CyberWire Daily - Data breaches and ransomware. Another gang says it’s retiring. New warrants against cybercrime in Australia. Roles and missions in the US. Hoosier data?

Episode Date: August 30, 2021

Data breach and ransomware affect an airline's customers. The Phorpiex botnet operators say they're going out of business, and everything must go. New warrants for the Australian Federal Police in cybercrime cases. US Federal cybersecurity roles and responsibilities. Rick Howard takes on adversary playbooks. Josh Ray from Accenture Security on the Biden Administration's cybersecurity executive order and what it means for product security. And Indiana warns of a COVID-19 contact tracking database exposure. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/167

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K. A data breach and ransomware affect an airline's customers. The Phorpiex botnet operators say they're going out of business and everything must go. New warrants for the Australian Federal Police in cybercrime cases. U.S. federal cybersecurity roles and responsibilities.
Starting point is 00:02:19 Rick Howard takes on adversary playbooks. Josh Ray from Accenture Security on the Biden administration's cybersecurity executive order and what it means for product security. And Indiana warns of a COVID-19 contact tracking database exposure. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 30th, 2021. Bangkok Airways disclosed at the end of last week that it had been the victim of an attack that compromised passengers' personal information, including name, nationality, gender, phone number,
Starting point is 00:03:15 email, address, contact information, passport information, historical travel information, partial credit card information, and special meal information. The airline is working with the Royal Thai Police and has offered advice, like the familiar but nevertheless sound counsel to change potentially compromised passwords, and the also sensible warning to be alert for phishing or vishing attempts that might impersonate Bangkok Airways. They've also offered support in the form of helplines and dedicated email hotlines concerned customers can avail themselves of if they find they're in a jam over data or if they're simply concerned.
Starting point is 00:03:57 ZDNet reports that the LockBit ransomware gang has claimed responsibility and threatened to release information if their ransom demands aren't met. An announcement DarkTracer found on the dark web said, using title case before a final switch to all caps, quote, Bangkok Airways, we have more files, extra plus 200 gigabytes to show, and many more things to say. All available data will be published. End quote. LockBit says the deadline will expire today, but the gang has a track record of extending deadlines indefinitely,
Starting point is 00:04:37 like a sophomore procrastinating on a term paper. They also have a track record of claiming to have data that they in fact do not, as they did most recently in their false claim of having hacked into Accenture. The Record reports that the Phorpiex botnet has shut down, and researchers at Cyjax have found that the botnet's proprietors are offering the source code for sale. If you're in the market, not that you would be, know that Phorpiex has a mixed reputation in the underworld. It's been profitable, with its spam module and ability to hijack cryptocurrency clipboards being consistent moneymakers. Phorpiex has also hired its botnet out for use by ransomware operators, among them Avaddon, a gang that's recently gone into hiding.
Starting point is 00:05:23 On the other hand, Phorpiex's own security has tended toward the slipshod, with other criminals able to either uninstall it or even substitute their own payloads for those the proprietors intend to deliver. Phorpiex is the most recent criminal operation to announce that it's suspending its activities, going out of business. It's worth remembering that this sort of announcement, as often as not, signals a rebranding as opposed to a retirement. Krebs on Security earlier this month offered a useful rundown of the ways in which criminal groups have morphed since this became a trend in 2014.
Starting point is 00:06:02 A lot of the names will be familiar, and the successive identities are interesting. VasaLocker became Babuk, which turned into Payload.bin. Defray777 became the cowboy-hatted, bandana-wearing desperado RansomEXX. Sekhmet begat Maze, which begat Egregor. Hermes rose to fame as Ryuk, which is connected to the equally well-known Conti. BitPaymer got twice as bad as DoppelPaymer and then turned to Grief. Cerber became GandCrab and then REvil, or, if you prefer, Sodinokibi. DarkSide turned itself into BlackMatter. And finally, GameOver Zeus, also known as the Business Club, is now crawling the web as Indrik Spider. This long list of name changes isn't all that surprising.
