CyberWire Daily - Hot wallets hacked. Pegasus found in US State Department personnel’s phones. Cozy Bear update. Cybersecurity on the Russo-US summit agenda. US Cyber Command says it’s imposing costs.

Episode Date: December 6, 2021

Cryptocurrency exchange loses almost $200 million as two hot wallets are compromised. Phones belonging to US State Department personnel concerned with Uganda are found to have been infected with NSO Group’s Pegasus surveillance technology. Mandiant reports recent activity by the threat group thought responsible for the SolarWinds compromise. Cybersecurity will be on the agenda at tomorrow’s Russo-US summit. Caleb Barlow outlines threats to the Winter Olympics. Rick the Toolman Howard looks at the marketing hype cycle. And US Cyber Command says it’s been imposing costs. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/232

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A cryptocurrency exchange loses almost $200 million as two hot wallets are compromised. Phones belonging to U.S. State Department personnel concerned with Uganda are found to have been infected with NSO Group's Pegasus surveillance technology.
Starting point is 00:02:14 Mandiant reports recent activity by the threat group thought responsible for the SolarWinds compromise. Cybersecurity will be on the agenda at tomorrow's Russo-U.S. summit. Caleb Barlow outlines threats to the Winter Olympics. Rick the Toolman Howard looks at the marketing hype cycle. And U.S. Cyber Command says it's been imposing costs. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 6, 2021. Altcoin exchange BitMart suspended deposits and withdrawals Saturday, the company's CEO tweeted, after the exchange identified a large-scale security breach affecting two of its hot wallets.
Starting point is 00:03:20 BitMart attributes the incident to a stolen private key, and it hopes to gradually begin resuming normal trading tomorrow. In response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised. Other assets with BitMart are safe and unharmed. We are now doing our best to retrieve security setups and our operation. We need time to make proper arrangements and your kind understanding during this period will be highly appreciated. In terms of asset deposit and withdrawals, we are confident that deposit and withdrawal functions will gradually begin in December 7,
Starting point is 00:04:02 2021. The detailed timelines will be announced very soon. The blockchain security firm PeckShield estimates total losses at about $196 million. They characterize the incident as pretty straightforward: transfer out, swap, and wash. BitMart's CEO says the exchange intends to compensate affected depositors from the company's own funds. He tweeted, quote, BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions, such as token swaps. No user assets will be harmed, end quote.
Starting point is 00:04:46 It's worth noting that the weekend's volatility in cryptocurrencies, and volatility means a turbulent drop in price, was not related to and still less caused by the BitMart incident. Market Insider noted that the weekend saw the global cryptocurrency space losing about $400 billion in value. The total market value of all tokens fell from over $2.6 trillion to under $2.2 trillion this morning. The price drop began Friday before the BitMart incident occurred. In any case, the decline in the altcoin markets is being attributed to regulatory uncertainty and broader concerns about economic conditions and the so far unknown effects of the Omicron variant of COVID-19. Reuters reported Friday that the phones of U.S. State Department personnel in Uganda were infested with Pegasus surveillance software.
Starting point is 00:05:41 NSO Group has said that Pegasus will not run on phones registered with the characteristic plus-one U.S. country code, but the affected State Department personnel used phones registered with foreign country codes. It's unclear which customer deployed the tool in this incident. The Israeli embassy in Washington said that, quote, If these claims are true, it is a severe violation, end quote, of Israeli cyber export control law. The absolute numbers involved are relatively small, said to amount to 11 infestations, but targeting of U.S. diplomats is both new and troubling.
