CyberWire Daily - Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Notes from Russia’s hybrid war. And the LockBit gang looks beyond double extortion.

Episode Date: August 30, 2022

Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Montenegro works to recover from a Russian cyber offensive. A big Russian streaming platform sustains a data leak. Ann Johnson of the Afternoon Cyber Tea podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about cyber capital investment. Mr. Security Answer Person John Pescatore examines the allure of the healthcare industry for ransomware operators. And the LockBit gang looks beyond double extortion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/167

Selected reading.
Rising Tide: Chasing the Currents of Espionage in the South China Sea (Proofpoint)
Why the Twilio Breach Cuts So Deep (WIRED)
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms (Threatpost)
Hackers used Twilio breach to intercept Okta onetime passwords (SiliconANGLE)
Okta Impersonation Technique Could be Utilized by Attackers (SecurityWeek)
Ukraine launches counter-offensive to retake Kherson from Russia (The Telegraph)
Russia-Ukraine war: Kremlin insists invasion going to plan despite counterattacks; first grain ship docks in Africa – live (the Guardian)
Montenegro says Russian cyberattacks threaten key state functions (BleepingComputer)
Montenegro struggles to recover from cyberattack that officials blame on Russia (The Record by Recorded Future)
Leading Russian streaming platform suffers data leak allegedly impacting 44 million users (The Record by Recorded Future)
LockBit ransomware mulls triple extortion following DDoS attack (SC Media)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cyber espionage around the South China Sea, 0ktapus and the Twilio compromise, Montenegro works to recover from a Russian cyber offensive, a big Russian streaming platform sustains a data leak. Ann Johnson of the Afternoon Cyber Tea podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about cyber capital investment.
Starting point is 00:02:30 Mr. Security Answer Person John Pescatore examines the allure of the healthcare industry for ransomware operators, and the LockBit gang looks beyond double extortion. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 30th, 2022. Proofpoint this morning released a report on a cyber espionage campaign against nations with regional interests centered on, but not confined to, the South China Sea. The researchers call the responsible threat group TA423, or Red Ladon, and say that it shows an overlap with APT40, a Chinese government unit, also known as Leviathan, that operates from Hainan. Red Ladon has a close interest in the Australian government and in anyone's wind turbines in the South China Sea.
Starting point is 00:03:36 Proofpoint says, beginning on 12 April 2022 and continuing through mid-June 2022, Proofpoint identified several waves of a phishing campaign resulting in the execution of the ScanBox reconnaissance framework, in part based on intelligence shared by PwC Threat Intelligence related to ongoing ScanBox activity. The phishing campaign involved URLs delivered in phishing emails, which redirected victims to a malicious website posing as an Australian news media outlet.
Starting point is 00:04:09 The phishing campaign has been long-running, and the cyber espionage serves Beijing's long-range economic interests. Threatpost offers an update on the 0ktapus phishing campaign, in which Okta identity credentials and multi-factor authentication codes were obtained from employees at Twilio and Cloudflare, and then used in subsequent attempts on more than 130 companies. Wired looks at the campaign, which it sees as likely to be one of the more successful and long-running criminal efforts in recent memory, and frames it as a cautionary tale for the business-to-business supply chain,
Starting point is 00:04:47 writing, Phishing has been an inveterate and consequential threat for years, playing a role in many impactful breaches around the world, including Russia's attack on the Democratic National Committee in 2016. But if the next phase of the trend is phishing-fueled supply chain attacks, the scale of the collateral damage will magnify in an unprecedented way. The long-anticipated Ukrainian counteroffensive toward Kherson near the Black Sea coast began overnight, and it's been marked by attempts at persuasion on both sides. Ukrainian President Zelensky said in his nightly address yesterday, if they want to survive, it's time for the Russian military to run away. Ukraine is taking back its own. While intense fighting and breakthroughs into Russian-held positions have been reported,
Starting point is 00:05:39 Ukrainian officials have cautioned against premature optimism, predicting a long protracted struggle. For its part, official Russia says the Ukrainian offensive has already failed. Kremlin mouthpiece Dmitry Peskov said, the special military operation continues. It continues methodically and in coordination with all current plans. All objectives will be fulfilled. Given the kinetic action on the ground, Russian cyber attacks have recently seemed more aimed at punishing nations sympathetic to Ukraine than they've been directed against Ukrainian networks proper. The cyber attack against Montenegrin infrastructure, for example, which the government has attributed to Russia,
Starting point is 00:06:22 appears to have been both extensive and consequential. BleepingComputer writes, targets include electricity and water supply systems, transportation systems, online portals that citizens use to access various state services, and more. Power plants have switched to manual operations, and many government IT services have been taken offline to contain the effects of the attack. The country's Minister of Public Administration was at pains to reassure citizens that their data was safe, stating, although certain services are currently temporarily disabled for security reasons, the security of the accounts of citizens and
Starting point is 00:07:01 business entities and their data is not in any way endangered. The Record reports that France has responded to requests for assistance by sending a team from the National Agency for the Security of Information Systems to assist Montenegro with recovery efforts. Montenegro's defense minister blamed Russia, suggesting that only Russia had a motive to hit government IT systems. Other Eastern European states deemed enemies of Russia have recently sustained cyberattacks, mostly nuisance-level DDoS campaigns in recent weeks. Targets have included networks in Moldova,
Starting point is 00:07:38 Slovenia, Bulgaria, and Albania. The effects of the attack against Montenegro seem more serious than most of what's been so far seen in Russia's hybrid war. One wonders why they haven't done as much to Ukraine itself and can only conclude that Russian cyber works best against less thoroughly prepared and defended targets. In fairness to Russia, that would be true of anyone else's cyber as well. The Record reports that the Russian streaming service Start, which supplies content to users in at least 174 countries, disclosed Sunday that it had sustained a data leak.
