CyberWire Daily - Dark Side’s way into Colonial Pipeline networks may have been an old VPN. Summit agenda. DDoS hits German banks. Anonymous angry with Elon Musk? Alleged Trickbot coder arraigned.
Episode Date: June 7, 2021
Dark Side seems to have attacked Colonial Pipeline through an old VPN account. Washington and Moscow prepare for this month's summit, with cyber on the agenda. DDoS affects German banks. Anonymous may be back, and out to bring to book those who would troll Bitcoiners. Rick Howard looks at process management in security. David Dufour from Webroot on lessons learned from Exchange Server vulnerabilities. And one of Trickbot's alleged authors has been arrested and arraigned on multiple charges in a US Federal court. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/108
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
DarkSide seems to have attacked Colonial Pipeline through an old VPN account.
Washington and Moscow prepare for this month's summit with cyber on the agenda.
DDoS affects German banks.
Anonymous may be back and out to bring to book those who would troll Bitcoiners.
Rick Howard looks at process management and security.
David Dufour from Webroot on lessons learned from Exchange Server vulnerabilities.
And one of TrickBot's alleged authors has been arrested and arraigned on multiple charges in a U.S. federal court.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, June 7th, 2021.
There's a bit more out about the Colonial Pipeline ransomware incident, this time concerning the entry point the attackers appear to have followed. Citing sources at Mandiant, Bloomberg reports that DarkSide ransomware operators gained access to Colonial Pipeline's networks on April 29th through a deactivated, disused virtual private network account. The attackers are believed to have found the password in a batch of credentials posted on the dark web.
It's unclear whether they obtained the username in a similar fashion or arrived at it by guessing.
Mandiant's investigation found no evidence of phishing,
although it doesn't discount the possibility of password reuse.
The investigators saw no signs of an attack earlier than the 29th.
As Presidents Biden and Putin prepare for their June 16th summit,
the U.S. increasingly regards ransomware as a national security crisis,
The Washington Post reports.
Last week, FBI Director Wray compared ransomware to terrorism
and went so far as to suggest analogies to 9/11.
Over the weekend, the Secretaries of Energy and Commerce both outlined measures
their respective departments were taking as part of the government's response
to the Colonial Pipeline and JBS incidents.
The U.S. is also seeking to organize an international response to the ransomware threat.
Much of that response seems headed in the direction of getting a handle on the use of cryptocurrencies and their use as a conduit for payment of ransomware. There is
nothing inherently nefarious about cryptocurrencies, of course, and governments are increasingly
bringing both recognition and regulation to altcoin. But one area in which closer scrutiny
and regulation seem likely is in the way such alternative currencies,
so well adapted to legitimate purposes like the transmission of remittances,
can be used to enable criminal transactions and extortion.
In any case, since much recent big-ticket ransomware has been attributed to Russian criminal gangs,
the matter will be taken up at this month's Russo-American summit.
The view that such Russian gangs operate with the toleration and encouragement of Moscow
is gaining currency among U.S. policymakers,
and the new category of threat actor Cisco's Talos Group introduced,
privateers, is also seeing broad adoption.
How does this all look from Moscow? Foreign
Ministry spokesman Dmitry Peskov said, quote, clearly cybercrime and challenges in the
cybersecurity field will be on the agenda one way or another, end quote. Which is surely true, but
then you didn't have to be Metternich to see that one coming. TASS further quotes the Russian Foreign Ministry to the effect that what we have with cyber tension between the U.S. and Russia is a failure to communicate, the U.S. having yet to take President Putin up on his offer of full cooperation. It's always Cool Hand Luke time over at the Kremlin, and every incident is always an opportunity for high-minded negotiation and other forms of mutuality.
While ransomware has justifiably drawn more attention over the
past two months, distributed denial-of-service attacks also continue. Reuters reports that
German financial tech company Fiducia & GAD IT AG, provider of online services for more than 800 financial institutions,
sustained a distributed denial-of-service attack on Thursday and Friday. Its effects were felt by
the cooperative banks who used the company's IT services. After Thursday's disruptions,
Fiducia & GAD says it was able to mitigate subsequent waves of heavy traffic.
The incident remains under investigation.
Anonymous may have resurfaced.
Coindesk and others report that a video representing itself as coming from the anarchist collective denounces Elon Musk for effectively trolling cryptocurrency users,
damaging their investments, and ruining lives.
After some ritualistic denunciations of labor and environmental practices,
and after characterizing Mr. Musk as nothing more than another narcissistic rich dude who
is desperate for attention, the video turned to its principal concern, which would be Mr.
