CyberWire Daily - FBI claws back a lot of the ransom DarkSide collected. An international dragnet uses an encrypted chat app to pull in more than 800 suspects. Navistar discloses a cyber incident.
Episode Date: June 8, 2021
The FBI seized a large portion of the funds DarkSide obtained from its extortion of Colonial Pipeline. An international sweep stings more than eight-hundred suspected criminals who were caught while using an encrypted chat app law enforcement was listening in on. CISA advises users to update their VMware instances. A new phishing campaign distributes Agent Tesla. Ben Yelin examines renewed controversy surrounding Clearview AI. Our guest is Aimee George Leery from Booz Allen on the challenging intersection of secure spaces and work from home. And a major truck maker discloses a cyber incident. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/109
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI seized a large portion of the funds DarkSide obtained from its extortion of Colonial Pipeline.
An international sweep stings more than 800 suspected criminals who were caught while using an encrypted chat app law enforcement was listening in on.
CISA advises users to update their VMware instances.
A new phishing campaign distributes Agent Tesla.
Ben Yelin examines renewed controversy surrounding Clearview AI.
Our guest is Aimee George Leery from Booz Allen on the challenging intersection of secure spaces and work from home.
And a major truck maker discloses a cyber incident. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 8th, 2021. The U.S. FBI yesterday seized 63.7 bitcoins, currently valued at approximately $2.3 million.
As the Justice Department primly puts it,
the funds allegedly represent the proceeds of a May 8 ransom payment
to the DarkSide gang in the course of their extortion of Colonial Pipeline.
The recovered money amounts
to a significant fraction of the 75 bitcoins, or $4.4 million, Colonial paid. The seizure warrant
gives, in a suitably redacted form, the FBI's tracking of the wallets through which the funds
passed. The money was seized when it reached a wallet for which the Bureau held the key,
which suggests that the Feds were leaning forward in the foxhole on this one.
The Justice Department explained,
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger,
law enforcement was able to track multiple transfers of Bitcoin
and identify that approximately 63.7 Bitcoins,
representing the proceeds of the victim's ransom payment,
had been transferred to a specific address,
for which the FBI has the private key,
or the rough equivalent of a password,
needed to access assets accessible from the specific Bitcoin address.
This Bitcoin represents proceeds traceable to a computer intrusion
and property involved in money laundering
and may be seized pursuant to criminal and civil forfeiture statutes.
There's also some credible speculation reported in Ars Technica
that Colonial paid not to gain access to the flawed and essentially worthless decryptor the gang offered,
but rather to aid the FBI in its work against
DarkSide. Deputy Attorney General Lisa O. Monaco made a point of thanking Colonial Pipeline in her
public statement about the case, quote, following the money remains one of the most basic yet
powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine,
and today's announcement demonstrates that the United States will use all available tools
to make these attacks more costly
and less profitable for criminal enterprises.
We will continue to target the entire ransomware ecosystem
to disrupt and deter these attacks.
Today's announcements also demonstrate
the value of early notification to law enforcement.
We thank Colonial Pipeline
for quickly notifying the FBI when they learned that they were targeted by DarkSide.
There's been considerable discussion of cryptocurrency as a key enabler of the
ransomware economy, and much of that has centered on the possibility of tighter regulation,
perhaps quite restrictive, of altcoin in general. The FBI's action against DarkSide suggests an alternative approach
to taking away some of the online criminal's essential tools.
Another law enforcement action, this one both international and collaborative,
has resulted in the arrest of some 800 suspects
and the seizure of drugs, cash, firearms, and other goods.
Europol says, quote,
The U.S. Federal Bureau of Investigation, the Dutch National Police, and the Swedish Police Authority,
in cooperation with the U.S. Drug Enforcement Administration and 16 other countries,
have carried out, with the support of Europol, one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities. End quote. The operation, variously
called Trojan Shield and Ironside, had its origins with the Australian Federal Police and the FBI.
It used technical tools the AFP developed to run on top of the encrypted chat platform Anom, which the U.S. FBI began operating after it took down Phantom Secure in 2018. Commissioner Kershaw of the AFP called it
a world-first operation to bring to justice the organized crime gangs harming our communities
with drugs, guns, and violence. The criminals, like everyone else transacting sensitive business, appreciate
encryption. The AFP summarized the operation as follows, quote, for almost three years, the AFP
and the FBI have monitored criminals' encrypted communications over a dedicated encrypted
communications platform. The AFP built a capability that allowed law enforcement to access, decrypt and read communications on the platform.
The AFP and FBI were able to capture all the data sent between devices using the platform.
Authorities in the Netherlands, Sweden and New Zealand also commented on their roles in the sweep.
The Central Unit of the Netherlands Police says it contributed by developing high-quality
technological tools and making them available to the other participating countries, thus enabling
the analysis and interpretation of the millions of messages gathered. The head of intelligence
for the Swedish police acknowledged the FBI's role, quote, thanks to valuable intelligence that
the FBI has shared with us, we have been able to arrest a significant number of leading actors within the violent crime and drug networks in Sweden.
