CyberWire Daily - Hacktivism as irregular operations-short-of-war. A banking Trojan aims at fraudulent wire transfers. DTPacker’s two-step delivery. REvil re-forms? Ransomware and insider threats. DDoS in Andorra.
Episode Date: January 25, 2022

Tensions remain high as Russia assembles troops near Ukraine and NATO moves to higher states of readiness. The Belarusian Cyber Partisans claim responsibility for a ransomware attack against Belarusian railroads. The BRATA banking Trojan spreads, as does DTPacker malware. REvil alumni may be getting the band back together. Ransomware operators are working harder to recruit insiders at their targets. Joe Carrigan has the story of a romance scammer in custody. Mr. Security Answer Person John Pescatore has thoughts on BYOD. And there's a major DDoS campaign shutting down the Internet in Andorra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/16
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Tensions remain high as Russia assembles troops near Ukraine
and NATO moves to higher states of readiness.
The Belarusian Cyber Partisans claim responsibility for a ransomware attack against Belarusian railroads.
The BRATA banking Trojan spreads, as does DTPacker malware.
REvil alumni may be getting the band back together.
Ransomware operators are working harder to recruit insiders
at their targets. Joe Carrigan has the story of a romance scammer in custody. Mr. Security
Answer Person John Pescatore has thoughts on BYOD. And there's a major DDoS campaign
shutting down the internet in Andorra.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 25th, 2022. NATO has moved air and naval units into positions to respond to further Russian incursions into Ukraine.
Reuters reports that the alliance presently has about 4,000 troops deployed in multinational battalions in Latvia, Lithuania, Estonia, and Poland.
The U.S. is said to have placed some 8,500 additional troops on alert,
prepared to be transported to the region.
U.S. Department of Defense spokesman John Kirby explained yesterday,
As you're all aware, the United States is deeply concerned about the current situation in Europe. We remain keenly focused on Russia's unusual military activities near the Ukrainian border,
including in Belarus, and consulting extensively with our transatlantic allies and partners.
The department continues to support diplomatic efforts to de-escalate the situation.
Now, as the president has said, even as we continue to prioritize diplomacy and dialogue, we must also increase readiness.
In support of its obligations to the security and defense of NATO and the security of its citizens abroad,
at the direction of the President and following recommendations made by Secretary Austin,
the United States has taken steps to heighten the readiness of its forces at home and abroad so that they are prepared to
respond to a range of contingencies, including support to the NATO Response Force if it is
activated. The U.S. commitment includes a contribution to the NATO Response Force.
The United States also has a commitment to provide forces to the NATO Response Force,
or otherwise known as the NRF, in the event that NATO
should activate that construct. As you may know, the NRF is a multinational force made up of land,
air, maritime, and special operations forces, all components that the alliance can deploy on
short notice wherever needed. Altogether, the NRF comprises around 40,000 multinational troops.
Within the NRF is something called the Very High Readiness Joint Task Force, or VJTF.
This NRF element, which is about 20,000 strong across all domains, includes a multinational
land brigade of around 5,000 troops and air, maritime,
and special operations forces components. Both of those clips courtesy of C-SPAN.
Russia, which has staged approximately 100,000 troops near Ukraine, says NATO's response,
described as hysteria, shows that Russia, not Ukraine, is the target of aggression.
Hysterical or not, The Guardian writes that Western governments are preparing an extensive
and potentially crippling sanctions regime that could be imposed on broad stretches of
the Russian economy should Moscow's pressure on Ukraine continue.
And, coincidentally or not, The National Post reports that Global Affairs Canada, a service of the Foreign Affairs Department, was hit with an unspecified cyber attack detected on January 19.
The day before, Reuters observes, the Communications Security Establishment issued a bulletin warning that there was a Russian threat to Canadian infrastructure.
According to Computing, investigation of the incident continues.
Prime Minister Trudeau has reiterated Canadian support for Ukraine during the ongoing crisis.
