CyberWire Daily - Espionage phishbait in South and Southwest Asia. A utility recovers from a cyber incident. GAO tells the US Congress cyber strategy is wanting. Investigations, Moscow and Missouri style.
Episode Date: December 3, 2021
SideCopy, a Pakistani APT, is phishing for information in both India and Afghanistan. A Colorado electrical utility continues to recover from a cyber incident it sustained early last month. The GAO tells the US Congress that the nation still lacks a comprehensive cybersecurity strategy. The Missouri Highway Patrol continues, for some reason, to investigate a responsible disclosure as a criminal hack. Dinah Davis from Arctic Wolf on hackers targeting Minecraft. Our guest is Blake Darché from Area 1 Security with research on phishing. And it appears Moscow thinks a Group-IB leader outed Fancy Bear to the US. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/231
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A Pakistani APT is phishing for information in both India and Afghanistan.
A Colorado electrical utility continues to recover from a cyber incident it sustained early last month.
The GAO tells the U.S. Congress that the nation still lacks a comprehensive cybersecurity strategy.
The Missouri Highway Patrol continues, for some reason, to investigate a responsible disclosure as a criminal hack.
Dinah Davis from Arctic Wolf on hackers targeting Minecraft.
Our guest is Blake Darché from Area 1 Security with research on phishing.
And it appears Moscow thinks a Group-IB leader outed Fancy Bear to the U.S.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 3rd, 2021.
Security firm Malwarebytes has released additional information on SideCopy, a Pakistani APT that Facebook last month had identified as prospecting personnel
of the former pre-Taliban government of Afghanistan with romantic lures.
SideCopy used new variants of stealer data theft tools,
and the information it collected included access to government portals,
Facebook, Twitter, and Google credentials,
banking information, and password-protected documents. In addition to Afghanistan,
SideCopy seems mostly interested in collecting against India.
Some of the new infection vectors SideCopy is using include malicious Microsoft Publisher documents and trojanized applications.
The hook is commonly embedded in an archive file.
The phishbait itself tends to fall into two broad categories.
The first of these Malwarebytes calls targeted lures,
that is, bait designed to attract the eye of specific victims.
The company's researchers say,
We believe this category is very well customized
to target government or military officials.
This variety of phishbait consists of reports
on military and intelligence activities,
including documents that describe various aspects of military education.
The second kind of lure Malwarebytes calls generic,
adapted to use in the broad net of a spam campaign.
These are, for the most part, either pictures of young women
or resumes that purport to record young women's careers.
The name SideCopy is derivative, a coinage intended to suggest the way in which SideCopy's infection chain appears to be trying to imitate the one used by the SideWinder APT.
SideWinder, by the way, is a suspected Indian APT noted for its focus on South Asian targets,
which suggests that SideCopy may be waving a false flag,
small enough that it might be better described as a false fig leaf.
SideCopy itself seems to have some other significant similarities with Transparent Tribe,
and if you're filling out your APT scorecard's org chart,
consider penciling them in as a Transparent Tribe subunit. Malwarebytes points out that Cisco Talos and Seqrite both have
good background material on SideCopy, a recommendation we'll happily second.
ZDNet reports that Delta Montrose Electric Association, DMEA, which operates in the U.S. state of Colorado, continues to work toward recovery of systems affected by an unspecified cyber incident the company detected in early November.
members this Monday, in which she explained, quote, On November 7, 2021, we discovered a targeted effort to access portions of our internal network system by an unauthorized party. This
resulted in multiple days of downtime for DMEA's internal network. We could not access or operate
certain systems, such as phone, email, and payment processing. End quote. The cooperative doesn't call the incident a ransomware attack, but it sounds like it.
Delta Montrose's live update page describes the episode as follows.
Quote,
DMEA lost 90% of internal network functions and a good portion of our data,
such as saved documents, spreadsheets, and forms, was corrupted.
It also impacted our phones and emails.
Our power grid and fiber network remain unaffected by the incident. End quote. The incident seems to
have affected billing most severely, and the cooperative thinks it may be able to restore
payment services to its kiosks by Monday, but that in any case it will suspend any penalties or disconnections until January 31st
at least. The update page says that a forensic inspection of the co-op's networks has convinced
it that no sensitive data were compromised. Quote, immediately following the incident,
DMEA retained forensic experts to perform an investigation. The forensic team confirmed that there was no
breach of sensitive data within our network environment. We always encourage all members
to follow best practices for password security, including using two-factor authentication
whenever possible. End quote. A report the U.S. Government Accountability Office delivered to
Congress yesterday makes the case that U.S. critical infrastructure remains at serious risk from cyberattacks.
The report calls out what it sees as a lack of a comprehensive cybersecurity strategy and concludes,
quote, the federal government needs to move with a greater sense of urgency in response to the serious cybersecurity threats faced by the nation and its critical infrastructure.
End quote.
