CyberWire Daily - Homecomings, happy and not so happy. A backdoor for espionage, a Trojan for cybercrime. DDoS techniques, those iPhone zero-days, and indictments. And one guilty plea.
Episode Date: September 28, 2021

The triumphant homecoming of Huawei's CFO. Microsoft describes the FoggyWeb backdoor, a significant cyberespionage tool. Kaspersky looks at the BloodyStealer Trojan and finds it especially risky to ...gamers. A novel approach to distributed denial-of-service. Apple looks into those iPhone zero-days. Joe Carrigan looks at the latest offerings in passwordless authentication. Our guest is Mathieu Gorge of VigiTrust on how law enforcement and executives can work together to fight cyber threats. And a look at doings in cybercrime: the US arrests more than thirty members of the Black Axe gang, a Russian convict is deported back to face Russian justice, and a blockchain maven pleads guilty to helping Pyongyang. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/187
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The triumphant homecoming of Huawei's CFO. Microsoft describes the FoggyWeb backdoor, a significant cyber espionage tool. Kaspersky looks at the BloodyStealer Trojan and finds it especially risky to gamers. A novel approach to distributed denial of service. Apple looks into those iPhone zero-days. Joe Carrigan looks at the latest offerings in passwordless authentication. Our guest is Mathieu Gorge of VigiTrust on how law enforcement and executives can work together to fight cyber threats. And a look at doings in cybercrime.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 28th, 2021.

Huawei CFO Meng Wanzhou's return to China after a prolonged detention in Canada on a U.S. warrant in connection with her company's violations of sanctions against Iran has proven to be, Quartz reports, a moment of nationalist pride in her home country. The Wall Street Journal reports that Chinese news media have downplayed or ignored the role of hostage diplomacy, the release of two Canadians held in China, ascribing Ms. Meng's homecoming to the unspecified but heroic efforts of the Communist Party.
Microsoft yesterday released its study of a new persistent post-exploitation backdoor, FoggyWeb, used by the Nobelium threat group. FoggyWeb is used both for exfiltration of victims' data, including configuration databases of compromised Active Directory Federation Services servers, decrypted token-signing certificates, and token-decryption certificates, and for deploying and executing additional malware payloads. Nobelium is Microsoft's name for the Russian government threat group others call Cozy Bear. It's associated with Russia's SVR foreign intelligence service and sometimes with the FSB security service. Microsoft's report includes detailed mitigation advice. We note in the spirit of disclosure that Microsoft is a CyberWire sponsor.

Kaspersky researchers have an account of BloodyStealer, a Trojan currently being sold in dark web markets catering to criminals. BloodyStealer is hawked as an information stealer useful for employment against gamers using a range of platforms, including Steam, Epic Games Store, and EA Origin. The Trojan is both evasive and resistant to analysis. It's also cheap, going for a monthly subscription of $10 or a lifetime subscription of only $40, which suggests, again, how deeply commodified attack tools have become. Practically anybody can afford them. BloodyStealer can be used against targets of many kinds, not just gaming platforms, but Kaspersky thinks gamers likely to figure high on the criminals' hit lists.
Nexusguard describes a distributed denial-of-service attack technique, Black Storm, more effective and potentially damaging than the more familiar DNS amplification attacks.

Vice reports that Apple is still investigating iPhone zero-days disclosed by frustrated researcher Haber and that Cupertino has apologized for its dilatory response to his bug program disclosures.
And now, let's check the hot sheets, the police blotter, the supermarket tabloids, the places where the Men in Black would get their news, as if the Men in Black needed to get their news from anywhere other than from us, of course.

U.S. attorneys for the Eastern and Northern Districts of Texas have indicted a large number of alleged criminals for cybercrimes. The Eastern District has indicted 23 alleged creeps on a variety of charges, including romance scams, investment fraud, and business email compromise. All of the suspects are in custody and considered, we observe, as always, innocent until proven guilty. Their colleagues in the Northern District have indicted 11, one of whom is also named in dispatches from the Eastern District. These are charged with wire fraud and money laundering. They are also in custody, scooped up last Wednesday in a big dragnet. The crimes charged are particularly loathsome in that they frequently involved elder fraud. They were also lucrative, netting the hoods at least $17 million by the U.S. Attorney for the Eastern District of Texas's reckoning.

Acting U.S. Attorney Nicholas J. Ganjei said in the Justice Department's press release, quote, the criminal conduct alleged in this case is sophisticated in its means, expansive in its scope, and callous in its aims. The indictment alleges a scheme where all manner of fraud, including romance and investment scams, was unleashed on an unsuspecting American public, including the elderly and most vulnerable, with the ill-gotten gains siphoned off and funneled overseas. The amount of loss, both financial and emotional, alleged in this case is nothing short of staggering, end quote. His colleague in the Northern District of Texas was even harsher in his estimation. Acting U.S. Attorney Prerak Shah said at a press conference announcing the charges, quote, crimes like these are especially despicable because they rely not only on victims' lack of internet savvy, but also their isolation, their loneliness, and sometimes their grief. As the victims open their hearts, the perpetrators open their wallets. The only mistake these victims make is being generous to the wrong people, end quote.

