CyberWire Daily - Facebook’s back up, and the outage was due to an error, not an attack. A look at AvosLocker and Atom Silo ransomware. The case of the Kyiv ransomware gangsters. Thoughts on the Pandora Papers.
Episode Date: October 5, 2021
Facebook restores service after dealing with an accidental BGP configuration issue. There's now a data auction site for AvosLocker ransomware. Atom Silo ransomware is quiet, patient, and stealthy. The state of investigation into those two guys collared on a ransomware beef in Kyiv last week. Ben Yelin is skeptical of data privacy poll results. Our guest is Microsoft's Ann Johnson, host of the newest show to join the CyberWire network, Afternoon Cyber Tea. And what would they have thought of the Pandora Papers in Deadwood, back in the day? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/192
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Facebook restores service after dealing with an accidental BGP configuration issue.
There's now a data auction site for AvosLocker ransomware.
Atom Silo ransomware is quiet, patient, and stealthy.
The state of investigation into those two guys collared in a ransomware beef in Kyiv last week.
Ben Yelin is skeptical of data privacy poll results.
Our guest is Microsoft's Ann Johnson,
host of the newest show to join the CyberWire network,
Afternoon Cyber Tea.
And what would they have thought of the Pandora Papers
in Deadwood back in the day?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 5th, 2021.
We're able to update yesterday's story about widespread outages in Facebook, Instagram, and WhatsApp.
Facebook has restored services after yesterday's outages that also affected Instagram and WhatsApp, the Wall Street Journal reports.
So, services have been restored and any remaining minor issues are being cleaned up. The incident doesn't appear to have been the result of an attack, but rather, as initial speculation tended to regard it, as the consequence of an internal error. Facebook's engineering team explained the incident as follows, quote, Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our data centers
Facebook tweeted its apologies yesterday in the middle of the outage.
Quote,
To the huge community of people and businesses around the world who depend on us, we're sorry.
We've been working hard to restore access to our apps and services and are happy to report they are coming back online now.
Thank you for bearing with us.
End quote.
Observers at the DDoS protection shop Cloudflare offered an account of the issues they saw in Facebook's BGP configuration that provides further explanation of the outage.
BGP, by the way, stands for Border Gateway Protocol.
Krebs on Security notes that the Facebook.com domain was yesterday briefly listed by several domain registries as being up for sale. That, of course, is wildly implausible.
But it happens when automated searches find domains that appear vacated or abandoned,
which was one of the effects of the BGP problems at Facebook.
So, if you are a potential buyer attracted by the prospect of owning Facebook's domain,
sorry Charlie, the bots don't have a good ability sometimes to distinguish the
real from the apparent. MIT Technology Review explains the consequences of the outage for
those portions of the world where Facebook is essentially the way people access the internet.
In those regions, a Facebook outage is effectively an infrastructure crash and brings with it all the usual worries, concerns, and conspiratorial speculations
such incidents bring in their train.
The criminal proprietors of AvosLocker ransomware are following the now-familiar path of the double extortion gangs who threaten to auction the data of victims who refuse to pay, The Record reports. AvosLocker's site, in addition to sporting a new dark look, has now set up a page where it can eventually offer stolen information for sale. All data is for sale, says the page, with the words FOR and SALE in the big capital letters of the Act Now advertising screamer. Contact us with your offers, they go on to say, adding, We only sell data to third parties if the owner of said data refuses to pay.
Auctioning stolen information in a double extortion move makes business sense in a criminal sort of way,
since the earlier widespread practice of vindictive doxing,
just dumping information online without charging for it,
simply gave other parasitic crooks an opportunity to scoop up the data and resell it, usually on Telegram.
So why settle for a pure intimidation and revenge play when you can monetize the bycatch of your extortion?
AvosLocker, The Record says, is a relatively young outfit, first coming to notice in July of this year, but they're so far a second-tier player. The good news, The Record writes, is that despite the clever feature, the AvosLocker gang is not one of today's top or most active ransomware groups, with fewer than 10 attacks carried out per week, according to data provided by the ID Ransomware service.
Security firm Sophos describes Atom Silo, another recently discovered ransomware gang, and its use of DLL sideloading and exploitation of Confluence to accomplish relatively stealthy attacks. The vulnerability in Atlassian's Confluence Server and Data Center that Atom Silo is exploiting has been patched recently, but it's also been under active exploitation. Confluence is a widely used workspace that facilitates a team's collaboration on projects. Atom Silo was both quiet and patient in obtaining access to vulnerable Confluence instances. The ransomware the gang uses is, according to Sophos researchers, virtually identical to LockFile, and so the novelty and sophistication lie in the modes of intrusion.