End quote.
And the New Zealand police cited international cooperation as essential to stopping contemporary organized crime,
so much of which is transnational.
So how do you get hundreds of dangerous hoods, who presumably have at least a rudimentary level of net-savvy caution,
to start yakking their business to one another over a chat app that includes the FBI and the AFP as quiet listeners?
You do it through an influencer, of course, since this is, after all, the 21st century.
The BBC says criminals were gulled into using the app by one Hakan Ayik,
a fugitive and alleged drug kingpin who served as an unwitting Judas goat. They got him to use it,
and the others followed suit because it seemed like a good idea at the time. Mr. Ayik, who the
Australian papers call the Facebook gangster, lived large and wasn't shy about posting selfies of his shirtless,
tattooed, scowling self, looking for all the world like a prison gang leader we've seen on
those endless reruns of Law & Order we've been binging on during the pandemic.
Police are suggesting, with a straight-faced schadenfreude worthy of Detective Briscoe,
that it would be to Mr. Ayik's advantage if he were to turn himself in
because the authorities will treat him better than the criminals he influenced.
Europol says we should expect a lot more arrests in the near future.
It's not, of course, all success today.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency,
has warned that a VMware vulnerability is being actively exploited in the wild
and that users should update their software immediately.
Fortinet reports that it's found a new variant of Agent Tesla in circulation
being distributed by a phishing campaign that steals Bitcoin addresses
and other personal information from infected devices.
And for all of law enforcement's recent successes, ransomware and other attacks continue.
U.S. truckmaker Navistar disclosed yesterday in a Form 8-K that it learned of a credible potential cybersecurity threat to its information technology system on May 20.
On the 31st of that month, it received a claim that certain data
had been extracted from the company's IT system.
It's engaged in investigation and remediation and has notified law enforcement.
Navistar says its operations have remained largely unaffected.
In the shift to working from home that many of us experienced during the global pandemic,
one group of workers faced with specific challenges are those working in secure environments,
folks with security clearances who have to show up in person.
As convenient as it might be,
it's simply not practical to convert that spare bedroom or walk-in closet into a SCIF.
Aimee George Leery is an executive vice president at Booz Allen, and she joins us with insights on how she and her colleagues have faced these challenges head-on. Security-cleared individuals
are essential workers, and they come from many
backgrounds, military backgrounds, which face even greater challenges than our remote colleagues
and really shouldn't miss out on this sort of flexible work. But we've put some focus,
for sure, on creating flexible security-cleared environments and flexible non-secure, you know,
for our non-secure employees as well. And really focusing on, you know, job satisfaction and performance
across the year. At the start of the pandemic, you know, we put away or reprioritized, I should say,
about $100 million towards employee support and resilience. And that took on everything from job support, you know, around testing protocols, telework equipment, to dependent care support.
And, you know, even, you know, for parents and children helping others, wellness, work flexibility, just general support in general, because, you know, we didn't know, you know, how long this was going to last, what the requirements or needs of our employee population was going to be.
So we really, you know, had to scramble there at the beginning to say, you know, how could we
take something, reprioritize it, and put in place things that would address the diverse
needs of our diverse population. Have you seen any shifts in expectations from employees? Are they looking
for different arrangements within offices, more private spaces, things like open bullpens? Are
people requesting adjustments having been through everything we've been through in the last year?
I think so. You know, one of the first
steps for really creating, you know, a flexible environment is making sure that we foster an
environment where our employees feel empowered to communicate what they want and what they need
professionally and personally. So we did a lot with our leaders, reaching out to all of our
employees and, you know, making sure we understood what their circumstances were,
what their challenges were, and how we could help, and that our leaders stay connected through
various ways, whether it be just personal conversations, visits to the SCIFs, for example.
But again, if they feel comfortable communicating and working with their leaders,
we can all lean in and help, whether it be, again, like I said, a flex schedule or modified hours, some kind of hybrid schedule or whatever that looks like.
You know, we're also, you know, working with our clients, right, to come up with a different delivery model.
You know, for example, you know, a team might have a designated on-site team, which are then supported by remote team members.
So some of the work, for example, in the secure environment where you're working with classified information,
take some of the work and do the non-classified work or use notional data outside and then hand it off to the team working inside, right,
to then apply and integrate the solution into that environment, right?
So we're doing some things like that, which we're having some success with as well.
That's Aimee George Leery from Booz Allen.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
But more important than that, he's my co-host over on the Caveat podcast, which if you have not yet checked out, what are you waiting for? Hello, Ben.
Hello, Dave. What an introduction. Thank you.
Thank you. Well, you know, you've earned it. So my story I want to talk about this week comes from the BBC and it's titled- The Biebs, as they call it.
The Biebs, as the kids are calling it today. And it's titled, Legality of Collecting Faces Online Challenged.
