CyberWire Daily - Election security updates from CISA. Maze says it’s out of business (and never really existed). Edward Snowden wants dual Russian-US citizenship. A botmaster goes up river.

Episode Date: November 3, 2020

Notes on Election Day security, from CISA. The Maze gang finally releases its press release announcing that it’s going out of business. Mr. Snowden applies for dual Russian-American citizenship. Ben Yelin shares his thoughts on Mark Zuckerberg’s recent Senate testimony. Our guest is Karlo Zanki from Reversing Labs on Hidden Cobra. And a botmaster gets eight years after copping a US Federal guilty plea to conspiracy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/213

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Notes on Election Day security from CISA. The Maze gang finally releases its press release announcing that it's going out of business. Mr. Snowden applies for dual Russian-American citizenship. Ben Yelin shares his thoughts on Mark Zuckerberg's recent Senate testimony.
Starting point is 00:02:16 Our guest is Karlo Zanki from Reversing Labs on Hidden Cobra. And a botmaster gets eight years after copping a U.S. federal guilty plea to conspiracy. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 3rd, 2020. Today, of course, is Election Day in the U.S. Have you voted? We have. And of course, it's inevitable that the big story be cybersecurity and the election. The U.S. Cybersecurity and Infrastructure Security Agency is holding a series of media briefings throughout the day
Starting point is 00:03:10 to pass on information about election security. A senior CISA official characterized the briefings as part of the agency's attempt to be as transparent as possible. The good news is that there really don't seem to be any major cybersecurity risks actively surfacing during today's voting. Iran and Russia have done a little bit of American cage-rattling, but nothing too serious or even particularly convincing. During the first call at 9 a.m. Eastern Standard Time, CISA made a few general points. The U.S. has learned a lot about election security since 2016, and CISA believes it's put what it's learned to good use at the federal, state, and local levels.
Starting point is 00:03:52 The threat landscape has been cumbered by Iranian groups and, to a lesser extent, Russian actors, but their activities have been neither especially intense nor notably effective. Iran has been the more active of the two, but Tehran's disinformation efforts, threatening emails and some online video, were recognized and attributed within 27 hours. Russian efforts have been similarly ineffective and have so far been notably less intense than what was seen to emerge from Iran. There's no evidence that any threat actor has succeeded in altering voter information. CISA officials made this point several times. Much voter information is readily and freely accessible without the need for any nefarious data theft. CISA was concerned
Starting point is 00:04:38 to explain that this didn't mean voter or voting data had been changed or corrupted. A senior CISA official said, Elections are messy, technology fails, and we're already seeing some resilience in the process. CISA expects technical problems in some of the thousands of polling places across the U.S., but these are expected to be part of the usual noise and not the result of cyberattacks. The most probable cyberattacks, should any develop, are from the familiar Iranian playbook, website defacement, distributed denial of service, and wiper attacks. At the time of the briefing, CISA hadn't seen any pop up so far today. CISA strongly recommends using its Rumor Control site, which you'll find at cisa.gov
Starting point is 00:05:24 slash rumor control. It's being updated as necessary. A senior CISA official said, we're treating today as if it's halftime. Since foreign cyber activity is largely taking the form of disinformation, and since the goal of such disinformation appears to be the erosion of confidence in the elections, CISA expects to remain on high alert until all votes are counted and certified in January. Turning to crime, well, to crime reporting, that is. We're not shoplifting or throwing rocks at cars or anything like that, but we trust you knew that.
Starting point is 00:05:58 Turning to crime news, you'll recall that last week, Bleeping Computer reported that the Maze ransomware gang was ceasing operation. At the time, Maze refused to confirm that it was going out of business, telling Bleeping Computer that it should wait for the press release. Well, the release is out.
Starting point is 00:06:15 Maze is going out of business, and Hack Read has their press release. They're out of business, they say, and you should regard any future communiques, blog posts, emails, and so on that purport to be from Maze as a scam. And besides, they say, they never really were in business after all. It's just clueless media hype and a bunch of hogwash put about by government tools. They were good guys, practically Robin Hoods.
