CyberWire Daily - Cyberespionage in Germany. Australian network knocked off the air by a cyberattack. PHP shuts backdoor. Apple fixes a browser bug. FatFace pays up. Criminal charges: espionage and fraud.
Episode Date: March 29, 2021
German politicians' emails are under attack, and the GRU is the prime suspect. Australia's Nine Network was knocked off the air by a cyberattack, and a nation-state operation is suspected. PHP takes steps to protect itself from an attempt to insert a backdoor in its source code. Apple fixes browser engine bugs. FatFace pays the ransom. Project Zero caught a Western counterterror operation. Betsy Carmelite from Booz Allen Hamilton on Zero Trust. Our guest is Tal Zamir of Hysolate on CISA's new ransomware guidelines. And a guilty plea for one, and almost five-hundred indictments for others. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/59 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
German politicians' emails are under attack and the GRU is the prime suspect.
Australia's Nine Network was knocked off the air by a cyber attack and a nation-state operator is suspected.
PHP takes steps to protect itself from an attempt to insert a backdoor in its source code.
Apple fixes browser engine bugs.
Fatface pays the ransom.
Project Zero caught a Western counter-terror operation,
Betsy Carmelite from Booz Allen Hamilton on Zero Trust,
our guest is Tal Zamir of Hysolate
on CISA's new ransomware guidelines,
and a guilty plea for one
and almost 500 indictments for others.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, March 29th, 2021.
Several members of Germany's Bundestag have had their personal email accounts breached,
Cyberscoop says. The BfV and BSI security services have briefed the federal legislative body and contacted affected members. German officials have provided few details, but Tagesschau reports the compromise was the work of Ghostwriter,
a threat actor associated with Russian interests,
and that spear phishing was the attack vector.
It also suggests that Russia's GRU was responsible.
Der Spiegel is calling it a Russian operation
and also specifically attributing it to the GRU, the Russian
Military Intelligence Agency. Seven members of the Bundestag were affected, as were 31 members of
land parliaments, that is parliaments belonging to the Federal Republic's constituent states,
roughly the equivalent of U.S. state legislatures. Several dozen other political figures were also
affected. Most of the targets
were members of the two largest German political parties, the center-right CDU-CSU and the center-left
SPD. Security firm FireEye's 2020 account of Ghostwriter described it as a disinformation
peddler. Quote, the operations have primarily targeted audiences in Lithuania,
Latvia, and Poland, with narratives critical of the North Atlantic Treaty Organization's presence
in Eastern Europe, occasionally leveraging other themes such as anti-US and COVID-19 related
narratives as part of this broader anti-NATO agenda, end quote. FireEye didn't go so far as to identify the group as a unit of the Russian government,
but objectively, as people say, Ghostwriter acted in the Russian interest.
German security services have warned that follow-on operations should be expected.
Channel 9 Australia sustained a cyber attack yesterday that knocked some programming off the air.
The Sydney Morning Herald describes the attack as some kind of ransomware likely created by a state-based actor,
with speculation suggesting either China or Russia as the country of origin.
That is, the attack looks like ransomware, but it may have been a simple destructive attack like NotPetya,
especially since no ransom demand has been received.
Sino-Australian relations have grown frostier over the past year,
and Russia has a more proximate motive to hit Nine.
They may not care for some of the outlet's reporting.
In any case, TV Black Box is calling the attack for Moscow
and says it appears to have been an attempt to disrupt the broadcast of a Nine investigative report on Russia's use of Novichok nerve agent against dissidents, spies and other undesirables.
Novichok also killed at least one entirely uninvolved person in the UK as sad collateral damage in an unusually reckless and ruthless GRU operation.
Nine seems to think it was the Russians too, or at least some of its on-air talent does.
When Nine got back on the air this morning, albeit in a somewhat degraded form,
they were using hand-drawn graphics, for example, their regular computers being unavailable,
and they experienced some brief dead air.
Their weekend host, Karl Stefanovic, asked for the audience's understanding and indulgence.
Quote, bear with us as we try and work around these technical issues caused by Vladimir.
We're not blaming anybody in particular.
End quote.
The Australian Cyber Security Centre is helping Nine. The Australian Financial Review quotes the agency as saying,
The record by Recorded Future says that the PHP programming language's internal Git repository
was compromised over the weekend
with the insertion of a backdoor into its source code.
PHP changed its Git commit workflow
to preclude the possibility that the software supply chain
might be corrupted by propagation of the backdoor
into production systems.
Apple issued three patches late Friday.
The vulnerability found by Google's Project Zero affects WebKit, the browser engine behind Safari.
