CyberWire Daily - Hacktivists or intelligence services in Iran? BOLO Nikolay K. Renouncing Conti, and all its empty promises. SEO poisoning. US cyber strategic intent.
Episode Date: October 28, 2021
Iran continues its recovery from a cyberattack that disrupted subsidized fuel distribution. Wanted in Stuttgart (but living it up in Russia): ransomware kingpin Nikolay K. The Conti ransomware gang gets poor customer service notices. Food distribution is on the cybercriminals' target lists. SolarMarker's use of SEO poisoning. The US publishes a statement of strategic intent for its cybersecurity czar's office. David Dufour from Webroot wonders if there's any hope at slowing down malware. Our own Brandon Karpf describes the DoD's Skillbridge program. And decryptors are made available for three ransomware strains. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/208
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Iran continues its recovery from a cyber attack that disrupted subsidized fuel distribution.
Wanted in Stuttgart, but living it up in Russia, ransomware kingpin Nikolay K.
The Conti ransomware gang gets poor customer service notices.
Food distribution is on the cyber criminals' target list.
SolarMarker's use of SEO poisoning.
The U.S. publishes a statement of strategic intent for its cybersecurity czar's office.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 28th, 2021.
Iran continues its efforts to recover from an apparent cyber attack that crippled subsidized
distribution of gasoline throughout the country, Security Week reports. As of yesterday, only 220
of the 4,300 filling stations normally connected to the discounted fuel network had been reconnected.
About 3,000 stations are able to sell fuel offline at unsubsidized market prices.
Representatives of the Iranian government are quoted by the AP as saying
that the goals of the attack were to create disorder and disruption.
Tehran has blamed an unspecified foreign government
for the disruption, but according to the BBC, another at least nominally hacktivist opposition
group calling itself Predatory Sparrow has claimed responsibility. People claiming to
represent the same group also said they were involved with the disruption of Iran's passenger
rail service earlier this year.
But it's still too early to consider anything Predatory Sparrow claims as authoritative for attribution purposes.
And of course, it's worth recalling that hacktivist groups can be entangled with state intelligence services
or can even be a front operation run by those services.
German authorities tell BR24 that they've identified the criminal kingpin of the once-and-future REvil gang,
or at least a member of the gang's core group.
His association with REvil goes back to the days of its GandCrab predecessor,
which argues for some continuity of leadership across the Protean rebranding such gangs periodically undergo. German police apparently tracked Nikolay K.
by following Bitcoin transactions, and that is his hacker name, Nikolay K. He represents himself
online as a cryptocurrency trader. German federal investigators and prosecutors have obtained
an arrest warrant, but Nikolay K is at large in Russia and unlikely to ever face German justice.
He has vacationed abroad, most recently in Turkey, but apparently no extradition request
was ready at that time. More recently, apparently, he's been content to live it up on a Black Sea yacht.
No extradition treaty covers yachts in Russian territorial waters.
Turning to another gang that's recently made itself prominent in the news,
CSO reviews the Conti ransomware gang.
For all of its preening Robin Hood schtick,
Conti is even less likely than other criminal organizations to
restore victims' files or keep promises not to release stolen data. And the other criminal
organizations, remember, set a pretty low bar of good behavior. CSO quotes researchers from
Palo Alto Networks, quote, usually more successful ransomware operators put a lot of effort into
establishing and maintaining some semblance of integrity as a way of facilitating ransom payments from victims.
They want to establish stellar reputations for customer service and for delivering on what they
promise, that if you pay a ransom, your files will be decrypted and they will not appear on a leak
website. Yet, in our experience helping clients remediate attacks,
Conti has not demonstrated any signs that it cares about its reputation with would-be victims.
Demonstrating signs shouldn't be confused with saying, of course,
and Conti was busy passing out wolf tickets last week when REvil disappeared
as its infrastructure was taken down in an international law enforcement sweep. We noted yesterday the ransomware attack that
affected Schreiber Foods, a major player in the dairy industry. CyberScoop has an update which,
while noting that the company has been tight-lipped about the exact nature of the incident it sustained,
says that Schreiber Foods was still recovering its plant operations into this week.
The Wisconsin State Farmer reports that the attackers demanded $2.5 million in ransom.
Some, like Progressive Farmer, see the attack as part of a larger trend
in which criminals attack food supply chains.
It would be naive in the extreme for operators in
the agriculture or food sectors to think that they enjoy any immunity from criminal attentions.
Whatever posturing the gangs may engage in online, they really don't show much evidence
of inhibition when it comes to selecting their victims. Any rationalization seems to do when it
comes to hitting a target one might think ought to be exempt
on the grounds that striking it would damage the common good.
And in truth, most of the gangs probably can't even be bothered to engage in flimsy rationalization.
They'll take what they can.
Menlo Security has published research into the SolarMarker criminal campaign currently in progress.
They see SolarMarker as one of an increasing number of threat actors who use search engine optimization poisoning, that's SEO poisoning,
as an evasive approach that can bypass many traditional network defenses.
It's enjoyed a high rate of success recently.
Menlo says, quote,
Attackers commonly use this technique to artificially
increase the rankings of their malicious pages. They do this by injecting the malicious website
with keywords that users search for. Across our customer base, we have seen a wide variety of
search terms that led to malicious pages. We have observed over 2,000 unique search terms that led to malicious websites.
End quote.
The attack typically unfolds like this.
You search for something in whatever search engine you prefer.
The search engine results return websites that host malicious files, typically PDFs.
If you click on the poisoned link, you're taken to a compromised site that invites you to download the document that appears to be what you're looking for.
Should you click, you'll be taken through a series of HTTP redirections,
at the end of which a malicious file is downloaded onto the endpoint.
One interesting side note, the payloads were typically large, ranging in size from 70 to 120 megabytes. Their large size, paradoxically, enabled them to avoid detection since they exceeded the size limits content inspection engines normally define.
Menlo offers a couple of safeguards organizations and individuals might employ.
First, you can block downloads of Windows executable files from unwanted website categories. And second, you might consider blocking sites whose top-level domains are either .site or .tk.
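Menlo's two safeguards and the oversize-payload observation above, turned into a defender's proxy-log check. This is an added example, not part of the episode or of Menlo Security's research; the log format, field order, sample lines and the 50 MB inspection limit are constructed assumptions.

```python
"""Triage of constructed proxy-log lines for the SEO-poisoning download pattern.

Added example; not from the CyberWire episode or Menlo Security's research.
The log format, field order, sample lines and the 50 MB inspection limit are
all constructed assumptions and must be adapted to a real proxy's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Top-level domains the episode reports Menlo suggesting as block candidates.
BLOCKED_TLDS = {"site", "tk"}
# What we treat as a Windows executable download (by extension or MIME type).
EXEC_EXTENSIONS = (".exe", ".msi", ".dll", ".scr")
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msi"}
# Assumed per-file content-inspection limit. The payloads described were 70 to
# 120 MB, so anything at or above the limit was likely passed through unscanned.
INSPECTION_LIMIT_BYTES = 50 * 1024 * 1024


@dataclass
class ProxyEvent:
    client: str
    url: str
    status: int
    content_type: str
    size: int
    redirects: int  # 3xx hops the proxy followed before this response


def parse_line(line: str) -> ProxyEvent:
    """Parse one constructed line: client url status content-type bytes redirects."""
    client, url, status, ctype, size, redirects = line.split()
    return ProxyEvent(client, url, int(status), ctype, int(size), int(redirects))


def registered_tld(hostname: str) -> str:
    """Return the last label of the hostname ('free-forms.site' -> 'site')."""
    return hostname.rsplit(".", 1)[-1].lower()


def is_executable(event: ProxyEvent) -> bool:
    path = urlparse(event.url).path.lower()
    return path.endswith(EXEC_EXTENSIONS) or event.content_type in EXEC_MIME_TYPES


def triage(event: ProxyEvent) -> list[str]:
    """Return the reasons (possibly none) a completed download deserves a block or review."""
    reasons: list[str] = []
    if event.status != 200 or event.size == 0:
        return reasons  # redirect hops and empty responses are not downloads
    host = urlparse(event.url).hostname or ""
    if registered_tld(host) in BLOCKED_TLDS:
        reasons.append("blocked-tld")
    if is_executable(event):
        reasons.append("executable-download")
    if event.size >= INSPECTION_LIMIT_BYTES:
        reasons.append("oversize-uninspected")
    # A redirect chain ending in a binary or an oversize file matches the
    # delivery path described; a chain ending in a small document does not.
    if event.redirects >= 2 and len(reasons) > (1 if "blocked-tld" in reasons else 0):
        reasons.append("redirect-chain")
    return reasons


# Constructed sample log: one benign PDF, two suspicious downloads, one redirect hop.
SAMPLE_LOG = [
    "10.0.0.5 https://docs.example.com/guide.pdf 200 application/pdf 812345 0",
    "10.0.0.7 https://free-forms.site/dl/form-2021.exe 200 application/x-msdownload 99614720 3",
    "10.0.0.9 https://docs-hub.tk/setup.msi 200 application/x-msi 78643200 0",
    "10.0.0.7 https://free-forms.site/go 302 text/html 0 1",
]


def triage_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged URL to its reasons; clean events are omitted."""
    return {ev.url: reasons for ev in map(parse_line, lines) if (reasons := triage(ev))}


if __name__ == "__main__":
    for url, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{url}: {', '.join(reasons)}")
```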
The White House has published a strategic intent statement for the Office of the National Cyber
Director. The stated goal is a world in which Americans are free to be enriched, empowered, and enlivened by digital connectivity instead of burdened by it.
The document is striking in its recognition that cybersecurity is a complex set of many small problems and not something addressable by a single moonshot.
Some good news on the ransomware front.
Security firm Avast is making decryptors available for ransomware strains,
including AtomSilo, Babuk, and LockFile.
And we say bravo, Avast.
And finally, we remind you again that Halloween is almost upon us.
But of course, if you're here in North America,
society at large is so heavily pumpkinized this week that you hardly need us to tell you that.
Still, we continue our series of sharing scary stats
and stuff that have come over the transom from industry.
Did you know, for example, that as Bitglass says,
only 12% of enterprises are consistently able to detect insider threats stemming from personal mobile devices, including those that are off-premises or lack agents?
Well, you do now.
And how about this from Valimail, whose look at the landscape of fraud concludes that almost 3.5 billion bogus emails go out every day.
And who knows, odds are some of them are going to land in your inbox.
ForgeRock says that in 2018, data breaches exposed 2.8 billion consumer records,
and that cost the U.S. organizations involved more than $654 billion.
No wonder Jumio says that one in five adults in the U.S. get a case of the
unsafe willies up their spine when they think about using online sharing services.
Scary stuff, huh kids?
Careful listeners to our daily podcast may have noticed the addition of a few
new names in our end credits, among them Brandon Karpf. Brandon is a cryptologic warfare
officer in the United States Navy, having served at NSA and U.S. Cyber Command, and he comes to us
through the military's SkillBridge program, which is designed to help service members transitioning
into the private sector. I was at the point where I knew the industry I wanted to go into.
Because of my career in the military, I had fallen in love with cybersecurity.
I knew that that is the domain I wanted to work in.
I didn't know the work role.
I didn't know where or what company, but I knew I wanted to work in the cybersecurity community.
Well, for our listeners, describe how the program works,
because you're working with us right now, but you're still a bit under the wing of the Navy,
right? Yeah, it's exactly right. And SkillBridge is an incredible Department of Defense program.
And in fact, it is partly built for people like me, but it's even more built for the enlisted sailors,
soldiers, Marines, airmen who have less experience out in the private sector.
And the whole idea of SkillBridge is with your commanding officer's approval, that's
your senior boss.
With their approval, you can spend up to the final six months on active duty working for a private company.
And so basically what that means is your commanding officer approves you to go work and basically be an intern or a fellow at a private company for your last anywhere from three to six months of active duty.
And work as a member of that company, not really report
back to the military. I have to go back at the end for one day only just to kind of say goodbye.
And that was the deal with my commanding officer. But she, and to her credit, she knew that it was
going to cause a gap in her manning because the Navy was not going to send her another person
to fill my role. But she saw the value of the program and approved me to go participate.
And it's an incredible program. And I really do hope that more people use it across the entire
joint force. Just in the last couple weeks of me being at the Cyber Wire, I've learned more than I
anticipated. Just being part of a team in a private company, seeing the daily communications
and the daily work and how things get done, there are some similarities with the military,
but there's a lot of differences. And it's a very different environment. I can't
imagine just jumping into a company, needing a paycheck day one and getting out of the military
and being stressed about all that on top of learning the job. You're on your, I guess you're
on your final approach, right? Or if you're, I guess a sailor's metaphor would be you're heading
towards the dock, right?
Exactly.
Pulling into port.
I'm pulling into port.
Pulling into port.
There you go.
I guess I could have said final approach if you were a naval aviator.
But so what happens next?
I mean, as this transition is looming, what are your thoughts there?
How are you feeling about that?
I'm feeling good.
I did not feel good in the beginning.
It's a real hit to your confidence.
I, like anyone, suffer from the imposter syndrome.
So the question in my head this whole time and now and probably into the future is, am
I actually cut out to work in the private sector?
It might sound funny to someone who didn't serve in the military, but military service, that life in some ways is a lot easier
than working in the private sector. It's easy to do that work because you know what's expected of
you every single day. There's a baseline. There's a bar. As
long as you don't fall below that bar, you're fine. And that bar is pretty much set at 80%.
That bar is not set at 100%. There's some people that go above and beyond and like to operate
above that bar, but you don't have to. It's pretty comfortable. Yeah, with military service comes the moving every
two to three years and yeah, getting deployed and being away from family and that stuff sucks.
But at the same time, it is very easy to get into that rhythm and do that for your entire life.
And unfortunately, a lot of people fall into that trap. And I have too. It's anxiety-inducing going off of that highway. It is
a highway. It is straight and narrow. And I knew for the next 20 years exactly what jobs I would
have to do to get promoted, exactly where I would have to go to get promoted and get to retirement.
And that would be my professional career. I have taken the off ramp and here there be dragons. That's United States
Naval Officer Brandon Karpf currently working with us here at the Cyber Wire, courtesy of the
U.S. Military's SkillBridge program.
And I'm pleased to be joined once again by David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, great to have you back.
You know, the past couple of segments you and I have done together,
we've been talking about how things seem to be
headed in the same direction that they have been.
You know, ransomware just keeps on going.
I'm curious for your insight on,
are there things to be optimistic about
or are there efforts underway
to sort of stem the tide of malware that seems to be getting worse and worse year after year?
No, we should just give up.
Probably I'll go home and call it a day because it's over.
This is what I get for asking.
Yeah.
All right.
David Dufour, thanks for joining us.
Great being here, David.
Sunny as always.
Yeah.
Honestly.
But seriously.
Right.
On a serious note, you know, it seems like when we're in the midst of a big boom like ransomware is right now and it's causing lots of trouble that we never get ahead of stuff.
But for those of us like myself, I won't lump you in there,
David. You're a spring chicken. I'm in my 50s. 10, 15 years ago, the big, big, big problems were
your computer getting infected and locked up and you had to rebuild it, reimage it. Or then we saw
botnets, worms, spreading malware, spreading and stealing data.
And I don't want to say we solved those problems, but we did a lot to make those things difficult
enough that the bad actors had to go on to something new.
And unfortunately, that's something new is ransomware.
And where I'm going with this is, it's a game of chicken and egg, where we're going to see what they come out with.
We're going to come up with some solutions that make it so hard that folks don't use that.
There's going to be a lull, and then we'll go through the cycle again with whatever's coming new.
It's not like people are going to magically stop attacking, you know,
computer networks. It's that it just takes us a little time. We've come up with some good
solutions and then we go to what's next. It's how it is. What is on your radar in terms of things
that are coming or efforts that you see that could really move the needle? Yeah. So from a ransomware perspective, it's all about backups first.
They've gotten, what's super interesting, by the way,
is they've gotten really good at infecting backups
and laying dormant until the infected backups are the primary backups
so you don't have actually good backed up data.
So being on top of that and being able to remediate in real time,
you know, when something is infected, it basically eliminates the issue. I think we're going to see
some of that over the next few years, where it's basically recovering in real time to mitigate the
ransomware exposure. And then eventually we'll crack the nut on how to identify ransomware
strains quickly through ML or behavioral heuristic analysis. And once we can start doing that,
we'll start to see a real slowdown in ransomware simply because we can shut it down right away.
We'll be able to hit the panic button and stop it and then recover. And then people will
look back and say, man, remember the 2020s when ransomware was so bad? I really think those things
where we can get ahead of it, it's going to trigger and we can prevent it from causing damage
is what's really going to allow us to get ahead of ransomware. Yeah, it's interesting. I mean,
I think back to, you know, the decades that we all had dealt with spam in our inboxes, you know, and that's pretty much a solved problem
these days. I mean, you know, we pretty much got that under control and looking forward to the
days when some of these other biggies are in the same category. Well, what's interesting, David,
I mean, we're starting to see an uptick in worms
and things that deploy ransomware inside networks. So it's the old adage that what's old is new.
So the minute we think ransomware is on the decline, somebody will come out with some new
spam technology and that's what will be getting us. So it's always fun to see it.
Fun is one word for it. Sure.
Interesting. Let's call it that.
Okay. All right. Well, always a pleasure. David Dufour, thanks for joining us.
Great being here, David. Thank you.
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.