Musk's retreat from Bitcoin. The person behind the
Guy Fawkes mask said, quote, It is now widely believed you have been forced to denounce your
company's involvement with Bitcoin in order to keep that green government money flowing into
Tesla's coffers, end quote. The reputational damage done to Bitcoin apparently hurt. As the video said, millions of retail investors were really counting on their crypto gains to improve their lives.
As hardworking people have their dreams liquidated
over your public temper tantrums,
you continue to mock them with memes
from one of your million-dollar mansions.
End quote.
So, memes can hurt.
Noted. No doubt they can, and there are some hedge funds still licking their wounds from the GameStop squeeze. Any Anonymous video always gets us into the realm of metaphysics.
How do you specify identity conditions for an anarchist collective? The anarchists themselves
have difficulty doing so. With something like
Anonymous, how do you recognize them when they show up again? But whoever prepared the video,
it's worth taking it as an index of dissatisfaction on the part of some people
who've got considerable altcoin exposure. And finally, one of the authors of TrickBot,
the ransomware tool that rose from the ashes of Dyre in 2015 and has been a nuisance ever since, has been arrested.
U.S. authorities in Miami arrested Alla Witte, who went by the hacker name Max, a 55-year-old Latvian national recently residing in Suriname, in connection with crimes committed using TrickBot.
Ms. Witte is alleged to have been one of the original TrickBot coders. The indictment charges that Witte worked as a malware developer
for the TrickBot group and wrote code related to the controlled deployment and payments of
ransomware. The ransomware informed victims that their computer was encrypted and that they would
need to purchase special software through a Bitcoin address controlled by the TrickBot group to decrypt their files.
In addition, Witte allegedly provided code to the TrickBot group that monitored and tracked authorized users of the malware and developed tools and protocols to store stolen login credentials. She's been charged with one count of conspiracy to commit computer fraud and aggravated identity theft, one count of conspiracy to commit wire fraud and bank fraud affecting a financial institution, eight counts of bank fraud affecting a financial institution, eight counts of aggravated identity theft, and one count of conspiracy to commit money laundering. She was arraigned Friday in the U.S. District Court for the Northern District of Ohio. Ms. Witte is, of course, presumed innocent, but should she be convicted,
she faces maximum penalties of five years on the first charge, 30 years for conspiracy to commit
wire and bank fraud, 30 years for each aggravated substantive bank fraud charge, a two-year
mandatory sentence for each charge of
aggravated identity theft, and these would have to be served consecutively for a total of 16 years,
and 20 years for conspiracy to commit money laundering.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it is my pleasure to welcome back to the show Rick Howard, the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, always great to have you back.
Thanks, Dave.
You know, here at the CyberWire, one of the things that pops up a lot is this constant stream of cyber adversary attacks, but also how the victims and supporting governments respond to those attacks. And I'm thinking of things like SolarWinds and the Colonial Pipeline,
and then most recently this JBS meat company situation. What? I haven't heard of any of that.
What are you talking about? Those things haven't totally dominated the headlines over the past
couple of weeks. You know, one of the common mantras for the security
community is that we try to prevent these things, usually with some kind of combination of people,
process, and technology. Well, it strikes me that the technology leg of that three-legged
cyber stool is substantive. And it's something that each of us spends a whole lot of time doing,
but not a whole lot of time talking about, discussing how to manage that process.
And I say all that to say that I understand that's what you're covering in this week's episode of CSO Perspectives.
Yeah, that's right, Dave. Ever since I was a wee lad, you know, running my first Unix lab, you know, back in the day, our community has always had this notion of a security
stack protecting our environments. And that stack consisted of all of the security tools used in the
organization. And in the early days, that stack was pretty small. You know, we had firewalls,
intrusion detection systems, and some kind of antivirus system. But today, the number of tools
in the security stack can be anywhere from 15 to 300, depending on how big you
are. And somebody has to monitor and manage all of those tools every day, decide when they have
reached end of life and need to be replaced, and then choose the tools that we want to replace
them with, or, you know, just bring in some new tech to give us some needed functionality. So in
this episode, we bring two CISOs to the CyberWire hash table and discuss that process.
Helen Patton, the advisory CISO for Cisco Duo, and Nick Gilbert, the Cherokee Nation Businesses CISO.
Wow. All right. Well, that's quite a lineup.
Now, that is what's going on on the pro side, and you are currently in Season 5 of the show there.
But over on the ad-supported side, we're releasing the Season 1 episodes,
so everybody can check those out. What's in store for us this week?
So we continue down our cybersecurity first principle journey. And so far, we've talked
about what exactly is the ultimate first principle for all cybersecurity practitioners.
And then we said, if that was true, what are the immediate strategies to pursue
in order to accomplish that first
principle goal?
