CyberWire Daily - Cyberespionage against belligerents' industry. Tornado Cash sanctions. Data breaches at Twilio and Klaviyo. Intercept tools and policies in Canada.
Episode Date: August 9, 2022
Tracking apparent Chinese industrial cyberespionage. Tornado Cash sanctions. Twilio discloses a breach. Social engineering exposes data at Klaviyo. Microsoft's Ann Johnson previews the latest season of Afternoon Cyber Tea. Joe Carrigan tracks the growth in cryptojacking. And what might the Mounties be monitoring?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/152
Selected reading.
Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China (SecurityWeek)
China-linked spies used six backdoors to steal defense info (Register)
U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury)
Twilio hacked by phishing campaign (TechCrunch)
Twilio, a texting platform popular with political campaigns, reports breach (CyberScoop)
Incident Report: Employee and Customer Account Compromise - August 4, 2022 (Twilio Blog)
Email marketing firm hacked to steal crypto-focused mailing lists (BleepingComputer)
RCMP has used spyware to access targets' communications as far back as 2002: Senior Mountie (Global News)
RCMP says it has not used Pegasus spyware (POLITICO)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Tracking apparent Chinese industrial cyber espionage,
Tornado Cash sanctions,
Twilio discloses a breach,
social engineering exposes data at Klaviyo,
Microsoft's Ann Johnson previews the latest season of Afternoon Cyber Tea,
Joe Carrigan tracks the growth in cryptojacking,
and what might the Mounties be monitoring?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, August 9th, 2022.
Malwarebytes reported last week that an unknown threat actor was deploying an attack tool the researchers called Woody RAT against Russian targets. Woody RAT has a range of capabilities, including writing arbitrary files, staging and executing other malware strains,
collecting information from infected devices, and deleting files.
The researchers conclude, this very capable RAT falls into the category of unknown threat actors we track. Historically, Chinese APTs such as the Tonto Team, as well as North Korea with Konni, have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.
Other activity against industrial targets in Russia, Ukraine, and Belarus is being tracked by Kaspersky and others.
Circumstantial evidence points to TA-428, a Chinese threat actor also known as Colorful Panda and Bronze Dudley.
Kaspersky concludes,
A Chinese-speaking group is highly likely to be behind the attacks.
We can see significant overlaps in tactics, techniques, and procedures with TA-428 activity. The attack analyzed used the same weaponizer, which embeds code of a CVE-2017-11882 exploit in documents,
as in earlier TA-428 attacks that targeted enterprises in Russia's military-industrial complex.
Some indirect evidence also suggests a Chinese-speaking group very likely being behind the attack.
This includes the use of hacking utilities that are popular in China, such as Ladon,
the fact that the second-stage CNC server is located in China,
and the fact that the CNC server registration information includes an email address in the Chinese domain 163.com specified in the administrator's contact data.
And the timing of the activity shows the characteristic 8-to-5 workday, Shanghai time,
that has marked the clock-punching diligence of Chinese cyber operators in the past.
These incidents suggest that however closely aligned Russia and China might be,
espionage services will collect against belligerents wherever their announced sympathies may lie.
The U.S. Department of the Treasury has elaborated on the sanctions it imposed yesterday on Tornado Cash,
a cryptocurrency mixer Treasury connects to money laundering.
Treasury says that Tornado Cash has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.
This includes over $455 million stolen by the Lazarus Group. The Lazarus Group,
of course, is the North Korean cyber operations group that has for years engaged in cybercrime
designed to fund Pyongyang's weapons programs and to mitigate the crippling effects of sanctions
on the North Korean economy. Under Secretary of the Treasury for Terrorism and Financial
Intelligence Brian E. Nelson said in the statement, despite public assurances otherwise,
Tornado Cash has repeatedly failed to impose effective controls designed to stop it from
laundering funds for malicious cyber actors on a regular basis and without basic measures to
address its risks.
Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.
Tornado Cash's assets are blocked,
and U.S. persons are prohibited from doing business with the mixer.
Twilio, which TechCrunch describes as a communications giant whose platform enables
developers to build voice and SMS features into their apps, has disclosed a data breach. They say,
on August 4th, 2022, Twilio became aware of unauthorized access to information related to
a limited number of Twilio customer accounts through a sophisticated social engineering attack
designed to steal employee credentials.