Starting point is 00:08:20 How serious that leak was, Start hasn't said, but the Russian Telegram channel Information Leaks, which published screenshots purporting to be proof of the hack, says the leak amounted to 72 gigabytes and included data on 44 million customers. According to The Record, the leaked information includes usernames, email addresses, hashed passwords, IP addresses, users' countries of registration, subscription start and end dates, and the last login to the service. Most of the affected users are thought to be in Russia, but substantial minorities are from Kazakhstan, China, and Ukraine. Those responsible for the incident claim they got the information from an exposed MongoDB database. And finally, the operators of LockBit ransomware
Starting point is 00:09:07 are considering a move beyond double extortion to triple extortion. Double extortion is, of course, encryption of the victim's data coupled with a threat to release the data publicly. Triple extortion adds a DDoS attack. SC Media reports that a LockBit hood posted a help-wanted notice in a dark web forum, stating, I am looking for DDoSers in the team. Most likely now we will attack targets and provide triple extortion,
Starting point is 00:09:36 encryption plus data leak plus DDoS, because I have felt the power of DDoS and how it invigorates and makes life more interesting. So, dudes and dudettes, LockBit wants you. But please resist the temptation. You can do better working in a nice government job. Be a good guy and not a cheap goon. Working for LockBit is the in-real-life equivalent of the Al Pacino character sawing the tops off of parking meters in Donnie Brasco.
Starting point is 00:10:04 Have you seen Donnie Brasco? Good flick. Stream it from somewhere. Somewhere other than Start. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:34 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000
Starting point is 00:11:07 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:29 Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode? It seems like every breach we see in the news these days is against healthcare. Have attackers abandoned going after good old retail targets? Or is it just the ongoing pandemic causing the press to focus on all healthcare-related bad news? Well, that's a timely question. First, let me dazzle you with some data courtesy of the Identity Theft Resource Center. In the U.S., during the first half of 2022, we've seen 161 public breaches in the healthcare sector, compared to only 31 in retail, predicting about 320 and 62 respectively for full year 2022. The pandemic years of 2020
Starting point is 00:13:07 and 2021 showed similar ratios, 330 healthcare breaches versus 102 in retail during 2021, and 306 to 53 in 2020. But healthcare actually had more breaches overall in 2019, 525, which was before COVID. The ITRC numbers didn't show retail before 2020, but there were likely a similar number of retail breaches as in following years. The bottom line? Retail breaches are definitely down from years ago, but healthcare breaches are really not up. Press attention has been magnified because of the continuing pandemic. More importantly, the lower level of successful retail breaches does not mean that attackers aren't still going
Starting point is 00:13:50 after retail. I think retail has gotten better, a lot better, at protecting itself. From 2007 to 2015 or so, retail breaches dominated the news, as Target, TJX, Hannaford, Home Depot, and others had breaches that compromised close to 200 million retail customers. Retail, much like healthcare, has a complicated mix of IT and distributed devices, and credit card data is a lucrative target. No coincidence that over that same period, the payment card industry data security standards program evolved from PCI 1.0 to PCI 3.1, moving from focusing mostly on reducing risk for the card brands to emphasizing actually protecting cardholders' data. The retail industry has long dealt with loss prevention from a shrinkage point of view,
Starting point is 00:14:38 employee theft and shoplifting, as their major security risk because it was a 3% impact on their bottom line, 1.5% due to the actual loss of inventory, and 1.5% of revenue being spent on loss prevention to keep shrinkage to 1.5%. That level of security spending didn't work very well when the big brick-and-mortar retailers first grafted on online selling and Internet access to in-person sales, and Target was really the first one to feel the pain. After that incident, the retail sector finally started to move on addressing a lot of
Starting point is 00:15:11 basic security hygiene issues, along with big improvements on authentication of customers and encryption of sensitive data. I credit much of this progress to what, in the Mr. Security Answer Person dictionary, is defined as the Target effect. The Target effect. 1. Something that is produced by using a bullseye as your corporate logo. Example usage. If both your company's name and its logo invite attacks, you might want to avoid the Target effect by at least paying attention to basic security hygiene.
