CyberWire Daily - Cyber threats to, and around, the Olympic Games. Kaseya got a decryptor, from somewhere…. NSO says it’s not responsible for Pegasus misuse. US cyber policy toward China. Fraud Family busted.

Episode Date: July 23, 2021

The Olympics are underway, and the authorities are on the alert for cyberattacks. Kaseya has a decryptor for the REvil ransomware, but it hasn't said how it got the key. NSO Group says it's not responsible for customer misuse of its Pegasus intercept tool. US policy toward Chinese cyber activities shows continuity, with some diplomatic intensification, but hawks would like to see more action. Our guest Jack Williams from Hexagon joins Dave to discuss the promises and challenges of smart cities. Podcast partner Chris Novak of Verizon talks about advancing incident response. And Dutch police make arrests in their investigation of the Fraud Family. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/141

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Olympics are underway and the authorities are on the alert for cyber attacks. Kaseya has a decryptor for the REvil ransomware, but it hasn't said how they got the key. NSO Group says it's not responsible for customer misuse of its Pegasus intercept tool. U.S. policy toward Chinese cyber activities shows continuity with some diplomatic intensification,
Starting point is 00:02:22 but hawks would like to see more action. Verizon's Chris Novak looks at advancing incident response. Our guest is Jack Williams from Hexagon on the promises and challenges of smart cities. And Dutch police make arrests in their investigation of the Fraud Family. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 23rd, 2021. The Tokyo Olympics are officially underway with the opening ceremonies held today. The Washington Post takes due note of the risk of a disruptive cyber attack on the Games, pointing out that the last two Olympics sustained Russian cyber attacks in apparent retaliation for the disqualification of some of that country's athletes in a doping scandal.
Starting point is 00:03:30 Last autumn, Britain's National Cyber Security Centre reported finding signs that Russia's GRU had conducted reconnaissance of the Games' organizers, logistics services and sponsors. Whether such reconnaissance will serve to prepare attacks against the Games, originally scheduled for last year but postponed until now due to the pandemic, remains to be seen. The U.S. FBI outlined the nature of the threat in a general way in an advisory issued earlier this week. The Bureau said that both criminal and nation-state activity is possible. The Record reports that an Olympic-themed wiper was discovered Wednesday, but this seems more
Starting point is 00:04:13 opportunistic use of the Olympics as bait as opposed to an attack on the Games themselves. The Tokyo-based security firm Mitsui Bussan Secure Directions, who made the discovery, said that the wiper was selective. It doesn't indiscriminately delete everything found on a drive, but instead concentrates on specific file types found in the user's personal Windows folder. It deletes Microsoft Office files and also text, log, and CSV files. The targets of the wiper appear to be confined to Japan, but the FBI's general warning holds good. Be alert for Olympic-themed phish bait.
Starting point is 00:04:55 Such social engineering accompanies any event that attracts widespread public interest. Kaseya has obtained a decryptor for the ransomware REvil deployed against it at the beginning of this month. The company is using it to help its customers recover data affected by the incident. Kaseya says only that it obtained the decryptor from an unnamed third party, but adds that it's working with ransomware decryption specialist Emsisoft, and that Emsisoft has confirmed that the decryptor is effective. Computing speculates about who that unnamed third party might be, and it comes up with three leading candidates: the U.S. government, the Russian government, or a ransom payment to the attackers.