Starting point is 00:06:20 NSO Group says it's investigating allegations of Pegasus abuse and that it intends to revoke the use of Pegasus by any customer it finds violated NSO Group's terms of service. What agency or organization deployed Pegasus against U.S. diplomatic personnel working in or around Uganda is unclear. There are no immediate reports of evidence linking the infestation to Uganda's government, for example, but investigation remains in its earlier stages. The company itself may have its suspicions. It says it hasn't yet confirmed that its tools were in fact used, but it has, in recognition of how serious the allegations are, decided to terminate relevant customers' access to the system. Those relevant customers aren't specified. NSO Group also promises to cooperate with official investigations. Security Week quotes the company as saying, On top of the independent investigation, NSO will cooperate with any relevant government authority
Starting point is 00:07:22 and present the full information we will have. The news is generally regarded as being very bad for NSO Group, which is in debt and under pressure, Vox reports, and the patience of important governments is likely to be nearing exhaustion. The U.S. some weeks ago placed NSO Group on the Commerce Department's entity list, a set of sanctioned organizations. A Haaretz analysis concludes that Jerusalem is unlikely to carry NSO Group's water in this case and that the incident might represent a death knell for the company. Threat intelligence researchers at security firm Mandiant this morning released a report on what the company
Starting point is 00:08:05 calls multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. They're tracking two clusters in particular, UNC-3004 and UNC-2652, both of which they associate with UNC 2452, the Russian government actor Microsoft calls Nobelium. The SolarWinds supply chain compromise and exploitation has been widely attributed to this group, which itself is thought to be an operation of Russia's SVR foreign intelligence service. Mandiant calls out seven characteristics of this recent activity as being particularly noteworthy. First, compromise of multiple technology solutions, services, and reseller companies since 2020. The use of credentials likely obtained from an InfoStealer malware
Starting point is 00:08:57 campaign by a third-party actor to gain initial access to organizations. Use of accounts with application impersonation privileges to harvest sensitive mail data organizations, use of accounts with application impersonation privileges to harvest sensitive mail data since Q1 of 2021, the use of both residential IP proxy services and newly provisioned geolocated infrastructure to communicate with compromised victims, the use of novel TTPs to bypass security restrictions within environments including, The use of novel TTPs to bypass security restrictions within environments, including but not limited to the extraction of virtual machines to determine internal routing configurations, the use of a new bespoke downloader they call C-Loader,
Starting point is 00:09:35 and finally, abuse of multi-factor authentication leveraging push notifications on smartphones. Mandiant's attribution is tentative and cautious, but they think that the group responsible for the recent activity is well-resourced, effective, follows sound OPSEC, and above all, is likely to be heard from again. A video call scheduled for tomorrow between Russian President Putin and U.S. President Biden will take up, among other topics, cybersecurity issues, the White House announced Saturday. Tensions over Ukraine will figure prominently in the discussion. Russia has dismissed U.S. complaints of aggression with a tu quoque. Essentially, you want to see aggression,
Starting point is 00:10:21 America? Look in the mirror. But of course, the U.S. hasn't recently massed 170,000 troops on anyone's border. Although there is this week's upcoming summit of democracies to which Moscow was not invited. And that's about the same thing as 10-odd division equivalents, right? Right? But seriously, the tension between Russia and Ukraine is serious and potentially dangerous, as Ukraine seeks closer ties with both NATO and the EU, both of which Russia regards as a dangerous encroachment on its sphere of influence. With such tension, one expects an increased tempo of cyber operations as well.
Starting point is 00:11:03 It's been known for some time that U.S. Cyber Command has adopted a more assertive posture with respect to threat actors. On Saturday, General Paul Nakasone, Director NSA and Commander of U.S. Cyber Command, confirmed that this was indeed the case, and specifically so with respect to ransomware actors. What Cyber Command had actually done, the general didn't specify, but he did stress that it had imposed costs on some of those actors. The New York Times quoted him as saying, Before, during, and since, with a number of elements of our government, we have taken
Starting point is 00:11:39 actions and we have imposed costs. That's an important piece that we should always be mindful of. End quote. To everyone at Cyber Command, we say, good hunting. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:12:23 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:13:27 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And it is my pleasure to welcome back to the show the CyberWire's own Chief Security Officer and Chief Analyst, Rick Howard. Rick, great to have you back. Hey, Dave. So on this week's CSO Perspectives podcast, you have invited a guest to the CyberWire hash table to discuss a tool in your Rick the Toolman series. What are we talking
Starting point is 00:14:12 about this week? That's right. Last week, we talked about a relatively new tool designed for the security stack. It's called XDR, or Extended Detection and Response. You remember we talked about that. Yep. And we started seeing these things in the marketplace around 2018. And when I was looking through the research, one investigator's name kept coming up in the literature. His name is John Altstick. He's the senior principal analyst and fellow at the Enterprise Security Group, and he covers security, operations, analytics, and risk management.
Starting point is 00:14:44 And it just so happens that I've known John for years, all right? Of course you have. Of course, right. You know, he was one of the original cybersecurity committee members back some seven years ago. So I thought he would be perfect for this Rick the Toolman episode. Yeah, well, my recollection from last week's episode is that XDR is really just starting its journey into maturity. It's still early days for that. You said that Gartner has it right at the beginning of their hype cycle chart.
Starting point is 00:15:15 Yeah, which I love, by the way. Yeah, I also remember that you had high hopes for it as a security orchestration platform. Now, does your thoughts align with John's on this, or does he disagree with you? Well, you know, I wouldn't say we disagree, right? We are both old and cynical security practitioners at this point. So John agrees with me that XDR has a lot of promise in theory, okay? But he also knows what happens when vendors incorporate the theory into their marketing papers. And, you know, we've seen many examples of that in the past decade. You know, just think of what marketing departments
Starting point is 00:15:48 have done with promising tech like AI and machine learning and even zero trust. And so, when you think about all that, you get a good sense of where John is coming from. Yeah, absolutely. I personally, I find that fascinating and also frustrating that you have these things that could be good things, but they get so overused that they just lead to everybody rolling their eyes about them. And it's not always justified. I know, and it turns people off, right, because, you know, security people are notorious for this. It's either the perfect thing since sliced bread or it's horrible. There's no middle ground, right? Right.
