CyberWire Daily - Extortion is the motive in the Saudi Aramco incident. Updates on the Pegasus Project. Chinese cyberespionage and Beijing’s tu quoque. FIN7 resurfaces, and a post-mortem on Egregor.
Episode Date: July 22, 2021

It's extortion after all at Saudi Aramco. Controversy and investigation over alleged misuse of NSO Group's Pegasus intercept tool continues. Warning of Chinese espionage from ANSSI, and China's denunciation of all this kind of "baseless slander." Phishing in Milanote. FIN7 resurfaces after the conviction of some key members. Dinah Davis from Arctic Wolf on the importance of identity management. Our guest Jenn Donahue shares key strategies for mentoring and supporting female engineers, scientists, and leaders of the future. And IBM sifts through the ashes of a ransomware gang for a look at the business of crime. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/140
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
It's extortion after all at Saudi Aramco.
Controversy and investigation over alleged misuse of NSO Group's Pegasus intercept tool continues.
Warning of Chinese espionage from ANSSI, and China's denunciation of all this kind of baseless slander.
Phishing in Milanote.
FIN7 resurfaces after the conviction of some key members.
Dinah Davis from Arctic Wolf on the importance of identity management.
Our guest, Jen Donahue, shares key strategies for mentoring and supporting female engineers,
scientists, and leaders of the future.
And IBM sifts through the ashes of a ransomware gang for a look at the business of crime.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, July 22, 2021.
The motivation for the data theft incident at Saudi Aramco had been obscure, but it's now become clearer.
It's conventional extortion.
Saudi Aramco yesterday said, the AP reports, that the data loss incident it sustained has indeed become an extortion attempt.
Attackers who obtained company files, apparently through a third-party contractor,
are demanding $50 million in exchange for a promise to delete the data.
If they're not paid, they intend to leak the stolen files.
The controversy over the proliferation and use of NSO Group's Pegasus intercept tool continues.
The Washington Post, one of the organizations participating in the Pegasus project,
writes that among the devices compromised with the tool were phones belonging to journalists, human rights activists, business executives, and two women close to murdered Saudi journalist Jamal Khashoggi.
NSO Group has consistently said that its product is designed for and sold to government law enforcement and security organizations for legitimate purposes, and that the list of 50,000 phone numbers Forbidden Stories and Amnesty International obtained has nothing to do with NSO.
NSO Group CEO Shalev Hulio told CTech,
quote,
I'll give you a simple statement.
Journalists, human rights activists, and civil organizations are all off-limits,
end quote.
The list of numbers the Pegasus Project obtained
has been widely reported as amounting to a surveillance target list.
One of the leaders whose associates figure on
the list is the Dalai Lama, presently in long-term exile in India, which the Guardian suggests may
represent an interest on the part of India. NSO Group has claimed that it does what it can to
monitor abuse of its products and that it's selective in whom it sells to. But the company has long been
criticized for the misuse that's been made of Pegasus. Investigations into the use of Pegasus
are now underway in France and Israel. France is investigating reports that its leaders were
placed under surveillance from Morocco. And Israel has established a task force, the Guardian says,
to both investigate the Pegasus Project's reports and coordinate a response.
Allegations of the use of surveillance tools
have become a significant political scandal in India, Mexico, and Hungary.
The Electronic Frontier Foundation argues that the results of Project Pegasus
show the need for both better device security
and international bans on dragnet surveillance.
ANSSI, France's national cybersecurity agency, has warned that APT31,
also known as Zirconium and Judgment Panda, a Chinese industrial espionage group,
is hijacking home routers to lend resilience to its attack infrastructure.
China continues to frame criticism of its extensive cyber espionage operations,
notably its exploitation of vulnerabilities in Microsoft Exchange Server,
but as we've seen, not confined to that particular campaign,
as essentially American-led disinformation.