Ars Technica reports that the Belarusian Cyber Partisans have claimed responsibility
for a ransomware attack against Belarusian railroads
that's being called Peklo, which roughly means hellfire. The hacktivist group, which has acquired
a reputation for sophistication, has been active since at least July of 2021. It's generally a good
practice to approach hacktivism claims with healthy skepticism, and we were cautious yesterday in discussing this story.
Hacktivism, after all, is easy to claim in false flag or otherwise deniable operations.
In this case, however, the Cyber Partisans are a known group
who appear to come pretty much as advertised.
CyberScoop, for one, lays out the case for the Cyber Partisans being a genuine
hacktivist group. The Washington Post did the same last September, a short time after the group first
surfaced. It's believed that the Cyber Partisans are a self-taught group of about 15 expatriate
Belarusian dissidents who retained some connection with disaffected members of Belarusian security services.
The Cyber Partisans tweeted their explanation of why they hit the railroad,
quote,
At the command of the terrorist Lukashenka, Belarusian railway allows the occupying troops to enter our land.
We encrypted some of BR's servers, databases, and workstations to disrupt its operations.
Automation and security systems were not affected to avoid emergency situations.
End quote.
The AP reports that a spokesperson for the Cyber Partisans,
New York-based Yuliana Shemetovets, said that, quote,
mostly commercial freight trains are affected.
We hope it will indirectly affect Russian troops as well,
but we can't know for sure. At this point, it's too early to say, end quote. So why a railroad?
Well, they're a useful way of moving large numbers of heavy combat vehicles, tanks,
infantry fighting vehicles, self-propelled artillery, and the like. Multiple sources, including CNN, Newsweek, CBS News, and ABC News,
report that the U.S. Department of Homeland Security has issued a memorandum to its law
enforcement partners warning them to prepare for Russian cyberattacks in the event of a U.S. or
NATO response to Russia's threatened invasion of Ukraine. The memorandum doesn't appear to contain much
specific information beyond a recognition of Russian cyber capabilities and an acknowledgement
that tensions in Eastern Europe are running high. So it seems to be a warning based on a priori
possibility. Good advice, nonetheless, but everyone has known for some weeks that they should be on the qui vive for Russian
state-run hacking. The CyberWire's continuing coverage of the crisis in Ukraine can be found
on our website, thecyberwire.com. Researchers at security firm Cleafy update their reports on
BRATA, an Android banking Trojan being used for fraudulent wire transfers. BRATA has developed the following features.
It has a capability to perform the device factory reset.
It appears that TAs are leveraging this feature to erase any trace
right after an unauthorized wire transfer attempt.
It has GPS tracking capability.
It has the capability to use multiple communication channels, HTTP and TCP,
between the device and the C2 server to keep a persistent connection. And it has the capability
to continuously monitor the victim's bank application through VNC and keylogging techniques.
BRATA first appeared in use against Italian banking customers. It's since spread to the United
Kingdom and Poland, and it's showing signs of finding victims in Latin America.
Security firm Proofpoint describes a novel malware packer, DTPacker. It's being used to
pack remote-access Trojans that, in turn, can steal information or install follow-on payloads,
including ransomware.
It's recently been gurgling around download locations carrying the theme of the Liverpool
Football Club. No real connection to Juergen and the Lads, it's just an adventitious and
opportunistic scam. Why call the malware DTPacker? Another accidental feature. The payload decoding
uses a fixed password that contains the
name of former U.S. President Donald Trump. But this is merely an homage, not an attribution,
and no one thinks the malware is connected to anyone at Mar-a-Lago.
The REvil ransomware gang, recently hit by Russia's FSB in a widely publicized enforcement action that resulted in
both arrests and asset forfeitures may be reforming, or at least some of its alumni,
who remain at large, appear to be reconstituting the operation. GovInfo Security reports that the
MalwareHunterTeam has been tracking what's either a revenant, a successor, or an imitator,
a gang that styles itself Ransom Cartel. There's
some speculation that the FSB's sweep may have hit more lower-level hoods than leaders,
and that in particular, REvil's coders may have remained at large.
