CyberWire Daily - DDoS in hybrid war. Accellion compromise attributed. Initial access brokers. Agile C2 for botnets. US Senate’s SolarWinds hearing. US DHS cyber strategy. Shiny new phishbait.

Episode Date: February 23, 2021

Ukrainian security services complain of DDoS from Russia. The Accellion compromise is attributed to an extortion gang. Digital Shadows tracks the rise of initial access brokers, new middlemen in the criminal-to-criminal market. A botmaster uses an agile C2 infrastructure to avoid takedowns. IT executives to appear at US Senate hearings on Solorigate. US DHS talks up its cyber strategies. Ben Yelin comments on the latest court ruling on device searches at the border. Rick Howard speaks with Ariel Assaraf from Coralogix on SOAR and SIEM. And don't be deceived by bogus FedEx and DHL phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/35

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Ukrainian security services complain of DDoS from Russia. The Accellion compromise is attributed to an extortion gang. Digital Shadows tracks the rise of initial access brokers, new middlemen in the criminal-to-criminal market. A botmaster uses an agile C2 infrastructure to avoid takedowns.
Starting point is 00:02:17 IT executives to appear at U.S. Senate hearings on Solorigate. U.S. DHS talks up its cyber strategies. Ben Yelin comments on the latest court ruling on device searches at the border, Rick Howard speaks with Ariel Assaraf from Coralogix on SOAR and SIEM, and don't be deceived by bogus FedEx and DHL phishbait.
Starting point is 00:03:10 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 23, 2021. Ukrainian news agency UNIAN reports that Ukraine's SBU security service says it's been under distributed denial of service attack for several days. SBU representatives told Ukrainska Pravda that the attack is obviously connected with Russia's ongoing hybrid war against Ukraine. The attack against secure file-sharing service provider Accellion has been attributed to the FIN11 and Clop ransomware gangs. FireEye's Mandiant unit, which has been working with Accellion to respond to the incident, says that exploitation began in mid-December and that the victims began receiving extortion notices in January.
Starting point is 00:03:45 It appears to have been a pure extortion campaign. The Clop ransomware itself seems not to have been deployed. FireEye has remarked in the past that FIN11's successes have been predicated more on volume than on technical sophistication. So as the old Crazy Eddie commercials used to ask, what's your secret? And then gave the immediate answer, volume. Accellion has issued guidelines for its customers to help protect themselves against further damage from the compromise of its FTA service. In particular, the company recommends that FTA customers migrate to the company's Kiteworks service. Researchers at security firm Digital Shadows this morning released a report on initial access brokers, which they see as a relatively young emerging sector of the criminal-to-criminal market. While they've been monitoring initial access brokers
Starting point is 00:04:38 since 2014, during this past year they've found some 500 criminals or criminal gangs selling initial access in underworld markets. The brokers serve, for the most part, ransomware operators. Initial access brokers find vulnerable organizations and then, acting as a middleman, sell access to potential victims to criminals who use that access to conduct ransomware attacks. The growth of this criminal market represents another stage in lowering the barriers to entry for less skilled cybercriminals. The middlemen have also learned from experience to obscure and redact the identities of the accessible networks they're hawking,
Starting point is 00:05:18 the better to escape the attention of law enforcement organizations. The brokers rely on scanning tools to identify accessible networks. Should you have entertained any hope that they would regard certain targets, let us say, for example, healthcare organizations or essential services, as off-limits, well, put such hope aside. They don't appear to regard any targets as off-limits. Digital Shadows suggests that companies use threat intelligence, and in particular threat intelligence designed to detect when their own network's compromise might be up
Starting point is 00:05:51 for sale, to disrupt the criminals' approach. Security firm Akamai reports that it's tracking a criminal botnet operator that's started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It's a simple yet effective way to defeat takedown attempts. The group is able to fetch real-time data from a decentralized source in a way that enables it to generate command-and-control IP addresses in simple and quick pivots. Akamai has made a comprehensive list of indicators of compromise available. SolarWinds' still-relatively-new CEO Sudhakar Ramakrishna will appear before a congressional
Starting point is 00:06:34 committee investigating Solorigate this week, according to The Washington Post. His public statements foreshadow the testimony he's believed likely to give. FCW reports that he told the Center for Strategic and International Studies virtual meeting yesterday that what happened to SolarWinds could have happened to anyone. He's also advocated, NextGov says, incentivized risk information sharing with some protection against liability. Some such protections have already been enacted, but Ramakrishna thinks more are in order. He also points out that restrictive clauses in federal contracts have sometimes inhibited fuller information sharing. The hearings are taking place before the Senate Select Committee on Intelligence.
