CyberWire Daily - Fancy Bear’s snuffling at Gmail credentials. FIN12’s threat to healthcare, and BlackMatter’s threat to agriculture. REvil tries to reestablish itself in the underworld. Twitch update. Sachkov is charged.
Episode Date: October 8, 2021
Google warns fourteen-thousand Gmail users that Fancy Bear has probably been after their passwords. FIN12, a fast-running ransomware group, is after hospitals’ and healthcare providers’ money. BlackMatter remains active against the agriculture sector. REvil is back and talking on the RAMP forum, but so far it’s getting a chilly reception. Twitch traces its vulnerability to a server misconfiguration. David Dufour from Webroot wonders about cracking down on crypto. Our guest is Jeff Dileo of NCC on mastering container security. And Group-IB’s CEO is charged with treason. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/195 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Google warns 14,000 Gmail users that Fancy Bear has probably been after their passwords.
FIN12, a fast-running ransomware group, is after hospitals' and healthcare providers' money.
BlackMatter remains active against the agriculture sector.
REvil is back and talking on the RAMP forum, but so far it's getting a chilly reception.
Twitch traces its vulnerability to a server misconfiguration. David Dufour from Webroot wonders about cracking down on crypto.
Our guest is Jeff Dileo from NCC on mastering container security.
And Group-IB's CEO is charged with treason.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 8th, 2021.
Google has sent warnings to about 14,000 Gmail users, indicating that they may presently be targeted by a government cyber espionage organization. The attempts have been attributed, Bleeping Computer and The Record report, to APT28, that is, Fancy Bear, Russia's GRU. A TAG member, Shane Huntley, tweeted about the implications of such warnings: Google probably blocked the attempts, but you should take prudent steps to protect yourself now because you are a potential target for the next attack.
The warning itself begins with the screamer headline,
government-backed attackers may be trying to steal your password,
and goes on to say, quote,
there's a chance this is a false alarm,
but we believe we detected government-backed attackers trying to steal your password.
This happens to less than 0.1% of all Gmail users.
We can't reveal what tipped us off because the attackers will take note and change their tactics,
but if they are successful at some point, they could access your data or take other actions
using your account, end quote. The warning concludes with a few recommendations like
advising the recipients to keep their instance of Microsoft Word up to date,
or suggesting that they open Word documents with Google Docs.
Google sends these warnings out in batches,
and a warning indicates that Gmail blocked the attempt it detected.
The reason for sending the warnings in batches,
as opposed to in onesies and twosies, as the malicious emails are detected,
is to avoid giving the bad actors, in this case Fancy Bear, unnecessarily granular and potentially useful insight into Mountain View's defensive tactics, techniques, and procedures.
Security firm Mandiant yesterday released a report on FIN12, an aggressively financially motivated ransomware gang, noteworthy for its concentration on healthcare organizations.
FIN12 concentrates on ransomware proper and hasn't followed the broader criminal trend toward double extortion.
It's also a heavy user of initial access brokers hired in the criminal-to-criminal market. The group is also a user of the Ryuk strain of ransomware. It's quick in its operations, rapid Ryuk, as Dark Reading called it, usually spending at most three days in its victims' networks before issuing its ransom demand. That speed, Mandiant thinks, distinguishes FIN12 from other Ryuk users.
That speed is also conducive to volume. FIN12 is believed to have demanded between $1 and $25 million apiece from its victims, and again, it's shown no compunction whatsoever about damaging healthcare organizations. If even a small fraction of victims pay, FIN12 has done well, financially speaking.
FIN12 appears to be a Russophone group and probably based in Russia. Its victims have been concentrated in North America, but there are recent signs that the gang is branching out to Europe and Asia. It doesn't hit Russia, or usually the former Soviet republics in the near abroad, a group of countries sometimes known by the name of the moribund association that connected them, the Commonwealth of Independent States.
Mandiant thinks FIN12's position in the ransomware underworld reflects a trend toward specialization in gangland.
As they put it, quote,
NBC News reviews the current series of BlackMatter ransomware attacks against the U.S. agricultural sector. Two Iowa-based grain cooperatives, Farmers Cooperative Company and The New Cooperative, and Minnesota-based co-op Crystal Valley, are known to have been disrupted. The timing of the attacks is troubling, coming as they do around the time of the harvest. The affected organizations have been reticent about sharing information, in part due to concerns over potential litigation, and some speculate that there may be other publicly undisclosed farming sector victims.