Starting point is 00:06:51 After all, it's not as if a criminal organization needs to take out a Doing Business As license or incorporate in Delaware. Just say you're now Jittery Junebug and you're in business. A moral of this story is to take criminal announcements of retirement or professions of contrition and reform with the proverbial grain of salt, a big grain of salt. The Australian Federal Police have received extraordinary authorities for the enforcement of laws against cybercrime in the form of three new warrants
Starting point is 00:07:25 covering network activity, data disruption, and account takeover. The authorities extend beyond investigation to disruption of criminal activity. iTnews says that the standard for issuing the warrants is that they be, quote, reasonably necessary and proportionate, end quote. The Parliamentary Joint Committee on Intelligence and Security had recommended approval of the bill, which had the support of both the Liberals and Labor. The Greens have complained that authority to seize a person's account to gather evidence of serious crime, coupled with the ability to copy online material or even add, delete or alter it in order to disrupt criminal operations
Starting point is 00:08:06 or collect intelligence is the royal road to a surveillance state. The government, of course, disagrees, seeing the new authorities as necessary to dealing with the current transnational threats. U.S. cyber czar Chris Inglis sees his role fundamentally as an exercise in soft power, Politico reports. Among the things the National Cybersecurity Director intends to do in the budget reports he'll render to OMB and Congress will be to draw attention to investments that are not on the books but that should be made, as well as inefficiencies in existing spending. He does see a role for regulation. Quote,
Starting point is 00:08:53 Enlightened self-interest and market forces only get you so far, he told Politico. There are going to be some critical functions where we must consider to what degree is it not optional to achieve a certain standard. End quote. Organizationally, although his shop is separate from the National Security Council and subject to closer scrutiny by Congress, Inglis sees no fundamental tension between his role and that of Anne Neuberger of the NSC. Their goals can be aligned, their roles and responsibilities easily deconflicted. And finally, if you're a resident of the U.S. state of Indiana,
Starting point is 00:09:27 you may well be receiving a letter from the Indiana Department of Health warning, with apologies, that almost 750,000 Hoosiers, that's what citizens of Indiana are called, we note for the benefit of our international audiences, have had some of their COVID-19 online contact tracing survey data improperly accessed. The data includes name, address, email, gender, ethnicity and race, and date of birth. The state of Indiana believes the risk is relatively low, but there's a small but real chance of identity theft, and Indianapolis wants to help all Hoosiers protect themselves. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:30 But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist: Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Starting point is 00:11:26 And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io.
Starting point is 00:12:01 And it is always my pleasure, I will go so far as to say one of the highlights of my week, to introduce Rick Howard, our Chief Security Officer and Chief Analyst. Rick, you have a special CSO Perspectives this week. I know you've been looking forward to this. And the reason I know about this is because you've been talking about this for weeks on our CyberWire Slack channels. So why is this one so special to you? Well, first, thanks for those kind words, Dave. And I will keep sending the monthly checks for you to continue to say nice things for me. So let me answer the question this way. Have you ever come across an idea to solve some really hard problem that was
Starting point is 00:12:50 so crystal clear in your mind that you just knew as soon as people heard about it, adoption of it would be swift and unambiguous and you would all be moving on to the next thing. But later, you are shocked to find that the entire world hasn't followed your lead. Like what you're talking about here. Exactly. So, you know, things like don't iron the shirt while you're wearing it, you know, kind of a rule of thumb, right? You know, by the way, that's an actual warning label on some clothing
Starting point is 00:13:20 because you know somebody actually tried to do that, right? How about a line from one of our favorite movies, The Princess Bride: never get involved in a land war in Asia. Okay, seems like good advice. All right. Yeah. Or how about: just take the damn vaccine already. I'm just saying. Right, right. Okay. Once again, I will put on my hosting hat and say, how is any of this related to the current CSOP episode? Well, I run across a lot of these ideas in my career. You know, cybersecurity ideas that were great but never saw the light of day. And I've generated a few of them myself over the years. But there's this one concept that I've helped develop that I refuse to give up on. It's called proactive defense and adversary playbooks. Rick, I have known you for years now, and you and
Starting point is 00:14:13 I have talked about many of your ideas, your interesting ideas, ideas of varying levels of merit. So why is this particular idea so special? Why, well, some would say stick with it. Others would say, why can't you let it go? Oh, it's a good, I should be following your advice. The concept of proactive defense and adversary playbooks, it represents this idea that instead of focusing on blocking individual tools that bad guys use,
Starting point is 00:14:44 you know, like malware or zero-day exploits, we instead build proactive defensive plans designed to defeat how specific bad guys operate in cyberspace. So, in other words, we don't just block a tool like EternalBlue that Sandworm used during the NotPetya campaigns. Instead, we block the entire Sandworm attack sequence at every stage of the intrusion kill chain. So with that elevated thinking,
Starting point is 00:15:10 we are trying to defeat the adversaries like BlackMatter, you know, a ransomware group, or Stone Panda out of China, or even Cozy Bear out of Russia, not just the tools that they use. So in this episode, we explain in more detail what this means, and we talk about the current state in our industry and why we've been slow to adopt it.
