CyberWire Daily - Investigations--the SEC looks into Solarigate, German prosecutors inquire into GhostWriter. The Meris botnet is responsible for recent DDoS attacks. Implausible deniability. The SINET 16 are announced.
Episode Date: September 10, 2021
The SEC's inquiry into the SolarWinds incident may expose other, unrelated data breaches. Researchers identify an IoT botnet, Meris, as responsible for DDoS attacks against a number of banks. German prosecutors have opened an investigation into the GhostWriter campaign. Researchers look at the cozy, implausibly deniable relationship between Russia's security services and cyber gangs. A money-launderer gets eleven years. David Dufour from Webroot has straight talk about paying the ransom. Our guest is Jeff Williams from Contrast Security with a look at AppSec Observability. Congratulations to the SINET 16 winners. And we remember 9/11: has it already been twenty years? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/175
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The SEC's inquiry into the SolarWinds incident may expose other unrelated data breaches.
Researchers identify an IoT botnet responsible for DDoS attacks against a number of banks.
German prosecutors have opened an investigation into the Ghostwriter campaign.
Researchers look at the cozy, implausibly deniable relationship between Russia's security services and cyber gangs.
A money launderer gets 11 years.
David Dufour from Webroot has straight talk about paying the ransom.
Our guest is Jeff Williams from Contrast Security with a look at AppSec observability.
Congratulations to the SINET 16 winners.
And we remember 9/11. Hard to believe it's already been 20 years.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 10th, 2021. The U.S. Securities and Exchange Commission, best known by its acronym SEC,
is investigating the SolarWinds incident, and Reuters reports that the inquiry is spooking some large U.S. companies who fear that the results of the probe will expose them to liability. Reuters says, quote,
The SEC is asking companies to turn over records into any other data breach or ransomware attack
dating back to October 2019 if they downloaded a bugged network management software update from Solar
Winds Corporation, which delivers products used across corporate America, according to details
of the letters shared with Reuters. It's the any other that's got companies spooked. They're unsure
what the consequences may be if the inquiry turns up previously undisclosed data breaches.
There may be some clarity forming around the distributed denial-of-service attacks that have hit organizations including Russia's Yandex, New Zealand's ANZ Bank, which went down
again yesterday, according to the New Zealand Herald, and other targets in the US and the UK.
Qrator Labs today released a description of Meris,
an IoT botnet with a quarter of a million devices.
There have been larger botnets.
Mirai, for one, had in excess of 300,000.
But unlike its well-known predecessors,
Meris relies on transmitting a high number of requests per second.
The Record describes the difference between Meris and the usual sort of DDoS attack like this,
quote,
Called volumetric or application-layer DDoS attacks,
RPS attacks are different because attackers focus on sending requests to a target server
in order to overwhelm its CPU and memory.
Instead of clogging its bandwidth with junk traffic,
volumetric attacks focus on occupying servers' resources
and eventually crashing them, end quote.
Most of the devices exploited to form the botnet
were networking gear from the Latvian vendor MikroTik.
Items include routers, IoT gateways,
Wi-Fi access points, switches, and mobile networking gear.
The Record reports that sources tell it the target of the Yandex DDoS attack wasn't Yandex itself,
but rather a bank that used Yandex's cloud services to host its e-banking portal.
German prosecutors have opened an investigation into the Ghostwriter campaign Berlin has attributed to Russian intelligence services, Der Spiegel reports.
Germany's foreign ministry has warned that Russia will face unspecified consequences should the cyber espionage and election-related disinformation persist.
Recorded Future's Insikt Group yesterday issued a report on what it calls the dark covenant between Russian intelligence services and cybercriminals. The security
organs aren't directing the criminals, but the gangs operate at their sufferance and shape their
operations and target selection to conform to their understanding of what those services want.
It's too soon to tell
whether U.S. carrots and sticks will inhibit the privateering, but the Insikt report thinks there
are signs Russian President Putin is feeling some pressure to make a gesture in the direction of
international good citizenship. The report's executive summary says, quote, the open assertion
made by U.S. President Joe Biden that Russian cyber criminals are protected by the Russian... The report adds that this is forcing Russian domestic law enforcement
to demonstrate that they are cracking down on ransomware operators.
