CyberWire Daily - Evil Corp identified as the threat actor behind ransomware attacks on Sinclair and Olympus. Privateering. Fin7’s front company. Sentencing in a bulletproof hosting case.
Episode Date: October 21, 2021
Evil Corp is identified as the operator behind the ransomware that hit the Sinclair Broadcast Group and Olympus. The US Defense Department complains of Russian toleration for ransomware gangs. The Fin7 gang has set up a front company to recruit talent. Betsy Carmelite from Booz Allen Hamilton on building mission-driven 5G security with zero trust. Our guest is Robert Carolina on ethics. And sentences are handed down in a bulletproof hosting case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/203
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Evil Corp is identified as the operator behind the ransomware
that hit the Sinclair Broadcast Group and Olympus.
The U.S. Defense Department complains of Russian toleration for ransomware gangs.
The Fin7 gang has set up a front company to recruit talent.
Betsy Carmelite from Booz Allen Hamilton on building mission-driven 5G security with zero trust.
Our guest is Robert Carolina on ethics.
And sentences are handed down in a bulletproof hosting case.
From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Thursday, October 21st, 2021.
A familiar name has cropped up in connection with the ransomware attacks against the Sinclair Broadcast Group and the multinational imaging firm Olympus: Evil Corp.
Bloomberg reports that the Sinclair Broadcast Group was hit by the Russian cybercriminal organization usually known as Evil Corp.
The attackers are said to have used the Macaw strain of WastedLocker ransomware.
In a tweet, Emsisoft threat analyst Brett Callow calls Macaw simply a rebranded version of WastedLocker.
Sinclair is still working on its recovery from the attack.
According to the Daily Beast, disruptions to business and production systems, phones, and imagery systems have continued into the week.
Macaw ransomware, and thus by implication its proprietor, Evil Corp, is also said, by TechCrunch, to be responsible for ongoing attacks against Olympus.
Olympus confirmed,
in a Tuesday statement, that its operations in the Americas had indeed sustained a ransomware attack,
and that the company was investigating the possibility that the attackers had exfiltrated data.
Olympus was hit in September by BlackMatter, and this latest attack on operations in the Americas is said to have deployed Macaw.
Evil Corp has been under U.S. sanctions since December of 2019, which would complicate any attempt to buy back access to infected systems by paying the ransom.
One purpose of adopting rebranded malware strains may be obscuring the fact that payment of ransom to the sanctioned entity amounts to a violation of U.S. law.
You may want to pay them, and indeed recent surveys suggest that many victims remain willing, in principle at least, to pay the ransom demanded, but actually handing over the money would, in this case, put you on the wrong side of U.S. sanctions.
The gang's two alleged leaders, Maxim Yakubets and Igor Turashev, were also indicted by the U.S. at the time sanctions were imposed.
U.S. Attorney Scott W. Brady said, quote, for over a decade, Maxim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world, end quote.
Brady characterized them as international cybercriminals of the sort that should expect no indulgence from U.S. law enforcement authorities.
Be that as it may, Messrs. Yakubets and Turashev remain at large and living it up back in Russia, where they're regarded as enjoying the protection of that country's FSB security service.
International efforts to curb ransomware thus find themselves up against pervasive corruption in Russia.
As Mieke Eoyang, U.S. Deputy Assistant Defense Secretary for Cyber Policy, told Defense One, she said,
quote, one of the challenges we in the department see, and then you see this in the indictments against some of these actors, some of them have connections to the Russian state. They use their
skills that they've developed for their own personal enrichment,
and that is something the United States would never do.
Anyone at Cyber Command or NSA who thinks that they're going to go home
and, like, conduct a ransomware attack against the city in Russia,
the FBI would like to have words with them
because that is just not something that we would view as acceptable in the
United States, and we would take law enforcement action against those individuals. We believe that
responsible states should take responsibility for the actions of their forces. End quote.
