CyberWire Daily - Cyberespionage in Southeast Asia. Two young extortion gangs make their bones. Bot-herders like MikroTik devices. Log4Shell zero-day exploited in the wild. Update on the Assange case.
Episode Date: December 10, 2021
Cyberespionage in support of Belt and Road, and of Beijing's claims in the South China Sea. Karakurt ransomware skips the encryption and goes right to the doxing. Black Cat ransomware is rising. Vulnerable MikroTik devices are bot-herders' favorites. The Log4Shell zero-day is being exploited in the wild, and will be a tough one to remediate. Julian Assange moves closer to extradition. Johannes Ullrich on changing user behavior. Our guest is Oliver Rochford of Securonix on the affordability of good security. And shoulder-surfing as a threat to Snapchat users. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/236
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cyber espionage in support of Belt and Road and of Beijing's claims in the South China Sea.
Karakurt ransomware skips the encryption and goes right to the doxing.
Black Cat ransomware is rising.
Vulnerable MikroTik devices are bot herders' favorites.
The Log4Shell zero-day is being exploited in the wild and will be a tough one to remediate.
Julian Assange moves closer to extradition.
Johannes Ullrich on changing user behavior.
Our guest is Oliver Rochford of Securonix on the affordability of good security.
And shoulder surfing as a threat to Snapchat users.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 10th, 2021.
Threat intelligence firm Recorded Future's study of Chinese cyber espionage outlines the ways in which the intelligence effort is designed to support Beijing's Belt and Road Initiative.
The principal targets of the campaign are Malaysia, Indonesia, and Vietnam.
The Philippines, Laos, Cambodia, and Thailand are also being prospected.
Recorded Future's Insikt Group elaborates, quote,
The activity highlighted includes a group we track as Threat Activity Group 16,
which has compromised several high-profile military and government organizations across Southeast Asia throughout 2021
using custom malware families such as FunnyDream and Chinoxy.
The activity against targets in Laos and Cambodia is particularly concerned with supporting Belt and Road.
And the cyber espionage, while certainly bearing upon China's plans for economic dominance, also serves to support Beijing's side in territorial disputes, especially disputes in the South China Sea.
Accenture this morning published a description of the still relatively unknown Karakurt ransomware gang, active since this June. It's still unclear where Karakurt fits in the underworld ecosystem. Karakurt, and the self-applied name is that of a venomous spider, is an extortion play, but it represents a kind of second-stage ransomware which doesn't bother to encrypt or otherwise damage or degrade its victims' data. Instead, it simply steals the data and then threatens to publish them on its dump site, Karakurt Lair. The gang counts on the embarrassment they threaten as a sufficient goad to the victims paying up. In any case, Accenture thinks Karakurt is just getting started. Quote, Accenture Security assesses with high confidence that the group's operations have just begun and that Karakurt activity will likely continue to proliferate in the foreseeable future, impacting additional victims, end quote.
The Black Cat ransomware affiliate program, MalwareHunterTeam tells BleepingComputer, is deploying a sophisticated executable written in Rust. Black Cat came to prominence in late November, and it's being hawked in Russophone criminal markets. The ransomware itself, also known as ALPHV, seems constructed from scratch without the use of templates or other pre-existing code.
Security firm Eclypsium describes how exploitable, vulnerable MikroTik routers and ISP devices have become, and remain, popular among bot herders. The MikroTik devices are plentiful, powerful, and where they're vulnerable, they're relatively easy to incorporate into botnets. TrickBot reverted to them when U.S. Cyber Command disrupted its operations, for example, and they were also the bots of choice in the Mēris botnet's then-record 21.8 million records per second distributed denial-of-service attack against Russian internet firm Yandex back in September. Eclypsium's advice to enterprise security teams is to get scanning, identify, and isolate vulnerable MikroTik devices.
The U.S. Cybersecurity and Infrastructure Security Agency, CISA, yesterday released three industrial control system advisories. CISA also urges organizations to apply the updates Cisco has made available for multiple vulnerabilities in Apache HTTP Server affecting the company's products. While those vulnerabilities are certainly important and while CISA's advice is worth taking seriously, another Java issue is attracting even more attention. CVE-2021-44228 is a zero-day affecting the Java logging package Log4j. This is widely used in a number of software products. A partial list, according to security firm Huntress Labs, includes products by Apple, Twitter, Steam, Tesla, a number of Apache applications like Apache Struts, Solr and Druid, Redis, Elasticsearch, and any number of video games, Minecraft being prominent among them.