It is, the government-controlled Global Times says,
a wide-ranging plot to slander and contain China. The co-conspirators include the U.S., NATO, the European Union,
Australia, Britain, Canada, Japan, and New Zealand, with U.S. President Biden cast in the unlikely
role of Professor Moriarty, the criminal mastermind pulling the secret strings.
The Global Times argues that, quote, this unusually broad coalition of Western countries
has coalesced to publicly blame China for cyber attacks, end quote. Really, Beijing's
representatives say, the international villain is the U.S., which since 2000 has engaged in relentless cyber espionage against China.
It's all in vain, of course, since China's rise is inevitable and irreversible.
But still, Beijing says, it's time the U.S. were brought to book as a rogue state.
So the response is a routine tu quoque.
One novel wrinkle in the Global Times article is its identification of the SWIFT international fund transfer system
as a tool of the U.S. intelligence community,
which uses it to track and presumably influence the flow of money to and through the world's banks,
especially those in the Middle East and Latin America.
Security researchers at Avanan have found the popular Milanote collaboration and note-taking app being used to host and distribute phishing messages with malicious links.
The victims get an email with an attachment said to be an invoice.
Opening the attachment renders a document with a link inviting the prospective mark to open docs.
If the mark clicks, they're directed to a page in Milanote, which again invites them to open
docs. If they do, at this point they're taken to the malicious link. It's a multi-stage phishing
lure, and at each stage it more or less looks like something from the collaboration tools
many use in ordinary business. So caveat clicker.
eSentire reports that despite the arrest and conviction of some leading members of the
FIN7 gang, the criminal group also known as Carbanak, FIN7 is back in action. The gang used
a bogus legal action against Brown-Forman, the large Louisville-based distiller whose brands include Jack Daniel's and Old Forester, as its phish bait.
Quote,
The initial stage of the malware arrives as an Excel attachment, which downloads and executes a variant of the JSSLoader remote access Trojan,
eSentire writes, adding that
The variant has been reported as being used by the
FIN7 group. The malicious Excel document leverages Windows Management Instrumentation to install the
RAT. Once installed, JSSLoader provides the threat group with a backdoor to the victim's
computer and the organization, end quote. FIN7 is financially motivated, involved in credit card theft and
having some connections with the RIAC ransomware gang. Most recipients of an odd-looking letter
of complaint might well regard it as fishy, but eSentire points out that large law firms working
across several verticals are the kind of target that might well be inclined to open it as a routine
communication. This particular phishing attempt seemed opportunistic and not necessarily long
prepared or closely targeted. Researchers at IBM's X-Force, sifting through the ashes the
Egregor ransomware gang left behind when it was burned and dismantled back in February in an international
sting operation, have offered some insights into the way the gang presented itself in chats with
its victims. The gang offered holiday wishes, clucked over the hard times the victims might
be going through, and complained about the boss because, gosh darn it, we're just regular working
stiffs over here, and our suits are as much a pain in the patootie as yours probably are.
So the chatter presented the gang as well-organized with well-defined roles,
including the financial department, data manager, IT specialists, PR manager,
publications manager, and decryption tool mastermaker.
It's what might be called military-grade organization,
if we hadn't forsworn using that expression. Let's just say that the hoods want to be perceived as
running their criminal operation like a business. And all that compassion? Eyewash and smug PR.
So they really are running their crimes like a certain kind of business. But don't be deceived.
As IBM puts it, despite the holiday wishes and reduced ransom in some instances,
the December 2020 chat logs obtained by X-Force and Scilara
demonstrate that many Egregor attacks were a successful, ruthless criminal operation.
There are encouraging signs that more women are pursuing technology careers and cybersecurity careers in particular.
Jen Donahue is a captain in the U.S. Navy and president of J.L. Donahue Engineering, as well as being a popular lecturer and mentor.
She joins us with insights on providing meaningful mentorship to that next generation of young women.
So I think that I've been an engineer since I was about 10 years old.
And this basically started when I had a Barbie house and I had more fun actually tearing it apart, putting it back together, reconfiguring it than I ever did actually playing with Barbie.
