CyberWire Daily - Espionage, mostly cyber but also physical. DDoS in the Philippines. TSA regulations for rail and airline cybersecurity are coming. US DoJ promises civil action for cyber failures. Twitch update. And NFTs.
Episode Date: October 7, 2021

Cyberespionage seems undeterred by stern warnings. DDoS hits the Philippine Senate. The US Department of Homeland Security intends to issue cybersecurity regulations for passenger rail and airlines. The US Department of Justice intends to use the False Claims Act to bring civil actions against government contractors who fail to follow “recognized cybersecurity standards.” An update on the Twitch breach. Josh Ray from Accenture looks at what’s going on with Fancy Lazarus. Our guest is Sam Ingalls from eSecurity Planet on the state of Blockchain applications in cybersecurity. And what would it take to get you kids into a nice non-fungible token? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/194 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Cyber espionage seems undeterred by stern warnings.
DDoS hits the Philippine Senate.
The U.S. Department of Homeland Security intends to issue cybersecurity regulations for passenger rail and airlines.
The U.S. Department of Justice intends to use the False Claims Act to bring civil actions against government contractors who fail to follow recognized cybersecurity standards.
An update on the Twitch breach.
Josh Ray from Accenture looks at what's going on with Fancy Lazarus.
Our guest is Sam Ingalls from eSecurity Planet on the state of blockchain applications in cybersecurity.
And what would it take to get you kids into a nice non-fungible token?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, October 7th, 2021.
The Russian threat group that successfully exploited vulnerabilities in SolarWinds last year, an SVR unit best known as either Cozy Bear or Berserk Bear,
is said by Mandiant to again be working against Western targets.
CNN quotes Mandiant's Charles Carmakal as saying,
quote,
The group has compromised multiple government entities,
organizations that focus on political and foreign policy matters,
and technology providers that provide direct or indirect access
to the ultimate target organizations within North America and Europe.
End quote.
It would appear that U.S. warnings against bad behavior in cyberspace may have fallen on deaf ears out Moscow way.
A second related CNN report citing new research by Microsoft suggests that Russian government cyber espionage groups are enjoying satisfying levels of success against Western targets.
Russia, with China running second, is, as Microsoft's Cristin Goodwin,
Associate General Counsel and head of Microsoft's Digital Security Unit, says,
still comfortable leaning into nation-state attacks.
Goodwin added, and we're seeing that increase.
Microsoft's study, and we note in a spirit of disclosure that Microsoft is a CyberWire sponsor,
covers the 12-month period running through this past June.
The most heavily targeted sector is governments, coming in at 48% of the attacks observed.
Non-governmental organizations and think tanks placed second at 31%.
All other sectors are distant also-rans.
Among the countries targeted by nation-state espionage services,
the U.S. has a considerable lead at 46%
over the country receiving the second greatest level of attention,
which would be Ukraine, at 19%.
Who's doing all the spyland hacking? The target list suggests that it would be Russia, and that indeed is the case.
In fact, more than half, a solid 59% of the incidents tracked, are attributable to a single Russian threat actor, the one Microsoft tracks as Nobelium
and that others call APT29, Cozy Bear, or The Dukes.
Coming in second is Thallium, the boys and girls from Pyongyang,
also known as Kimsuky, Black Banshee, and Velvet Chollima,
but they clock in with just 16%.
There's also some old-school spy news.
Yesterday, the AP reports,
NATO expelled eight members of the Russian delegation to the Atlantic Alliance.
"Withdrawn their credentials"
is how Brussels describes PNGing the eight undeclared intelligence officers.
NATO also cut the size of the Russian delegation in half,
dropping their representation from 20 to 10.
Russia denied that its people were up to no good. Leonid Slutsky, who chairs the Foreign
Affairs Committee in the Duma's lower chamber, said the accusations were baseless and that
NATO's action will strain relations with Moscow. Will Russia retaliate? Probably.
Mr. Slutsky told Interfax that an asymmetric retaliation was possible,
but he didn't say what such retaliation would amount to.
The Philippine Senate is the latest high-profile organization
to find its website encumbered by distributed denial-of-service attacks,
the Inquirer reports.
Quote,
The Senate's Electronic Data Processing Management and Information System Bureau said it's
temporarily blocked access to the Senate website because of an ongoing distributed denial-of-service attack.
End quote.
Recovery is said to be in progress.
The U.S. Departments of Homeland Security and Justice have announced some new regulations,
or at least regulatory approaches.
First, DHS, whose regulations are still coming.
Addressing the 12th annual Billington Cybersecurity Summit yesterday,
U.S. Secretary of Homeland Security Alejandro Mayorkas said that
TSA would introduce new cybersecurity requirements for rail and air transport.
Reuters reported that the secretary explained that the measures would apply to higher-risk rail companies
(the focus is on passenger rail, including Amtrak and commuter lines, but not on freight haulers)
and to critical airport and aircraft operators.
They would be expected to name a chief cyber official,
disclose hacks to the government, and draft recovery plans for if an attack were to occur.
