CyberWire Daily - DDoS is on an upward trend, and it’s being used for extortion. A payroll provider recovers from an unspecified cyberattack. Russia charges Group-IB CEO with treason. NSA, CISA, advise on using VPNs.
Episode Date: September 29, 2021
Distributed denial-of-service attacks have been making a comeback, and many of them represent criminal extortion attempts. A major British payroll provider is recovering from a cyberattack, but it's... not providing much information on the nature of that attack. Russian authorities arrest the founder of Group-IB on treason charges. Johannes Ullrich from SANS on Out of Band Phishing Using SMS messages. Our UK correspondent Carole Theriault wonders how online trolling is still a thing. And NSA and CISA release guidelines on secure use of virtual private networks. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/188
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Distributed denial-of-service attacks have been making a comeback,
and many of them represent criminal extortion attempts.
A major British payroll provider is recovering from a cyber attack.
Russian authorities arrest the founder of Group-IB on treason charges.
Johannes Ullrich from the SANS Technology Institute on out-of-band phishing using SMS messages.
Our UK correspondent Carole Theriault wonders how online trolling is still a thing. And NSA and CISA release guidelines on secure use of VPNs.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 29th, 2021.
Distributed denial-of-service attacks appear to be returning as a significant, if episodic, nuisance.
Atlas VPN puts the number of DDoS attacks in the first half of 2021 at a record 4.5 million.
The attacks were highest in January, tapering off a bit by June, but not by that much. The regions most affected are in
Europe, the Middle East, and Africa, but the increase has been observed in most parts of the world.
Ars Technica last week summarized a denial-of-service attack against Canadian telecom
provider VoIP.ms, based in Quebec, that's interfered with the company's ability to
provide voice service to its customers.
The DDoS incident appears to be criminal in nature
since the affected company has been approached by hoods demanding a ransom
that's fluctuated between $42,000 and $4.2 million,
which suggests a certain amateurism with respect to the criminal's placement of decimal points.
The criminals say they're from REvil, the well-known privateering ransomware gang,
but that seems unlikely, a little like the neighborhood goon trying to scare people
by claiming he's a wise guy from the Masucci family.
Earlier this month, the British company VoIP Unlimited sustained a similar attack, but crooks in that
case also identified themselves with equal implausibility as REvil. Another denial-of-service
attack has hit North Carolina-based voice-over-IP provider Bandwidth, which BleepingComputer
reports began experiencing outages on Saturday. Some reports have said the carrier,
which provides telecom services to businesses,
reports that service has returned more or less to normal,
but Bandwidth's website, as of late this morning,
was still reporting partial outages in its inbound calling services.
A company notice says, quote,
Bandwidth is currently investigating an incident
impacting inbound calls from Verizon
Wireless to the bandwidth network. Inbound calls may experience intermittent failures, end quote.
Giant Group, a large British umbrella payroll company, has, according to The Register,
sustained a significant cyber attack that's delayed payment to many of the workers whose
checks are routed through the firm.
The incident began a week ago on September 22nd, and Giant appears not yet to have fully recovered.
A notice on the company's site today indicates that they're almost there, but some problems remain.
Quote,
We would like to sincerely apologize for the inconvenience and frustration you have experienced as a result of the cyber attack to our network on the 22nd September 2021.
With instances related to a cyber attack,
there are certain protocols that must be followed to ensure that the integrity of the investigation is not compromised,
and therefore we unfortunately were unable to communicate with you as quickly and openly as we wanted to.
We can confirm that our databases are encrypted.
End quote.
The company has been unusually tight-lipped concerning details of the incident
and has implied that the nature of the attack required them to hold information closely.
What that nature might be isn't clear.
After all, the company hasn't released enough information for anyone to render an informed opinion.
Giant is working with various third parties to remediate whatever issues are afflicting it.
The company did issue interim payments processed outside its normal channels to some 8,000 workers on Friday,
but there apparently remain some unsatisfied and unpaid contractors.
Russian authorities have detained Ilya Sachkov, founder and chief executive of cybersecurity firm
Group-IB, on suspicion of state treason, Reuters reports. Authorities searched Group-IB's Moscow
offices yesterday. TASS was authorized to quote presidential spokesman Dmitry Peskov
as saying the Kremlin was aware of the arrest from media reports, but that he had no further
information to offer. Reacting to the alarming development, Group-IB confirmed that authorities
had been through their Moscow office this week. The company is confident that Sachkov will be
vindicated and that Dmitry Volkov will run the company during Sachkov's detention. The company says
it's continuing operations and that customers' data are safe in its decentralized infrastructure.
Group-IB has international headquarters in London, Singapore, Dubai, and New York.
Founded in Russia, the company now regards Singapore as its primary
headquarters. NSA and CISA late yesterday released guidance on how to configure and use virtual
private networks safely and securely. VPNs provide access to protected networks and are therefore
especially attractive targets for cyber attacks.
Rob Joyce, director of cybersecurity at NSA, said,
Exploiting remote access VPNs can become a gateway to large-scale compromise.
We created guidance to help organizations understand what to look for when choosing VPNs
and how to configure them to reduce the risk of being exploited.
Use these recommendations to verify any VPNs are securely configured.
End quote.
The particular classes of threats to organizations using VPNs include, the fact sheet says,
credential harvesting, remote code execution of arbitrary code on the VPN device,
cryptographic weakening of encrypted traffic sessions,
and hijacking of encrypted traffic sessions. And these threats are often the entering wedge for more extensive and persistent attacks against networks.
NSA and CISA advise avoiding dodgy VPN providers.
They primly describe them as non-standard, and they advise looking for standard protocols and strong encryption when selecting a service,
and looking for services that permit you to fully inspect them.
