CyberWire Daily - Hacktivism in Belarus. The Taliban’s data grab. Four rising ransomware operations. The White House cybersecurity summit with industry leaders is in progress.
Episode Date: August 25, 2021
Politically motivated hacktivism in Belarus. The Taliban’s data grab in Afghanistan. Four rising ransomware operations. Mike Benjamin from Black Lotus Labs on UDP reflectors. Our guest is Chris Grove of Nozomi Networks with insights on OT/IoT Security. And the White House says “concrete announcements” are expected after today’s meetings on cybersecurity with industry leaders, so we’ll be staying tuned. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/164
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Politically motivated hacktivism in Belarus,
the Taliban's data grab in Afghanistan,
four rising ransomware operations,
Mike Benjamin from Black Lotus Labs on UDP reflectors,
our guest is Chris Grove of Nozomi Networks with insights on OT and IoT security,
and the White House says concrete announcements are expected after today's meeting on cybersecurity with industry leaders. So we're staying tuned.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday,
August 25th, 2021.
We've recently seen episodes of what appear to be politically motivated hacktivism in Iran, evidently intended to discredit or otherwise inconvenience the government of the Islamic Republic.
At least two groups, Indra and Adelat Ali, have claimed credit for actions against, respectively, support systems for passenger rail and closed-circuit television feeds at a prison.
Other groups have appeared in other countries.
Dissident hacktivists appear to have intensified their efforts against the government of President Lukashenko.
The Belarusian cyberpartisans, Bloomberg reports, claim to have compromised a large number of official databases,
including lists of alleged police informants, personal information about top government officials and spies,
video footage gathered from police drones and detention centers,
and secret recordings of phone calls from a government wiretapping system.
They've released some of these publicly, and Bloomberg says that they've shown some of the rest of their take to Bloomberg, enough to convince them that the Belarusian cyberpartisans have indeed obtained at least a significant fraction of what they claim to have taken.
Releasing lists of informants or personal information about government officials and operators is always a serious matter, whatever one thinks of the much-criticized Belarusian regime, generally regarded as the last traditional dictatorship remaining in Europe.
Doxing has consequences for its targets even in societies with strong civic institutions and a tradition of the rule of law, neither of which is to be expected in most parts of the near abroad, least of all in Belarus.
Compromise of such information is unlikely in the long run to play out benignly in Minsk.
In any case, the Belarusian cyberpartisans' aim is the overthrow of President Lukashenko's regime.
The cyberpartisans said, quote, Operation Heat Wave is part of a general plan to free the Belarusian people from tyranny, end quote.
That the hack they claim to have carried out actually took place in some form ...
The fact that data can be toxic, whatever government collects it, may be seen elsewhere.
Concern persists over the growing likelihood
that the Taliban will exploit data
seized from the wreckage of the former
U.S.-supported Afghan regime.
Politico reports on the ongoing U.S. effort
to contain the damage.
Their story observes that, quote,
telecom companies store
reams of records on who Afghan users have called and where they've been. Government databases
include records of foreign-funded projects and associated personnel records, and stashes of
biometric data like fingerprints make people easy to identify, end quote.
Much of this data, the biometrics aside, which are of a different nature and more directly related to security and intelligence, is of the sort routinely gathered in the ordinary course of doing business.
Telcos keep call records, for example, and project managers have to account for how they're spending their resources and on how their projects are doing with respect to cost, schedule, and performance.
Even the U.S. had to scramble to either destroy or evacuate records it held on the ground.
It's unlikely that the former regime even reached the point of scrambling,
and the Taliban is thought unlikely to show restraint in exploitation of whatever it can collect.
Palo Alto Networks' Unit 42 describes four rising ransomware operations: Hive, Hello Kitty, LockBit 2.0, and Avos Locker.
The gangs behind them run complex and effective extortion campaigns.
Unit 42 expects them to become increasingly prevalent.
Palo Alto writes, quote, Avos Locker is ransomware as a service that started operations in late June, using a blue beetle logo to identify itself in communications with victims and press releases aimed at recruiting new affiliates, end quote.
Its operations claim to have counted coup against the organizations in Belgium, Lebanon, Spain, the UAE, the UK, and the US.
Their initial ransom demands have run between $50,000 and $75,000.
The researchers say that Hive ransomware is double-extortion ransomware that started operations in June.
Hive uses all tools available in the extortion toolset to create pressure on the victim, including the date of initial compromise, a countdown, the date the leak was actually disclosed on their site, and even the option to share the disclosed leak on social media.
Hello Kitty isn't a true newcomer, but it's on the rise in any case. Palo Alto says they've tracked it since 2020.