CNN says that TSA's coming security directive would be issued before the end of this year.
And second, justice. The Wall Street Journal reports that Deputy Attorney General Lisa Monaco announced in Aspen, also yesterday,
that the Department of Justice intended to use the False Claims Act to levy significant fines against federal contractors
who failed to meet what she characterized as required cybersecurity standards.
Those standards include prompt reporting of cyber incidents.
Observers continue to be astonished at the extent of this week's data breach at Twitch,
evidently at the hands of a hacktivist. PC Gamer leads with a representative quotation:
"this is as bad as it could possibly get." Maybe not. In an update the company posted yesterday,
Twitch said that as far as they know, no login credentials were stolen.
And since Twitch doesn't store paycard data, those weren't exposed either.
If the data aren't there in the first place, they're not there to be stolen.
So, Twitch users, you've got that going for you.
Which is nice.
And finally, you've no doubt heard of NFTs, non-fungible tokens,
which essentially create property rights to digital artifacts that can be bought and sold, saved and traded,
like baseball cards for the Silicon Valley set.
They're code in a blockchain, and you gotta love that, right?
Because it's a blockchain.
So maybe you got burned investing in Theranos, and you're looking for a surer bet, a way to really make your money grow,
so you can, say, retire to a yacht in the Black Sea with a snazzy tracksuit and an exotic cat for a pet.
And these NFT things are maybe really scratching where you itch.
Well, not to rain on y'all's parade, but put that pen down and step away from the checkbook or that Apple Pay app on your phone.
A project, Evolved Ape, marketed to investors as NFT, attracted thousands of speculators.
It had a website and a Twitter account and everything, even a promised game: a collection of 10,000 unique NFTs trapped inside
a lawless land where they're fighting for survival. Only the strongest ape will prevail.
Anywho, as Vice reports, the whole thing turned out to be a rug pull. The head guy in charge,
who went only by the hacker name Evil Ape, disappeared, taking not only the Twitter account but also
798 Ether with him. That's $2.7 million in Yankee greenbacks, sport. Retrospectively,
some of the disappointed investors say they can see some signs that Evolved Ape was less
than fully professional, maybe like the name Evil Ape. Anywho, Mr. Ape is now out there somewhere in the wind,
footloose and fancy-free, and more than two million bucks richer.
John Cleese of Monty Python fame offered, as reported by The Verge back in May,
his own investment opportunity.
It was an NFT of a digital picture of a drawing he made of the Brooklyn Bridge.
We especially like the two fish Mr. Cleese drew sporting beneath the bridge
and the way it's hard to tell the seagulls from the waves.
Sure, it's a quick drawing, but hey,
Picasso got away with that in his dove, right?
Better than a poke in the eye with a sharp stick
or thousands of NFTs trapped inside a lawless land.
Stupid ape.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Sam Ingalls is a contributing writer and researcher for eSecurity Planet.
His recent article, The State of Blockchain Applications in Cybersecurity, looks at some of the challenges blockchain technology has to overcome
before it's likely to see widespread adoption.
So blockchain technology has had a big impact on the global financial system,
but what are blockchain's uses within cybersecurity?
At this point, everyone and their mother has heard of blockchain technology,
and starting in 2009, the still anonymous Satoshi Nakamoto
developed and deployed Bitcoin using blockchain as its underlying technology.
A decade later, and the applications of blockchain technology beyond an alternative to currency
remain elusive and largely untested. Considering the priority that is cybersecurity today,
the article looks at how blockchain technology works and how it could be of
use to organizations in preserving their network's integrity.
Is it fair to say that, because it is so strongly associated with cryptocurrencies, blockchain technology itself has a bit of a PR problem?
Oh, absolutely. So the rise of blockchain technology alongside cryptocurrency has been a complicated relationship.
Media coverage, passionate investors, and growing recognition by traditional financial institutions
all play into why blockchain's big news. But the intense focus on its financial applications
also might have deterred a prompter expansion of blockchain's applications to other verticals of
the digital ecosystem. Though cryptocurrency seems to gain legitimacy every day, we can't forget that for
the better part of the 2010s, the industry was riddled with speculation and little respect from
traditional banking. So as far as jumping to its applications within cybersecurity and beyond,
yes, it has been a long time coming.
Well, let's dig in and talk some about the applications to cybersecurity. I mean,
what are some of the areas that you cover here where the blockchain and cybersecurity are a good
match? The cybersecurity applications of blockchain continue to be a work in progress,
and the marketplace is still in its infancy. That said, some of the
more useful applications we're seeing involve preserving data integrity within public or
pseudo-public networks, verifying and logging business events, which include everything from
patch management to supply chain logistics. And lastly, securing identity authentication,
which mitigates the risk of false key propagation, identity theft, and insider risk.
And to dive in just a little bit deeper and get more specific, a few examples of blockchain-based cybersecurity startups include Block Armour, which is a network security-focused firm using blockchain to enforce a zero-trust architecture.