Starting point is 00:05:39 One might understand why Kaseya would be reluctant to identify any of those sources. NSO Group tells the BBC that blaming the company for abusive use of its Pegasus tool is like, quote, criticizing a car manufacturer when a drunk driver crashes, end quote. NSO continues to dispute any connection between the leaked list of 50,000 alleged targets. A company representative said, "It's an insane number. Our customers have an average of 100 targets a year. Since the beginning of the company, we didn't have 50,000 targets total." Haaretz observes that this seems unlikely to deflect criticism of NSO Group,
Starting point is 00:06:23 which for some time has been widely criticized for its selection of customers. Letters from Novalpina Capital, one of NSO Group's principal owners, to Amnesty International in 2019 describe how NSO would seek to prevent the abusive use of its tools and ensure compliance with Israeli export laws. Those letters make some of the same points NSO Group is making now, notably that it doesn't operate its own tools once those are provided to its government customers. But they also acknowledge the general soundness of investigations by Citizen Lab
Starting point is 00:06:58 and undertake to perform due diligence with respect to the company's sales. The Wall Street Journal looks at U.S. policy with respect to China, and specifically with respect to Chinese actions in cyberspace, and sees both continuity with the previous administration's policy and an intensification of that policy's hard line. The intensification comes largely through successful involvement of allies in attributing misbehavior in cyberspace to China. An unnamed U.S. official told the Journal, quote, What gets Beijing's attention the most is not just when it's the United States doing something, but when it's the United States rallying our allies and partners to do something together,
Starting point is 00:07:43 end quote. An editorial in the Wall Street Journal complains that action against China is still more talk than action, and that if this continues, the U.S. will communicate nothing but weakness. In fairness, as a Breaking Defense op-ed puts it, the U.S. is playing the long game here, and more consequences may be imposed at a later stage in the diplomatic process. Netherlands police have announced the arrest of a 24-year-old man and a 15-year-old boy in connection with the investigation of a group, the Fraud Family, that developed phishing kits and sold them via a Telegram channel to criminal customers in Belgium and the Netherlands.
Starting point is 00:08:30 The 24-year-old allegedly wrote the code and the 15-year-old allegedly sold it. A third suspect, an 18-year-old man, was also taken into custody, but his alleged role in the caper is unclear. Group-IB has been tracking the Fraud Family since last year, when its alleged principals were even younger than they are now. It's another instance of the commodification of attack tools, in which criminals purchase relatively capable kits that are easy to use and beyond the end-user's interest in or ability to prepare their own. Group-IB's blog said,
Starting point is 00:09:00 quote, The phishing frameworks allow attackers with minimal skills to optimize the creation and design of phishing campaigns to carry out massive fraudulent operations all while bypassing 2FA, end quote. Similar kits aimed at a similar criminal market in the Netherlands seem to have been sold since 2018. Group-IB says it tipped off the Dutch police to the Fraud Family. And we say, bravo, Group-IB. And finally, InfoSecurity Magazine, which has come under a persistent distributed denial of service attack, has decided to take its site down temporarily
Starting point is 00:09:38 while it migrates to a new, more robust hosting provider. We wish them a quick recovery. The InfoSec space is the poorer for their temporary absence. Good luck to InfoSecurity, and we hope to see them back soon. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:16 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:41 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The term smart cities was coined a few years ago,
Starting point is 00:11:58 and at the time it invoked all of the promise of a connected future, benefiting citizens, businesses, and municipalities alike. In the intervening years, many people interested in this particular area have chosen to come at it from a decidedly practical lens. Jack Williams is Director of Portfolio Marketing at Hexagon Safety Infrastructure and Geospatial. I checked in with him for an update on where we stand with smart cities. Historically, smart cities, it's a very ambiguous term. You'll see a lot of folks that, you know, they'll install networks or technology into the city. You know, you'll see things such as intelligent street lamps
Starting point is 00:12:39 and wireless networks that allow things to connect, and they'll call that smart cities. But I think it's just a very high-level term that really, to come to some standard definition, is kind of challenging, to be perfectly honest. I think a smart city is basically just a city that's resilient at a high level, a city that is maximizing the resources that it has using technology and digital technology to really bring together the citizens. Well, let's touch on some of the cybersecurity issues that may come into play here. What are some of the things that, as cities implement these technologies, need to be on their radar?
Starting point is 00:13:24 The sum of the parts is greater than each individual piece. And so that becomes, okay, we're laying a foundation, a network. We're defining a space that allows people to communicate. And that's kind of the way we approach it. And so with that comes the technical challenges of, okay, how do I integrate all these different data, whether it's from IoT devices, whether it's from various operational systems that people might have. Maybe there's different ecosystems and departments, maybe at a federal level that you need to communicate with, and then there's citizens.
