CyberWire Daily - Goblin Panda sighting? The attempt on Ubiquiti. More universities feel the effects of the Accellion compromise. National Supply Chain Integrity Awareness Month. Down-market phishing.
Episode Date: April 2, 2021
Goblin Panda might be out and about. Ubiquiti confirms that an extortion attempt was made, but says the attempted attack on data and source code was unsuccessful. The Accellion compromise claims more university victims. It's National Supply Chain Integrity Awareness Month in the US. BOLO Mr. Korshunov. Andrea Little Limbago from Interos on supply chain resilience in a time of tectonic geopolitical shifts. Our guest is Paul Nicholson from A10 Networks on their State of DDoS Weapons report. And some down-market phishing attempts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/63
Transcript
You're listening to the CyberWire Network, powered by N2K.
Goblin Panda might be out and about.
Ubiquiti confirms that an extortion attempt was made,
but says the attempted attack on data and source code was unsuccessful.
The Accellion compromise claims more university victims.
It's National Supply Chain Integrity Awareness Month in the U.S.
Andrea Little Limbago from Interos on supply chain resilience
in a time of tectonic geopolitical shifts.
Our guest is Paul Nicholson from A10 Networks
on their State of DDoS Weapons Report
and some down-market phishing attempts.
From the CyberWire studios at DataTribe,
I'm Dave Bittner, back again with your CyberWire summary for Friday, April 2nd, 2021.
DomainTools has a rundown on how both state security services and criminal gangs continue to use COVID-19-themed phishing against a wide range of targets. They're following one campaign which delivers a decoy document to the user that leverages a signed binary and a modified DLL to execute a Cobalt Strike Beacon payload. Some of the activity is suggestive of Goblin Panda, a threat group aligned with the Chinese government that has collected most actively against Southeast Asian targets, and especially against Vietnam.
Ubiquiti has confirmed it was the victim of an extortion attempt in January, The Record reports, but the IoT shop hasn't said that either personal data or source code were compromised, as a whistleblower had claimed.
The company's statement did say that it had brought in external security experts to help investigate the incident.
Quote,
These experts identified no evidence that customer information was accessed or even targeted.
The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials,
never claimed to have access to any customer information.
This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.
SecurityWeek notes that Ubiquiti shareholders have taken a bit of a bath after the incident came to light, with its share price falling from $350 on March 31 to $290 yesterday.
Markets are always jumpy on bad news, however murky or disputed that news may be.
The Accellion compromise continues to affect users of the company's File Transfer Appliance, with a wave of universities reporting data breaches. The Clop ransomware gang, also tracked as the possibly distinct but associated threat actor UNC2582, is leaking information stolen during its operations. Student, faculty, and staff data at Stanford, the Harvard Business School, the University of Maryland, Baltimore, and the University of California have been affected. Some individuals have begun receiving ransom notes.
The Accellion incident is an instance of the kind of software supply chain risk the U.S. Department of Homeland Security and the intelligence community are currently interested in addressing, in part through a program designed to raise awareness of the problem. April has been declared by CISA and the National Counterintelligence and Security Center as the fourth annual National Supply Chain Integrity Month, with a call to action for organizations across the country to strengthen their supply chains against foreign adversaries and other potential risks.
It's April, people.
Do you know where your supply chain is?
Be on the lookout for Alexander Yuryevich Korshunov, an SVR officer wanted by the FBI for conspiracy to commit theft and attempted theft of trade secrets. The wanted poster is helpfully available in Russian as well. The indictment itself was unsealed in 2019. The wanted poster is worth a look for two reasons, at least. First, the crime alleged involves theft of corporate trade secrets, and it's a useful reminder that there are laws against doing that, too. Stealing classified information isn't the only thing that will get you into hot water. Second, it's worth noting that once the FBI has its teeth into someone, it's loath to let go, whether that someone can be readily extradited or not.
And finally, a couple of notes about down-market phishing attempts.