I mean, I honestly don't think she ever got to live in the house because it was always being renovated.
And that's basically how it all started.
And I have had the most exciting journey.
I went to Texas A&M.
I became an ocean engineer.
Then I joined the Navy, and I became a civil engineer with them
and got to travel all over the world,
did all kinds of really interesting projects from building roads,
drilling and blasting,
schools, I mean, you name it, had an incredible time. And once I was done with my active duty time, I decided to get out and join the civilian world, became another civil engineer as a project
manager. I built the two runways down at the San Jose airport and then decided I needed
a little bit more. And so I went to UC Berkeley, which is about the opposite of Texas A&M,
and got my master's and PhD in engineering seismology. Now on your way up, I mean, I'm
thinking particularly in the Navy as an engineer, were there any particular challenges that you faced being a woman in a male-dominated field?
Absolutely.
Back in the 90s, they started to allow women into more combat positions.
And so I was one of the very first female officers that joined the Naval Mobile Construction Battalions.
There were only three of us female officers in a sea of, you know,
what was a boys' club since 1942. And that had a lot of challenges with it because there were so
many ingrained psyche, you know, as far as like, you know, the way things that, you know, are
supposed to be done. And then you start to introduce females into it. And it was, you know,
it sort of broke for a couple of years and it was, it was really difficult. Being an engineer and just sort of the way that I was, I grew up on a street with all guys,
you know, climbing trees and jumping fences. It wasn't as tough for me as some of the other
females that hadn't had that experience where they were around guys all the time.
And so you did see some sexual harassment and they just really got kind of picked on.
And that was one of the things that
was really hard, but there was a lot of others that were really supportive of us and being there.
And those are the people that you really try to align with as much as possible to really try to
help you out. You know, similarly in cybersecurity, it's an ongoing challenge to attract young women and women who are thinking
of changing careers to the industry, because historically, I think it's fair to say that
it's been considered a bit of a boys club. We've made a lot of progress along the way,
but there's still plenty of work to be done. And I'm curious what your insights are on
what you think are effective ways to welcome women into the field?
I think that there's twofold.
So one of them is the recruiting piece, and then the other one is the retaining piece.
And so on the recruiting piece, I think that's where I think we all need to do a better job
of looking at women who have that fire and that drive that you can just see is like,
this is someone who really wants to excel, you know, no matter what, and really look to try to recruit those types of folks, because
those are the ones that are really going to try to stick around and make a difference. And then
for the ones that are already in, I think it's really incumbent upon us to look down in the field
and try to find others that we can reach out a hand and try to help them up.
You know, do what we can to mentor them.
I mean, mentoring is so important.
You know, as a young engineer, man, I never had a mentor.
I was a wild little thing running around. And if I had a mentor, it probably would have been a whole lot easier.
But it made as many mistakes as I did.
But now that I look at it, I feel like that's one of my purposes is I need to
find others that I can help mentor so that maybe they have it a little bit easier than what I did.
And what do you hear from the young women coming up when they discover that there are folks like
you out there who want to lend that hand, who want to reach out and nurture them on the way up?
I think it's a revelation. But at the same time, I'm noticing,
because I used to teach at UC Berkeley for a couple semesters,
they were enthralled by the fact that they actually had a female professor.
And one of my good friends is there now.
She took my place whenever I moved up to Oregon.
But she has so many young women coming into her office all day saying,
wow, I see that you did it.
I can do this too.
And that's the type of momentum that we need to have.
And so it's so important to recognize that there are some women out there that would really like to be mentored.
And I would say, you know, being a female and in a position of leadership, I think that that's something that we should do.
But I think it's also incumbent upon the men as well.
Because men usually have more of a position of power,
you know, for them to be able to sponsor somebody and bring them up.
That's Jen Donahue. She's president of J.L. Donahue Engineering.
And joining me once again is Dinah Davis.
She's the VP of R&D Operations at Arctic Wolf.
Dinah, it's always great to have you back.