Starting point is 00:06:41 Yeah, that's the ticket. Just out to expose businesses' careless OPSEC practices. Their press release is composed in such fluent shadow speak that it would be a shame not to quote a little bit of it. Quote, Our world is sinking in the recklessness and indifference, the laziness and the stupidity. A contention we note that's basically been true since that talking snake offered what's-her-name some discount fruit. Anyway, the Mazers go on. If you are taking the responsibility for other people money and personal data, then try to keep it secure.
Starting point is 00:07:16 And, as they say, the Maze Cartel was never exist and is not existing now. It can be found only inside the heads of journalists who wrote about it. So there. Actually, while it may well be the case that the Maze Gang, unusually nasty innovators in the field of ransomware, may be going, going, and possibly gone, it's unlikely that the individual goons who worked in the crew will be downing tools. Look for them to hang out a new shingle, either together or as independents.
Starting point is 00:07:49 Edward Snowden tweets that he's applied for Russian citizenship. He explains that he's doing so for family reasons. He and his wife, Lindsay Mills, are expecting their first child, and they don't wish to risk the possibility of separation. Mr. Snowden says he will hold dual Russia-U.S. citizenship. He hopes to raise his child as an American and to return one day to the United States. And finally, a word from the courthouse. Alexander Brovko, identified as both a Russian national and as formerly of the Czech Republic,
Starting point is 00:08:24 has been sentenced to eight years in prison for his role in trafficking and monetizing botnets. Mr. Brovko in February pled guilty to conspiracy to commit bank and wire fraud. The U.S. Department of Justice says that, in the aggregate, Brovko's botnets are thought to have cost victims more than $100 million. We wish him a tranquil sabbatical at Club Fed. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:09:03 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:40 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:17 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Karlo Zanki is a reverse engineer from Reversing Labs, and he and his team recently published the results of their look at Hidden Cobra.
Starting point is 00:11:25 He joins us with their findings. Yeah, Hidden Cobra, also known as Lazarus Group, has been active for around 10 years. So generally they are well known. It is believed they are sponsored by North Korean government. They are known for several campaigns, probably the best known being the Sony Pictures hacking campaign. And they're involved in one of our incidents. Also several bank stealing information, cryptocurrency stealing campaigns and different stuff. They tried to gain financial benefits, political revenge or different stuff.
Starting point is 00:12:16 They are known to often recompile their tools to highly customize malware used on different targets. And they also reuse the tools, but with different infrastructure and such stuff. It is often not easy to detect new variants because they change their samples to avoid the antivirus detection. And when we talk, let's say, about some non-state-sponsored actors, they release big campaigns targeting a large number of people and hoping that big numbers will go into their favor. Let's say you send an email campaign to millions of people using the same samples and hope that 10% of that million targets would get infected by your malware.
Starting point is 00:13:11 And non-state-sponsored actors are often happy with that result. State-sponsored actors like Hidden Cobra often don't go for such high-numbered campaigns, but focus their tools on smaller, more valuable targets and do more adapting of the solution for that target. And it's not easy to protect from such attacks when you have small clues that could help you detect those threats like IP addresses, domains and such stuff. At this moment they are quite active in cyberspace. Over the last 10 years they conducted several campaigns, did quite a lot of damage during those campaigns. And we believed that they could be interesting
Starting point is 00:14:06 to general research community and potential targets in industry and government institutions. And we believed our threat research could give additional bonus knowledge which could help protect from these malicious threat actors. That's Karlo Zanki
Starting point is 00:14:30 from Reversing Labs. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin.
Starting point is 00:15:33 He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. You and I recently, over on Caveat, we were talking about how the big folks from the big social media companies, your Zuckerbergs, your Jack Dorseys, were put in front of Congress to testify. And Mark Zuckerberg's testimony gathered some attention here. I'll quote him talking about
Starting point is 00:16:04 Section 230. He said, Section 230 made it possible for every major internet service to be built and ensured important values like free expression and openness were part of how platforms operate. Changing it is a significant decision. However, I believe Congress should update the law to make sure it's working as intended. This gathered a lot of commentary from both directions, but I think there are plenty of people out there who are cynically saying that Mr. Zuckerberg is arguing in his own interest, that changing Section 230 would have some business advantages for him. What are your thoughts here, Ben? Sure. So just to refresh, Section 230 generally provides immunity to the Twitters, the Facebooks, the Googles of the world from liability.