This broad-based attack against our employee base
succeeded in fooling some employees into providing their credentials.
The attackers then used the stolen credentials
to gain access to some of our internal systems
where they were able to access certain customer data.
The company is working directly with affected customers, and it still has the incident under
investigation. Cyberscoop reports that Twilio is heavily used by political campaigns.
In another incident traceable to credential theft, Bleeping Computer reports that the email marketing firm Klaviyo has disclosed a data
breach. The firm wrote on its blog, on August 3rd, we identified a Klaviyo employee's login
credentials had been compromised as a result of suspicious activity from our internal logging
and a user report. This allowed a threat actor to gain access to the employee's Klaviyo account and, as a result, some of our internal support tools.
Klaviyo, much of whose business is focused on cryptocurrency, explained that the attacker seemed interested in two classes of information.
They said,
support tools to search for primary crypto-related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment
information. The information downloaded contained names, email addresses, phone numbers, and some
account-specific custom profile properties for profiles in those lists or segments. All of these accounts have
been notified with the details of which profiles and profile fields were accessed or downloaded.
The Threat Actor also viewed and downloaded two of Klaviyo's internal lists used for product and
marketing updates. These exports included information such as name, address, email address,
and phone number. The download did not include any passwords, password hashes, or credit card numbers.
The download also did not include any account data for subscribers who have a Klaviyo account.
All impacted individuals have been notified.
Bleeping Computer says that it's aware of evidence that threat actors are actively looking for the data stolen in the breach.
For now, it's likely that the data will be used by those who stole it or sold to other criminals in the C2C market.
Eventually, the information will probably simply be dumped online, but this incident is too young for that to have happened yet.
Sometimes spyware really is lawful intercept technology,
at least when it's not being abused,
or so parliamentary testimony by Canadian security officials would maintain.
Global News reports that Mark Flynn,
Royal Canadian Mounted Police Assistant Commissioner responsible for national security and protective policing,
told members of the House of Commons Ethics Committee yesterday that between 2002 and 2015,
the RCMP used Canadian-made technology to covertly access electronic information.
He told the committee,
As encryption started to be used by targets that we had judicial authorization
to intercept, we were unable to hear the audio, hear the phone calls, or see the messages they
were sending. That is when we developed the tool and technique to make it possible to intercept
those communications. We have evolved in the use of the tools as individuals evolved in the ways
they communicate. The House of Commons Ethics Committee was conducting an inquiry
into the use of surveillance tools against cell phones.
Mr. Flynn also stressed to the members that hostile foreign states
were certainly using tools at least as powerful,
and that members of Parliament should understand
that they themselves are the targets of foreign surveillance efforts.
Specifying Canadian-made rules out, of course, NSO Group's Pegasus,
which is made by an Israeli company.
Politico reports that Public Safety Minister Marco Mendicino said that intercept tools were not tools of either first resort or convenience,
but rather tools of investigative necessity.
He said the widespread use of encrypted communication
poses a challenge for law enforcement,
and spyware is used to frustrate the efforts
of sophisticated criminal organizations.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7,
365 with Black Cloak. Learn more at blackcloak.io.
And it is my pleasure to welcome back to the show Ann Johnson. She is Corporate Vice President of Security, Compliance, and Identity at Microsoft.
But in addition to all that, as if that weren't enough, she is host of the podcast, Afternoon Cyber Tea.
Ann Johnson, welcome back.
Thank you, Dave. It's always great to be on.
You know, you are just about to kick off season six of your Afternoon Cyber Tea podcast.
Before we dig into what's to come with this season, can you give folks who might not be familiar with the show a brief little overview of what the show is all about?
Absolutely.
Afternoon Cyber Tea, which is, as Dave mentioned, going into season six, is a podcast that we started to try to bring cybersecurity to, as I say, the masses.
So we invite industry leaders, we invite up-and-coming professionals,
we invite folks that have even an academic view of the cybersecurity industry,
and we talk about what's relevant today, what's top of mind for executives at companies related to cyber.
And we always leave the episodes with practical advice for our audience,
things that you can do today to improve the security posture of your organization.