Starting point is 00:07:18 Ramakrishna will not be the only tech executive to appear on Capitol Hill today. He'll be joined by FireEye chief executive Kevin Mandia, Microsoft president Brad Smith, and CrowdStrike chief executive and president George Kurtz. MSSP Alert thinks that at least two questions are likely to be addressed during the hearings. First, how much cleaning up after the SolarWinds supply chain compromise is likely to cost? And second, what's the impact on company revenues? Specifically, with respect to SolarWinds itself, did its disclosures prompt buyer concerns? Did the company lose revenue, and is it experiencing other forms of revenue pressure? The U.S. Department of Homeland Security has announced a range of intentions
Starting point is 00:08:04 aimed at furthering President Biden's call for improved security. The department's announcement suggests more continuity than change, as it describes with satisfaction such accomplishments as securing the 2020 election against cyberattack, especially by timely information sharing with state and local election officials, lending urgency to remediation and providing incident response assistance, collaborating with government and private sector partners to defend against North Korean cyber attacks on financial institutions, improving vulnerability disclosure, and facilitating the growth of shared cybersecurity services among federal civilian agencies.
Starting point is 00:08:43 Among new initiatives announced will be a campaign to reduce the risk posed by ransomware and a new requirement that recipients of Federal Emergency Management Agency grants increase their minimum cybersecurity spend. And finally, be on the lookout for phishing emails baited with what appear to be notices from shippers FedEx or DHL Express. Armorblox this morning warned that a campaign was in progress and that it appeared to be targeting, for the most part, Microsoft email users. The phishbait is pretty convincing, but of course entirely bogus. Still, it does look like the sort of shipping notice one might receive, and it would be easy to bite.
Starting point is 00:09:27 The criminals' goal appears to be theft of work email credentials. The lures use convincing logos and layouts, and an unwary user more attuned to look than language might fall for them. But some of the examples Armorblox gives suggest that the crooks still suffer from weak idiomatic control. Still, look and think before you click.
Starting point is 00:12:05 The CyberWire's own CSO, Rick Howard, has been talking to experts about DevOps and infrastructure as code and how that design philosophy applies to security. He files this report. For the past few years, the SIEM market has been going through some changes as vendors transition to delivering their product from the cloud and competing with SOAR products to move the security community closer to the DevSecOps model. I sat down with Ariel Assaraf, founder and CEO of Coralogix, a SIEM product, on this changing and perhaps merging landscape. I started by asking Ariel to clear up a misunderstanding in the InfoSec community about the cost of
Starting point is 00:12:58 storing SIEM data in the cloud. I think what a lot of companies try to do, and they provide very good products, but what they try to do is to take SIEM that was deployed on-prem and just put it on the cloud. And then say, okay, in the cloud, my infrastructure limitations are smaller because I can easily scale and I can use a lot of disk. So I think that the problem is solved. But then you run into another problem, which is there's just too much data. That means that it's extremely expensive, and that means that there's a lot of clutter. So when we took SIEM to the cloud, we said, okay, it's not enough to just put it in the cloud.
Starting point is 00:13:42 We need to figure out a new way to handle data because companies on cloud are actually generating a lot more data than companies on-prem because of what we just said: it's easier to scale, it's easier to add machines, it's easier to add devices. The cost of storing is not lower, but the option of scaling the storage and machines is much easier. Among the new features in these new cloud-delivered SIEMs is the way that they can process alerts. Now we ingest, analyze, and then store. So we know a lot of stuff on the data way before it's stored into the storage. So we understand, for instance, whether a specific record has a suspected IP or specific records form an anomaly or something triggered an alert that you care about or something was enriched with your own data source making it important. Or if you define a certain component to be critical and you define that it has to be stored.
Starting point is 00:14:42 So we know all that before we get to the point where we store the data, so we only put the relevant information under the index, and all the rest of the information goes to an archive that can be queried on a lower frequency, just in case you need the forensics or compliance reasons. Another interesting change in the SIEM market, as well as the SOAR market, is a convergence of the two. SOAR tools are adopting SIEM capability
Starting point is 00:15:11 and SIEM tools are adopting SOAR capabilities. It started with a few interesting acquisitions. You look at Splunk and Phantom, and then Sumo Logic and Jask. So obviously we see acquisitions and then merging those products into a single solution of SIEM and SOAR. I think that there's so much to do in both of them that it's going to take some time.