It began as a Windows shop, but last month it fielded a Linux variant that worked against
VMware's ESXi hypervisor, a product that's widely used in cloud and on-premises data centers.
Hello Kitty asks for a lot, as much as $10 million, but the researchers say the gang has so far been paid only three times,
and that their total take has amounted to around $1.5 million.
LockBit 2.0 is the venerable operator,
coming in at a positively hoary, by gangland standards, three years of age.
Like Avos Locker, it's a ransomware-as-a-service
provider. Palo Alto regards their marketing to potential new affiliates as particularly slick.
They claim 52 victims among organizations located in Argentina, Malaysia, Australia, Brazil,
Switzerland, Germany, Italy, the U.S., Mexico, Belgium, Austria, Romania, and the U.K.
U.S. President Biden has convened a meeting of industry leaders at the White House for
discussions of ways of improving cybersecurity. According to the Washington Post, participants
include the CEOs of Apple, Amazon, and JPMorgan Chase, as well as CEOs from major insurance, energy, and water companies.
Representatives of computer education not-for-profits are also attending.
The meeting has been planned for a month, and administration sources tell The Record that, quote, you will definitely be seeing a set of concrete announcements.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The team at Nozomi Networks recently released the latest version of their OT-IoT security report,
reviewing the incidents and trends they've been tracking in the first half of this year.
I checked in with Chris Grove, security strategist at Nozomi Networks, for highlights from the report.
So, first, the sector that most vulnerabilities have been found in recently
is the critical manufacturing sector. So the types of devices you'll find in there are
programmable logic controllers, or they're PLCs. And they come from companies like Rockwell,
Siemens, and others. We're not throwing anyone under the bus here. I'm not mentioning
them because they've had a certain number of vulnerabilities. But typically, the manufacturers you'll find in the operations side are not the same ones that we'll find on the IT side.
Interesting.
And are the issues here primarily ones of configuration, or are there built-in vulnerabilities in these devices, or is it a combination of both?
So it depends on where the operator is in their journey of what we call the IT-OT convergence,
which is where the IT systems are sort of creeping
into the operations side.
And more and more things that the operations technology folks
leverage nowadays sort of come from IT.
Like having authentication on a system is not something typically that they would have had before.
So in order to bring it in, they would bring in IT-type technologies to get there.
The problem is that the technologies are so different and the teams that work on them are so different
that the languages that they use
could be totally different as well. And so it's going to really depend on where they are in their
journey. If they still have an IT cybersecurity team that doesn't know where the factory is,
they don't know anyone out there at the plant, they're going to be more challenged to solving
these types of problems than someone who has a fully integrated cybersecurity team on the operations side.
And then they understand the ramifications of those vulnerabilities.
But if I just simplify it, generally, the operations technology vendors are producing what's called insecure-by-design products: these PLCs and these remote terminal units and this OT hardware are not designed to withstand an attack.
It doesn't have built-in defenses. It doesn't have update mechanisms or authentication, even built-in firewalling, virus scanning. None of that stuff exists in these industrial controllers.
So the vulnerabilities that we find tend to be much more important, because we rely on this hardened layer around that operations technology to protect it. So a vulnerability in an IT system could lead to something much worse.
Just look at what happened to Colonial Pipeline, where an IT system came under attack. It was their scheduling system, which caused a problem on the OT side that resulted in the shutdown of the pipeline.
So what are the recommendations here? How do you suggest that folks best go about defending themselves?
So first, a mature cybersecurity program is going to be the best defense. So start investing last year. You need it in place before the incident happens.
When you're in the midst of an emergency, it's not the right time to start shopping for defenses.
Doing tabletop exercises and asking the organization the tough questions that many
times don't get asked. Like, we got breached. First, let's move to a post-breach mentality.
Let's not pretend like our defenses are working. They got in, just like these other hard targets
they get broken into. So let's stop pretending like it's never going to happen.
Let's say that it happened. What do we need to move forward? What tools will we need? What data will we need? How do we recover these systems and get them back in our control? And then how do we
make that whole process better? And in many cases, they're going to find out the things that they
need were visibility. They needed to know the blast radius of the attackers, how they got in, where did they go, where are they now, where are they lurking, and
where are they going to emerge from once we clean this environment up. And then they're going to
need backups. And backups not just for machines, but operational backup. How do you restore operations
when multiple components are down? And that's a little
bit more than just putting data together. That's restarting a complicated machine. And then SaaS,
software as a service. But the number one thing organizations can do is really move to that post
breach mentality. Stop pretending like the defenses will always be there. We have to start thinking
that the attackers are here today.