Starting point is 00:14:04 So you've got the technical challenges of integrating and interfacing, and then you've got this deluge of data. And that brings a lot of great possibilities, but it also opens yourself up to a lot of risk. What are you doing with this data? How are you going to make sure that it's secure and you're maintaining privacy laws? Cybersecurity is at the forefront. And so the way we have tackled that is instead of historically, Dave, I would say there has been a lot of, okay, I'm going to, you know, I'm this regional, it's usually a public entity. And they're going to say, okay, I want to share data.
Starting point is 00:14:45 Why don't everybody, you know, I call it forced cooperation, right? It's, why don't you share your data with me? And I'll throw it all in a big data lake or some big central repository. And we'll hire some big consultant and some, you know, one of these big firms to come in and set up this big citywide ecosystem. And we'll have this big central repository. And the world will be great, right? First off, that takes a lot of time, a lot of money. And second off, it opens yourself to a lot of data governance challenges, a lot of privacy
Starting point is 00:15:22 and security risk, because you're sort of managing that. And one entity is getting all the benefit. And so the angle that we've tried to accentuate it and push is, hey, how about instead of one entity sort of driving the train, you create a space, a neutral space by which people can participate how they want, when they want, and with what data they want, they can share. What about for the citizens themselves and their interaction with a city that has enabled these sorts of things? What are the upsides for them? So when it comes to upsides for citizens, a lot of what you'll see cities doing today is they will, and citizens, and I'm thinking business owners as well, throwing them all into this bucket. What you'll see cities doing today, and I've noticed quite a few, is creating these urban data exchanges. So this is the concept of people publishing out their data and making it available. And I'm
Starting point is 00:16:26 not talking about an open data portal like a lot of cities have where they'll just publish monthly crime stats and where the fire hydrants are and where the dog parks are. I'm talking real-time streams of information. And what they do is they provide, the city can normalize and sort of get all this information into what I'll call common language and expose that as, and basically acting as a facilitator, expose those as services so that people can build applications on top of that. And so these applications could be anything. I mean, it could deal with parking. It could deal with tourism. It could deal with where the lines are, where traffic is. I mean, from a citizen perspective, by a city becoming smart, and by smart I mean enabling and laying a foundation for people, entities to connect, share data, collaborate. They can also provide a layer, an application layer, that people can build on top of and develop applications that benefit the
Starting point is 00:17:25 citizens themselves as well as the broader community. And then you also have other aspects where, you know, departments, other departments outside of public safety or city government, but health and human services, things like that. If these agencies become more connected within city government, because believe it or not, a lot of these agencies in the same city don't even talk to each other very well, better service can be provided to the citizens themselves. So there's a lot of benefit. And with all that, there always is a data privacy concern. So like I said, you always have to have that at the forefront.
Starting point is 00:18:03 But I do believe there's ways to mitigate the exposure to risk. Let the people take it from there. I mean, like I said, you can only lay that foundation, but ultimately it's a community effort. That's Jack Williams from Hexagon. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Chris Novak. He's the global director of Verizon's Threat Research Advisory Center.
Starting point is 00:19:23 Chris, it's always great to have you back. I wanted to touch today on incident response. I know you and your team have been focused on this lately. It's something where you're looking on advancing your capabilities there. What can you share with us? Sure. Yeah, always great to be on the show, Dave. Thanks again. So yeah, we're always looking to try to figure out what it is that we can be doing to evolve our capabilities, evolve the kind of outcomes that we can bring to clients when they're looking for help from an incident response perspective. And, you know, when we look at things, you know, there's been the historical, traditional way of doing things. You'd go on site, you'd grab disk images. Heck, I remember back in the early days, I mean, these are real early days, I'm dating myself here. But we'd go on site with a binder full of floppy disks to boot up a system. And then you'd have a hard drive you'd try to pull that data down on. And it would take seemingly weeks to grab a forensic image. And obviously, things have evolved substantially since then. Things have gotten so much faster.
