CyberWire Daily - Cyberespionage campaign looks a lot like SIGINT collection. Magnitude gets more capable. VPN exploits solicited. Ransomware trends. Seven years for UPMC hacker. Plenty of Candy Corn coming.

Episode Date: October 20, 2021

The LightBasin “activity cluster” has been active indeed against telecom infrastructure in what looks like an espionage campaign. The Magnitude exploit kit adds capabilities for hitting Chromium browsers. An exploit broker is interested in cloud-based VPNs. Victims continue to pay in ransomware attacks. A hacker gets seven years for conspiracy to defraud and identity theft. David Dufour from Webroot looks at the coming threat landscape. Our guest is Paul Shread from eSecurity Planet on backup tools for ransomware. And a Candy Corn shortage is averted. For links to all of today's stories, check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/202 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The LightBasin activity cluster has been active indeed against telecom infrastructure in what looks like an espionage campaign. The Magnitude Exploit Kit adds capabilities for hitting Chromium browsers. An exploit broker is interested in cloud-based VPNs. Victims continue to pay in ransomware attacks.
Starting point is 00:02:19 A hacker gets seven years for conspiracy to defraud and identity theft. David Dufour from Webroot looks at the coming threat landscape. Our guest is Paul Shread from eSecurity Planet on backup tools for ransomware, and a candy corn shortage is averted. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 20th, 2021. Security firm CrowdStrike has published a description of LightBasin, also tracked as UNC1945, an activity cluster that's been targeting global telecommunications infrastructure since 2016. LightBasin has been collecting user information on a large scale, showing a particular interest in call metadata and subscriber information.
Starting point is 00:03:27 The report says, "Recent findings highlight this cluster's extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control and utilizing scanning and packet capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata," end quote. LightBasin showed a solid working understanding of how telecommunications works. One of the activity cluster's operations, for example, proceeded by leveraging external DNS servers, which are part of the general
Starting point is 00:04:05 packet radio service network, and play a role in roaming between different mobile operators to connect directly to and from other compromised telecommunication companies' GPRS network via SSH and through previously established implants. The LightBasin actors are compromising the telecommunications firms' Linux and Solaris boxes. Those systems are attractive for two reasons. First, a great deal of the telcos' infrastructure runs on those operating systems, and second, at the same time, those boxes tend to receive scant attention from security teams. Active since at least 2016, CrowdStrike writes, LightBasin employs significant operational security measures, primarily establishing
Starting point is 00:04:53 implants across Linux and Solaris servers, with a particular focus on specific telecommunication systems and only interacting with Windows systems as needed. The researchers think it unlikely the world has seen the last of LightBasin. Quote, CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques, and procedures, target scope, and objectives exhibited by this activity cluster. End quote. Why LightBasin is collecting the data isn't entirely clear, but as the report goes on to observe,
Starting point is 00:05:35 the nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations, and signals intelligence is typically something governments engage in. So while it appears to be an espionage operation, CrowdStrike says there is not currently enough available evidence to link the cluster's activity to a specific country nexus. Circumstantial evidence includes strings in pinyin, which suggest Chinese or at least Chinese-speaking operators, but this falls well short of what might be required for attribution. CyberScoop's discussion treats LightBasin as an espionage campaign probably linked to Beijing, but The Record characterizes the operators simply as crims.