One of the things that I really appreciate about the show is that this is a podcast
that folks who are in cybersecurity on the technical side,
they can share with their friends, their family, their colleagues
who may be interested in cyber,
but not necessarily steeped in it day by day.
Yeah, that was our goal.
We really, it is not a show that if you're a deep cyber practitioner
and you want deep cyber expertise,
we have some episodes that get a bit more technical,
but it really is more on the business and industry trends and the up and coming and attacks and things that are happening side so that you can share it with your parents.
You can share it with your partner.
You can share it with your kids, whoever, and they can learn a lot just about the industry as a whole.
Well, you are just kicking off season six of Afternoon Cyber Tea.
Can you give us a little bit of a preview?
Who do you have lined up this season?
So we are launching with the extraordinary MK Palmore, who is now at Google, but he has
had just this amazing career in the FBI, and he was in the military, and with Palo Alto,
and is just this incredible, really well-respected industry expert.
We're talking about cyber.
We're also talking about Cyversity, which is a diversity initiative that he has been involved with for many years.
We have, up and coming, the incomparable Ira Winkler, who is going to be on the show.
He is going to be talking about securing the metaverse.
Really excited about that conversation.
We have Sounil Yu, who is going to be
on the show. He is going to be talking about the paradigm shift that he sees in cybersecurity and
how we need to start thinking about cyber in a very different way. And we have our own Michal
Braverman-Blumenstyk, who leads the Microsoft Israeli Development Center all up, but she is also
the CTO for the cybersecurity business at
Microsoft. And she is this incredible expert. So those are just a few of the guests. We have a few
more that we're rounding up. And I am absolutely thrilled about the guests that we have up and
coming. One that I didn't mention, by the way, or a pair of them, is we have Dave DeWalt and Jay
Leek, who are going to come and talk about the trends, right? The industry has changed a lot
just in the past two months.
So they're going to talk about the change in the industry from an investment standpoint.
You know, as you head into your sixth season here, has anything changed since you started?
Has your approach, have you refined anything along the way?
You know, this is a really friendly podcast.
It's not a gotcha podcast.
So we've maintained that ethos with the podcast.
But I will tell you that one of the things that we have refined is that making sure that we always have an industry up and comer on the show, making sure that we're talking about a wide variety of topics.
So we appeal to a lot of folks.
You can find a little bit of everything with regards to the podcast.
And just for me, right, this was the first podcast I hosted.
I had been a guest on many, but I hadn't been a host.
So I've refined my own style and how I interact with my guests.
It's really been a fun experience, Dave.
And we've seen just a significant increase in listenership
and people who subscribe.
So we believe we're hitting the mark,
but we're always looking for feedback,
and we take that feedback very seriously
and incorporate it in the show as we go.
Well, the podcast is titled Afternoon Cyber Tea,
and definitely worth your time.
Please do check it out.
Ann Johnson from Microsoft, thanks so much for joining us.
Thank you, Dave.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
You know, a couple years back, I remember when cryptojacking was really – seemed like it was on its way up, and there were a lot of folks saying that cryptojacking was going to be the thing because it was kind of non-confrontational, right?
Yes.
Like, I thought you compared cryptojacking and ransomware, which were both kind of in
parallel ascendancy at the time, but it didn't really work out that way.
It seems like the ransomware folks upped their game, started going after bigger targets.
I came across this article. This is
from outlookindia.com, and it's titled, Cryptojacking Cases Are Rising Globally.
Why so, and should this worry you? What's going on here, Joe?
So cryptojacking, if I can go down to the base level and do the explanation of what it is,
basically it's without permission,
you are mining cryptocurrency, proof of work cryptocurrency on somebody else's computer.
The idea of mining cryptocurrency with proof of work is that this is a hard math problem,
and it requires a lot of processing power to do that. It can be expensive, so why not offload that to some unsuspecting person and have them pay for the electricity and I just get to keep the cryptocurrency? That would be 100% profit, right?
SonicWall researchers have observed that cryptojacking incidents rose by 30%
last year, or in the first, I'm sorry, in the first half of this year over the same period last
year to 66.7 million attacks, which is a lot. An interesting statistic in this article is that the
financial sector has suffered the greatest increase here of 269% year to date. And they
suffer about five times as many cyber attacks, or these cryptojacking attacks, as the retail industry, which is second.
