 2020.
Lethal kinetic warfare now carries with it inevitable cyber operations as combat support. Fighting between Armenia and Azerbaijan over the disputed territory of Nagorno-Karabakh continues.
It's increasingly accompanied by supporting cyber operations. Cisco's Talos unit finds that an
unspecified threat actor, probably a foreign espionage service, is deploying PoetRAT malware against
government and civil targets in Azerbaijan, often through phishing campaigns themed to take
advantage of the ongoing conflict. That foreign intelligence service need not belong to Armenia.
Many governments in the region are interested in the conflict.
Both Turkey and Russia, for example, are closely concerned with the fighting.
Microsoft has identified active exploitation of the Zerologon vulnerability, CVE-2020-1472,
by the Iranian threat group Redmond tracks as MERCURY, but which is more generally known as
MuddyWater. The attacks began after public disclosure of a Zerologon proof of concept,
ZDNet reports. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure
Security Agency directed in Emergency Directive 20-04, issued on September 18th, that all U.S.
federal agencies patch Zerologon, giving them three days to complete patching and report
compliance. The attacks appear to have begun some days after CISA's deadline expired.
Researchers at security firm Malwarebytes have blogged an account of what they've learned about
Kraken, a fileless attack mounted by an advanced persistent threat group. Kraken, which is for the most part spread by phishing,
often with workers' compensation phishbait,
injects its payload into the Windows Error Reporting Service,
the better to evade defenses.
It's not an entirely novel technique,
but it does seem new with respect to this particular threat group.
Exactly who that threat group is remains murky,
but Malwarebytes sees signs that
it may be APT32, a Vietnamese espionage outfit that's used similar tactics and tools, and that
has been most interested in regional targets, including those in the Philippines, Laos, and
Cambodia. CISA yesterday issued another warning to the effect that the long-familiar Emotet Trojan is not only back, but back in a big way.
Its principal targets, the ones CISA is concerned about anyway, are U.S. state and local governments.
Emotet has come and gone. It went quietly in February, returned from five months' occultation in July,
and began to appear in attacks against state and local governments in August.
It's also a problem of international scope.
As CISA points out,
cyber agencies and researchers alerted the public of surges of Emotet,
including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands.
Emotet botnets were observed dropping TrickBot to deliver ransomware payloads
against some victims and Qakbot Trojans
to steal bank credentials and data from other targets.
End quote.
Senator Sherman, thou shouldst be living at this hour.
Or something like that.
The U.S. House has released the results of its antitrust inquiry
into big tech. The subcommittee investigating concluded that Silicon Valley is a hive of
monopoly on a scale not seen since the 19th century's Gilded Age. Quote, to put it simply,
companies that once were scrappy underdog startups that challenged the status quo have become the ... Google's parent Alphabet, Apple, Facebook, and Amazon are singled out as the new robber barons.
150 years ago, it was Stanford, Hopkins, Huntington, and Crocker.
Nowadays, it's apparently Pichai, Cook, Zuckerberg, and Bezos.
The harsh report is largely reflective of the subcommittee's Democratic majority.
The Republican members, while hardly carrying water for big tech, really aren't entirely on
board. The report so far hasn't affected the stock market, where Seeking Alpha reports
the companies mentioned in dispatches seem to be holding steady.
Digital Shadows finds that Monero is taking market share from Bitcoin as the preferred
cryptocurrency of criminals, extortionists, and dealers in contraband in general. What the
criminal customers want in currency are accessibility, usability, and anonymity. The
attractiveness of those three qualities
tends to vary with circumstances,
prominently figuring in which is the extent
to which the gangs feel the heat is on.
As recent criminal cases have shown,
while Bitcoin and Monero are both appealing
because they're relatively more difficult to trace,
they can, in fact, be traced
with the right application of effort and technology.
So, while both leading alternative currencies are imperfectly anonymous, Monero is generally
thought to have the edge. In any case, it seems to enjoy a lower profile in the
glare of law enforcement. From stories like this, it's easy to get the impression that altcoin is inherently shady,
and that the only people interested in cryptocurrencies are get-rich-quick tinhorns, black marketeers, pump-and-dump artists, and so on.
But that's not at all true, and we wouldn't want to leave you with that impression.
In fact, they are maturing as legitimate financial instruments, and are growing into a mature regulatory framework.
The Office of the Comptroller of the Currency, hoping to ease financial institutions'
leeriness of cryptocurrencies, has issued interpretive letters designed,
the Wall Street Journal says, to provide some clarity with respect to regulation.
The OCC hopes, according to the Journal, to avoid the mistake that's hobbled adoption of new technologies
in the past, reliance on the most conservative possible interpretation of law and regulation.
So you thought Waikiki was all sand, sun, surf, and island relaxation, didn't you? It seems that
a gentleman who was arrested in May for carrying ammunition illegally to a Black Lives Matter protest,
one Christian Grado, is again in hot water with the law for mounting a denial-of-service campaign against the Honolulu Police Department.
Hawaii News Now reports that his public defender says Mr. Grado isn't dangerous, and maybe he's not, but the Honolulu prosecutors disagree.
Dangerous or not, his LinkedIn profile shows something of a renaissance man,
current dance instructor, former U.S. Army mortar platoon leader, West Point graduate, and so on.
What he was doing carrying ammo to a protest isn't clear, but give him an A for initiative.
He set up a GoFundMe campaign to stake him bail when he was scooped up by the police in May.
If you've got school-aged kids, there's a good chance they are either learning at home or spending a lot less time at school than they used to.
That new reality is proving challenging to many parents, logistically, for sure,
but there are security issues as well.
Mathew Newfield is Corporate Information Security Officer at Unisys,
as well as a board member of the National Technology Security Coalition.