Starting point is 00:16:48 So any service that is an interactive computer service who publishes information from third-party users is shielded from legal liability. And that shield from legal liability has allowed these companies to flourish. They can't be held liable for their content moderation decisions. So, you know, it's allowed Facebook and Twitter to experiment with their own content moderation to allow free expression to flourish, but also give them latitude to make decisions as to how to restrict their own platforms. We've seen this cause a good deal of political controversy from both the political left and the political right,
Starting point is 00:17:29 but largely for different reasons. So on the political right, you see a lot of complaints that social media companies are biased against conservative viewpoints. And from their perspective, Facebook and Twitter and other companies censor conservative articles, conservative commentary at a far more robust pace than they do commentary from the left. What the social media companies would say is, we try and make politically neutral judgments on content moderation.
Starting point is 00:17:57 Whatever article you see has been removed or we've limited shares on, it's because it's violated our terms of service. Either it's misinformation, abusive, etc. The political left thinks that Section 230 gives too much latitude to these companies. They think that these companies aren't doing enough to protect against misinformation, particularly as it's related to election interference, and for abuse, etc. So you have this bipartisan coalition of skeptics against Section 230. And I think that's really important to understand. That context is really important to understand when evaluating Zuckerberg's opening statement. I think saying that he's amenable to getting rid of Section 230 is a way to ingratiate themselves to members
Starting point is 00:18:46 of both political parties. I know all of you don't like me equally. Exactly, exactly. So what if I said this one thing where you hate me slightly less after I give this opening statement? And yeah, I mean, he knows he's been
Starting point is 00:19:02 much maligned by the most conservative United States senators and the most liberal United States senators. So I think this is a strategic move on his part. The other element of this which you mentioned is he has Facebook's bottom line in mind when coming up with this opening statement. Facebook, as he says in his statement, greatly benefited from the protections of Section 230. It allowed them to flourish. It allowed them to make their own content moderation decisions.
Starting point is 00:19:35 So now that Facebook has nearly 100% of the market share for their type of service, for him to remove that liability shield from himself but also from other potential competitors is, to me, really an anti-competitive practice that's seeking to protect Facebook's place in the market. And I think that would be the cynical look at what Zuckerberg's motivations are here. Yeah, I was looking at one take on it over on the TechDirt website. Mike Masnick wrote, he said, make no mistake about it, this is Mark Zuckerberg pulling up the innovation ladder he climbed behind him. Absolutely.
Starting point is 00:20:07 It reminds me of that old Simpsons gif where Homer Simpson drives over the bridge, and then once he's over the bridge, he sets it on fire so nobody else can cross it. Right. So, yeah, I mean, I think this is an instance of protecting your incumbent advantage as, you know, the Goliath of social media giants. And I also think it's really interesting that Zuckerberg is saying this, but so far we haven't seen the other people who are testifying at this committee hearing, like Jack Dorsey, come out in support of some sort of Section 230 regulation. So far it's been unique to Zuckerberg. I'll also say, you know, one thing I'm also skeptical of is he offers a critique of Section 230, and he says, I think to ingratiate himself to politicians, that he's amenable to changes, but he doesn't really suggest what those
Starting point is 00:20:57 changes would be. If you are too strict, if you remove that liability and allow the Facebooks of the world to get sued on the basis of their content moderation decisions, then these companies are going to be extremely conservative about what they allow on their platforms. And it's going to start to look more like broadcast news, where NBC, CBS, and ABC aren't going to put controversial content on their network because they know that they could be fined by the FCC. But then if you,
Starting point is 00:21:25 you know, go too far in the other direction and you're too, you know, you're too lax in terms of content moderation, you could be allowing for the massive spread of disinformation, of abuse. So, you know, if you're going to offer a critique of Section 230, which he does here, I think it's incumbent upon him to offer some sort of policy solution. That's just not something that I've seen. Yeah, it smacks of a "please don't throw me in the briar patch." Yeah, exactly. And I can understand. I mean, it's intimidating, even if it's via Zoom, to be grilled by a congressional committee. But yeah, I do think we have to look at this a little bit cynically and realize the unique motivations that Zuckerberg has in these circumstances. Yeah.
Starting point is 00:22:11 All right. Well, Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. That's a spicy meatball. Listen for us on your Alexa smart speaker, too.
Starting point is 00:22:52 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Starting point is 00:23:12 Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:23:57 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