A survey by Pulse and Hitachi ID connects insider threats with ransomware tactics. Over half of the 100 security and IT executives surveyed said that they or their employees had been approached by cyber criminals
who sought to enlist the insider's aid in conducting ransomware attacks. That represented
an increase of 17% over those who reported attempts at recruitment when the survey was last conducted in November.
Most of the contacts, 59%, were by email,
with 27% and 21% of the contacts coming respectively by phone call or social media.
Bleeping Computer speculates that the great resignation renders employees
who may already have one foot out the door more susceptible to this sort of recruitment.
Andorra's internet has been disrupted by a distributed denial-of-service attack that
struck the country from Friday through Monday. The motive, you ask? Why pick on Andorra?
Well, The Record has an answer. It seems those responsible for the DDoS attacks were intending to block Andorrans from
participating in the Twitch Rivals SquidCraft Games, a Minecraft competition open to Spanish-
speaking competitors and offering the winner a $100,000 purse. We note, once again, Minecraft
competition has been the occasion for a large DDoS incident. The original Mirai infestation had its origin in an attempt to block the purveyors' competitors
from closing in-game sales to Minecraft players.
Many people at the time thought Mirai had to be a nation-state operation,
a rehearsal for a widespread attack against communications infrastructure.
It wasn't, and it's worth recalling the complexities
of attribution, especially now, during heightened international tensions. And that initial Mirai
attack? It wasn't a bear, a panda, or even a kitten. It was just some guy in New Jersey.
Forget about it.
John Pescatore has been in the cybersecurity world for a while now,
has been around the block a few times,
has seen a few things, and has lived to tell the tale.
He joins us on the last Tuesday of each month to help answer your questions.
In this segment, we call Mr. Security Answer Person.
Mr. Security Answer Person.
Hello and welcome back to Mr. Security Answer Person.
I'm John Pescatore.
Let's get into our question for this week.
BYOD asks,
Like many companies, at the start of the pandemic, we were forced to let all employees remotely access work systems using their home computers and personally owned phones and tablets.
We were originally planning to return to offices and terminate that access, but it looks like the new normal means continuing it.
How do I convince management of the high level of risk
of allowing bring your own device to continue?
Well, that is a very timely question
as Omicron slams into us,
but I think it is the wrong question.
Here's the thing.
Turns out we've really been allowing BYOD use
ever since Outlook Web Access first shipped
with Exchange Server 5.0 in 1997.
OWA was then incorporated into the IE browser a few years later by Microsoft.
So realistically, since about 2000 or so,
employees at many organizations have been using browsers to read, store,
and send sensitive business email and attachments from their home PCs
and personally owned mobile devices.
Turned out, users were silly enough to read email 24 hours per day.
Theoretically, productivity went up.
But we really did not see great leaps in data leakage.
And don't try to tell me, well, that is only email.
Every audit finds email carrying sensitive and critical business data
because email is still the major way businesses communicate both internally and externally. Don't get me wrong, there have been exposures, especially on computer kiosks at
conferences and other public locations. Okay, I'm skewing old here. I guess I should explain.
For you younger folks, before you were allowed to do work email from your phone or tablet
when you were on travel, conferences would set up email lounges with kiosks where you could start up a browser and read your email.
If it was done right, all your information would be deleted when you were done,
but very often it wasn't done right.
Ironically, not long after, in 2007, the iPhone came out,
followed by the Android phone in 2008,
and the iPad in 2010, allowing everyone to read email
while pretending to listen to the conference speaker.
Those badly implemented Windows-based computer kiosks disappeared and BYO took over,
which actually turned out to be much safer.
The odd reality is that many home users these days are using much more secure technology than what their employer provides.
The iOS and Android operating systems were designed from day one
with full-time internet connectivity in mind
and include advanced security techniques like sandboxing and file encryption.
They enforce application whitelists with fun names like App Store and Play,
which do a great job of blocking malware and don't seem to bother users at all.