We want to touch base today about Operation Ironside, which in itself, you know, sounds like an old TV show that my parents watched. But beyond that, I think there's more to it.
Can you unpack it for us? What are we talking about here today?
Yeah, I think like Operation Ironside is like the whole reason a lot
of people get into cybersecurity. It's just the coolest part. And you just know one day this is
going to be some cool movie and you can already start imagining like who is playing what character,
right? So Operation Ironside is something that was run by the FBI and the Australian Federal Police.
So I'm just going to call that AFP going forward because that's just long.
Fair enough.
So in 2018, they took down a secure chat app called Phantom Secure.
And they went out for beers after.
This is the story that I heard.
They went out for beers after, some of the FBI guys, some of the AFP guys, and they were
kind of, like, joking that, like, wouldn't this be a great time to fill the void in the market for
a secure chat app? We could do that. We don't, I, my parents have a barn, right? I have a piano. Right? Yeah. Okay,
let's do it. So then, like, an FBI guy goes, well, actually, we have a guy that we're using as an
informant and he actually has an app like this.
Maybe we could write some back doors into it.
Yeah, that's what they actually did.
So this informant gave them access to this new tool called Anom,
and the idea was to get it into the hands of criminals, and all the data would be sent back
to the FBI and the AFP. Right. So I'm a bad guy, and I figure that I need a secure way to communicate
with my partners in crime, and word on the street from other folks in similar lines of business is that
this Anom app is secure and a great way to do that.
Yes, exactly.
That's exactly it.
And then meanwhile, behind the scenes.
Everything is being recorded.
Every single message is going back to the FBI and the AFP.
Every single one.
What do you make of this? I mean, when I heard this story, part of me thought to myself,
is there anybody I can trust? Like, you know, does this mean I can't trust apps like Signal?
You know, like, do you have any thoughts along those lines?
Yeah, it totally makes you think twice about things, right?
And I do think it is going to erode trust in those types of things. Now, I would say apps like Signal have a much more, like, they're widely used, they're marketed, they're on the legal market.
They're going to want to prove that they don't have backdoors. Whereas this was clandestine. In fact, one of the cool parts
about it for me was how you actually get into the app. So you actually buy this as a whole phone,
like it's a burner phone that you buy, and the only apps that look to be
on there are, like, your text messaging and calculator. And to get into the app, you would actually type
a, like, a password number into the calculator app, and then that would open it. So, like, it was really
thought out well, because if they gave these phones, like, let's say you got arrested and, um, law
enforcement took your phone, they would
just look at it and go, oh, it's just a burner phone with a calculator app on it. Nothing's there.
Right, right. So these criminals really thought they were talking across super secure communications,
and that meant that they didn't like use codes at all, like any coded words or anything.
They really just said everything.
And eventually, how did this become public knowledge?
How did the cat get out of the bag?
Yeah, so actually somebody on, this became really, really big in biker gangs in Australia and then other organized crime around the world.
And they actually had a security expert on their side, and they noticed that the traffic was going
to the U.S., like all the traffic. And they thought, hmm, this is kind of bad. So I think
from there, the AFP and the FBI thought, hmm, our gig might be up here, so we better just drop the hammer. And they made 224 arrests
on more than 500 charges just in Australia alone. And they seized 3.7 metric tons of drugs
and $35 million in cash. And they even said that they would probably notice a drop in crystal meth
in the sewage systems in Australia because of this hit.
Wow. That's amazing.
Yeah.
Wow. All right. Well, I mean, I guess, you know, hats off to the FBI and their partners in Australia
for having the vision to conceive of this and then see it through, right?
Sounds like it was a big success.
Yeah, it's pretty cool.
Can't wait to see the movie.
Yeah, I don't know.
Maybe we can get Tom Cruise, Tom Hanks.
I don't know who would be the best star.
And any of those guys can handle it.
Denzel Washington, he'd be great too.
Yeah, that'd be good.
All right.
Dinah Davis, thanks for joining us.
No problem.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at
thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Thanks for listening. We'll see you back here tomorrow.