The vulnerability is undergoing active exploitation in the wild. Late last night, GreyNoise reported that they were currently seeing two unique IPs scanning the internet for the new Apache Log4j RCE vulnerability. Bad Packets tweeted earlier this morning, mass scanning activity detected from multiple hosts checking for servers using Apache Log4j Java logging library vulnerable to remote code execution. Some are calling the vulnerability Log4Shell.
The Record says, quote, discovered during a bug bounty engagement against Minecraft servers, the vulnerability is far more impactful than some might expect, primarily because of Log4j's near-ubiquitous presence in almost all major Java-based enterprise apps and servers. Naturally, all the companies that use any of these products are also indirectly vulnerable to the Log4Shell exploit, even if some of them may be aware of it or not.
Huntress Labs advises that users of Apache Log4j should upgrade to Log4j 2.15.0-rc2 as soon as possible. They also point out that this isn't a complete solution and that the problem is so widely distributed that users will have to wait for individual vendors to push fixes.
WikiLeaks impresario Julian Assange may be approaching extradition to the U.S., where he faces 18 counts of espionage and conspiracy to illicitly access a military computer. The Wall Street Journal reports that the high court has overturned a lower court stay of extradition. Mr. Assange isn't out of appeals. He's expected to seek relief from the U.K.'s Supreme Court. The lower court that had blocked his extradition held that Mr. Assange would be at risk of suicide should he be held in the harsh conditions afforded by American prisons. But the high court was satisfied, the Journal writes, that, quote, diplomatic assurances given by the U.S. that Mr. Assange wouldn't be held under the strictest maximum security conditions if extradited, were sufficient to clear the path to extradition, end quote. Mr. Assange will remain in a British prison while his extradition process continues. The U.S. Justice Department described itself as pleased by the decision, but declined further comment.
Shoulder surfing may be banal, but effective. ESET has posted a how-to Snapchat shoulder surf demo as a warning. The hacker looks over the user's shoulder, obtains their phone number, uses it on their own phone to tell Snapchat they've forgotten their password, then looks back over the victim's shoulder to see the confirmation code appear as a drop-down. So, use two-factor authentication and stay aware of your surroundings.
And as a side note, since a lot of people are up in arms nowadays about the effect of social media on youth, Snapchat says it's marketed to the 18-to-24-year-old demographic. Our own teen spirit desk tells us, okay, boomer, no way. In fact, teens and tweens who like each other no longer try to get one another's phone numbers, which would be the kind of thing some Gen X granny would do. They ask instead if they can snap someone. We hope they're paying attention to who's around them, but somehow we doubt it.
The best security in the world doesn't do your organization any good if you can't afford it.
And despite security budgets trending toward increases these past few years,
many companies find themselves faced with tough security choices.
Oliver Rochford is security strategist and analyst at Securonix, and I checked in with him for insights on security affordability.
I think that in the moment, there are quite a lot of businesses who are finding that the ceiling of entry in some industries has just risen due to security requirements. I think we talk about good security being affordable, but the point is that there's this point of affordability which you have to reach to even be a viable business. And if you can't, even though it might take a time until you realize it, you're not actually able to operate securely. So the question of how much this is, I think it's an important one. At the same time, of course, we do have ways of being able to lower that ceiling, you know, there are strategies to be able to do that. But it has to be clear to a lot of people that if you're using digital technologies, there's a minimum buy-in price.
And what is that minimum buy-in? What is the least that people can do and still consider themselves to be secure?
No, I think that's going to depend to a great degree on risk appetite. But the way that it's normally calculated is normally a percentage of IT budget, and IT budget is normally a percentage of revenue. And what's typical in that area? Well, depending on the industry, 5% to 10% of revenue, which is normally IT budget nowadays, and some in tech, you're going to have that a lot higher, of course. And then the security budget, typical is somewhere around 5% again. So if you have 50 million revenue, you'll have maybe $250,000, $350,000 to play with. And that sounds like a lot, but I mean, if you have 250 employees, that's about $80 per employee per month. And that has to include all of the user-facing stuff, the VPN, the two-factor authentication, the endpoint protection. But more importantly, also all of the stuff that kind of runs in the back office, from disaster recovery and backups and security monitoring and so on. So it's actually not that much money.
So are organizations being unrealistic in estimating the amount of spend that it takes for this?
I think in many cases,
they are definitely trying to stretch the budget to an unrealistic degree, right?
I mean, the biggest cost, aside from technology,
are people, as an example.
And a lot of people will tend to buy the technology
but not have the people to manage.
We can use services.
That's an ideal solution to this problem.