TechCrunch reports that the bug may be under active exploitation in the wild by unidentified actors.
Computing reports that lifestyle retailer Fatface has paid the Conti ransomware gang $2 million in Bitcoin,
knocked down from an original ransom of $8 million.
Conti's operators said they didn't want to bankrupt Fatface.
Part of what Conti gave the retailer in exchange for the payment was advice, mostly bromides:
implementing email filtering, reviewing Active Directory password policy, conducting employee phishing tests,
and investing in better endpoint detection and response technology.
Sure, good enough advice, albeit probably not worth two million bucks.
Whether the Conti gang will be as good as its word
and refrain from dumping or selling the data they stole remains to be seen.
A flaw in the website established by the
new Scottish independence party ALBA leaked personal data of some 4,000 people who'd registered
for party-sponsored events over the weekend. The exposure occurred within hours of the new party's
formation, ITPro reports. Google's Project Zero on March 18 announced that it had discovered and responsibly disclosed 11 zero-days being actively exploited in the wild by an unknown actor.
It turns out, MIT Technology Review reports, that the unknown actor was an unspecified Western security service engaged in an unspecified counterterrorist operation.
A former senior
U.S. intelligence official told Technology Review that, quote, there are certain hallmarks in Western
operations that are not present in other entities. You can see it translate down into the code.
And this is where I think one of the key ethical dimensions comes in. How one treats intelligence
activity or law enforcement activity driven under democratic
oversight within a lawfully elected representative government is very different from that of an
authoritarian regime, end quote. So the stigmata of oversight are visible all the way down to the
software level. A former contract linguist for the U.S. Department of Defense has taken a guilty plea to a single
count of delivering national defense information to aid a foreign government.
The U.S. Justice Department said on Friday that Miriam Taha Thompson admitted in her
allocution that she shared names of U.S. government assets with a Lebanese man who had connections
to Hezbollah.
She was arrested by the FBI in February of 2020
and will be sentenced this summer.
The maximum sentence she faces is life in prison.
The story is a sad one
because she was recruited in a romance scam.
The Justice Department said Friday,
quote,
During today's plea hearing,
Thompson admitted that beginning in 2017,
she started communicating with their unindicted co-conspirator using a video chat feature
on a secure text and voice messaging application.
Over time, Thompson developed a romantic interest in her co-conspirator.
End quote.
Her continuing cooperation with the officer who was running her as an agent
were driven, Military Times reports,
by her hope of an eventual marriage and by her fear that her contact would end the relationship
should she have stopped providing information. And finally, in other news out of the U.S.
Justice Department, COVID-19 scammers are being vigorously prosecuted.
As of Friday, Justice said that it had publicly charged 474 defendants with crimes related to COVID-19 fraud.
The cases represent, in the aggregate, an attempt to fraudulently obtain some $569 million.
The three biggest classes of scam Justice has taken action against
are schemes targeting the Paycheck
Protection Program, PPP, the Economic Injury Disaster Loan Program, and of course, unemployment
insurance fraud. It's a safe bet that there are more than 474 scammers out and about,
so stay safe and wary out there.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Ransomware continues to be on the rise, and in response, the U.S. Cybersecurity and Infrastructure
Security Agency, that's CISA, launched a campaign to reduce the risk of ransomware,
including tips for best practices for home users, organizations, and technical staff. Tal Zamir is founder and CTO at Hysolate,
a provider of secure workspace products, and he joins us with reactions to CISA's guidance.
So they practically started a campaign to raise their awareness to ransomware and kind of
a guide, a detailed guide on what to
do around ransomware in certain aspects, right? Things like reducing the probability to get
infected by malware like ransomware to begin with, and how to respond when an incident happens.
And I think that while the guide provides, and this campaign provides good basic tips and basic cyber hygiene,
which is, of course, welcome in kind of a concentrated way,
I think it misses some aspects that are beyond just preparing for an incident and what to do when you get hit, or how to kind of back up your systems in case you get hit, or hardening your endpoints to prevent users from making mistakes.
I think what it's missing is talking about how to reduce the impact when you get hit
so that you don't need to do all of those after-the-fact mitigations.
So I think how you isolate the problem, how you make sure that the blast radius is limited when you'll get hit
and you'll probably get hit, I think that's a very important aspect
that is, I think, to some extent, missing in the
campaign. Well, let's go through that together.
What are some of the specific things that
you recommend? Sure. So first, just to explain what I mean, you know, but you know, how the
advice that they give there is limited because, you know, if you're a kind of a mid-sized organization
and the advice there is, okay, you need to patch all of your software immediately as soon as you
can. That's advice that for non-huge organizations
is tough to follow, right?