Starting point is 00:06:23 What payoff a classic crim would realize from collecting SIGINT isn't clear unless they're selling it to some government, but in this case, let crims stand in for simply threat actors and leave the further attribution to further counterintelligence work. Avast reports that the Magnitude Exploit Kit has added capability against the Chromium family of browsers exploiting the CVE-2021-21224 and CVE-2021-31956 vulnerabilities. The Record finds it noteworthy that a moribund exploit kit obtained a relatively advanced capability. On the bright side, the exploit works against a relatively small range of targets. The well-known exploit broker Zerodium is looking for exploitable flaws in ExpressVPN,
Starting point is 00:07:18 NordVPN, and Surfshark. They're interested specifically in information disclosure, IP address leak, or remote code execution, and the company says that local privilege escalation is out of scope. Zerodium typically sells exploits to governments and law enforcement agencies. All three of the VPN vendors for whom exploits are being sought are among the market leaders in cloud-based virtual private network offerings. The Record says the three VPN vendors haven't yet replied to the outlet's request for comments on the solicitation, but it's unlikely they're particularly happy with it. More evidence suggesting that official admonitions against paying ransomware operators
Starting point is 00:08:02 Danegeld may be falling on deaf ears: Thycotic Centrify's 2021 State of Ransomware Study concludes that 83% of the victims paid their extortionists. Earlier this year, on May 20th, one Justin Sean Johnson, resident of Michigan and formerly employed by the U.S. Federal Emergency Management Agency, better known by its acronym FEMA, as an IT specialist, took a guilty plea to counts 1 and 39 of a 43-count indictment. The now 30-year-old Mr. Johnson, who used hacker names The Dirt Star, Dirty Star, TDS, and DS, admitted improperly accessing the University of Pittsburgh Medical Center's Human Resources database server in 2013 and 2014. He sold the data he pilfered
Starting point is 00:08:54 in various criminal-to-criminal markets, InfoSecurity magazine reports, and Mr. Johnson's customers used the data to file hundreds of fraudulent Form 1040 income tax returns. The U.S. attorney for the Western District of Pennsylvania said, These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon gift cards, which were then used to purchase Amazon merchandise, which was shipped to Venezuela. And the Internal Revenue Service was out nearly $2 million in lost tax revenue. The two counts Mr. Johnson copped were
Starting point is 00:09:33 enough for Chief United States District Judge Mark Hornak to throw the book at him. Judge Hornak gave Mr. Johnson the 60-month maximum for conspiracy to defraud the United States, and also the statutory 24-month max for aggravated identity theft. The sentences will run consecutively, which means the Dirt Star will spend the next seven years in Club Fed. And finally, as Americans prepare for Halloween, the Chicago-based Ferrara Candy Company, makers of such trick-or-treat staples as Candy Corn, Nerds, and Laffy Taffy, discovered on October 8th that it had been hit with a ransomware attack that temporarily disrupted manufacturing at some of its facilities. But no fears, candy corn connoisseurs: Ferrara told the Chicago Tribune that they've largely restored production, and in any case Halloween orders had all, for the most part, shipped before the ransomware hit. So you'll be picking candy corn out of your bags until,
Starting point is 00:10:37 well, we don't know, next April, if our parenting desk has it right. Thank goodness for season creep. At last we see a good reason for the Halloween displays that began showing up in stores as early as the last week of August. Happy early Halloween, friends. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:11:18 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:12:13 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:12:39 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Ransomware has highlighted the need for backups. Good, multiple, reliable, off-site, encrypted, hermetically sealed, buried under Funk & Wagnalls' porch backups. All right, I exaggerate, but you get the point. Paul Shread is editor-in-chief at eSecurity Planet, where backups have been top of mind. There has been a lot of talk about air-gapped backups, and that's a very good thing to do, but it's not the only thing that you
Starting point is 00:13:25 need to do. Basically, people aren't doing nearly enough as they should, but due to all the attention that's been focused on the major attacks this year, I think people are looking at it much more than they used to. So I guess that's the one positive here, is people are actually finally starting to pay attention to this stuff. You need multiple copies. You need it to be immutable, which means it can't be changed, can't be accessed. I've actually seen the old 3-2-1 backup recommendation change lately, and I've seen 4-3-2-1. You want four copies of your data.
Starting point is 00:14:04 You want it in different formats, different locations. You want something that's air-gapped. Actually, you want multiple things that are air-gapped because the ransomware developers are starting to show that they can access offline data too. I think it was LockFile, which Sophos found, that is a little nastier than other strains. It does a partial encryption, and it can do some offline encryption also. This stuff is definitely getting stealthier and more dangerous, and it's the same thing that it's always been. It's a security arms race, and we just need to do the best we can to stay on top of it.
Starting point is 00:14:46 And that means I think in the case of backup, you really need outside help. I think it's something very few companies can do by themselves. So you almost always need some manner of help. I would even say that there are some cloud companies that can do it. But you need to just check them out carefully. There are some big names that have been doing backup for a long time, and they seem to be well prepared to do this, you know, without mentioning names. I suppose it comes down to a risk management approach here of balancing the effort and resources you put into backups versus the odds of having some event
Starting point is 00:15:27 happen where you're going to need them? Well, I don't think that any of this is new. I mean, people have always needed to backup their data. It's just that many of them haven't been doing it properly. You know, there's always been a need for protection from disasters. You know, everyone should have always been doing this. They should have always had off-site backups. There's so much that needs to be done because your business really depends on getting that data backup and running. I don't think it needs to be pricey. I think there are some cloud and service providers that could probably do this stuff without costing a fortune. I think the added cost is probably in the need to keep multiple copies that can't be changed.