Don't believe the Deputy Assistant Secretary? Well, disbelieve at your peril, should you be
an American government operator thinking about a post-government career as a mercenary or privateer.
Lawfare takes a look at the recent case of three former U.S. personnel who undertook to do just that while working for the Emirati firm DarkMatter.
Under a deferred prosecution agreement, they'll stay out of jail, and if they keep their noses clean for three years
in strict accordance with the terms of the agreement, the government will drop the charges.
But one of the terms of the agreement is that they'll forfeit money they made during the incident.
So, there's a degree of seriousness in the U.S. about cybercrime that seems to be lacking in Russia.
In the criminal-to-criminal malware supply chain,
one key player, the Russian gang Fin7,
is representing itself online as a legitimate company,
the Wall Street Journal reports in an exclusive.
Bastion Secure, which the Journal archly notes uses the letters BS as its logo, claims to be a provider of cybersecurity services.
The point of their online presence appears to be recruiting. As the Journal writes, quote, the Bastion Secure website, which uses the logo BS, has listed jobs that are technical in
nature and appear similar to work that would be performed at any security company. Programmers, system administrators, and people who are good at finding bugs in software.
Prospective hires will work nine-hour days on a predictable schedule,
Monday to Friday, according to the company website.
Lunch breaks are provided, the site says.
End quote.
Much of the Journal's story is sourced to Recorded Future, which posted its analysis to the company blog this morning.
One bit of information they shared is that this isn't the first time
Fin7 has put up a front company.
In 2018, the U.S. Justice Department determined that
Combi Security, another bogus cybersecurity shop,
was in fact functioning as a public,
innocent-seeming face of Fin7. Fin7 has historically been known for a range of
financial crimes, especially carding operations. Its latest solicitations suggest that the gang
is not only organizing itself as if it were a startup, with all the business functions and
division of labor that suggests, but that it
may be branching out into the lucrative ransomware market.
And finally, two operators of a bulletproof hosting service, widely used by cybercriminals, have been sentenced to terms in prison by the U.S. District Court for the Eastern District of Michigan.
Pavel Stassi of Estonia received 24 months in prison.
His colleague, Aleksandr Skorodumov, a Lithuanian national, got 48.
According to the U.S. Justice Department, they worked for a bulletproof hosting organization founded and led by two co-defendants, Aleksandr Grichishkin and Andrei Skvortsov, both Russian nationals.
Their service played a significant role in that C2C underworld market, renting IP addresses, servers, and domains to crooks that used them in various capers.
Some of the malware the service supported has names that will be familiar: Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, active against U.S. victims between 2009 and 2015.
The Justice Department hopes, among other things,
that the case will serve as a deterrent to other cybercriminals.
So don't sign up with the gangs, kids,
no matter how good those lunch breaks might sound.
Robert Carolina is a lawyer at UK law firm Origin Limited, where he specializes in technology and cybersecurity. I recently spoke with Robert Carolina on the Caveat podcast about ethics
in cybersecurity. Here are some highlights from that conversation.
Any kind of guidance material that would really help a cybersecurity practitioner answer really
difficult questions.
And frankly, there wasn't really very much at all that I thought was valuable.
Now, don't get me wrong.
There were a lot of ethics statements out there because for some reason, there's not
just one organization that purports to represent security practitioners.
There seem to be lots and lots of them.
They just grow up like – they sprout up like weeds in the back garden or something like that.
But most of them that had ethics statements, the ethics statements, they had these kind of like bromides.
Like, all right, well, principle one, first do no wrong or don't be evil or, you know, your job is to protect this or, you know, protect.
And it's like, but nothing in there that you could really use as a teaching tool, certainly
nothing in there that I could use to advise someone who is trying to figure out what's the
ethical thing to do in a certain circumstance. You know, things like comply with the law,
be aware of all legal obligations. And that was the other. And of course, some of the older codes, that's all they focused on was the law. They weren't focusing on
ethics. They were focusing on the law. If you go to even older codes, the law that they're most
focused on is copyright. Don't steal software. So the oldest ones were don't steal software.