The browsers and operating systems used on those devices
are largely set to just patch themselves continually. Most of the devices even include biometrics,
and the users are happy to log in with those fingerprint and or facial sensors. Can you
say all those things about your company-issued PCs?
Here's a short anecdote. Back when I worked at Gartner, a mid-sized telecoms company asked
me this very same question
because they were trying to fight off requests to use iPads.
I had to tell them that several months before their service VP had scheduled a call with me
on how to set up iPads securely so service techs could carry electronic copies of service manuals
versus having to try to schlep paper manuals, which were often out of date,
up to the tops of poles and towers.
I gave him some basic policy minimums, including forcing use of fingerprint sensors for login with timeout, etc.
Turns out the service VP bypassed IT and IT security, bought his tech's iPads out of his own budget,
configured them pretty securely, and had been using them safely for months.
Running browser-based email access too, by the way. The security group had no idea this was going on, and my accidentally
exposing it caused them and the CIO to go to the CEO and explain the risk. The CEO said,
wait, let me get this straight. Service had a problem. IT could not help them, so they solved
it themselves. IT security thinks it is too risky,
but can't point to any issues that have occurred in nearly six months of use. Why are you wasting
my time? So unless you've had some major documented security incidents during this
widespread use of BYOD, I'm going to suggest that instead you ask me, how can I convince
management to support changes to make sure long-term use of BYOD maintains productivity and safety and security?
Great question.
Start by pointing out that most online services are moving to require two-factor authentication for all access.
And that the company should move to that for all remote access from both corporate and personally owned devices.
Show them the Microsoft research that proves 99.9% of all account compromises would have been stopped if even just text messaging as
a second factor in logging in was in use. Then, propose some key capabilities like backup and
recovery, which must be extended to personally owned devices. If you'll be working in hybrid mode
with employees regularly going from working at home
to working from offices,
get the backing for implementing network access control
and risk segmented network zones.
Call it zero trust if you must.
There are a lot of good guidelines out for doing this.
It is actually much harder to find success stories
for trying to go backwards
and only allow work to be done from corporate issued
and heavily
managed devices. Remember when Casual Friday seemed risky? We certainly aren't going back
to dress codes. It's more like every day is Casual Friday. The mainframe isn't coming back either,
but it turns out we can harden heterogeneous mixes of devices and meet business demands
for productivity and speed of changes while minimizing risk.
After all, that's what they pay us for, making sure the business can do business while the risk is minimized.
Minimize, not completely avoid it.
A closing thought.
Did you ever notice that many college campuses started out with paved walkways that made nice right angles between buildings
to support large rectangular grassy courtyards as envisioned by the architect. Of course, students immediately started walking diagonally
across the grass, creating muddy paths for the shortest way to their next class. Most campuses
simply paved the diagonal paths, but some did try to put up stay off the grass signs or put in hedges
and fences to block the way. Guess which approach won out in the long run?
Mr. Security Answer Person.
Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
Interesting story from our friends over at the Naked Security blog by Sophos,
written by the great Paul Ducklin.
Duck.
And this is about a romance scammer who targeted 670 women, gets 28 months in jail.
What's going on here, Joe?
It doesn't seem like he's getting a lot of time for targeting close to 700 women, but he conned nine of them out of 20,000 pounds, which is about 27,000 US dollars.
We've seen bigger takes in these kinds of scams. I'm hoping that no one has lost their life savings
in this. And by the looks of this, these aren't really life savings amounts, which is good. I'm
glad that nobody has been terribly hurt by this. But this guy, who's 41 years old, pled guilty to charges of fraud and money laundering. And he did scam one
person out of 9,500 pounds in a fake 10 month relationship. So he was working this woman for
10 months and got her to send him 9,500 pounds. The story he was using was he spun a hard luck
story about how he'd run short of money after paying for funerals of a group of people who died in a tragic industrial accident.
And then he needed money for equipment, for drilling equipment, as he was hiring a business in an overseas venture, rather.
And I like what Duck says here, but it was all a pack of lies.
So he's been arrested and I guess he's
reached a plea agreement, so he's going to do 20, what,
eight months? Yeah.