The first is the more sophisticated of the two.
Security firm Avanan describes the curious case of a legitimate business using phishing techniques to attract business. A business, we should say, that is, in other respects, legitimate. That is, it delivers a legal and real service. It's not the usual straight-up scam we're accustomed to seeing with phishing attempts, the widow of the Nigerian prince, the email from country X's minister of the gosh-darn oil, and so on. In this case, Avanan says that one PERA LLC, a firm based in the Silver State of Nevada, is using, quote, "all the methods you would expect from a well-organized phishing spam campaign, spoofing the sender in the email header to impersonate an email from the organization, rotating domains and links, rotating the sending IP addresses, and changing the subjects and bodies of the emails themselves," end quote.
The point is to lend legitimacy to the appeal for business by presenting an appearance similar to that of a state employee pension fund. Even the firm's name nudges in that direction, since PERA is a commonly used acronym for Public Employee Retirement Account. That similarity and the various solicitations coming from the Nevada-based business have prompted at least one lawsuit. Legal Newsline reported in October that the Colorado Public Employee Retirement Association, which also goes by PERA, filed a complaint in a Denver court in an attempt to get PERA LLC to quit it. The plaintiff alleges that PERA LLC has solicited Colorado's public employees under false pretenses and has misrepresented that the third-party investment representatives are approved by PERA or the PERA employee when they are not. It adds, quote, "PERA LLC has contacted thousands of Colorado public employees in an effort to take advantage of and benefit from PERA's goodwill and reputation with its membership," end quote. The case has been moved to federal court at the defendant's request, where it's on a pandemic-related hold.
This isn't unsophisticated, so why do we suggest it's down-market?
Well, we do so because it reminds us of a family of physical
junk mail that clogs our physical mailboxes. A company sends a prospectus in a plain,
vaguely official-looking envelope without the gaudy colors and other meretricious trappings
of junk mail. It may even be festooned with some vaguely heraldic-looking device. Eagles are nice in the U.S. We assume
Canadian junk mail gets maple leaves, with other national styles imitated elsewhere. You open it,
maybe expecting something from, oh, Medicare, or the tax people, or the local water department,
but a close reading leads you to say phooey and be done with it.
So perhaps this is a natural evolution of junk mail
into the virtual realm. The other phishing attempts we'll mention, and we promise this is the last of it today, come to us from security firm GreatHorn, which is throwing up its hands at the lame stuff that's in circulation. Here's one example. A couple of bogus messages misrepresent themselves as originating from Microsoft Teams. The phish bait is a communication about bonuses, and the first message tells the recipient, quote, "just send it over now, you have wasted time alot."
There are two problems with this.
First of all, there's an improper comma splice joining the two independent clauses,
and a lot is misspelled as one word.
Second, the tone is angry and impatient, which isn't, in most people's experience, the way businesses tend to communicate by text. There's a follow-on message also reaching for a sense of urgency: "If I don't respond within a timely manner, you would loose the bonuses."
What do you mean, I?
And are we going to loose the bonuses the way the Titans in that movie would loose the Kraken?
Even the Titans got it wrong.
Our ancient mythology desk wonders
what a Germanic Kraken is doing over there
in Greek mythology anyway.
Distributed denial-of-service attacks tend to make news whenever a new record is set
for the number of bots in a botnet or the traffic being unleashed on a victim.
The tools available to DDoS perpetrators continue to evolve in their
sophistication. The team at A10 Networks recently published their State of DDoS Weapons report.
Paul Nicholson is Senior Director of Product Marketing at A10 Networks.
So this report is a little bit unique compared to others because we're tracking DDoS weapons,
and these are potential weapons which could be used to attack networks.
So we think this is very useful for the community out there to look at what types of attacks could hit their network
and what they need to defend against.
So I think it actually helps a lot of organizations shore up their defenses.
Well, before we dig into some of the details here,
can you give us a little idea of where we stand? What's the state of things?