The first stage of the attack took place on September 13th, which Sophos says was a full 11 days before the ransomware campaign proper was executed.
Initial access was gained through an Object-Graph Navigation Language injection attack, and Sophos notes, It's possible that this was done either by an Atom Silo affiliate or through the services of an initial access broker. Initial access brokers have become a familiar kind of player in the criminal-to-criminal market. That access was followed by an unsigned DLL sideload attack, which in turn served as a backdoor that enabled the attackers to download malware that permitted remote execution of Windows shell commands through the Windows management interface. At this point, lateral movement began, and eventually, on September 24th, they began file discovery and exfiltration. Once the data they wanted were stolen, they dropped their all-in-one attack executable, and that's all she wrote, as they say in the old movies.
Sophos discovered this complex activity when they were called in
to provide incident response support to an unnamed organization. One recurrent lesson,
once vulnerabilities are announced and patches are released, there's a criminal rush to exploit them
before everyone gets around to patching. That seems to have been the case here. So, if you're a Confluence user, do patch.
And finally, we'll pass over all the derriere covering and under-the-rug sweeping and pious platitudinizing about equity and transparency that the Pandora Papers have prompted among the rich and famous, and also the good people of South Dakota. To read more about it, see the selected reading in our daily news briefing or the accounts in Pro Privacy and Pro Policy.
Instead, we return to the question of the criminal affiliation
of the two gentlemen arrested in Ukraine on a ransomware beef last week.
That affiliation remains unknown.
They're said to be members of a Russian-speaking gang, but beyond that, authorities, including those whom The Register colorfully but indelicately refers to as Ukrainian fuzz, are keeping what they know or suspect to themselves. But one lesson for criminals everywhere: if you're counting on your letter of marque from the FSB to keep you out of the clutches of the fuzz, work from Russia. We know, we know, Ukraine is tempting. And a lot of people in Kyiv speak Russian. But as Ukraine itself will remind you, Ukraine's not Russia. And a get-out-of-jail-free card from the FSB isn't likely to be honored by the Kharkiv fuzz. There was a lot of online woofing and hallooing about the possibility that they were members of REvil, but this appears, in The Register's plausible explanation, to be based on a simple misunderstanding. Europol tut-tutted that the crooks had been responsible for extortionate demands as high as 70 million euros. The REvil connection is that the gang had been known to demand 70 million dollars, but evidently the Twitterverse has some difficulty distinguishing euros from dollars. They're not the same, and the current exchange rate is, let's see, $1.16 to the euro.
The investigation is proceeding,
and no doubt we'll eventually find out
who the two alleged gentlemen of crime were working with, or for, or under.
In the meantime, the Ukrainian fuzz are on the case with the assistance of French fuzz and American fuzz and general European fuzz,
all of whom are serious about putting their resource euros and dollars where their enforcement mouths are.
Good hunting to the fuzz in all civilized countries.
And to return to South Dakota for a minute, because we can't help ourselves, we'd like to ask everyone out there in the Mount Rushmore State if Wild Bill Hickok or Calamity Jane or Poker Alice or even Potato Creek Johnny would have spent their time setting up shell corporations back in the Deadwood of its outlaw heyday. We didn't think so either. It's like finding Wild Bill holding an online MBA instead of eights and aces. Sad.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Ann Johnson is Corporate Vice President of Security, Compliance, and Identity at Microsoft.
She's also the host of the podcast Afternoon Cyber Tea, which we are pleased to say is the newest addition to the CyberWire network.
Well, Ann Johnson, welcome to the CyberWire.
Thank you so much. It's great to join you today.
So today we are talking about your podcast. This is ACT, the Afternoon Cyber Tea,
which is joining the Cyber Wire network here. And of course, excited to have you join us. Can you
give us a little bit of the background here? What is the origin story of the Afternoon Cyber Tea
podcast? I love talking about Afternoon Cyber Tea. So we're going to season five and we
really wanted to improve the distribution and the audience and Cyber Wire was such a wonderful
opportunity. But how we started is I wanted to do a podcast a couple of years ago to really bring
industry thought leaders together and to have, you know, conversations that weren't necessarily
product specific or company specific, but really talked about solving some of the hardest
problems in the industry and thinking about, you know, how we can actually provide better
solutions or better insight to other folks.