Patching everything on your machine immediately
across the operating system and applications
and agents and drivers and what have you is tough, right?
Other than that, training users not to make mistakes.
It's good best practice, but we're all human.
We make mistakes.
So it's kind of not very practical to really close the gaps there.
And hardening the endpoints and limiting what users can do,
from what we know from our prospects, is limiting business productivity.
So you close the endpoint. You can't do that and that and that,
you can't browse the web, you can't install applications,
and you end up with very frustrated users,
especially when those are knowledge workers and the likes.
That's Tal Zamir from Hysolate.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Betsy Carmelite.
She's a senior associate at Booz Allen Hamilton.
Betsy, it's always great to have you back. I want to touch base with you today on zero-trust architecture,
the types of things that you and your team are tracking when it comes to that.
Let's start, Dave, with some conceptual definitions around zero-trust approach or architecture
as we hear this term more and more, particularly in relation to
protection against a future SolarWinds or similar supply chain attack scenario. This is where we've
seen organizations we work with show interest in zero trust, the need to change how we view
proactive risk reduction. We've also seen the recommendation for adoption of zero trust concepts
that NSA published last month. And it's
been described as a security model. So let's take that a little further and how we've been talking
to our organizations about it. There are three ways to look at zero trust as a mindset to adopt.
First, the mindset builds off three key concepts. Assume breach, never trust, always verify, and finally
use least privilege access. So this can be a real mindset shift for those enterprises who are
working merely towards security compliance. Secondly, changing the mindset of an organization
to assume bad actors have already breached your network changes how you apply security controls.
Keeping up your defensive guard is important,
but we need to also apply security controls
to reduce the impact with the
they're already in our network mentality.
So we need to think lateral movement, pivoting,
privilege escalation, credential hijacking.
And finally, it's about the data. Zero Trust places focus
on data and helps organizations focus on controls and steps needed to protect the most sensitive
data on their networks. Risk-based decisions are paramount to ensure the right level of rigor
is applied based on the inherent sensitivity and value of that data being protected.
Now, in terms of that mindset shift, I mean, is there a hurdle when it comes to, I don't know,
I guess the best word for it is ego with some organizations. If you say to them,
assume that you've been breached, are there some people who have a problem with that mindset on
principle? No, I don't think we're necessarily seeing that
hurdle. One of the questions we see most often is where do we start? And maybe more on the ego,
like does my organization have what it takes to start adopting zero trust? We get right down to
these questions in workshops and try to understand the organization's maturity and describe the use cases that will resonate with them.
So first, we like to convey that breaking down barriers is probably the first thing that they need to consider.
Am I ready to start this?
The heart of that is clear communication strategies at all levels for
adopting zero trust. I mention all these levels because zero trust is looking at cybersecurity
as a whole, not in silos or in cybersecurity functions individually. It requires a lot of
coordination between infrastructure and engineering, security, and all of the implementation teams.
And sometimes we have to orchestrate that participation
as Booz Allen to get the information flowing and be very intentional about prompting for information.
You'll always have the people who respond and don't respond, and the people who like to talk,
and we really need everybody talking to get that full participation. Secondly, gaining and maintaining leadership engagement,
finding that champion, finding the advocate,
we see that need at really the highest levels
for successful implementation.
Even in highly effective or mature organizations,
the move to zero trust is a multi-year journey,
requiring upfront and continuous commitments from current
and future leadership. And finally, we do say a process designed and adhered to conduct discovery,
baseline existing capabilities, mitigate critical gaps, and design solutions for long-term
sustainability. That process is really key to establishing that early.
So it really is a culture shift, but also a long-term journey that organizations have to go on.
It is, it is.
And this shift really has been triggered by the industry mindset for many years that perimeter security provided
organizations a level of protection to keep threats out of the network. There is the trusted domain,
the untrusted domain, the DMZ. And if you were on the trusted side of that perimeter, there is a
sense of comfort to communicate, exchange, and access information freely. Basically, we're good,
we're secure. And over the years, we've seen organizations' perimeters
continue to lose their value in providing that overall security.
Technologies and human behaviors are testing those boundaries,
and the perimeter is becoming non-existent
as organizations adopt software-as-a-service technologies
or remote users as the norm.
And in the case of the insider threat, the threat's already inside the perimeter.
So, again, changing environments require changing mindsets.
All right.
Well, Betsy Carmelite, thanks for joining us.
Anytime, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
People can see the difference.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hah!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the
startup studios of DataTribe, where
they're co-building the next generation of
cybersecurity teams and technologies.
Our amazing Cyber Wire team
is Elliott Peltzman, Puru Prakash,
Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
AI and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.