Flashpoint researchers are tracking the resurgence of the well-known REvil ransomware gang in the Groove Collective's criminal RAMP forum. Quote,
The REvil profile on RAMP was created on October 6th. In a post underneath its profile, REvil advertised their affiliate program in detail and claimed that their practices are anonymous and secure. REvil followed up their post with a claim that it will wait until November to begin actively recruiting affiliates on RAMP. Cybersecurity analysts note that this post follows a report that REvil was scamming their affiliates through a backdoor in their ransomware code.
End quote.
Apparently, the other crooks and lowlifes who disport themselves in RAMP aren't all ducky with REvil's apparent appearance there. They don't trust them because of the way REvil went into temporary occultation earlier this summer. These others expressed caution and contempt for REvil's reappearance. There are accusations circulating in RAMP that REvil bugged out because it suffered some major security problem, and some have gone even farther, speculating that REvil has been taken over and is now being run by some law enforcement organization, using the gang's name and account as a provocation and an investigatory tool. REvil denies this, of course, and says it's totally official, in a criminal kind of way.
Twitch blogs that its attacker gained access via an error in one of its server configuration changes. Yesterday, the streaming service advised users that, out of an abundance of caution, we have reset all stream keys. Depending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream.
Twitch had earlier explained, we have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.
As the investigation is ongoing,
we are still in the process of understanding the impact in detail.
We understand that this situation raises concerns,
and we want to address some of those here while our investigation continues.
A Washington Post essay sees the attack on Twitch as part of a bigger trend,
a resurgence of hacktivism,
and the new hacktivists' interest in picking their targets from big tech.
Twitch is an Amazon subsidiary.
And finally, Russian authorities have now, according to Reuters, formally charged Group-IB founder and CEO Ilya Sachkov with treason. Meduza cites various official Russian media to the effect that Sachkov has specifically been charged with disclosure of information that contains state secrets.
Further information won't be forthcoming since the matter is regarded as classified.
Treason charges come with a potential sentence of up to 20 years.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
Whether it's Docker, Linux, or Kubernetes, containers continue their growth in popularity,
but not without concerns about configuration and security.
Jeff Dileo is a technical director at NCC Group,
and I checked in with him for his take on container security.
I think that containers themselves are in a fairly good place at this point. There's always room for improvement, and things, I think, are getting better. I think where things are maybe falling short is in how people configure them or how people use them as part of larger systems that then configure them in ways that maybe aren't so great.
Well, let's dig into those one at a time there.
I mean, let's start with configuration.
What are some of the pitfalls there?
Containers, assuming you're referring to normal Linux containers, which are more of a concept,
they are a construct of various Linux features around isolating programs.
And not all of them are specifically designed around security specifically.
And so you need to be careful when you combine them.
Most of the container runtimes, as we call them, like Docker, have gotten this down pretty good by default. But you can still configure your containers to run with full admin privileges on the host. You can configure them in ways that might be needed for enabling certain pieces of functionality, but might themselves be essentially equivalent to admin on the host, or could be used to break out and get admin on the host.
So we kind of consider that equivalent.
There are certain things like if you were to, for example,
mount your host file system as read-writable into the container,
well, the container could probably mess with all of your users' password hashes and then log into that system possibly or mess with service configurations to automatically run code outside of the container on the host.
Things like that.
That's a bit of a stretch, someone doing that.
But those kinds of things, even there are smaller innocuous things that can also be bad, but they get a bit technical.
And to what degree are those kind of hidden traps? I mean, are we at the point where the systems people are using are pretty well configured to put proper guardrails on the users?
I'm not sure it's really something about the systems being configured. In some cases it is, but in general, something like Docker or containerd, which Docker uses under the hood, Kubernetes uses under the hood these days, basically is just fully privileged to do what it wants most of the time. And it ends up being on how it's told to create containers. And so if your, whatever system you're using to give access to developers or ops people to create those containers allows them to configure kind of whatever access they want, that can be bad. There are various systems for access controls, but certain things are at lower levels where just access to them in the first place means you can tell them to do anything. So a lot of the security in locking these things down is more in placing abstraction layers between the user and those things that kind of mediates what they're allowed to tell it to do.
So what are your recommendations then?
I mean, how do organizations go about
configuring these from the outset?