Yeah, so it's interesting because this data is some of the first data which we've had,
which reflects the impact of COVID-19 and what might have happened out there. So what we've
seen from our honeypots and other sources
is the number of weapons has increased in the second half of 2020.
So it went up from 10 million to 12.5 million.
And this is kind of in line with what we've seen
over all our reporting periods from 2018 through now,
which is roughly a 12% increase over time. So this problem is
getting larger. And even with the pandemic, that hasn't changed.
As we look forward, what's your outlook here? I mean, in terms of this arms race between the
folks coming at us and the defenders, what do you think we're in for in the next year or so?
Well, one thing I think we've seen the trend,
like I said, I think it was, I said it was like 12% increase
over the reporting period from 2018.
So we don't necessarily see a change in the landscape
in terms of will it escalate?
It probably will because you look at the new technologies out there
like 5G and some of these other things,
it's basically the ability to transmit more data more frequently
from more different devices and IoT devices, of course, right?
So there's a lot of potential vectors out there for exploiting,
so we think it will increase.
The good news, however, is I'm heartened to see
there's a lot more data going out there,
whether it's the AWS threat report,
which also sometimes mentions DDoS attacks,
or there's some very good information I was just reading recently
where Microsoft has given a lot of statistics
around what attacks they're seeing on the Azure network,
public, by the way.
So having this data, I think, and also this threat report, obviously,
it allows someone who's maybe doing corporate defenses
or service provider defenses a window into what the community is seeing out there
and allows them to think, hey, I see A10 mentioned SSDP
is the top amplification weapon out there in this report.
Maybe I should see A, if I should have it enabled, or where I should lock it down, etc.,
just so that they can't participate in a potential attack out there
as a system which is being used in an amplification attack, as an example.
That's Paul Nicholson from A10 Networks. There is a lot more to our
interview. Don't forget to go listen to extended versions of this and many other interviews at
CyberWire Pro. It's on our website, thecyberwire.com.
And I'm pleased to be joined once again by Andrea Little Limbago.
She's the Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back.
You are going to be doing a presentation at this year's RSA,
which is, of course, virtual and online.
And you're going to be talking about supply chain resilience,
a lot of geopolitical stuff going on in the world these days.
What can you share with us about your presentation?
Yeah, thanks so much for having me.
There's a lot going on as far as transformations and the way that the world's even just being structured and with tech wars going on, trade
wars, obviously the pandemic continues to disrupt. And really, it's been something that has upended
supply chains across the globe. And looking at that, but overlaying it with some of the
discussions that you and I have had in the past about digital authoritarianism and digital
democracies and that divide that's going on as far as the splintering of the internet and
really bring all these multiple layers together to highlight a way ahead during such a time of
disruption. And it really, you know, it's amazing just how much has shifted over the last year and
how much things are really continuing to shift. And when you think about supply chain resilience,
we've heard a lot almost a year ago about the shortage in various kinds
of personal protective equipment,
but we've also seen very much so manufacturing shifts.
We've seen the impact of geographic concentration risks.
And then you've got issues of product risks
that we have seen very much so highlighted
really over the last year as well.
And so a lot of these trends that were underlying prior to COVID have been accelerated.
And we'll be looking at how, viewed through the lens of the techno-dictators
and what the democracies are doing in return,
we're looking at through that lens as far as, you know, what is the way ahead?
And with a focal point being that we can either allow the techno-dictator model
to continue to disrupt,
or we need to really have a solid and strong democratic alternative. And so we'll talk about
what some of those alternatives might be. We'll address some of the steps that democracies are
already taking, which are, you know, actually over the last year, again, there have been a lot of
changes in that area. And, you know, even on top of all that is how industrial policy and cyber policy are really
starting to integrate quite a bit as far as even on the tech stacks that are becoming a means of
dividing between trusted and untrusted networks. So it's a lot that we're packing in, but there's
a lot going on in the world right now. So hopefully I'll be pulling it together into a coherent story
with some recommended paths ahead. You know, you use the term techno-dictator.