Starting point is 00:16:11 And so that's going to run up the data storage costs more, but you could set policies that you save them for only so long. But I do think you need multiple copies because it's just a matter of time until they figure out how to encrypt those too. So I think we just need to treat these people as the very smart actors that they are with backing from nation states. There's some really wild stuff going on here. Data is the lifeblood of companies now,
Starting point is 00:16:43 so you really want to be able to get that back up and running as quickly as possible because your business depends on it. Yeah, and I suppose we hear these stories all the time about companies who put this off. I suspect for a lot of folks it's an easy thing to put off, but then the worst happens and they find themselves in a jam. Well, that's the problem. You know, people think that it's not going to happen to them. They think they can put it off. But I got to tell you, it's got to be the scariest thing that I've seen in security. So if you're not taking it seriously, you're really asking for trouble. But, you know, that said, if you do get hit, there are options out there. There are data recovery services. There are tools that can help you decrypt the
Starting point is 00:17:31 data. So there are options. You aren't totally lost if you get hit. But if you want to be on top of this and back up and running quickly, you really need to take those preemptive steps. That's Paul Shread. He's editor-in-chief at eSecurity Planet. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
Starting point is 00:18:22 organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, always a treat to have you join us here. I don't know about you, but I am having a hard time reconciling how quickly this year has gone by. And we are, like, 2022 is right on the horizon here. I was curious, you know, can you be the first person that I ask about what sort of things you're expecting to see as we careen towards 2022? Yeah, you're right, David. This year is just, I don't know what's happened. It's been a pretty good year, actually. So I'm glad of that. But David, there's this brand new threat out there that not
Starting point is 00:19:31 many people have heard of, and we're going to really break it open on the podcast today. It's called ransomware. I bet most people haven't heard of it, but that's what's coming in 2022. Ransomware, really? Go on with that, David. What exactly goes into this ransomware thing you mentioned? Well, the cyber criminals put some piece of malware on your computer and it encrypts all your files and you have to pay a ransom through crypto. Wow, interesting. So basically, the bold prediction that you're making for 2022 is more of the same. Is that what I'm hearing? That's exactly right.
Starting point is 00:20:07 Look, last year, we saw an average of around each attack costing about $200,000. That's on average. Believe it or not, this year, with all the high-profile ones, you'd think the average was up. But the average is actually down to about $150,000 per attack we're seeing this year. But that's just because of the sheer volume of attacks that's occurring. Oh, interesting. I'm on a pretty thick limb here. I'm not really going out too far when I say ransomware is going to continue to be the problem next year.
Starting point is 00:20:37 Yeah, it's fascinating to me also because I think when we look back a couple years, probably back to 2018 or so, I think a lot of us thought that we were going to see crypto mining really take off. That was the thing a lot of us had our eye on. But then it seems like that sort of fizzled out or didn't take off the way that ransomware did. Yeah, I'm going to pat myself on the back on that one because I literally said there's probably not a lot to worry about there. The bad actors got to see a good business model. And I know they were trying to insert things in browsers to mine when you were on websites and things like that, but it kind of petered out. It's just easier,
Starting point is 00:21:16 David, to do attacks with ransomware, infect the computer, and then charge a ton of money for it. And, you know, I want to segue into something else that we need to think about, which, you know, kind of leads to that ransomware infection. Another thing we're going to continue to see, we saw a lot of last year, it's growing this year. There's a lot of really good tools that we all use in cybersecurity for remote protection, you know, our MDM software that helps us manage, you know, with all the remote, us all working from home due to COVID, things like that, those tools are getting attacked so that the purveyors of ransomware can deploy it in a broader area. So that's another thing. This one, I am going out a little bit on a limb saying, we're going to see a lot more of the good software turn bad.
Starting point is 00:21:59 More of those insider threats or supply chain threats, I suppose. Well, exactly. And if you're, you know, I don't want to name any names, but if you're using something inside your organization to manage your infrastructure, even to manage your business, like an ERP or something, you could see, you know, a lot of attacks start and get deployed through that kind of software. So everyone really has to start paying attention to this. Is it really a matter of these days you have to have something that's keeping an eye on the behavioral aspects of your network that's, you know, not just looking for indicators, but looking for what's going on? That is absolutely right. And a lot of it is behavior now, which unfortunately typically takes a lot of resources. There's not many resources in the security industry. So good for you if you're in this industry,
Starting point is 00:22:48 you're going to have a job for a while. But it is about looking, not just locking down. You do need to lock down the basics of backup, antivirus, patch. But the real focus after you've gotten past those three is to look at what's going on so you can catch it before it happens. All right. Good insights as always. David Dufour, thanks for joining us.
Starting point is 00:23:09 Great being here, David. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:23:51 John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