But then also, I suppose there's a certain amount of
auditing that has to go on as you go.
So there are best practices and there are auditing tools and they often follow against best practices like the CIS Benchmark.
And then there are kind of the nitty-gritty of access control review. There's kind of a whole
series of things that can be looked at. I would kind of break it down into maybe two or three
groups, maybe four, depending on how deep you want to go, where you have,
there is the configuration and the access controls and who can do what and who can get in
and what they're allowed to do, right? Then there is the actual things that are running
and how privileged they are and what risk that poses if they were to get compromised.
And then there is the code that actually gets run
and how that's assembled and built.
And if you're handling your dependencies properly
or running untrusted images
or allow untrusted images to be run potentially.
And then there is the lower, lower level of configuration
of all the components of the system
and what's accessible and whatnot.
And so some of those
things are fairly reasonable for organizations to do themselves, and some of them not so much.
That's Jeff Dileo from NCC Group. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized
applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, always great to have you back.
You know, we've seen some noises coming from inside the federal government that they might be doing some cracking down on how some of these cryptocurrency exchanges
work, trying to go at things like money laundering and so forth. What is your take on the progress
we're seeing here? Well, I think it's interesting. I think you have to do something. You can't not
do anything just because you don't know what to do. And I think it is a good first step. I think
from a money laundering perspective, they definitely need to do something. Never mind should crypto be regulated or not. That's a whole
SEC, you know, financial industry discussion. But from a purely cybersecurity perspective,
you know, we've seen a huge shift away from a market for stolen credit cards. You know,
back 10 years ago, David, when we were, you know, getting into this industry,
stolen credit cards were a big deal. Stolen bank accounts were a big deal because that's the way cybercriminals got
paid. They would pay to get credit cards or bank accounts. And then when they did some bad action,
they would use that stolen credit card or stolen bank account to execute their transactions.
And with the advent and just the sheer growth of crypto,
we've seen the shift from that.
So what's ironic is we've seen a shift away
from people stealing accounts and credit cards
to using crypto, which is good.
But unfortunately, that's empowered ransomware
because nobody calls up and asks for a check
for ransomware.
They want Bitcoin.
Right.
And I mean, I think it's fair to say that the cryptocurrencies
are really major enablers when it comes to things like ransomware.
So, you know, I can't help wondering,
do we need some sort of increased oversight over this?
I guess the devil's in the details, right?
I mean, it's hard to imagine enabling something like that without hurting some of the things that make crypto crypto.
You're spot on.
And this is where we need some really smart people to think about this so that we don't – and I'm not big anti-government or anything like that.
I'm all about things that make sense.
And I do think there needs to be some understanding, some slight regulation on this.
But how do you not go too far and, like you say, eliminate what the value of cryptocurrency is?
And I know a lot of people in government would like to just shut all cryptocurrency down because
they can't control it. But there is a middle ground somewhere. It does help a lot of folks in third world countries or countries where there is an unstable currency. So there's a lot of good cryptocurrencies do. The trick will be how do we find that balance? And do we need to find the balance is a discussion we should have as well. Are we knee-jerk reacting to something where we should be fixing the ransomware problem, not fixing the problem of how people are paying the ransom.
I mean, there's a discussion that should be had there.
Because honestly, and David, just to add to that, as I'm thinking through this, I promise
you, if they stop the ability to use crypto to pay for ransomware attacks, we'll go right
back to having bank accounts stolen and credit cards stolen.
And they'll start using, there'll be an industry for that again.
Yeah, yeah.
I guess, you know, looking to have it be more of a speed bump than anything.
Yeah.
And, you know, there's a lot of, unfortunately, smart people on both sides of this.
And I say, unfortunately, because no matter what the smart people on the side trying to prevent this ransomware and crypto being used for nefarious reasons, there's smart people on the other side
who are going to figure out other ways to do it and find some other barter system or something of
that nature to actually transact these things. It won't go away. But I guess like we said at
the beginning here, you've got to figure out, you've got to do something. You can't just let it keep happening.
Yeah, absolutely.
All right.
Well, David Dufour, thanks for joining us.
Great being here, David.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's episode of Research Saturday and my conversation with Matt Stafford from Prevailion.
We're going to be discussing his team's report,
Diving Deep into UNC1151's Infrastructure, Ghostwriter, and Beyond.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you right back here. Thank you.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.