Starting point is 00:20:23 But we're trying to obviously move away from that entire model altogether. Now almost everything we do is able to be done remotely. We're able to extract a lot of triage data from systems without ever having to actually physically lay hands on them. But one of the things we're trying to extend beyond that is, you know, obviously everybody knows Verizon as a giant telco. One of the things we're trying to take advantage of is some of our new capabilities around things like 5G and how we might be able to integrate 5G connectivity and the speeds that that brings with our ability to provide a client with out-of-band data collection. data out of an environment for incident response purposes, or we wanted to stream data out while there was maybe a live incident going on and we didn't want it going in and out the same pipes or crossing the same east-west corridors within their network because, you know, maybe the threat actor is looking at it. Maybe the threat actor has access to some of their infrastructure. Being able to drop in essentially a 5G transmitter will allow us to actually be able to take that data
Starting point is 00:21:26 and provide that organization with a complete out-of-band mechanism of us being able to interact with them and them being able to interact with us and being able to do it at gigabit plus speeds. And that's something that just historically you just couldn't do before. Yeah. How much of this, you know, the shift we've seen, I'd say the accelerated shift that we've seen to the cloud, thanks to so many organizations responding to COVID, does that make your life easier as well? As you say, you don't necessarily have to be on site. Yeah, it actually does. So I think that it makes our life easier in a couple of ways. One is, you know, we're finding an increasing number of organizations have either already moved or in the process of moving to cloud and replicating data
Starting point is 00:22:10 from their instance to ours for purposes of doing, you know, incident response or investigations. I mean, that is almost as simple as a button click and the speed to do that is tremendous. So that has been, you know, I'd say a huge improvement that I think probably all of us in the incident response community have seen and same for our clients. But then the other benefit we get out of that as well is Verizon had announced that we've got a pretty extensive partnership with Amazon Web Services as it relates to our 5G MEC capabilities. And so that actually goes one step further and says, we not only have the ability to pull data at incredible speeds over 5G, but our 5G radio is literally connected right to the edge of an AWS environment.
Starting point is 00:22:58 So we can either push or pull data between, think of it as a cloud environment, over a gigabit plus out of band, in and out of a customer environment, just as seamlessly as we would do anything else. Hmm. Yeah, that's fascinating. I mean, I have to say it's nice to hear of a specific use case for 5G. I think for a lot of us, that's been a little fuzzy till now. So it's interesting to hear a specific description like that. Yeah.
Starting point is 00:23:21 I mean, that was something that our team was always looking for as we said, hey, this is fantastic. You know, it's great for, you know, streaming more movies or all the other things people have talked about, but for us and my team, as it relates to security, that out of band piece is critical. I mean, I'll give you a, for example, we had an organization that was suffering a fairly massive incident and they needed some really bad help. And they were basically saying, look, they got to the point where they were basically saying that they were going to just shut down all of their internet connections worldwide.
Starting point is 00:23:48 They said, look, we need to get this under control before this gets worse. We're just going to shut down all of our internet connections. But then the next question they had was, how do we get all of the necessary incident response data now out of the environment? Trying to do that all via sneaker net is really just not feasible. And we said, well, we could drop in wireless connectivity. And so we did some proof of concept around some of these areas to be able to say, all right, let's see what we can actually move in and out. We can drop in some of these things in strategic locations where we know we already have the 5G infrastructure in certain cities to be able to essentially pull that data out. And so that proof of concept was fantastic for us. I expect that
Starting point is 00:24:23 that'll be something that will be integrated more formally into, you know, a lot of our offerings going forward, especially as it relates to incident response. All right. Well, Chris Novak, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Be sure to check out my conversation this weekend with Christopher Budd from Avast Threat Labs. We're going to be talking about their research into Crackonosh, a new malware distributed in cracked software.
Starting point is 00:25:16 That's Research Saturday. Check it out. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:26:18 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