Then the more recent ones were don't spy on people because data protection.
And then comply with law.
Well, great.
How do I navigate some really difficult problems on that answer?
You don't.
And that really concerned me.
Let me tell you the reason I'm concerned because security practitioners live in a world – cybersecurity practitioners live in a world where they operate using a special set of skills.
I know that's not a callback to Liam Neeson.
I mean it's just – it's like being an airline pilot or a physician or a surgeon.
It's a very special set of technical skills.
Secondly, people work outside the glare of public supervision.
If you're going to do a job as a cybersecurity professional, you're very often in a dark room
someplace without anyone looking over your shoulder. Your client might not even see what
you're doing or whatever you're doing is invisible and there's no one in the community who can see
you as you do it. Third thing, people who do cybersecurity are placed in a really unique position of trust.
Very often, a security practitioner, especially if they're working in-house, will be given
privileged access to a whole lot of systems.
And once that happens, a very uncomfortable thing begins to happen.
And that is the practitioner is put in a position of asymmetric power with respect to their client, with respect to their employer.
And that's just a fancy way of saying if you've got the keys to the kingdom and someone honks you off, you can say, well, you know, if you don't do what I say, I'll delete all your stuff or you'll never find it again.
Right.
You know, there's two ways to have – there's two ways to get yourself in a situation of ransomware.
One is to be hit with, you know, with the Trojan horse that comes onto your machine.
The other is to have an unethical cybersecurity practitioner who decides they're going to hold all your data for ransom.
Before we had cybersecurity people, were there other people in organizations who were in a similar sort of situation?
Someone whose capabilities perhaps outstripped what they should have been?
Well, it's not so much outstripped what they should have been.
I mean because there's a lot of people who work in society who are in a position where they could have asymmetric power over clients.
You look at any of the traditional professions, lawyers, medical doctors, for that matter, electricians.
I mean, what do all these groups have in common?
And that is they're doing something.
They're providing a service to people who don't really understand how the service works.
You're dealing with clients who don't necessarily know a good practitioner from a bad practitioner, and you're dealing with a circumstance where, if somebody doesn't have a strong ethical compass, they can really do a lot of harm
to members of the public. But it's a terrible spot for people to be in. Now, again, the practitioners
that I've dealt with over the years, the cybersecurity practitioners that I've dealt with over the years have almost universally been good people.
I've been happy to deal with them.
I've been proud to work with them, and just it's been wonderful to support them.
I think a lot of people perceive ethics as a threat to their ability to provide services because everyone says, oh, do you want this to be an
ethical profession? Oh, yes, yes, we'll vote for ethics. Okay, well, let's sit down and actually
write very specific rules about what's allowed and what's not. Oh, well, you see, now people
start to get a little bit nervous. Why? A code of ethics reduces degrees of freedom.
That's lawyer Robert Carolina. You can hear the rest of our conversation over on
the Caveat podcast.
And I'm pleased to be joined once again by Betsy Carmelite.
She's a senior associate at Booz Allen Hamilton.
Betsy, it is always great to have you back.
Today, you and I are talking about building mission-driven 5G security with zero trust.
And I have to say, I'm going to count on you to save us from falling into a game of buzzword bingo here.
No problem.
Where are we going to start here, Betsy?
Yeah. And this is not the first time that you and I have spoken about 5G, security, and zero trust.
And we did talk about it earlier with a focused view on the aspect of least privilege access
in a specific use case around a DOD logistics warehouse and the compromise of that.
But I did want to talk a little bit more broadly because we see agencies now working
to meet the executive order 14028's mandates to implement zero trust.
And they're currently reviewing and commenting on the draft OMB guidance
that gives agencies until the end of September 2024
to meet specific Zero Trust goals and provide deliverables.