We just haven't detected them yet.
And whether it's nation state actors
or whether it's ransomware operators,
their sophistication is much higher now than it used to be.
And it's not a matter of if, it's a matter of when.
So we have to really start preparing for that day.
That's Chris Grove from Nozomi Networks.
... than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Mike Benjamin.
He's the Vice President of Security and Head of Black Lotus Labs at Lumen Technologies.
Mike, it's always great to have you back.
I wanted to touch base with you today on something we've been seeing a bit more in the news, and that's ransom DDoS. A little bit different.
First of all, can you give us a little background and describe to us how do you define ransom DDoS?
Yeah, absolutely.
So the Ransom DDoS space,
or you'll also hear it called DDoS extortion,
just to remove confusion with ransomware,
really is in a place where an actor threatens to,
or actually does,
denial of service attack you as the victim,
and then demand money to not do it again.
And so either by just the risk of it occurring
or the proof that they can do it,
they're hoping that you pay them financially
to avoid further outage or further impact
to whatever it is they're trying to knock off the internet.
Now, is this a new thing? I have a recollection of hearing of this sort of thing in the past.
Unfortunately, it's not new. We've been tracking this for a number of years. And most recently, in the late summer last year, there was a large resurgence of this occurring.
years. And most recently, in the late summer last year, there was a large resurgence of this
occurring. And really what's changed throughout time is whether they launch attacks,
how big they are,
how much money they ask for,
things like that.
So last year was unique
that they were attacking
the vast majority of the time.
In years past, we'd just seen them threaten.
And this year,
after a little throughout the winter,
we're seeing it come back
and again, they're attacking.
And so rather than just sending an email
and hoping to make a
few dollars, they are causing impact and they are launching attacks. And so similar to the campaigns
we saw last year, but like you said, it did occur and then it stopped and now it's back again.
And what's going on in terms of being able to figure out who might be behind this?
Well, the work that we do at Black Lotus Labs,
we are using network data in order to trace back where attacks come from.
And that's true of malware.
It's true of accessing our remote access treasure and whatever it is,
but also true of denial of service attacks.
And so we work with other network providers,
and we try to find where the origin of an attack is.
And some attacks are straightforward because they come in an unspoofed manner,
very often from a Linux system of some sort, often an IoT device or an IoT DDoS botnet.
But in some cases, or the most common these days, is coming from a spoofed origin.
And so it does require a little bit extra work in order to find where that spoofed origin is.
And then to work with whatever that sort of stub of the internet is,
that first front door into the internet,
to make sure that they're deploying anti-spoofing technology
and making sure that that first entrance can't allow that packet into the internet.
When it comes to the DDoSing itself, what's the scale that we're talking about here?
Well, attacks in general these days can get into a relatively common occurrence of hundreds of gigabits a second. In the case of this particular actor, the last few weeks, what we've been seeing is more in the tens of gigabits.
But if you think about your average connection to your average company, tens of gigabits is more than enough to cause a material impact to network connectivity.
Thankfully, for a larger infrastructure, that's not going to cause that big of an impact.
But even folks with large capacity may have applications sit on a single server.
Tens of gigabits of inbound traffic can cause a problem for most any server.
And so what's your advice for folks to prevent this?
Well, the first is making sure that there's filtering on protocols that aren't needed as far upstream as possible.
So the protocols that are used in those UDP attacks are what we would call reflection or amplification attacks, where a request is sent to a real server, but the response is sent to where the actor spoofed it from, that being the victim.
So major DNS servers, NTP, a number of other services will be the source of the packet.
However, while we all do need DNS and NTP in most of our infrastructure, we don't need it on every IP address.
And the actor is using things like connectionless LDAP, Memcached, SSDP, NTP, or DNS ... at least it's not knocking the entirety of the network connection down.
So that's sort of step one is making sure the front door is as closed as possible.
The next is thinking about how to distribute applications and distribute infrastructure and put things in more places.
Obviously, it's harder to attack something if it exists in more places.
But at the end of the day, there does hit a volume.
And while I said earlier that we see tens or hundreds of gigabits,
we have seen terabits of attack traffic.
At some point, it does require DDoS mitigation from an upstream.
At some point, it does need some help.
But those other things can be there to help along the way.
All right. Well, good advice as always. Mike Benjamin, thanks for joining us.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio
or shake up your mood with an
iced brown sugar oat shaken espresso.
Whatever you choose,
your espresso will be handcrafted with
care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Puru Prakash, Justin Sabey,
Tim Nodar, Joe Kerrigan, Kirill Terrio,
Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Thank you.
... uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.