He joins us with remote school safety tips for students and parents.
So one of the things we recommend is you have to differentiate work and play. This is something
I think a lot of parents are not doing when it comes to cyber and technology early enough in a child's life so that it becomes
really like muscle memory for them. Most people, when they go into the corporate world, they
have to adhere to that acceptable use policy that a lot of us have heard of or even written for
corporations. And teaching a child at a young age that there is a difference between what you can do on a computer for school and what you can do on a computer for fun.
So let's focus on for school.
And I recommend one of two things, depending on the situation that you're in.
If you're fortunate enough to have multiple machines, let's say your child has their own laptop or desktop and the school provides one for them to use.
Explain to your child that when they're on the device for school, it is for school purposes only. There's no social media. There's no video games. There's no internet surfing. None of that can happen while you're on that device. And when you're on your personal device, while you can surf and maybe do the things you authorize them to do, there's no schoolwork.
And that's a foundation. Do you have any advice for working with folks who may feel a little
overwhelmed with this? I'm thinking about parents in particular who may not be that technically savvy,
and they're faced with the challenge of securing these devices, their home network, and looking
out for their kids all at the same time. It may be new ground for them. Not only is it new ground,
but it can be massively overwhelming. And we get that, I get that. A lot of us in the cyber community get that.
And we're here to help. We're doing things like this and having these conversations to try to
educate people on what they should be doing. And there are a lot of online resources.
If you think about the companies that you've bought services from, your home internet,
going to their official website and looking for their
guides on how do you lock down their security guides or how do you harden the devices you bought
is a good start. And doing some basic research online of good cyber hygiene for the home
is key. And then understanding that they're not at it alone.
There are enough of us in this community. We want to help. So reach out to me, to others,
to people you may know in this field and ask for assistance. There are no dumb questions here.
And to your point, this is new ground. None of us have been dealing with this full-time school from home before. So ask people
who at least have the basic understanding of cybersecurity methodologies what they should do.
That's Mathew Newfield from Unisys.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting article caught my eye.
This is from ZDNet from Steve Ranger.
It's titled, Ransomware.
Gangs are shifting targets and upping their ransom demands.
Give us the skinny here, Joe.
What's going on?
This is coming from IBM X-Force,
which is their incident response team.
And IBM has said their responses to ransomware attacks have tripled from the last quarter to the previous quarter.
And I don't know if that's because ransomware is on the rise.
It's probably a combination of these factors.
Ransomware is on the rise, and IBM is probably good at responding to these things, so their sales are going up as well.
But tripling is pretty good.
That can't all be just because
IBM is making more sales. This is actually because the crimes are becoming committed at a higher
rate. The biggest three industries they target are manufacturing, and they get hit by 25% of
the ransomware attacks that IBM responds to. Professional services and government. And these
are organizations with low tolerances for downtime.
If you think back to the Baltimore ransomware attack and the chaos that that
worked on that city because of the downtime, it's devastating. It's tough.
IBM has seen the trend where these ransomware attacks are also becoming data breaches, and they're saying, we're going to sell your data on the black market. And when their data gets sold, IBM is reporting that they've seen prices
ranging from $5,000 to $20 million as a sale price for a company's data.
So Sodinokibi is the ransomware group responsible for at least a third of the incidents that IBM
responds to. And IBM estimates that
Sodinokibi has victimized about 140 organizations with about a third of them paying up. And that
makes their revenue at about at least $81 million. That's how much Sodinokibi has made with ransomware.
So that's really why they do this, right? There's $81 million to be had.
Talking about real money.
Right, exactly. This is not small potatoes anymore. They are getting more sophisticated
about how they calculate their ransom requests, which is smart, right? I talk about how all of
this is an economic situation. There are economic forces at work, and their requests range from 0.08% to about 9.1%
of the victim company's annual revenue. And those dollar amounts range from $1,500 to $42 million,
depending on what your annual revenue is and where you fall in that percentage spectrum.
I guess the $1,500 incident is probably somebody who runs a small business who got hit by
it. And what do you do if you're a small business who gets hit by ransomware? Your best bet is
probably just to pay up, right? $1,500, it's not that big of a deal. You don't have the resources
to have a security response team come in. Probably not going to put you out of business.
Probably not going to put you out of business, but losing your data may very well do that. So it's kind of an easy decision.
But $42 million is a pretty big ransom to pay. And even if that's high on the spectrum of
percentages of annual revenue, I mean, 10% of annual revenue is not going to be payable by a
lot of companies, unless they have a big stockpile of cash. Revenue is way more than the disposable cash that a company has on hand.
Yeah, well, and some of these are getting paid by insurance companies, right?
Yeah, some of them probably are getting paid by insurance companies. That's right.
And, you know, maybe they're offloading that risk to the insurance company and they're helping out.
Yeah, it's interesting to me with this continued sort of
professionalization of ransomware and its place in the ecosystem, if you will, as people
grow accustomed to it. Insurance companies have policies for it. You know, businesses have
plans against it to deal with it. Doesn't seem like it's going anywhere anytime soon.
No, it doesn't.
And Caleb Barlow on an upcoming episode of Hacking Humans talks about this
and talks about the possibility of outlawing payments.
And we discussed that a little bit and what kind of impact that would have.
If it became illegal to pay a ransom,
if there was a law that said you're subject to more fines and you're also
maybe subject to prison time for doing this, I think that might have an impact on it. I'm not
saying that we should definitely do that right now, but I think it's definitely time to have
this conversation. All right. Well, the article again is titled Ransomware. Gangs are shifting
targets and upping their ransom demands.
That's over on ZDNet.
Joe Carrigan, thanks for joining us.
My pleasure, Dave. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time, keep you informed, and it will get its peanut butter in your chocolate.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.