Starting point is 00:15:45 2. A mental or emotional impression produced by the rapid resignation of both the CIO and the CEO. As in, the Target effect has many CISOs wondering if getting LinkedIn requests from the CEO and the CIO is really a good thing. 3. Impact of an incident that causes boards of directors to see that compliance does not equate to meaningful reduction in liability. Example, the $500,000 fine from the card brands is a lot smaller than the $300 million in hard costs when we neglected to protect our 70 million customers. In 2015, Anthem Incorporated had a medical data records breach that was about the same size as Target's and cost Anthem, who ended up changing their name, about as much. But there is no healthcare industry-driven data security standards regime, only creaky, largely toothless, slow to change, government-driven HIPAA. Even more importantly, the Anthem CEO and CIO were not fired. To my knowledge, there were no
Starting point is 00:16:51 firings after Anthem's humongous breach. Avoiding the Target effect should be the goal for every vertical. Each industry has unique, hard-to-solve problems, but one truth has spanned all verticals. The cost of dealing with a breach almost invariably exceeds how much it would have cost to avoid or at least greatly mitigate the successful attack. To sum it up, attackers will go after anything lucrative and vulnerable. The best way to not be next year's clickbait headline is to be way less vulnerable. That's a much better choice than no longer being a lucrative target. Mr. Security Answer Person. Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Starting point is 00:17:39 Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on The CyberWire. Send your questions for Mr. Security Answer Person to questions at thecyberwire.com. a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. and host of the Afternoon Cyber Tea podcast right here on the CyberWire Network. She recently spoke with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about what's influencing cyber capital investment. You know, it's an interesting time. We talked about that. In the last few years, we've seen venture capital investment in cyber really balloon,
Starting point is 00:19:23 and now experts are reporting economic slowdown. And we're starting to see some signs of slowdown throughout the world, and then it's impacting the venture capital world. So if you could talk to us about the last few years and actually what you're seeing now and how quickly things are changing. Dave, let's start with you. Yeah, and I mean, it's a great question, right? I mean, it's kind of the question of the day. You know, I start out and talk a little bit about what I call cyber super cycles, kind of a mouthful.
Starting point is 00:19:52 But in the 20 years or so that I've been, you know, sort of monitoring this market segment, you could almost track the cyber industry by the threat cycle. So I call them cyber super cycles because whenever you see a highly elevated threat environment, you typically right behind the highly elevated threat environment, you see a highly elevated spending environment. Customers spend more, many more threats, and ultimately behind the spending cycle comes the investment cycle. Before we look ahead for a second, can we go all the way back a couple of years? Tell me as investors, you know, what your thesis was, what made a company attractive
Starting point is 00:20:32 to you? Why did you choose to invest in some companies versus others? What type of criteria were you looking at? Yeah, I can start, Ann. You know, I've been investing, you know, pretty heavily since 2012 in NightDragon. This is our 10th anniversary here of investing. I think 41 companies now all total, you know, probably not near the breadth that Jay has. But, you know, we've been looking at, largely I look for, at least in the cyber markets, a major threat problem that has yet to be solved. It's one of the reasons I became CEO of FireEye. I mean, at the time, 2012 window, FireEye was a 10 million revenue company and nobody
Starting point is 00:21:08 really heard of an APT. Well, they had, but not by much at that point. But advanced persistent threats became a new vector of attack, especially in which ways that the attacks were coming in. And I was looking for technology that could solve a major threat problem. My largest thesis with NightDragon has been all around that. Where are the biggest threats and risks in the world? And what commercial defense can meet that threat in a way that we could hyperscale it with growth capital to kind of meet the valuation opportunity that's out there? So what advice do you have for
Starting point is 00:21:43 founders that are starting this journey? What can they show you when they're doing their VC pitch, the shuffle around to try to get dollars? And is it that, and how does someone, and I'm going to ask a little pointy question, how does someone that doesn't have that proven track record, right? They're a first-time founder or a first-time CEO, how do they actually convince the firms to invest? Jay, why don't we start this one with you? Yeah, so for me, it's, are they coachable? Are they giving you lip service to any kind of advice that you may have?
Starting point is 00:22:15 It doesn't mean they have to take the advice, but the best first-time founders I've ever worked with, they'll go and actively seek advice from Dave. They'll seek it from me, even though they probably shouldn't talk to me because I'll probably give them bad advice. They'll seek it from, you know, 10 other people, you know, and then they'll bring all that in.
Starting point is 00:22:32 They'll synthesize it, make it their own and come up with the right direction to go, right? And to me, that's like a quality that it's hard to learn that, you know, you can learn it, but it's also, it's in your DNA, you know, but you can break out like I have. We've backed true introvert CEOs that know they're introverts. And so they wake up every day to try to be an extrovert and they work really hard. They're never going to be your go to market
Starting point is 00:22:56 CEO, but they can become damn good leaders and build great companies if they surround themselves with the next level that can actually compensate for that. That is Ann Johnson from Microsoft. She is the host of the Afternoon Cyber Tea podcast. You can find that right here on the CyberWire network. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso.
Starting point is 00:23:37 Whatever you choose, your espresso will be handcrafted with care at Starbucks. studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
Starting point is 00:25:19 with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