And so we've had a great run of bringing just people on that are really fascinating topics
like, you know, the Internet of Bodies was one of the episodes we did that was incredibly fascinating.
We did an episode related to how, you know, cybersecurity is actually related to some ancient writings.
We've had a lot of fun with it, and I hope it's been incredibly informational for the audience.
Yeah, it really is a broad spectrum of topics that you cover there. And I have to say, one of the highlights of you being in the position that you are at Microsoft is that you get to attract some really top tier guests.
pulled together onto the podcast for the season. As we're recording some of the episodes and some of the content, it's been just fascinating. I learn a lot doing it. Selfishly, I learn a lot
doing it because I just get to cover this broad range of topics. Yeah. I have to admit that's my
favorite part of this job as well. It never gets old getting to chat with smart people about
interesting things, right? Exactly. Can you give us a little preview of some of the things
that we might expect to hear this season?
I can.
I just wrapped up an episode
with Dr. Fiona Hill
to talk about the intersection
of cybersecurity and disinformation.
We've had episodes with Amy Hogan-Burney,
who leads Microsoft Digital Crimes Unit,
to talk about the fascinating work
that they do with public and private sector partnerships.
So I think that will be a great episode.
Wendy Nather, who's very well known in the industry
as a Cisco advisor, joined us to give some insights.
So you're going to see a wide range, again,
of conversation this season,
but I'm just thrilled about our guests.
Who are you targeting here in terms of the audience?
Who is the ideal listener for ACT?
I think it's any cybersecurity professional, right?
We try to keep it at a,
we do get some very technical conversations.
I had Ian Coldwater on a couple seasons ago.
We were talking about Kubernetes security as an example.
So we do get some deeply technical content,
but it's probably more at the strategy
executive level to really talk about the trends and things that are happening in the industry.
Though, like I said, we've had some technical episodes. Even this season, Bryson Bort joined us
and talking about just some of the work he's been doing and things he's seeing in the industry. And
that lent itself to a little more technical of a conversation, which I love to have also.
What do you get out of this? I mean, what do you take away, some of the things that
you learn yourself? I think that some of the topics are things that I am not, you know, as deep on.
So, there's that. But just meeting exciting and interesting and fascinating people that I may
have never had the opportunity to meet. We have academics that come on and just talk about the research and work that they are doing.
And then finally, appealing to the audience. I get tremendous feedback on Afternoon Cyber Tea
from the listeners. So appealing to a wide audience and letting them listen in on these
just fascinating conversations. It's not a gotcha podcast. It's not a hard podcast.
It's just two people talking and having a really
good time. And most of the episodes are pretty fun, actually. Well, I can certainly vouch for
that. And as I said, we're happy to have you joining the Cyber Wire Network here. Ann Johnson
is Corporate Vice President of Business Development, Security, Compliance, and Identity
at Microsoft. And the name of the show is ACT Afternoon Cyber Tea.
Ann Johnson, thanks so much for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hi, Dave. How are you doing?
Pretty good, pretty good.
Interesting story from the Washington Post.
This is written by Jay Greene and Drew Harwell,
and it's titled, When the FBI Seizes Your Messages from Big Tech, You May Not Know It for Years.
What's going on here, Ben? So this concerns gag orders that come with government requests to
obtain data from these third parties, these big tech companies like Microsoft, Google, and Facebook.
Yeah. So let's just start with Facebook as an example.
In the last six months of 2020, Facebook received 61,000 plus requests for user data in the
United States.
And about 70% of those requests came with secrecy orders or gag orders.
What those gag orders mean is that Facebook is legally barred from disclosing the fact that they received a request, not only to the public, but to the individual who has had their communications collected.
Whether these are chats, text messages, social media posts, the person who actually made those posts isn't aware that their information has been collected
as part of an ongoing federal investigation.
This has become a pattern, particularly over the past 20 years.
So according to the 1986 Electronic Communications Privacy Act,
federal prosecutors can't go directly or really it wouldn't be useful for them to go directly to users
to get digital information.
So the content of anything that exists in the online world.
So they go to these tech companies.
But for a number of reasons, they are distrustful of these tech companies.