U.S. Cyber Czar Chris Inglis cautions against expecting any
quick Russian reform or a departure from long-standing Russian intelligence and security
practices. He sees deterrence in cyberspace as complicated. It's not, he thinks, a problem we're
going to shoot our way out of. A cyber criminal associated with North Korean hackers, Ghaleb Alaumary, a native of
Mississauga, Ontario, and 36 years young, has been awarded an 11-year sabbatical courtesy of the U.S.
Bureau of Prisons. Mr. Alaumary, who holds both U.S. and Canadian citizenship, took a guilty plea
to two federal counts of money laundering. The U.S. attorney for the Central District of California explained that Mr. Alaumary
received funds from bank cyber heists and fraud schemes, and once the ill-gotten funds were in
accounts he controlled, Alaumary further laundered the funds through wire transfers, cash withdrawals, and by exchanging the funds for cryptocurrency.
The funds included those from North Korean perpetrated crimes, including the 2019 cyber heist of a Maltese bank and the 2018 ATM cash-out theft from Bank Islami in Pakistan. Other victims of Alaumary's crimes include a bank headquartered in India,
as well as companies in the U.S., the U.K., individuals in the U.S., and a professional
soccer club in the United Kingdom. Mr. Alaumary's North Korean friends, the Hidden Cobra Gang,
are generally held to be connected to the Lazarus Group and to be stealing on behalf of the Kim regime in Pyongyang.
He's thought to have collaborators elsewhere, too. One of his co-conspirators is allegedly
the Nigerian social media star-influencer Ramon Olorunwa Abbas, known by his hacker name
Ray Hushpuppi, or just Hushpuppi for short. Mr. Puppy is also currently in U.S. custody.
The SINET 16 were announced this week. This annual competition has for years brought some
of the most promising startups in cybersecurity into the spotlight. This year's winners,
in reverse alphabetical order, are Valtix, specialists in multi-cloud network
security whose solution promises both simplicity and adaptability. Strata, which delivers enterprise
identity management also for multi-cloud environments. Sevco Security, provider of
asset inventory necessary for the dynamic self-awareness necessary to security. Securiti,
with a final I, offering artificial
intelligence solutions for security, privacy, governance, and compliance for multi-cloud,
SaaS, and self-managed data systems. Perimeter 81, which has a secure access service edge platform
designed to support a remote workforce. Pentera, an automated pen testing shop for safe emulation of attacks.
JupiterOne, an asset management company that provides security context to cloud users.
Inky, the Maryland-based anti-phishing company whose cloud-based artificial more-than-intelligence
spots fraud and social engineering in email. GreyNoise, whose solution tells security
practitioners what they don't have to worry about, saving labor by cutting down on false alerts and security noise.
GrammaTech, developer of software assurance tools and advanced cybersecurity solutions designed to ease the challenges of DevSecOps.
ForAllSecure, which offers application testing intended to make developers' lives easier.
Ermetic, whose solution offers multi-cloud continuous protection for users of AWS, Azure, and Google Cloud.
Cequence Security, which offers a complete API inventory
and data leak protection solution.
Baffle, a cloud data protection shop that offers data tokenization,
de-identification, and database encryption
to protect data from source to destination.
Axis Security, a zero-trust, secure-access service edge provider whose agentless solution enables secure employee access.
AppOmni, whose SaaS security management platform delivers visibility into security configurations, user permissions, and third-party apps.
This year, SINET singled out three companies to watch,
early-stage startups it regards as already adding value.
Scythe, an adversary emulation platform,
DeepFactor, which offers continuous AppSec observability, and Corsha, multi-factor authentication for machine-to-machine communications.
Congratulations to all of them, winners and honorable mentions alike.
The SINET 16 companies have over the years assembled an enviable record of success
and a reputation for successful innovation,
and the Class of 2021 are likely to continue that tradition.