Starting point is 00:15:39 At the end, just like the DevOps tools, again, I like to compare these two markets. DevOps tools started with metrics products, and then log analytics products separately, and then APM separately. And then they're all combining into these mega observability platforms. I think the same will happen with security. It's going to take some time. SIEMs have been around since the early 2000s, but SOAR has only popped up in the last three years. Still, it wouldn't surprise me if in just a few short years, we won't have separate categories for these products. They will merge into a bigger product of combined capability.
Starting point is 00:16:45 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Ben, great to have you back. Good to be with you again, Dave. Interesting article. This is from the Courthouse News Service, and it's written by Thomas F.
Starting point is 00:17:30 Harrison. It's titled, First Circuit Upholds Border Searches of Phones and Laptops. This is an ongoing thing here. More, I don't know, confirmation that the folks at the border have the right to rifle through our belongings? Yeah, it sure is. So we've seen a lot of conflicting case law on this. This is a pretty serious problem because the last year for which we have reliable data, 2017, there were 30,000 of these searches at the border. So it's more common than you would think. And this, we're talking about searches of the digital devices of U.S. persons. So it's not, you know, searching people who are tourists
Starting point is 00:18:11 to this country or who are immigrating to this country. It's people who are U.S. citizens. So what the First Circuit is saying in this decision is that border searches qualify as what's known as a special need in Fourth Amendment jurisprudence, meaning it's a special governmental need beyond mere law enforcement,
Starting point is 00:18:32 beyond the mere apprehension of criminals. Because we need strict border searches to protect our national integrity, to protect our safety. And so as a result of that, they are saying that warrantless searches of these devices at the border, so at airports or at border crossings, are allowed even if the border agents don't actually have any suspicion.
Starting point is 00:18:58 And this is in conflict with what another judicial circuit has said. The Ninth Circuit said that in order to have these searches, you have to have at least reasonable suspicion that you're going to find something of value. Obviously, I respect the need to protect our borders, to make sure that everybody we let into the United States or back into the United States is not going to do anything to jeopardize our security. But, you know, there are some issues in having these suspicionless searches at the border. One thing that this case brings up is there are some racial and ethnic biases that go into the decisions to search devices. So all of the plaintiffs in this case brought by the ACLU and the Electronic Frontier Foundation are Muslims or people of color.
Starting point is 00:19:48 So I think it's something where suspicionless is maybe the term of art, but there perhaps is some suspicion merely on the basis of somebody's race or ethnicity. And I think that's something for which we need to be mindful. Yeah, this article points out some nuance here that I was not aware of. It says that current government policy is that agents can rummage through phones and laptops for no reason,
Starting point is 00:20:16 although they can't access the internet while they search and they must have reasonable suspicion to hook the device up to an external machine to extract data or to view deleted or encrypted files. Put everything on the cloud, people. That seems to be the lesson here. Be careful what you write in your notes application because that's right there for the taking. Or, as we've talked about, any alerts you're getting, notifications on your phone,
Starting point is 00:20:44 or the picture that you use as your background, don't show yourself selling drugs in that picture. Right, right. Yeah, I mean, it seems like that's kind of a, and I'm sure there are reasons for it, but it seems to me to be, at least on its face, kind of an arbitrary dividing line. If it's okay to rummage through somebody's device,
Starting point is 00:21:06 how much of a difference does it make if you have internet connectivity? I mean, I guess it makes some difference, but it just seems to me like a bizarre place to draw a distinction. Does this push us one step closer to having this head to the Supreme Court? Yeah, so anytime you see a circuit split like this,
Starting point is 00:21:25 that usually means that we're on a collision course that will end up at the Supreme Court. It doesn't always mean that, but it certainly makes it more likely. This means that you've had some of our most prominent jurists looking at the same issue and coming to different conclusions. And that might require something that leads to a Supreme Court resolution.
Starting point is 00:21:47 Yeah. I suppose in this case, that would be welcome to have some, I don't know, some finality on this. Yes, just some clarity. So people can have expectations when they're crossing the border: is it acceptable for Customs and Border Patrol agents to search my laptop without any suspicion? Right now, it's largely unclear and perhaps based on where you are making your border entry, because that determines which federal court of appeals has jurisdiction. The First Circuit is in the Northeast,
Starting point is 00:22:21 so make of that what you will. The Ninth Circuit is on the West Coast. Perhaps there are some important nuances and differences in terms of the geography. You can shop your border crossing based on privacy, how you want to come in and out. Maybe I'll use the LA airport instead of the New York airport,
Starting point is 00:22:42 even if it's a little bit out of the way. Just a little bit out of the way, right? Just a little, just a little, yeah. All right, well, interesting development for sure. Ben Yelin, thanks for joining us. Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:23:21 sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:23:42 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, ... Thanks for listening. We'll see you back here tomorrow.