The crew arrested are believed to be part of a transnational gang whose activities emanate from Nigeria. The Record reports that the suspects are thought to be members of the Black Axe, a Nigerian criminal confraternity that emerged from university student associations in the 1970s with quasi-religious overtones. Members are said to hold that they have a duty to prey on the gullible, the unwary, the weak. They're known for human trafficking, violence and drug trafficking, and of course, online fraud. 419 scams, the familiar Nigerian prince scam, are often used as an initiatory crime for new members.

What else? Well, there's this. Some third-hand news of gangland, but it looks legit. Reuters reports that TASS, the Russian news service, is authorized to disclose that one Alexei Burkov has been deported from U.S. confinement back to Russia. He was arrested in Israel in December of 2015 and extradited to the United States in November 2019. In January of 2020, Mr. Burkov pleaded guilty to fraud, identity theft, computer intrusions, and money laundering. He was operating websites that facilitated carding and other computer crimes. Why the Man booted him out of the U.S. is unclear since the U.S. and Russia don't have an extradition treaty, but Mr. Burkov isn't likely to be getting a hero's welcome in Moscow. He's wanted there on Russian charges, too.

The Wall Street Journal says a U.S. cryptocurrency expert has pleaded guilty to illegal export of blockchain technology to North Korea. Virgil Griffith took the plea yesterday in a Manhattan federal court. He'd been, until his arrest in November of 2019, a senior researcher for the Ethereum Foundation. The occasion for his offense was his attendance of a 2019 conference on blockchain technology where he consulted with the North Koreans. The U.S. Attorney for the Southern District of New York charged him with conspiring to violate the International Emergency Economic Powers Act, the law that prohibits U.S. citizens from exporting goods, services, or technology to North Korea. The blockchain may still look like something out of a techno-libertarian wild, wild west, but prudent desperados should know that law west of the Pecos stops somewhere east of Pyongyang.
When a data breach or other security incident occurs, many organizations are hesitant to call in law enforcement. There are a number of reasons for that reticence, be it fear of additional scrutiny, bad PR if the incident goes public, or just a general distrust of the police. Mathieu Gorge is CEO and founder of VigiTrust, a provider of integrated risk management SaaS solutions. I checked in with him for insights on how we might see better collaboration between law enforcement and the private sector.
So you have to understand the life of a CISO, right? So if you look at a CISO, a CISO is the person whose name nobody knows if everything goes well. But the minute something goes wrong, they're public enemy number one. So they're not necessarily the most popular people in the company, let alone in the C-suite, let alone at the board, if they ever get a seat at the board table. And so they tend to shy away from anything that has any kind of connection, remote connection to legal stuff. And so to them, law enforcement means there's a legal problem, there might be a lawsuit, there might be criminal charges, whatever. I don't deal with that. Let the chief legal officer or the attorneys deal with that.

And what they don't understand is that the role of law enforcement goes well beyond that type of stuff. For instance, the FBI is doing a lot of work in the US in terms of educating people, in terms of talking to CISOs, in terms of talking to the security industry, generally speaking. Interpol is doing the same. Where VigiTrust is based in Ireland, we have the Garda Computer Crime Bureau, they're doing that as well. And in many countries, we're doing that. But I think that they're not necessarily invited into the organization because the CISOs feel that maybe they're going to start digging around, you know, maybe they're going to see stuff that we're doing that's not exactly the way we should do it. Or maybe they know compliance better than we do or security better than we do. And they may think, they may find issues that we're not aware of, or they may highlight issues we are aware of, but we haven't managed to address yet. And so they see them clearly as somewhat of the enemy. And I think that's the wrong approach. And so what we're seeing now is we're seeing law enforcement worldwide trying to address that misconception out there by providing stuff back to law enforcement.

And if I may, there's another point there in that you look at public-private partnership, generally speaking, whether it's for security or not, there's always a feeling from the industry that the industry gives way more to the government than the government gives back. And that feeling is very true in cyber. There's kind of a feeling that collectively the security industry and the industry generally speaking is providing a lot of data to the government so that they can help them with protecting the organizations, but the government is not necessarily reciprocating. So there's kind of that idea that, hey, you know, I scratch your back, but you don't scratch mine.

What part does law enforcement have to play in fostering this relationship? Should they be doing a better job at outreach, at saying, you know, if we come and engage with you, it's not going to be a fishing expedition?

Yeah, I think that's a fair point. I do believe that some of them are doing a good job at that. They're still kind of faced with some pushback, as I explained earlier. But yes, they need to, I think they need to really share information, right? And that's the issue, that there's still that kind of conception out there that we are going to share information with them, but they're not going to share information with us. At VigiTrust, we have a global advisory board, which is a non-commercial think tank with about 700 members, CISOs, board of directors, regulators, law enforcement, academia, and so on. And the guys that we have that come to talk to our advisory board, and some of them are actually full members of the board, are from FBI, Interpol, local police, and they share data. And yes, they share data to a smaller group of people that they've already vetted and so on, but they're quite happy to share some data and they're happy to say, hey, we're seeing that type of attack. We're seeing a rise of that type of attack in that particular industry, in that particular region. Hey, we're seeing a type of attack we've never seen before. We're also seeing attacks that we don't understand. Have you guys seen those attacks? And it's kind of that whole idea of creating a dialogue and a two-way street as opposed to a one-way one. So to that extent, I believe that they still need to do a better job at volunteering information to the public. I mean, the selected public in terms of CISOs, but I do believe they are going the right direction.