The article has a great quote from a guy named Dominic
Mugan, who is
a manager at the National Crime Agency in the
UK. He says that this guy had
no regard for these women. He went to great lengths
to gain their trust, fabricating stories to exploit
them out of thousands. This
is a typical pattern of romance fraudsters. They work to build rapport before making such requests. Romance fraud
is a crime that affects victims emotionally and financially, and in some cases impacts their
families. We want to encourage everyone who thinks they've been a victim of this to come forward,
not to be ashamed of it. That's important. We talk about that a lot. A lot of times people
are embarrassed by this. You know, how could I have been so silly? Once they realize it's a scam, they won't talk about it with anybody else.
That's not the right response. You have to talk about it. You have to come forward and say,
this has happened. The best option is to go to law enforcement and complain that you have
been the victim of a crime here. What's interesting is because they're actually working on people,
they rely on the relationship, none of your technical protections are going to
work, right? Antivirus will do you no good against transferring money out to a bad guy. Web filters
and other things will not help you. And they have all kinds of different methods for working.
But there's another thing that Paul talks about in this article that I want to touch on here.
And he says the aftermath of this is often overlooked.
And namely, it's the romance scam victims sometimes will alienate the victim from their
friends and family as a means of keeping the money coming, right? So it's one of the tactics
they use. It's isolation. But once the scam is over, that damage is still there. That relational
damage, like between the victim and maybe a kid or a friend, it's done.
And they have a hard time trying to get past that.
So it's actually a long-term kind of problem.
And people don't like admitting when they're wrong.
It's just part of our nature.
And people, again, these people feel embarrassed and they just can't say, it's tough to say.
I'm not saying they can't say.
It's just tough to say, you know, look,
I should have listened to you. I'm sorry. It's hard for people to do that.
Well, and I think too, for those of us who are on the more knowledgeable side of these things,
you know, for those of us who are cybersecurity professionals, to me, this is a good reminder to go to your loved ones, your friends, your family, particularly those elderly people who are the folks that these romance scammers often try to hit.
And just preemptively tell them that if you find yourself a victim to something like this or you think something like this might be coming at you, please let me know.
And I will not judge you.
I will not get mad at you.
I will not be embarrassed so that they know that you have their back and their
best interest in mind ahead of time. And if you think they're being a victim of a scam and you
tell them and they get angry, the final thing that you say is, look, I understand that you're upset.
I think you're in a scam. And when you realize this is a scam, please do not hesitate to call
me back. I will not be mad at you. I understand what's going on here. Okay. Don't let this become a barrier between you and your family members or your friends. Paul has a great
bullet list of what to do. Number one, don't blame yourself if you get reeled in. This is a great
thing. A lot of people go, how could I have been so stupid? You know, it's not that you're stupid.
It's that you're an emotional being with emotions and this person victimized you. It is not because
of you. This person did something bad. That is not,
and you were probably trying to be a good person,
a trusting person.
This is not an indication of your character.
This is an indication of their character being bad.
Consider reporting your scam to the police.
Always do that.
I think it's,
even though it's tough and embarrassing to come forward,
we've had some really high profile people on Hacking Humans
who have come forward with scams that they've been hit with where they've lost large sums of money. I think
those people are remarkably courageous. It's very important to publicize these things and to get it
out there. Look for a support group that's helpful. Listen openly to your friends and families when
they try to warn you. That's one of the key things. I say watch out for the isolation tactics
as well.
That's not just in social engineering scams,
but in a lot of abusive relationships,
isolation tactics are a hallmark of those things.
So you got to be on the lookout for those.
And get out as soon as you realize this is a scam.
Don't spend time.
Don't go after the sunk cost here.
If it's a scam, walk away.
Just go, oh, I got scammed.
I'm done.
You know, that's got to be your attitude.
All right. Well, good guidance for sure. Again, the article is over on the Naked Security blog from the folks at Sophos.
Yes, and I'd like to ask this guy to enjoy his 28-month vacation.
There you go. Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity
teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.