But then you're moving from having to run your own security
to liaising and managing these relationships,
which for some organizations doesn't seem any easier.
But you have to be able to fulfill this in some way.
And I think that because it's an invisible cost
until you're breached,
for a lot of businesses, they do underestimate it.
How do you recommend that organizations go and do their shopping around for these sorts of things? If I'm looking at two different providers and their prices are very different from each other, how do I go about that evaluation?
So, you know, this is a typical lemon market, especially for services. You know, the original lemon market is because you can't tell how sour a lemon is before you bite into it. So why would you pay more for one over the other?
And it's the same with services.
I can remember when I was an industry analyst,
from the time that somebody had started with a provider
to the time that they were giving references for industry research,
which might have been three to four months,
the satisfaction level had dropped tremendously.
And that's because they started to learn that,
okay, what was included, what wasn't included, how much elimination of false positives, for example, a provider will do using threat intelligence before they forward it to you and eliminate work for you.
All of these things you don't necessarily know until you vet a service provider in terms of speaking to the actual service delivery managers, to the actual analysts, to see what their process looks like in detail, which points their responsibility end and yours begin. And ask them what kind of companies in your industry and your size they already have. Try to speak to references who've been there longer, not new customers, because they're still a bit bleary-eyed; the ones who've renewed. And ask them about the renewal rate as well.
I think these are important points.
And lastly, they're going to be in an ivory tower.
They're never going to get to know your business in particular because they're managing maybe a couple of hundred organizations.
But you can ask them how they try to mitigate that problem.
If they're not even aware it's a problem, I'd run a mile.
But they should know your type of business
if you can't get to know your business specifically, for example.
That's Oliver Rochford from Securonix.
There's a lot more to this conversation.
If you want to hear the full interview,
head on over to CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
You know, Johannes, people are starting to move around the country
and indeed the globe these days,
and that means that those of us who are
trying to keep track of them for security reasons are faced with some new patterns.
What are you all seeing there?
Yeah, one thing that sort of, you know, I ran into myself is starting to travel, in particular internationally, again. Companies over the last year or so got used to people pretty much staying put.
And of course, at the same time, we also had a lot of attacks against VPN servers and such.
So there are really two options that an administrator has at this point.
They can find a real solution like multi-factor authentication, but that's hard.
Or they can do something simple that will at least keep the noise down in the logs, and that's blocking certain IP address ranges or only allowing a limited set of IP address ranges to connect to the VPN concentrator. And that worked well as long as people pretty much connected from home. Maybe they connected from a mobile phone or such, but they didn't, for example, connect from abroad to your VPN. And now as they start traveling again, you'll have a lot of unhappy users.
Yes, I would imagine so. I mean, is this a matter of checking in with your users
and, I don't know, putting geofences around certain people?
Like, you know, I know Johannes is a traveler, but, you know, Dave likes to stay at home.
That can work, but really I want to get people away
from those geolocation blocks based on IP address.
They're really not doing you much good.
They cut down a little bit of the noise in the logs,
but an attacker with any kind of sophistication
knows how to use a VPN themselves,
make themselves appear to come from whatever country
they would like to appear to come from,
maybe even from a particular ISP
they would like to appear to come from.
These IP blocks that people are putting in place
are really what's often referred to as
security through obscurity.
They help a little bit, but in the end,
you have to do the work, you have to put the time in
and do something real like patch your systems
and set up multi-factor authentication.
Anything else is really just giving you the appearance of security
and in the end, probably causing more pain
to your users than to the attacker.
Is that really the take-home here,
that we should just be jettisoning this particular type of security
or trying to geofence users?
Yeah, it really doesn't do too much good.
The potential of denial of service, if, for example, a certain user's ISP is down and they have all of a sudden to use quickly another ISP for a backup and such. You're pretty much causing more pain to users than you would cause to a real hacker.
That's not a situation we'd usually like to be in.
Where do you strike that balance when you have a user who is a frequent traveler
and they're going all over the world?
Is multi-factor authentication the easiest answer there?
Yeah, multi-factor authentication is pretty much it at this point.
Also, secure endpoints, in particular for travelers
that you harden their endpoints, the systems they're connecting from,
so those systems themselves don't get compromised.
That's probably one of the larger risks for frequent travelers,
in particular abroad.
All right. Well, Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't miss this weekend's Research Saturday and my conversation with Ilya Volovik from Gemini Advisory.
We're discussing how FIN7 recruits talent for a push into ransomware.
That's Research Saturday.
Check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson.
Thanks for listening.
We'll see you back here next week.