And finally, tomorrow is the 20th anniversary of 9/11,
Al-Qaeda's terror attacks against the World Trade Center and the Pentagon, attacks that took the
lives of thousands in New York and Arlington, and hundreds aboard the four airliners the terrorists
hijacked and drove into the ground. Our CSO and senior fellow Rick Howard was in the
Pentagon that day, and he's posted an essay on what he saw and how he remembers it. All of us
old enough to remember the attacks have our own recollections of that day. Tomorrow, we'll be
sparing a thought for those who died, both immediately and in the aftermath, and for the heroism of those who responded,
both immediately and during the global war on terror that followed.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Jeff Williams is CTO and co-founder at application security platform provider Contrast Security. They recently released the latest version of their application security
observability report.
Jeff Williams joins me to share what they found.
Observability essentially means, can we see what's going on inside an application?
And we focus on security observability. So what we want to do is try to reveal what's going on inside applications from a security perspective.
And, you know, it's kind of invisible
to most people. When you use your app on your phone or something to send a check or something
or check your balance or something, there's a ton of software. It's not just what's on your phone,
it's on the backend APIs and web applications that are out running the cloud somewhere.
They connect to backend systems inside the bank. And that whole software
ecosystem is really complicated. There's a ton of security defenses and unfortunately,
a lot of vulnerabilities in that whole environment. So take us through some of the key findings here.
I mean, what are some of the things that you discovered here? Yeah, so we discovered 34% this year. Last year, it was 26%. This year, 34% of applications
have serious vulnerabilities. And that is just a jump-off-the-page, like, holy crap kind of
statistic. I mean, it's shocking that almost a little over a third of applications have serious vulnerabilities.
And, you know, 30, and the number is, you know, on average, like, you know, around 30 vulnerabilities.
That's a terrifying number. ...airplanes, and every time you did a safety check on the airplane, you discovered 30 vulnerabilities
and 34% of airplanes had these problems, you wouldn't fly.
And so what are your recommendations here?
I mean, how do people come at this issue?
Well, from the big picture, I think it's important to understand that there's a risk.
First step to solving any problem is recognizing that there is one. So we need really good data, like the data in this report that
drills into exactly what the problems are and where they live and starts us on detailed metrics
that we can understand. So I think the first step is like, let's get a program in place that allows
us to measure our code in our particular organization and understand what we got and then start improving that over time.
And there's kind of three areas that I think are really important to focus on. ...introduce new vulnerabilities like the traditional kinds of application vulnerabilities, SQL
injection, cross-site scripting, XXE, SSRF.
There's a whole litany of these things.
You have to put a program in place to make sure you identify those things and prevent
them.
The second thing is manage your open source supply chain.
You're bringing in all this code, and it's allowing you to very rapidly produce
awesome applications. But along with that code comes a responsibility. You've got to make sure
that you're keeping it up to date and understanding where those libraries might have known
vulnerabilities in them and updating your applications so that they're using safe versions of those libraries.
And then the last piece is runtime protection.
So what we talked about so far was kind of in the development process
and getting applications into production.
But in production, you have to be able to see who's attacking you,
what kind of attacks they're sending,
and have some defense against those attacks in production.
And the average application that we saw, and there's details on this in the study, of course,
but the average application has over 13,000 attacks every single month.
And while 99% of those are what we call probes, they don't really reach the vulnerability
they were targeting.
It's still a huge number.
And you have to be aware of that.
1% is still a lot of attacks.
That's Jeff Williams from Contrast Security.
There's a lot more to this conversation.
If you want to hear the full interview,
head on over to CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, always great to welcome you back.
You know, I think we go back and forth between the general advice that you should not pay the ransom, that paying the ransom is
supporting a bad ecosystem. But then the flip side of that is that sometimes you got to get
business back in business and that paying the ransom could be the quickest pathway to that.
What's your take on this? Well, hey, David, it's great to be back. And here's what I think. I think
you shouldn't pay the ransom because you've done all of your homework up front
on how you're going to recover from a ransomware attack.
So you're just going to execute that recovery plan.
No need to pay the ransom.
Problem solved, right?
Well, all right.
Well, thanks for joining us, