CyberWire Daily - Diplomacy and hybrid war. Heightened cyber tension as Quds Day approaches. Conti in Costa Rica. North Korean cyber operators target journalists. C2C notes. A guilty plea in a cyberstalking case.
Episode Date: April 26, 2022
Heightened cyber tension as Quds Day approaches. Costa Rican electrical utility suffers from Conti ransomware. Emotet's operators seem to be exploring new possibilities. North Korean cyber operators target journalists who cover the DPRK. A guilty plea in a strange case of corporate-connected cyberstalking. Ben Yelin ponders the potential Twitter takeover. Mr. Security Answer Person John Pescatore addresses questions about vendors. And cybercrime, run like a business.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/80
Selected reading.
Russia's invasion of Ukraine: List of key events from day 62 (Al Jazeera)
Ukraine takes war behind enemy lines as Russian fuel depots set ablaze (The Telegraph)
Russia pounds eastern Ukraine as West promises Kyiv new arms (AP NEWS)
Finland, Sweden to begin NATO application in May, say local media reports (Reuters)
'Thanks, Putin': Finnish and Swedish Lawmakers Aim for NATO Membership (Foreign Policy)
World War Three now a 'real' danger, Russian foreign minister Sergei Lavrov warns (The Telegraph)
Moscow cites risk of nuclear war as U.S., allies pledge heavier arms for Ukraine (Reuters)
Russia Warns of Nuclear War Risk as Ukraine Talks Go On (Bloomberg)
From Jordan to Japan: US invites 14 non-NATO nations to Ukraine defense summit (Breaking Defense)
State TV says Iran foiled cyberattacks on public services (AP NEWS)
State TV Says Iran Foiled Cyberattacks on Public Services (SecurityWeek)
Iranian hackers claim they've hit the Bank of Israel - but 'no proof,' cyber authority says (Haaretz)
North Korean hackers targeting journalists with novel malware (BleepingComputer)
The ink-stained trail of GOLDBACKDOOR (Stairwell)
Conti ransomware cripples systems of electricity manager in Costa Rican town (The Record by Recorded Future)
Emotet Tests New Delivery Techniques (Proofpoint)
Ex-eBay exec pleads guilty to harassing couple whose newsletter raised ire (Reuters)
Mastermind of Natick couple's harassment pleads guilty (Boston Globe)
Former eBay Executive Pleads Guilty to His Role in Cyberstalking Campaign (US Department of Justice)
Cybercriminals offer malware free of charge (IT-Markt)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Heightened cyber tension as Quds Day approaches.
Costa Rican electrical utilities suffer from Conti ransomware.
Emotet's operators seem to be exploring new possibilities.
North Korean cyber operators target journalists who cover the DPRK.
A guilty plea in a strange case of corporate-connected cyber-stalking.
Ben Yelin ponders the potential Twitter takeover.
Mr. Security Answer Person John Pescatore addresses questions about vendors,
and cybercrime run like a business.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Tuesday, April 26, 2022.
Russia's hybrid war against Ukraine has seen, over the past day, more sabotage and long-range strikes from both sides, as Ukrainian forces apparently extend their operations to targets inside Russia proper, and Russia conducts airstrikes against Ukrainian installations well outside the Donbass and the Azov coast. But there are no reports of further cyberattacks in the war, although all parties remain on alert to their likelihood.
As Quds Day approaches this Friday, a traditional time of heightened cyber tension between Iran and other nations, especially Israel, the AP reports that Iranian media say the country has detected and blocked hundreds of cyberattacks against public and private infrastructure. Haaretz reports that an Iranian hacktivist outfit styled Hackers of Savior has claimed a successful attack against the Bank of Israel. The group claims to have accessed customers' accounts, but both Israel's National Cyber Directorate and the Bank of Israel say they found no indication of any kind of hacking into any banking network.
Conti's ransomware campaign against Costa Rica has expanded to affect the country's electrical power distribution system, the Record reports. JASEC, the organization that delivers power to the city of Cartago, said that its administrative and business systems had been disabled by the ransomware. This doesn't, however, represent a direct attack on industrial control systems. Power generation and distribution continue normally, JASEC says.
Proofpoint this morning reported that it's seeing unusual activity from the Emotet malware-wielding gang TA542. The criminal group, which has been in a slow period since going into partial hibernation early last year, appears to be conducting low-volume testing of new techniques. Specifically, they're using OneDrive URLs and XLL files to deliver their malicious payloads. The activity may also indicate a shift to more selective and limited-scale attacks in parallel to the typical mass-scale email campaigns.
Researchers at Stairwell have released an extensive report on GOLDBACKDOOR, malware deployed by APT37, the DPRK cyber threat group also tracked as Ricochet Chollima. The researchers say, "Stairwell assesses with medium-high confidence that GOLDBACKDOOR is the successor of, or used in parallel with, the malware BlueLight, attributed to APT37 Ricochet Chollima. This assessment is based on technical overlaps between the two malware families and the impersonation of NK News, a South Korean news site focused on the DPRK." Much of the activity in the current campaign is directed at data exfiltration. Bleeping Computer notes that Pyongyang regards news reporting as a fundamentally hostile activity, which would account for the attention being paid to journalists.
The U.S. Department of Justice has announced that one of those accused of cyber-stalking the couple who ran a mom-and-pop e-commerce newsletter has taken a guilty plea. James Baugh, 47, of San Jose, California, eBay's former senior director of safety and security, pleaded guilty to one count of conspiracy to commit stalking through interstate travel and through facilities of interstate commerce, two counts of stalking through facilities of interstate commerce, two counts of witness tampering, and two counts of destruction, alteration, and falsification of records in a federal investigation.
The stalking seems to have been unusually malign and focused.
The U.S. Attorney's Office explained,
The campaign included sending anonymous and disturbing deliveries to the victims' home,
sending private Twitter messages and public tweets criticizing the newsletter's content
and threatening to visit the victims,
traveling to their home to surveil the victims
and installing a GPS tracking device on their car.
Sentencing is expected in September.
And finally, free trials can be used to attract customers in the criminal-to-criminal market just like they are in legitimate markets. IT-Markt discusses the case of the Ginzo infostealer, which, while in G DATA's estimation isn't particularly novel, is wooing clients and building reputation in the C2C market. So the criminals, like many other businesses, aren't selling steak, they're selling sizzle. And step right up, they're offering their criminal customers free stuff as an incentive. And who doesn't like free stuff?
Mr. Security Answer Person.
Hello and welcome back to Mr. Security Answer Person.
I'm John Pescatore.
Let's get into our question for this week.
This week I'll attempt to answer two related but diametrically opposed questions at once.
Security Person A asks, "I worked in IT before transferring into the Security Operations Group. In IT, there seems to be relentless market consolidation of vendors, as well as pressure from the CIO to reduce the number of suppliers used. In IT security, it seems there are literally thousands of vendors with new ones showing up each week and almost no pressure to consolidate. What's up with that?"
Security Person B asks, "What can we do to keep small, innovative security vendors alive? It seems like the big vendors spend most of their time trying to lock us into their product line and very rarely innovate or meet our individual needs. But when we find a small vendor with a cool and useful product, within two years, almost invariably, they are acquired by a big security vendor and the product line is either dumbed down or disappears. Will this ever change?"
Well, this reminds me of one of those optical illusions
where half the people see the dress as blue and black and the other half see it as gold and white.
It is hard to get good data, but CompTIA said a few years ago that there were over 525,000
IT product and service companies in the U.S. alone. CyberDB says there are about 3,500
information security vendors in the U.S. This means security vendors are only 0.7% of the overall IT vendor count,
which is actually quite low compared to the spending ratio between the two areas,
where IT security spending is somewhere around 5% of overall IT spending.
So by that metric, it does not really seem like there are too many security vendors.
On the other hand, and there's always another hand,
every time a new threat comes out,
there does seem to be a wave of new security vendors
getting funded to create solutions aimed at that threat.
Which, of course, makes no sense.
The Verizon Data Breach Investigations Report has used both the CIS Critical Security Controls and the MITRE ATT&CK framework to show there is a small number of root causes that enable the vast majority of threats.
It doesn't matter whether a threat comes from a botnet or is ransomware or a data breach.
Good security solutions should work across broad classes of threats.
Common sense says you really don't need a different toothpaste or toothbrush for your molars or those pointy teeth up front.
But rather than go on yet another rant about vendor marketing,
let me try to answer the real question here.
How many security vendors do I need?
Like all such broad questions, any meaningful answer will start with "it depends on."
But first, let's establish some edge limits.
One security vendor will never be sufficient for all but the smallest of companies,
small office, home office, and the like. Many security vendors have tried to be one-stop security shopping
companies. I call them security department stores. And it has never gone well and never lasted long.
Similarly, many big IT infrastructure players like Cisco, IBM, Intel, and Microsoft have bought up
all kinds of security products and tried to say, we are the infrastructure
and we can secure the infrastructure. This never works. There are a lot of reasons why this will
always be true. First off, we know from experience with the IBMs, Microsoft, Oracles, and many other
big vendors that anytime a vendor gets too high a market share, their innovation goes down and
their willingness or ability to meet customer needs drops dramatically. Pricing
may stay low or even get lower, but value goes down. So it's kind of a good thing that in security
we still usually see two or three vendors with large but nearly equal market shares versus one
with 80% market share. Second, Microsoft Windows has conclusively proven over the last 30 years
that monocultures are bad for security. This is true in the food
chain and it has proven true in the software world as well. But I think most importantly,
it's nearly impossible for one security company to be good, let alone great, across the many
different technology areas that need protection. Take one simple division, network security versus host-based security, where nearly completely different technical skills and understandings of the differences in managing each technology are needed. When I was with Gartner, I had a $100 bet with a Fortune 100 CEO that no vendor would be a leader in both a network security and a security software Magic Quadrant. And 15 years later, I'm still winning that bet.
So what am I saying? Two security vendors is probably okay? Well, not so fast.
I've always broken the security markets into three broad segments. Keep the bad guys out.
Pretty much everything threat or vulnerability facing. Firewalls, intrusion detection and
prevention, vulnerability management, host-based security, etc. Changes are driven by new forms
of attack or discovery of new types of
vulnerabilities. Let the good guys in. This is mostly authentication and access control.
Changes in this area are driven by business changes, not threats. Keep the wheels on.
Governance risk compliance, security management tools, forensics, incident response, backup
recovery, etc. Efficiency is job one here.
These are well-known tasks. We need to do them more efficiently and with lesser skilled folks.
Realistically, Fortune 1000-sized companies will need at least a few security vendors in each of these three areas. That probably means somewhere between 10 and 12 security vendors in use
will prove to be the average or maybe even the low end of average. By the way, that doesn't even include the number of open source security tools in use,
a topic for another Mr. Security Answer Person episode.
Will this ever change?
The movements of business applications to cloud services and on-premise virtualized
data centers has the potential to change this because of the blurring of network and host
in a virtualized environment.
But this does require a much more converged virtual admin, security admin, IT admin
form of governance that enterprises have been very slow to move to. So the bottom
line, if you're using 50 different security vendors you probably have a
problem. If you're using just one or two security vendors you're likely more
focused on compliance than actual security.
Moving that security vendor Goldilocks "just right" zone down from a dozen security vendors to a handful requires both high-maturity security processes and governance integration across cloud, virtual data center, and IT admin. Easy to say, hard to do.
Mr. Security Answer Person.
Thanks for listening.
I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the Cyber Wire.
Send in your questions for Mr. Security Answer Person to questions at thecyberwire.com.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
So I don't know if you noticed, Ben.
I know you're active on Twitter.
Twitter may have a new owner soon.
It sure does.
Mr. Elon Musk, eccentric billionaire extraordinaire, has purchased Twitter for the low price of $44 billion.
The money he found in his couch cushions, no doubt.
What do you make of this?
I mean, from a serious point of view,
what are the policy implications we could see of Twitter changing hands here?
So it's unclear at this point.
He's spoken broadly in the past
about being an absolutist in terms of free speech,
which would seem to indicate
that he would be for looser content moderation practices.
Twitter does do things like shadow bans or diminishing
the content of users that post objectionable material. It's also done very high profile
things like permanently banning the account of former President Donald Trump. And if Elon Musk
is buying this for an ideological purpose and that he wants to have a platform that is absolutist in
its posture on free speech, I think that could have pretty wide-reaching implications for Twitter.
President Trump could be back on it. There could be more leeway for people to post content that
might have otherwise have been banned because it's offensive, because it's considered abusive,
and that might affect
the business prospects of Twitter. We talked about on the Caveat podcast, it's always a fine line
because if you loosen content moderation too much, you're going to end up with a platform full of
bots, trolls, neo-Nazis. Right. Well, and look at some of these other platforms that have spun up
that where this has been the thing that they've led with that, you know, you'll be able to say whatever.
They just don't seem to gain popularity because it's no fun.
Right. Nobody wants to be on a platform that's been overrun by these bots, spam, et cetera, that we just don't want to deal with.
Yeah.
So I think he's going to have to straddle the line on that.
I guess I'm confused as to why he's making this purchase.
If he's doing it because he thinks he can actually gain some value out of Twitter, make it a more profitable platform, then I think that has interesting potential.
I mean, there are certainly things he could do to improve the user experience of Twitter. And maybe because he's introduced innovations in the rest of his entrepreneurial work with Tesla, with SpaceX, maybe that's something that he can bring
to the platform. What I worry about is he's doing this as sort of a vanity project, that he was
upset by particular Twitter policies that related to content moderation. And that he thought, well,
I have a lot of money. If I'm unhappy with these policies, why don't I just buy Twitter?
Right. Buy it and fix it.
Yeah. In that case, I mean, I think we would have to worry about Twitter as we know it devolving
into something unrecognizable. Where, I guess putting it this way, we might miss the content moderation that
we had. Because there is a reason that many users, even if they say that they are free speech
absolutists, don't want to be on the platform with a lot of smut. And so I think that's the
line that he's certainly going to have to straddle. Now, there's some policy stuff coming out of the
EU right now that could intersect with this. What's going on there? So just as a coincidence, the EU
and its member states this weekend agreed on a new digital regulation policy that's going to force
tech giants, including Twitter, to better police illegal content on their platforms. Otherwise,
they'd be risking multi-billion dollar fines. And the structure of
the fines is going to be very similar to GDPR. It would be a percentage of their annual earnings.
And it's no chump change. I mean, we're talking about potentially billions of dollars at stake.
What this legislation tries to do is a couple of things. One, it would limit how these digital
giants target users with online advertisements. So it would stop platforms
from targeting users with algorithms based on immutable characteristics like race, gender,
religion, et cetera. It would ban targeted advertisements aimed at children. The companies
are now going to have to implement new procedures to take down illegal material. So things like hate
speech, incitement to terrorism, child sexual abuse. And then e-commerce sites, things like Amazon, have to prevent the sale of illegal goods or illicit material.
Some of those things I think could fly in the United States.
Certainly we have an infrastructure where we crack down on things like child sex abuse.
But when we're talking about incitement to terrorism and hate speech,
if you take Elon Musk literally and he wants to put his free speech absolutist ideology into his governance of Twitter, then we might run into some problems
as it relates to this new European regulation. We have values in the United
States that we are more, I guess, gung-ho about our belief in free speech than some of our European
counterparts. So we are more willing to accept things like hate speech and incitement to violence
in service of the idea that we should have a robust marketplace of ideas.
So that might end up being a conflict.
And we already see echoes of this.
There was a story in the Financial Times that seems to indicate European authorities saying,
look, Elon Musk, if you are going to loosen content moderation practices on Twitter to
the point that we start seeing a lot of hate speech, we start seeing a lot of incitements to domestic terrorism, then we won't be afraid to fine you and we won't be afraid to
potentially ban Twitter and the European Union. So we see this clash of ideologies that I think
is playing out in a very high profile way. You know, it reminds me of something I heard years
ago, and this is anecdotal, and so take it for what it's worth.
But I remember seeing someone say, if you want to get the Nazis out of your Twitter feed, tell Twitter you're in Germany.
Tag your location as being in Germany.
Because evidently Twitter, as required, does a really effective job of filtering out that content for German citizens.
Right.
Because they have to.
Right.
So it's possibly, perhaps there's a technological solution to this,
but it certainly is an interesting intersection timing-wise,
you know, at this moment that Elon Musk is trying to buy Twitter,
the EU is sort of tightening down their own content moderation guidelines.
Yeah, I mean, I think we might be on a collision course.
And if we know one thing about Elon Musk is he likes to push the envelope.
He likes to be provocative.
Right.
So we could see him potentially loosening content moderation policies
to set up an ideological clash with authorities in the European Union.
And he'd bring a lot of power with him.
It's not just that he's purchasing
a multi-billion dollar company,
but we have a political culture in the United States
that really does value free speech.
So I think it would be a major ideological conflict.
I don't think we're gonna get to the point
where Twitter is banned in Europe
because Elon Musk won't institute
content moderation policies.
But I do think we're potentially on a collision course where there's going to be some back and forth ideological battle that might involve a billion dollars worth of fines that maybe Elon Musk is okay paying.
Right.
If he's willing to purchase Twitter for $44 billion, what's another billion here or there?
Just another trip to the couch and rifling through the cushions for some spare change.
Exactly.
All right.
Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.
We'll see you back here tomorrow.