There's Ukraine-based Hacken, focusing on contract audits for several top blockchains, helping organizations
evaluate and verify protocols before deployment. There's Hyland Credentials, which was once a
part of MIT Media Lab, which is building a blockchain-secure digital records platform, which uses their open standard Blockcerts.
Companies can streamline identity verification in real time.
And then finally, Chronicled is a blockchain platform focused on life sciences industries
like pharmaceuticals, commodities, and precious metals.
Using blockchain-enabled IoT devices, the firm's technology tracks
supply chain activity, offering more visibility into shipments, logistical challenges, and
counterfeiting.
What about some of the big providers, you know, the Amazons or the IBMs of the world?
Do they have some sort of plug-and-play solutions here for people who want to dip their toes in the blockchain waters?
They sure do. So AWS and IBM Blockchain are both great examples of blockchain-as-a-service options.
Microsoft Azure, just earlier this year, decided that they will not continue with their blockchain initiative. And that is more of an indicator of specialization as AWS and IBM
Blockchain and others continue to grow and really absorb the marketplace. With that being said,
though they may offer blockchain solutions, they are fairly experimental and give developers and organizations globally a chance to work with and play with blockchain
in considering applications for their own organization.
It strikes me that blockchain technology's impediment is not the technology itself.
It has some very legitimate uses, and put in the right places, it is effective technology.
It seems like, particularly when it comes to sophisticated security people, when you even mention it, you get a lot of eye rolls.
Indeed.
that people understand that blockchain as a technology is a lot more powerful and has a lot more use cases than just financial applications or just financial exchanges.
For the meantime, while that continues to receive so much media attention
and is simply worth as much of it as it is,
so it really does come with time and buy-in, as well as, you know, a market adoption.
Until we start seeing organizations implementing blockchain security solutions,
no other organization is going to want to take that jump.
That's Sam Ingalls from eSecurity Planet.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray. He is Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it's always great to have you back.
I wanted to check in with you today on the Fancy Lazarus Group.
I know you and your team have been tracking this organization.
Can you give us a little bit of background on this group and the types of things that you all are seeing from them?
Yeah, absolutely, Dave. And thanks again for having me back. So, you know, the Fancy Lazarus group is a topic that's come up a lot with our clients over the last, you know, month or so.
And for those that aren't familiar, from about May to July of this year, there's this group that's
using this moniker Fancy Lazarus, and they've conducted
what we consider seemingly indiscriminate and opportunistic DDoS attacks combined with extortion
emails. And they're targeting a lot of organizations in the finance, energy, and telecommunications,
but also the insurance verticals. And just so you know, I mean, this notion of Fancy Lazarus,
the moniker, we think almost certainly references the Russia-linked Fancy Bear and the North Korea-linked Lazarus Group.
And they really use that, we think, as a means to intimidate the targeted organization.
Can you give us some details on how they operate, what exactly they're up to?
So they start typically with an email demanding a ransomware payment.
And then if this is not received, the actors threaten to launch into a DDoS attack against the victim's network.
The extortion amount typically changes from half a Bitcoin to about four Bitcoin.
And they do that in increments daily until the extortion fee is actually met. But our intel team really thinks that the amount is determined
according to the organizational size.
So if the payment's not received, the extortion email contains threats
to increase the intensity of the attack, claiming that the volumes
would go all the way up to about 10 terabytes per second.
However, our team has observed actually a much lower intensity level.
From May to June, we've actually seen, and several DDoS protection companies have reported,
that they seem to be focused on discovering unprotected assets by viewing the Border Gateway Protocol routing table, to make sure that they're targeting organizations that don't have, essentially, third-party protection
or a DDoS protection vendor that could help them.
So, you know, there's obviously a mitigation there that's screaming out here.
Right, right.
At the top of the list of mitigations.
Yeah, yeah.
And, you know, we've seen that, you know, our team really assesses that, you know, this is very much an opportunistic criminal group performing these attacks rather than an organized nation-state affiliated organization.
And, you know, we really try to prescribe a list of recommendations, as you mentioned before.
Having things like a third party help you with your DDoS protection is always something that's really important.
Implementing things like effective traffic monitoring, intercepting and filtering, possibly things like DDoS scrubbing
hardware services that are out there, as I mentioned before. Using signature detection,
of course, is always very useful to drive some levels of anomaly detection across your network traffic that would deviate from the norm.
But also doing things like having endpoint security and network intrusion detection and prevention systems in place, because what we're seeing here is maybe even a blended attack.
So be on the lookout for, while the DDoS attack is occurring,
there could be other types of exfiltration happening at the same time.
So don't just be so focused on the extortion and the DDoS attempts,
because there may be some side, third channel type of attack
that could be occurring that may be exfiltrating data from a different part of your organization.
So kind of being on the lookout for that while
this activity may be targeting your organization.
So even a little bit of misdirection thrown into the mix there.
Absolutely right. All right. Well, Josh Ray, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.
that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.