So we're getting closer to the realities and the applicability of Zero Trust
among these organizations.
So first, Zero Trust, as you know, is not a new concept.
It's never been more vital for national defense and critical infrastructure.
And embracing Zero Trust now is about stepping up and owning the risks that threats can emerge
inside, not just outside the perimeter and traditional network boundaries.
And it's also about proactively countering these risks by design. So that's where 5G comes in.
And we're looking at how the 5G application, still in its nascent development phase,
really needs to take on the zero trust model to really question the premise that
users, devices, and network components deserve to be trusted just because they're in the network.
So help me understand that. I mean, why 5G specifically? What is the security concern there?
When you add in the layer of 5G to the application of the zero trust mindset,
embracing zero trust in this setting is uniquely challenging because 5G will usher in so much
change. Fifth generation technology will completely transform global communication
networks. We're looking at billions more devices, sensors, and systems connected worldwide.
Downloads will be faster, latency lower, and the capacity to connect more devices to the network
will skyrocket. And committing to zero trust in the 5G setting now could help organizations get
ahead of challenges that could rapidly mount as 5G
rolls out or find organizations left behind in the years to come.
So again, in looking at practical applicability, let's stay a little bit with the use case
of the DoD because the DoD does have a 5G strategy implementation plan in which it declared that Zero Trust, quote,
is ideally suited for the emerging 5G network infrastructure,
end quote.
DoD is now exploring how to use 5G for autonomous vehicles,
intelligence surveillance and reconnaissance,
command and control, and training systems
featuring augmented and virtual reality.
So all of this is now being developed.
So to your point around buzzwords and where we go,
this is a reality of where we're going in the future.
So is this a matter of, you know, it's time to get on board here
that organizations need to be really focusing on this?
Yeah, as innovation around 5G is ongoing, improves,
increases, we should be thinking about the adoption of zero trust and data protection
strategies. And there is that risk that comes with innovation. 5G technology could increase
the attack surface for malicious actors by introducing new vulnerabilities and expanding the number of potential targets.
This is really par for the course with the introduction of new technology.
Also, to operate through existing 5G infrastructure worldwide, the DoD will need to overcome significant security vulnerabilities that adversaries could exploit on a global scale.
So in some cases, operating through 5G will mean relying on public and untrusted telecommunications infrastructure, both in the United States or in coalition partner countries.
And more risky operations might depend on those gray zone network infrastructures controlled by organizations that don't share DoD mission goals.
And operations in contested areas would face the toughest security risks.
So 5G giveth and 5G taketh away, right?
Right, right.
So where's a good place to start here? I mean, how do organizations get going?
We look at four steps to realize zero trust for 5G and the adoption of the pillars around zero
trust. And then I want to talk a little bit about some of the requirements that help start those
steps down the path to implementing 5G and zero trust. So first, diagnose. It starts with taking stock of your current capabilities,
evaluating the maturity and the effectiveness
relative to the threats you face,
and looking at critical gaps.
Next, we look at design.
So if you're armed with a threat-centric understanding
of where you are,
look for a target for where you need to be
and then align that target to your zero trust
strategy. Third, develop support strategies with a zero trust architecture and technical design,
so security by design. And we recommend using vendor assessments to identify the right solutions
for your needs. And then finally, deploy, operationalize your design by configuring and integrating solutions that do close those gaps identified in the diagnose phase.
Creators of 5G ecosystems need to combine zero-trust architecture, 5G DevSecOps, and a 5G workforce, as well as vulnerability research and embedded security. So there are lots of components to consider putting in that roadmap to make this a longer journey.
And we know zero-trust is a longer journey that you need to spread throughout
the entire 5G architecture. All right. Well, Betsy Carmelite, thanks for joining us. Thanks, Dave.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technology.
Our amazing CyberWire team is Tré Hester,
Brandon Karpf, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault.
Thanks for listening.