Starting point is 00:16:23 That's true. or it's horrible. There's no middle ground, right? And so you need to get vendors to wrestle with all these terms and it turns people off. And then all those great things like zero trust, machine learning, these are all great things for us.
Starting point is 00:16:34 And don't get turned off by them. Yeah. All right. Well, we will look forward to this week's episode of CSO Perspectives. That is part of CyberWire Pro. You can find out about that
Starting point is 00:16:44 on our website, thecyberwire.com. Rick Howard, great talking to you. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:17:21 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. and i'm pleased to be joined once again by caleb barlow caleb it's always great to have you back you know we are coming up on the winter olympics which is always exciting but with that comes folks who are out there to do bad things to the Olympics in the cyber domain. Where are we coming into this? I mean, when we look back on the history of this, I don't recall any major interruptions to any of the games, but that doesn't mean that the folks out there weren't doing a good job thwarting them. Well, let's start with a little history lesson, Dave. You know, the opening ceremonies were interrupted in Korea in 2018 when a cyber attack took out internet access and
Starting point is 00:18:25 telecasts, grounded broadcasters' drones, and actually shut down the Olympic website, even preventing spectators from printing out their reservations and attending the open ceremony. So there were, believe it or not, a lot of empty seats. Now, in the lead-up to the 2012 London Games, there was a loss of blueprints to the Olympic Stadium building management system that were found on a hacker's computer. Now, nothing really happened with this, but it certainly, you know, raised everybody's hackles. But probably the most interesting attack was in 2016 on the World Anti-Doping Agency, where records of athletes were accessed, publicly released, and most interestingly, Dave, they were changed in an effort to swing public sentiment
Starting point is 00:19:06 about doping, representing one of the first and most significant instances of a data integrity attack that we've seen to date. Yeah, you know, to me, that is a part of all this that really doesn't get mentioned perhaps as much as it deserves to be, which is this whole notion of data integrity that we talk about, you know, people, wipers getting their stuff wiped out or locked up with ransomware. But just knowing that your data is what it says it is, to me, that's a whole other thing. And we rarely talk about that. We do. And I, you know, I've said on this show many a times, I think one of the biggest things companies need to really start thinking about isn't what happens when your data gets locked up. What happens when somebody changes your data?
Starting point is 00:19:51 How do you verify that your data is integral? And if you have a data integrity event, do you have the runbooks to deal with it? Because it's a special class of problem. special class of problem. But I think one of the reasons why we've seen this in the Olympics is, hey, not only the Olympics bring out the best athletes, but they also typically bring out the best hackers, right? You have nation states, you have activists, you have politics, all of this stuff is coming together in the soup. And I don't think this year's Olympics are going to be any different. I mean, first of all, it's in Beijing, which would normally just be a big old red flag for spectators. But I guess the good news here because of COVID is international spectators
Starting point is 00:20:32 aren't allowed because of COVID. So, you know, if you are traveling, let's say maybe you work for a broadcast agency or something, bring burner equipment, burner phones, and not your corporate laptop. But, you know, but even folks at even folks at home watching, phishing attempts are always through the roof. I think listeners here know, don't click on the link. Go directly to the news site. But I suspect if I was going to predict what we're going to see this year, I think we're going to see misinformation attempts and maybe disruption attempts. I mean, this is the venue of where these things would be most impactful. Yeah, I mean, you can certainly see
Starting point is 00:21:11 the international publicity, the potential for embarrassment and those sorts of things. I mean, do you think the folks in China are up to the task here of defending themselves? Well, I mean, the good news is coming out of Tokyo, I mean, Tokyo really didn't have much to say from a cybersecurity perspective, right? They did a really great job. So hopefully those organizing committees and those teams are really working together. And, you know, hey, as much as the Chinese are good on offense, I'm sure they're probably pretty good on defense here too. So, you know, we'll see if they're up to the task and we'll see what happens. Yeah.
Starting point is 00:21:47 Hope for the best, prepare for the worst, right? Well, yeah. So, Dave, what would be your Olympic event if you were an athlete? I mean, I'm not saying you're not an athlete, Dave. You're actually a pretty buff guy. But what would be your sport? I could be the announcer. I could see that.
Starting point is 00:22:03 I could see that. Uh, you know, uh, I have to say I was, uh, athletics were never a strong suit of me, but I was a fairly fast sprinter. So if there was any, anything that I showed any sort of, uh, biological, uh, proclivity for it would be running a short distance in a short amount of time. So I guess that, that would be it. But Dave, it's the Winter Olympics, so you better start practicing the luge. Oh my gosh, you're right. Winter Olympics. See, there you go. I don't even know what the events are.
Starting point is 00:22:33 I could ride a mean sled. I could do this luge. Sure. Why not? All right. Caleb Barlow, thanks for joining us. We'll be right back. iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The Cyber Wire.
Starting point is 00:23:17 For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman,
Starting point is 00:23:35 Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Ben Ikmo, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. Thank you. act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