Can you spell that out for us?
What does that mean?
Sure, absolutely.
And so what we've seen over the last few years,
and it started in the world of cyber norms,
which are basically the rules of the road
for how you behave in cyberspace.
And the techno-dictators are those that,
the governments that are really using
a whole range of digital information technology
to surveil, repress, manipulate information,
it's really for complete information control.
And what we saw a lot was they started off
using a lot of these mechanisms domestically,
but then they apply them internationally.
And so from the whole range of disinformation
to cyber attacks, but also thinking about
on the tech side,
leveraging technology for implementing backdoors for access.
And then even just thinking about the surveillance
and repression that's going on across the globe
and internet blackouts.
So it's really full information control
is the strategy for the techno dictators.
And it has been able to spread for quite some time.
And it's been over a decade now
where we've seen internet freedoms decline.
We've seen democracy decline for over a decade.
So it's really having a global impact.
And it hasn't been until very recently where we've started seeing democracies realize that they need to get into the game of figuring out what an alternative counterweight might be.
And it has taken a lot for both on the purely cybersecurity side, looking at the various norms and how those are trying to be shaped through the international governmental organizations,
but it's also seeing how the supply chains are being used as well as a mode for disruption and
also as a mode for compromise. And so a lot of this discussion will be bringing together trade
policy and cyber policy and how they overlap, especially when it comes to the various kinds of technologies that are out there.
You know, I've seen word coming out of the Biden administration, for example, that this is something that they may be focusing on, that we don't try to ease up some of that dependence on some of the foreign nations that we might have adversarial relationships with,
that there needs to be more than one source
for some of these things.
Yeah, and that's exactly right.
We're seeing it a whole lot more being discussed.
There was an executive order just went out
that addressed as one component of it
the need for working with alliances
and for creating a means to have alternative suppliers
so you don't have all your eggs in one basket
like we've had for quite some time.
And so it's not just the U.S. And this is, I think, for me, one of the most important parts
of this is, while the U.S. has elevated this role of what a digital democracy could do,
especially the U.S. has mainly been working on it through sticks versus carrots as far as
implementing a range of prohibited companies from any kind of partnership.
But across the globe, we're seeing both other democracies
are doing that as well as far as prohibiting certain companies,
but also there's this really big push towards alliances.
And that's where I see a lot of transformation starting to emerge
is having the democracies come together as an alliance.
And so one that helps overcome issues of protectionism
because no country can be completely self-sufficient.
We still have a global economy.
And so looking at how the various democracies
and like-minded nations can come together,
create various kinds of alliances
to create greater security.
And there's a lot of tech and research components
that go under that.
It gets into trusted software and hardware.
And so it really gets into the entire tech stack
and brings in as well these digital norms
of what's appropriate behavior as well.
So it really brings together all different components
of cybersecurity together into an alliance system,
which I think is, you know, it's a bit overdue,
but it's one of those things that we've been living
in the post-World War system for quite some time,
and we really need to evolve it into the digital era.
And this is one way that we're seeing that.
One good example of it is the Quad,
which is India, Australia,
the U.S. and Japan
looking at building trusted supply chains
together. And so it's something to
keep an eye on
over the next year, but definitely it's
something that was in the most recent executive
order, and it's something that we keep seeing other
democracies as well saying it's increasingly a priority for them too.
All right.
Well, Andrea Little Limbago,
thanks for joining us.
Great, thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Quality never goes out of style.
Listen for us on your Alexa smart speaker, too.
We hope you'll take a few moments this weekend and check out Research Saturday and my conversation with Fernando Martinez and Tom Hegel from AT&T Alien Labs on malware using the new Ezuri memory loader. That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening, and special thanks to Elliott Peltzman for filling in yesterday.
We'll see you all back here next week.