Starting point is 00:15:29 All right. Well, I'm intrigued, and I look forward to hearing the rest of the story. That is the upcoming episode of CSO Perspectives. It is part of CyberWire Pro, which you can find on our website, thecyberwire.com. Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:16:01 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Josh Ray.
Starting point is 00:16:52 He's Managing Director and Global Cyber Defense Lead at Accenture Security. Josh, it is always great to have you back. As you and I are recording this, it's not that long after the Biden administration released their cybersecurity executive order. And I wanted to check in with you to see what in that order in particular caught your eye. Yeah, thanks, Dave, and glad to be back. So, you know, really, we believe at Accenture that this executive order is probably the most ambitious U.S. cyber policy directive we've seen. We really expect it to have significant impact on federal government, private sector, and the local government. But one of the things that really has jumped out to me is the product security aspect of it, right? The ability for this EO to drive significant changes in companies' secure software design and readiness operations.
Starting point is 00:17:40 And we think that if the industry and government really follow through on this promise, it will definitely raise the security bar for everybody, both improving the resilience of U.S. companies and subsequently the resilience of our country at large. Well, based on what you've seen in the executive order itself, how do you suppose those specific things might be rolled out? What might we see? Yeah, so one of the things I'm very encouraged about is the part of the order that focuses on software and hardware product design requirements and really requires companies to provide the government and other customers with that bill of materials that details the various code and components in a given product. This move, whose transparency I applaud, will hopefully give both the government and customers a better chance to proactively mitigate vulnerabilities before they get exploited. What do you suppose a realistic timeline is here?
Starting point is 00:18:43 When might we see actual things, you know, hit the ground? When might we see real effects take place? The hope is that companies are out waiting for the stopwatch to start. And we think that product manufacturers and vendors and CISOs and CIOs really need to start taking a hard look at their strategy and their capabilities to meet these standards now. And this is a very complex challenge, Dave, and we've observed clients who do this well focus on a couple of things. They integrate product security into their strategy, their roadmaps, and their current and future business objectives. So they're aligning their product security with the ultimate success of their business.
Starting point is 00:19:29 And secondly, they embed product security practices into their engineering life cycles from early planning through launch, right? So that all of the generations of their product remain secure and reliable. And this really ultimately helps them extract the most value out of that product as well. Do you suppose this is going to be a competitive advantage for the companies who are able to take the lead in this? Absolutely. Yeah, no, first movers on this, I think, are going to benefit.
Starting point is 00:19:59 It's going to accelerate their time to market. I think it's going to definitely increase the trust that the government as well as customers have in their product. And it's also an opportunity, right, to really build, improve security capabilities that can support
Starting point is 00:20:16 future business models. And this will allow for really more direct focus on innovation and ultimately product differentiation. Well, Josh Ray, thanks for joining us. Clear your schedule for "you" time with a handcrafted espresso beverage from Starbucks.
Starting point is 00:20:40 Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:21:19 Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