Last week, we talked about zero trust as a pillar strategy.
But this week, we're talking about my passion strategy.
Out of all the things that I do, I love this one the most, and it's called intrusion kill
chain prevention.
All right.
So if I could just take a little trip down memory lane, I remember the very first time that you and I met. This was years ago. It was at the RSA conference. And you were chief security officer at Palo Alto Networks at the time.
And I was very impressed that someone of your status in the industry was, A, willing to talk to me, and B, a fan of the Cyber Wire podcasts.
And so, oh, how time has changed, and if I'd only known you then the way I know you now.
Things could be so much different.
But all, again, I say all that to point out that I remember from that very first conversation you and I had talking about the intrusion kill chain.
Yeah, so here's the thing.
I love the cybersecurity community,
and there are so many things I love about it, but one of the things that annoys me the most
is our focus on each individual technical thing. We love talking about the latest malware from,
say, the REvil ransomware gang or the latest zero-day exploit disclosure for some critical
piece of software, and all of that is well and
good, and we should pay attention to it. But as a first principle strategy, worrying about the
latest bad guy tool is not the most important thing. What is the most important thing is whether
or not you can stop the success of an offensive adversary campaign, which can consist of anywhere
between like 30 steps to 300 steps.
So blocking one piece of malware is just not going to get it done.
But deploying a defensive campaign designed to specifically stop the entire attack sequence of the REvil ransomware gang will.
So I love this topic.
And that's what we'll be covering in this ad-supported CSO Perspectives episode.
All right.
Well, you can check all of that out on our website, cyberwire.com.
Rick Howard, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, good to have you back.
Great to be back, David.
I want to touch base with you about the recent incident we had with the Exchange servers
and just your takeaways from
that. What sort of things can people learn from this whole experience? You know, it's one, it's
interesting. And, you know, as we've talked at different times, there's different types of
attacks out there. And this is definitely a pointed attack that kind of takes advantage of
flaws into a very commonly used piece of software, which we're talking about Microsoft Exchange
servers, 2013, 2019, not the Office 365. And there were some flaws in there. And really,
the attackers just went all in on stealing information from those servers and funneling off emails. So it was a pretty big deal.
that they used to use their Exchange servers for,
you can understand that impulse to just leave the Exchange server running in the background
because why not, right?
I mean, if you turn that thing off,
you might break something.
That's exactly right.
And there is a philosophy,
and I somewhat subscribe to it.
Sometimes it's worth turning it off,
see what breaks, and then go from there.
And this would have been an example
where really if you stopped patching it, if you stopped paying attention to it,
you really did leave yourself open and exposed in this instance. And this can happen a lot.
You've got to be doing those inventories of your back-end systems and knowing what you can,
you know, deprecate or even retire. Yeah. What are the takeaways here? How do you think folks are
going to approach this sort of thing going forward? Well, what I hope they do and what I think they'll
do are two different things. What I think is people will forget about this inside of two or
three months because they're going to get busy with their day-to-day jobs. But this is one of
those cases, David, that, you know, I've talked about quite often where the more mundane something is, the better it is for
security. And to be very specific here, in this case, if people had been applying patches and
immediately applied them once it was discovered, and then more importantly, if they were doing
logging and auditing and analyzing all of that logging and auditing, I know it's a big ask,
but they would
have seen what was going on and been able to prevent it sooner. So this points back to,
you know, we all want to find the next big hack. We want to, you know, steer a car off the road
into a ditch from a cell phone. But, well, maybe everybody doesn't want to do that, but it sounds exciting. But the real security work starts at monitoring logs,
making sure patches are made, and a big one is backing up your data. And I know those things
sound boring, but that's really where it starts. And if you're not doing that, these things are
going to continue to happen. Another thing that struck me about this one in particular was
how quickly the amount of vigor that the bad guys came at this one, that they just started pounding away on these exchange servers around the world.
Absolutely correct.
But believe it or not, this is something like when we first saw the first types of ransomware and we saw the first botnets back in the 2000s.
What happens is this stuff goes on for a while
and nobody knows about it.
And so it's actually happening a lot longer than we think.
But the minute there's media coverage,
they literally turn the volume up to 11
and just blast through as much stuff as they can
because they know their window's closing.
So unfortunately, what happens,
there's a lot of these things going on for a period of time,
and then it gets amped up the minute there's a ton of coverage, which there should be coverage. I'm not saying there shouldn't be, but that's what we see happen always. Yeah. All right. Well, David Dufour, thanks for joining us. Great being here, David.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha!
I join Jason and Brian on their show for a lively discussion
of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence,
and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
Thank you. Thanks for listening.
We'll see you all back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.