For one, the tech companies hold a lot of information.
Law enforcement is going to want to maintain good relationships with them,
lest they release something that sheds the government in a negative light. Law enforcement
is very wary of customers becoming aware of the fact that they're under investigation so that
they would go out and destroy additional evidence. So you see this proliferation of gag orders.
This is particularly acute in the national security context with something called
national security letters, where companies will get a subpoena saying you need to hand over these
records. You can't tell anybody about it. This is for national security purposes. We've seen an
explosion of these types of cases over the past 20 years. We've had a lot of litigation. Sometimes
there is a good justified reason to have these
gag orders. It really could interrupt an investigation. There might be national
security implications. You know, there might be implications in terms of bringing down like an
organized crime ring. If one member of that ring is notified that their communications are under
surveillance, then the Justice Department or any other federal agency
might lose progress in their fight against one of those organized crime communities.
But there are lots of cases where that type of secrecy is not justified. And the fact that
these gag orders came with 70% of these requests, I think it would be hard to say that everything
contained in that 70% was necessary in terms of having a gag order.
The Justice Department and members of Congress are both looking into ways to try to ameliorate this problem.
Come up with some sort of standard where gag orders are only employed when absolutely necessary.
Sometimes that's going to require a layer of judicial review.
So law enforcement might have to get a court order to make one of these requests with a gag order. And this contravenes what happens now where generally, at least in the national security context, you receive the gag order and then you can challenge it in court.
That's often a very cumbersome and costly process.
Right, right. It seems like there's
bipartisan support for reform here. Absolutely. I mean, this is definitely not a partisan issue.
Anytime we talk about, you know, the excesses of big tech and government surveillance,
you're going to get critics from both the left and the right. And I think that's absolutely true
in this context. There's been a long running effort to do away with both national security letters generally
and also gag orders and all different types of contacts from members of both parties. So I do
think this is something where you'd have bipartisan space to make some type of policy decision,
whether that's through Congress or through the executive branch. But the fact that the Justice Department for the first time really
is actually reviewing the pattern and practice of issuing these gag orders, I think it's a positive
sign that, you know, we might get some programmatic changes here. Yeah, just a little interesting
little side nugget in this article here that I hadn't really considered is they make the point that
when it comes to, for example, physical evidence, you know, if law enforcement wanted a bunch of
your papers, there's no gag order necessary. It's nonsensical because...
Yeah, you know if they come take your papers.
Right. Exactly. When it's something physical, you know that they've come and taken it. But in the digital realm, they can take it, they can view it, they can analyze it without you
knowing. And that's a big difference here. And that's, I think, where some folks are calling
foul constitutionally. Yeah. I mean, that is absolutely what's programmatic. I mean,
the reason we have the Fourth Amendment is we don't want the government snooping through our
stuff. Right. And if they are snooping through our stuff, they have to have
a good reason. They have to go through our judicial system. And, you know, with physical
searches, it's very obvious when we've been searched, we can use all of the constitutional
tools at our disposal to challenge that search. They find evidence that we've committed a crime
and we, you know, go on trial.
We can seek to suppress that evidence saying, hey, you busted into my house at three in the morning
for no reason. That's a violation of the Fourth Amendment. In this area, we don't have that.
Not only are the consumers not aware that tech companies are receiving these subpoenas,
but the tech companies don't really know what to do when they receive one of these requests with a gag order.
They know that some of them, the gag order probably has merit.
Some of them, they're not sure.
Often these requests are extremely vague.
And so they don't know, the tech companies don't know
which ones are worth challenging.
As a result, they only end up challenging a small fraction of them.
And that ends up being a major detriment to the consumer because to make their lives a little bit easier, Microsoft and Google in most circumstances are just going to hand over the conversation and not make a big fuss about it.
Right. And why should the big tech companies have the burden of trying to make that decision?
Right.
I mean, there's nothing inherently,
there's nothing positive about the fact that we give this responsibility to the tech companies.
Right.
Especially when we know that they're receiving
60,000 requests in a six-month period.
You can have a giant legal department,
you're still going to have a resource problem
where you're not going to be able to challenge
every single one of these gag orders.
Yeah.
All right.
Well, interesting for sure.
Again, that article is from The Washington Post.
It's titled, When the FBI Seizes Your Messages from Big Tech, You May Not Know It for Years.
Ben Yelin, thanks for joining us.
Thank you.
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.