That's Mathieu Gorge from VigiTrust.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast.
Hello, Joe.

Hi, Dave.

Interesting article. This is from Wired, written by Lily Hay Newman, and it's titled, You Can Now Ditch the Password on Your Microsoft Account. This is something we talk about a lot over on Hacking Humans.

Right.

People dealing with passwords. So what's going on here, Joe?

Dave, it seems like passwords, or getting rid of passwords, has been on the horizon like fusion power, right?

Right.

I use this reference frequently. But it's always been 10 years away, 10 years away.

No matter when you ask.

Exactly.

Yeah.

But the thing to remember about passwords is it's a terrible solution that was developed very early on in the early days of computing as a means to make sure that people weren't hogging up all the resources on a time-sharing computer.

Yeah.

Right? And to allocate that time. And even the first time it was implemented, somebody found a way around it. But I digress. So we have these passwords now. We've been using passwords and we've been trying to secure passwords with hashing. And humans are terrible at developing passwords that are random. So we've been recommending using a password manager. People don't do that because it has friction. People hate using passwords.

It seems like passwords hate people.

People hate passwords. Yeah. So, we've been saying we should just get rid of passwords, and we haven't really found a good way to do that. Well, Microsoft has finally taken a step in that direction with their Office 365 product or Microsoft 365 product. You can now opt for the passwordless means of authentication. And there are a number of ways you can do that. Number one is you can use some kind of biometric device, right? Like if your phone or your computer has a fingerprint reader, you can use that instead of a password. You can use an app on your phone that you're logged into your Microsoft account, and it says, here's a code, or is this you? Yep. And then you say yes and that authenticates you, right? You can use a YubiKey. And this happens to be the one I like the best, using a YubiKey. And then there are other ways to log in, like a verification sent to your phone or as an email as an alternative to a password.

Yeah.

All right. Now, I'm less inclined to like those, right? Because of SIM swapping, if they're going to send you an SMS, or if they're going to send you an email, now it's dependent upon how secure your email is.

Right. Right.

Also, if Microsoft is your email provider and you're needing to authenticate to that, you know, there's kind of a loop there.

Right. Right.

So, I recommend the YubiKey over the other ways of doing it. I'm not a big fan of biometrics. The app is actually fine. You and I have talked about biometrics. And actually, if you're talking about using modern biometrics and you said, I'm just going to use that, I wouldn't argue with you about it. I do have some concerns about it long-term. If there ever becomes a problem with the protocol or a way to spoof the biometric information, that biometric information is by its very nature immutable and cannot be changed. And that's really the crux of my problem. So I don't have a threat model in mind, but when a threat does attack that authentication method, there will be little we can do to change how we authenticate.

Yeah. We should mention, I mean, this article points out that Microsoft has made this available to their enterprise users for a while now. They have 200 million users on that side. So they've really had an opportunity to test this with a large group of people. And this is what they're rolling out to consumers. And I wonder, with an organization as large as Microsoft, with the influence they have, I should mention, by the way, Microsoft is a CyberWire sponsor. With the scale and influence that they have, could they really shepherd in a change here? Could this be a step along the way to be done with passwords once and for all?

Yeah, I think Microsoft is a big player in this field. And as a player, by their nature, they're kind of a leader here. Other developing organizations, I mean, Apple already has the Face ID as a means of authentication, right? So other organizations like Google and Amazon and Facebook and all these other big ones that you always think of, they could start following suit with this and ditching passwords or at least offering users the opportunity to ditch a password. I do like, of all these methods, my favorite is the authentication token. These are usually based on something called universal two-factor. And that is a form of public key, private key authentication, which is something we've been looking for for years as an easy way to do that. And universal two-factor has been around for a while, but it is a good way to do public key, private key authentication. Because let's say someone does breach Microsoft and steals all the information about the users. If you're talking about password hashes, well, those are crackable unless you have a really strong password. But if you're talking about public keys, they're useless. They're absolutely useless. The only use that public key has is for authenticating the person who has access to the private key.

Right, right. Yeah, there's an interesting quote in here from Bret Arsenault, who is Microsoft's chief information security officer. And he says, you think that everyone hates passwords, but there is one faction of people who love passwords. They're called criminals.

I think that's right. That's a very astute observation. Yeah, they love them.

I think it'll be interesting to see if this becomes the default where you can, when you sign up for a new account with Microsoft or some of these other providers, do these passwordless options, are they the default? You could still use a password if you wanted to, but they really try to channel you into this new way. I think that could be a good move.

Yeah, I think it could be as well.

Yeah. All right. Well, Joe Carrigan, thanks for joining us.

My pleasure, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Thanks for listening. We'll see you back here tomorrow.