The St. Louis Post-Dispatch has published an update concerning the discreditable episode
in which the governor of the U.S. state of Missouri denounced one of the paper's reporters as a criminal hacker
for disclosing the discovery of an exposed database to the Department of Elementary and Secondary Education.
Apparently, the department had prepared a statement thanking the reporter for bringing the matter to their attention,
but that statement was preempted the following day by the governor's call for prosecution.
The Post-Dispatch writes that it obtained an email under Missouri sunshine laws
that gave the Department of Elementary and Secondary Education's first proposed public response. Quote,
in an October 12 email to officials in Governor Mike Parson's office, Mallory McGowan, spokeswoman
for DESE, sent proposed statements for a press release announcing the data vulnerability the
newspaper uncovered. We are grateful to the member of the media who brought this to the state's attention,
said a proposed quote from Education Commissioner Margie Vandeven, end quote.
That, of course, was not the way the governor decided to frame the incident.
At a news conference he held on October 14th after the story ran,
Governor Parson said, quote,
We will not let this crime against Missouri
teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta.
Not only are we going to hold this individual accountable, but we will also be holding
accountable all those who aided this individual and the media corporation that employs them,
end quote. The report also provides additional grounds for
thinking DESE simply had a misconfigured database readily discoverable from the internet,
that the reporter hacked nothing, and that indeed there was no network intrusion.
The Post-Dispatch didn't run the story until October 14th after it had notified DESE and
after the department had taken steps to secure the data.
The governor's office has apparently continued to double down on its claim
that the reporting was politically motivated criminal hacking.
In any case, as of yesterday, the Post-Dispatch writes,
the Missouri Highway Patrol still had an open investigation into the case.
The Cyber Wire contacted the governor's office in October
about the incident but has not received a response. Bloomberg Businessweek describes the ongoing
Russian treason prosecution of Group-IB executive Ilya Sachkov, whom the Kremlin believes responsible
for tipping the U.S. off to Fancy Bear's activities around U.S. elections. Details of the charges are
state secrets, but three sources have told Bloomberg that Sachkov provided information
to the U.S. that enabled them to identify the GRU operators responsible for Fancy Bear's attempts
to meddle with the 2016 U.S. presidential election. Group-IB, whose headquarters moved from Moscow to Singapore in
2019 as the company sought to develop an international practice, has cultivated relationships
with a number of non-Russian law enforcement operations. It's now in a position of being
mistrusted by Russia while not being fully trusted by the U.S., Bloomberg Businessweek reports.
There's also, the report says, the possibility of some guilt by association.
Quote, a central figure is Sergei Mikhailov, 47,
a former senior official with the Federal Security Service, or FSB,
the main domestic successor to the Soviet-era KGB,
who led investigations into cybercriminals in Russia.
Mikhailov was arrested in Moscow in December 2016,
one month after the U.S. presidential election, and charged with treason.
He was convicted in 2019 and sentenced to 22 years in prison
after a trial in which Sachkov was a key witness for the prosecution,
according to Mikhailov's defense team,
which has accused Sachkov of providing false testimony.
End quote.
So much for turning state's evidence.
Sachkov faces up to 20 years in a labor camp should he be convicted.
He has from the outset denied the charges
and says he provided no secret information to foreign intelligence services.
The folks at Area 1 Security recently released a study titled,
It Started Out With a Phish, highlighting the serious potential impact of business email compromise.
Blake Darché is co-founder and chief security officer at Area 1 Security.
I think one of the top things there is supply chain compromises where we see an
organization have a variety of partners. One of those partners gets compromised and then that
partner is used to try to hack into your system. Or they might be used to try to impersonate you,
impersonate that vendor or partner to your organization in order to move money fraudulently.
So there's a lot of different supply chain weaknesses
that we see out there.
And I think the supply chain problem
is only growing in magnitude
as more and more organizations
adopt a digital transformation
as part of COVID-19 and just general IT trends.
There's more and more attack surface for attackers to hit.
And we see that on a continual basis.
I think Microsoft SharePoint is a great example
where Microsoft pretty much has lost full control
of Microsoft SharePoint.
And Microsoft SharePoint and Microsoft OneDrive
are two of the top attack vectors today on the internet.
And Microsoft is almost powerless to stop it.
And it's a real problem.
There was a recent case where someone on Twitter
that was a former Microsoft employee was critiquing Microsoft
for actually just turning a blind eye to the problem
because so many organizations running Office 365
had been compromised that they were all hosting ransomware now
and people were getting hit with ransomware
at these different organizations
due to one organization's misconfiguration. So I think there's a wide variety of attacks and a wide variety of pieces
of cloud infrastructure that facilitate those attacks. Are there any areas of this that you
feel aren't getting the attention they deserve? Are there elements of this that are being ignored?
I think by and large BEC attacks do not get the attention they deserve
because they're very difficult to quantify, if that makes sense.
Much more so than APT attacks where a hacker came in,
took over an organization and stole a bunch of data.
People can wrap their head around people stealing a bunch of data
and trying to steal source code.