So it's interesting to me that these guys are hitting finance companies more than they're
hitting retail, because I would think finance companies would be harder to get into than a
retail company. I would agree. I wonder, do finance companies have more available computational
power sitting around?
They might. That's a good point. They might have that.
They might actually have some kind of computer sitting around with a bunch of graphics cards sitting in them.
And graphics cards are very good at mining particular cryptocurrencies.
I mean, the best thing to mine a cryptocurrency is an ASIC.
If you have a cryptocurrency like Bitcoin, it can be mined with what's called an application-specific integrated circuit.
Nothing faster than that.
But most cryptocurrencies, including Bitcoin, can be mined on graphics cards.
It is generally not cost-effective.
But again, if you're not paying for the electricity, it's 100% profit. So there are some theories in the article as to why this is happening and why these cryptojacking attacks
are on the rise. The researchers attributed the rise to a crackdown on ransomware attacks,
which we've seen here recently. There are governments that have stepped up to ransomware
awareness and enforcement efforts. The attack against the Colonial Pipeline resulted in a
recovery of 70% of the net proceeds of that because the affiliate program, not the actual
ransomware gang, but the gang that brokered the access, left their keys out on a server that the
feds got access to, and the feds just transferred all the Bitcoin to themselves, which was a way to recover it.
So they're also going around arresting these people, which is happening.
And criminals don't want to get arrested, so they're opting for the quieter life.
Also, in a ransomware attack, the article notes that you have to make it clear to somebody
that they've suffered a ransomware attack and then demand
the ransom and then begin the communicating.
But in cryptojacking, you're very quiet and the victim may never be aware of it.
The researchers are saying that they don't want the heat.
They don't want the law enforcement coming after them.
So they say the lower risk is worth sacrificing the higher payoff.
I have my own theories as to why this is
on the rise recently. And my theory centers around cryptocurrency prices. People like mining
cryptocurrencies. And if the cryptocurrency price drops like it has with Bitcoin and just about
everything out there, really, it's gone down about two-thirds.
Bitcoin was trading at like $60,000. And as of this recording, it's somewhere in the $20,000 range,
I think. Anyway, I haven't looked at it recently. But it's gone down a lot. That's the point.
You still want to mine your cryptocurrency and get the rewards and hope that it goes back. Or
maybe you're liquidating everything as you get it. I don't know. But now you cannot pay for the electricity
with the cryptocurrency that you're mining. So it has become not profitable to actually run a
mining rig. So I think people are actually out there looking for other ways to mine cryptocurrency.
And like I described earlier, this 100% profit model is very attractive. If I can get somebody
else to pay for the electricity, it's all profit.
Also, it's far less destructive and thus far less attention gathering, which is what the article mentioned.
I think that has a lot to do with it as well.
If somebody finds out they're the victim of a cryptojacking attack, they're probably just going to uninstall the software and move on.
It's kind of a nuisance level attack.
There's no government in the world that's going to go, all right, well, let's see if we can get that money
back for you. Because first off, the amount of money that you're getting from any individual
victim is going to be very, very small. Recovery is not going to be worthwhile. Compare that to
a ransomware attack where you're talking about millions or tens of millions of dollars. That
can be, that might be something that a law
enforcement organization might be like, okay, we're going after that one for no other reason
to demonstrate to people that they can't just get away with this. Right, right. I would suspect also
because so much of this can be automated. If they're out there looking for vulnerable systems
and they have bots that are running around searching and poking and prodding and trying to install things. And
then, as you say, you know, in the middle of the night, the machine sitting on your desk at the
office when you're at home asleep comes to life and starts mining cryptocurrency and then is done
by the time you come in in the morning. There's a good chance you may not even know. Right. And if
these guys are smart enough to lay that low, they may be able to mine cryptocurrency
on a machine for years.
Right, right.
All right.
Well, interesting development.
Again, kind of different from,
I guess, my own expectation.
It's different than how things were going.
I guess I'm a little surprised
that cryptojacking is on the rise again.
But as this article explains,
there are some good reasons for it.
Kind of makes sense.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Clear your schedule for you time
with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio or shake up your mood with an
iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.