Once a VPN is selected, the fact sheet recommends active hardening:
Require only strong approved cryptographic protocols, algorithms, and
authentication credentials, reduce the remote access VPN attack surface, protect and monitor
access to and from the VPN, and finally secure the network entrance. The document has detailed
suggestions under each heading and is worth reading in full. The agency's nine-page fact
sheet concludes,
quote,
Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have.
This direct access makes them a prized target for malicious actors.
Keep malicious actors out by selecting a secure, standards-based VPN
and hardening its attack surface.
This is essential for ensuring a network's cybersecurity. End quote. And who's the threat to VPNs?
Nation states mostly, NSA and CISA say,
and those two agencies would be in a position to know.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Our UK correspondent, Carole Theriault, has been pondering online trolling.
She joins us with this commentary.
So today I want to talk about cyber trolling. Why is it still a scourge out there? An article
on trolling in The Conversation suggests that online behavior is often characterized by a
tendency to act in a less inhibited way than one might act in person. So they would maybe post
abuse that they would never share if the person was standing in front of them. Research suggests
that this lack of inhibition stems from our feeling of anonymity and invisibility online,
and the absence of any perceived authority to prevent us from misbehaving. Tom Langford,
a security consultant at SentinelOne, had this to say.
Trolling has been a problem for humankind ever since we were able to communicate with each other
without having to be face to face. Even more recently, last century, for instance,
poisonous pen letters being sent through people's letter boxes in small villages, etc. It's a
phenomenon that's been with us for a long time.
So it's not surprising, really, that it hasn't changed much. It's probably on the increase now,
though, because people are more isolated from each other. They grow, therefore, a lot more
opinionated. And so therefore, the trolling increases as people become more angry and more
upset with the world around them.
In other words, we've all suffered during this global pandemic, some more than others.
And if you're an unhappy camper, you may want to share your misery.
Okay, so how to avoid trolling?
There are two things that I would suggest.
One, stay calm.
Even if you're reading something that is so inflammatory and it makes your blood boil,
do not respond. Do not engage. Because the rule is do not feed the trolls. Cyber trolls
thrive on attention. And if you don't give them any, they may get bored and go bug someone else.
And also be careful about sharing inflammatory posts and messages and articles. A lot of these are designed to get
you to share because it's so crazy or outrageous or makes your blood boil. But effectively,
you're becoming a pawn in the game by sharing this information with others.
Do your research before you share. That's why Twitter's recent stop and think algorithm is
interesting. It's trying to
stop people sharing things based on having been click-jacked by the title. And number two,
if you find yourself in a situation where you're a victim of cyber trolling,
the two keywords are block and report. New tools to report abuse are improving all the time. Make
sure you're familiar with them before you find yourself in this type of pickle.
This was Carole Theriault for the CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
You know, over on the Hacking Humans podcast in particular,
my co-host Joe Carrigan and I often talk about SMS messaging
and the varying degrees of security that come with it or perhaps do not,
whether or not it's better than nothing.
You wanted to talk to us today about some out-of-band phishing
that you've been tracking using SMS messages.
Yeah, so one thing that has been happening for a while
is that you basically just got what amounts to a phishing message
as an SMS message.
The advantage for the phisher, of course,
is that the corporate mail filters and such
usually can't look at SMS messages as they look at the email.
An interesting sort of combination we have seen lately
is where the initial message arrives as an email,
but then the message instructs you to send an SMS
to a specific phone number,
and then in return, you'll receive the actual phishing link
that, if you click on it on your phone, will direct you to a
fairly well-done website that then, of course, asks you, in this case, for your Outlook 365 credentials.
I mean, that seems like a significant extra step here. What is the social engineering hook that
they're using to convince you to do something like this?
Well, there are a couple of ways how they sort of made it a little bit more enticing, I think, for people to follow it.
First of all, the message that you're supposed to send to this phone number actually included the company name.
So you're almost feeling like you're authenticating to this phone number.
Hey, it's actually me. I work for this company.
And I think it was about getting your email allowance increased
or one of these messages.
So that's part of it.
I think the other part is that phone companies are getting a little bit better
at filtering some of that spam. By not sending mass SMS messages
to millions of users, but only sending them to people who actually responded to the initial email, they now have to send way fewer messages and may not trigger these filters
among the phone companies to reduce the spam.
Obviously, users complain about getting all these spam SMS messages.
And they, in general, try to more or less eliminate any kind of automated messaging coming from a full 10-digit phone number
without paying extra, of course.
That's the other trick to this.
So probably the spammers are trying to adapt to this a little bit
by sending less messages, using stolen credentials
without sort of running up a bill that's large enough
where they would actually get flagged as fraudulent.
Yeah, it's fascinating too, because if you are initiating the exchange,
then when you get that message from the phishing folks,
it's going to come back into one of your folders that it's from a known entity because you started it.
You sent them the initial message.
Correct. That's exactly what also some of these fraud algorithms are looking for.
If you initiated the message, then the reply, of course, can't be spam because
you asked for it. So that's, I think, how they bypass some of these algorithms. And by also
splitting the entire process between email and SMS, it's very hard for any kind of corporate
security tool or such to correlate everything that's happening here.
So is the primary solution here,
are we talking about security awareness training or are there technical measures as well?
Security awareness training is part of it.
And then, of course, yes, your credentials will get phished eventually,
so better do something like multi-factor authentication.
In the recent month or so, I looked at a couple of phishing back ends where
basically the attackers are collecting the passwords, and the good news here is I see very
few people falling for it. So maybe the education is sort of paying off. But it usually only
takes like a day or less for a phishing site to get blocked
and you get your red warning screen.
And before that, it's only like a dozen or so users
that actually fall for your average, not very sophisticated phish.
All right. Well, still something to be aware of.
Johannes Ullrich, thanks for joining us.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Thank you.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.