But I think in terms of just the day-to-day grind,
you might get two or three BEC attacks a week
where someone's trying to move $50,000, $30,000, $100,000,
and then another week it's $50 million.
It's just continual, if you know what I mean.
And people are really underestimating the number of BEC attacks there are.
By our estimation, we were comparing against some FBI reporting.
We think BEC attacks are underestimated by over 90%.
So, I mean, given that, what are your recommendations then?
I mean, how should organizations best protect themselves against this?
I think people need to, organizations need to take advantage of next-generation anti-phishing technologies to look for
inconsistencies in behavior, in language,
in the way an attack is written. There's several different companies
out there that can help in this space. They also need to be very mindful of
the email attacks that might lead to a voice-style
phishing attack where
the user might try to authenticate you on the phone with a, you know, one of these fake
impersonation generators where it'll mask and make it seem like your voice is someone else's.
And I think, you know, you need to be mindful of all these things. You need to add, you know,
really defense in depth. It's kind of like peeling back the onion. You can never have too many layers of security.
How do you balance that, though,
without having too much friction for your users?
I think a lot of good security solutions
don't impact users on a continual basis, right?
And they should be kind of more transparently
in the background, right?
And the more the user is being impacted
on a minute-to-minute basis on everything they do,
the less functional that security actually is.
In the perfect world, you just do not want to have
to be impacting your users that much.
I think the most famous example of user impact
is two-factor authentication.
Right. You know, it's a real pain. Everyone needs to do it.
But at the end of the day,
without two-factor authentication,
you know, that's a real vector
that could account, you know,
password guessed basically
with a brute force attack.
Yeah, I mean, it's an interesting thing.
You know, I find myself personally
on those occasions when I'm, you know,
banging my head against the desk
because I'm in some sort of
two-factor authentication rat hole.
I just take a deep breath and remind myself, this is for security. This is for security.
Yeah, I agree with you. I mean, I run into the same challenge where it's like, oh,
I have to two-factor authenticate to something, like my phone's out of power or my key's somewhere else. And I'm like, oh, why now? You know what I mean? And it's always when you don't want to do it, right?
So you're trying to finish something easy up
and it's like, no, it's time to re-authenticate right now.
And you're like, seriously?
Right now?
Every single time.
No, my old college roommate swore
that all electronic devices come equipped
with a critical need sensor
so they know when you need them most.
And that's when they decide to fail. I would agree with your college advice, for sure.
That's Blake Darché from Area 1 Security.
And I'm pleased to be joined once again by Dinah Davis.
She is the VP of R&D Operations at Arctic Wolf
and also the founder and editor-in-chief at Code Like a Girl.
Dinah, always great to have you back.
You know, my two sons have, and particularly my older boy,
was very, very active in the Minecraft world,
spent and continues to spend a lot of time there.
And lately, there have been some hackers who've been going after Minecraft.
What's the latest there, Dinah?
Yeah, this headline got me right away. So I was
scrolling through the headlines and I saw this headline that's like ransomware targeting
Minecraft. And I'm like, Minecraft, they're children. What are you encrypting? They're like,
they're cool. Their cool house they built there. The farm. What's going on? And, well, okay, so they're not actually going after kids. So there's
a subculture with Minecraft that I wasn't aware of, which is there's these things called alt lists,
and they, I guess, have stolen Minecraft accounts, right? So usernames and passwords of stolen Minecraft accounts, and people go and buy those so that they can go and do untoward things on Minecraft that would get them banned.
So they can go bully people. They can go do things like that. Right.
And so the hackers are actually targeting those alt lists.
So when somebody downloads one of those, they think they've purchased an alt list where they're going to get extra free accounts on Minecraft.
And then what they're actually getting is ransomware.
So as soon as they open that file up, then their whole system gets encrypted.
So the question is, are the ransomware people helping us like getting people to stop buying the alt lists? Right. I was thinking the same thing. Like who's the victim
here? Or, you know, like, or how, I guess, how much empathy should we have for people getting
their, their hands slapped when they're out to do something bad to begin with? I'm not sure.
On a platform that's mostly children.
Yeah, that's true.
Two wrongs don't make a right.
But think about the mess that would be if your son did that.
Oh my God.
He didn't know what an alt list was or something, downloaded it, and now all of your stuff is
encrypted.
Brutal.
On the home computer.
Yeah, on the home computer.
Exactly.
Yeah, I mean, it's a great point.
And I guess, I guess what the take home here is that if you have someone in your life who's playing Minecraft, you might want to drop this information to them in case they may be, I don't know, thinking of dabbling in some of these alt lists.
Yeah, yeah.
I think that's about all you can do.
Yeah.
All right.
Interesting stuff.
Dinah Davis, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to tune in to this weekend's Research Saturday and my conversation with Christo Butcher from NCC Group's Research and Intelligence Fusion Team.
We're discussing their research into a cyber criminal group they call SnapMC.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.