Looks like some folks are targeting Clearview AI.
What's going on here, Ben?
So we've talked about Clearview AI on this podcast and on the Caveat podcast.
It's used by a lot of law enforcement agencies in the United States.
It's this robust facial recognition technology
where Clearview scrapes images from social media sites,
makes those available to law enforcement agencies.
And they have contracts with law enforcement agencies
all across the United States.
They do not have contracts with any entities
in the European Union.
And that's what plays into this story.
So five individuals across the European Union
are challenging the methods of collecting photos
and selling them to private firms and law enforcement
under GDPR.
Under GDPR, any European citizen can ask the company
if their faces are in their database, and they can request that that biometric data no longer be included in any searches.
with EU law enforcement.
But anytime they have received one of these requests,
they've complied with the terms of GDPR and removed these faces from the database.
And they've also mentioned, I think not inaccurately,
that not only the U.S. government,
but other governments have found this sort of image scraping
to be a very effective law enforcement tool.
And so I think that was a large part
of their response to this.
They've not only faced challenges in the European Union,
the UK and Australia,
data regulators in both of those countries
have launched a probe into Clearview AI.
The ACLU is pursuing a lawsuit against them in Illinois.
The new California CCPA law means that users in that state
can opt out of having their data sold.
We're still in kind of the infancy of people getting outraged
at Clearview AI.
It was only a year ago that there was an expose
in the New York Times on what exactly it was doing.
And I think we're going to see many more of these types of challenges going forward.
Yeah, you know, what this reminds me of is, and I think one of the things that you don't often think about when it comes to facial recognition software in particular,
is how you can be tagged in the background of
other people's photos. So, you know, my family goes to Disney World, right? And we're minding
our own business, having fun riding Space Mountain. And some other family is taking a picture of their
family. We happen to be walking by in the background, well, technologies like Clearview can recognize us, tag us in a photo that we did not take. We did not know.
We didn't consent to being a party in that photo at all.
Right. It's just an accidental sort of drive-by photo that we were in. And yet,
by using someone else's photo, you can precisely tag where we were,
when we were, because take the metadata from the photo, GPS, all that sort of stuff,
and accidentally get dragged into this web of information gathering.
Yeah, I mean, I think what's fundamentally at issue here is who owns all of
the images of us that happen to be put online, especially through methods where we did not
consent to them being put online. When you post a photo to Facebook, you've read the EULA, you're
complying with all of the mumbo jumbo in that 100-page document
that you've certainly looked over.
And I'm sure there's something in there about what you can do with,
what Facebook and law enforcement can do with the data that you've uploaded.
But if you are just in the background of a picture,
you certainly didn't consent to that,
and it's still being used as part of this database
and being sold to law enforcement across the country without really any sort of robust government oversight.
national question, particularly when we talk about EU citizens who've had their photos taken and sent to law enforcement agencies in the United States. So you have some of those cross
jurisdictional issues. And I think it's important that regulators in all countries, in the EU,
in the United States, sort of clarify once and for all this basic question of, can you, without any
authorization, can Clearview AI capture these photos of unsuspecting citizens? And, you know,
just because this image is online doesn't mean it can be appropriated by Clearview and sold to
your garden variety law enforcement agency.
So I think those are very important questions that have to be answered.
And I think we're going to start to see a developing body of law on this as there are
more and more of these challenges across different countries.
Let me ask you sort of a nitpicky privacy question here.
I mean, so you and I often talk about the
expectation of privacy in a public place, right? And that there is no expectation of privacy in
a public place. We can take a picture and that's what that is. And so back to my example of say,
Disney World, or let's even say a national park, you know, something that's not private land.
That's one thing. What if I'm at a party?
What if we're at a friend's house?
Private property, someone's home, not out in public, and someone else takes a picture,
and I'm in the background of that picture.
They upload that picture.
I don't know I was in the background of that picture.
Now I get scraped and tagged.
Any difference here?
There are a couple of perspectives you have to think about here.
There's the policy and ethical perspective,
which is, I think most people would not want as a policy pictures where somebody's in the background to be available online
and sold to law enforcement agencies.
From a Fourth Amendment perspective, think about the two-part test here.
Are you
exhibiting a subjective expectation of privacy? Not really if you're at a party in somebody else's
house. And is that privacy something society is prepared to recognize as reasonable? Again,
you are willingly out at somebody else's house. It's not your own house. You're at a party with
a large gathering of people,
that does diminish your expectation of privacy
from a Fourth Amendment perspective.
Not unreasonable to think folks would be taking photos at a party.
Exactly, exactly.
Now if they're peering into your home and taking photos,
that's a separate issue when you're trying to conceal yourself
and maintain your privacy.
But again, I don't think the Fourth Amendment should be the be-all and end-all
for the policy questions here, which is, should we allow Clearview AI
to collect all of this data and sell it to law enforcement?
That's kind of separate from the issue of whether it passes constitutional muster.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.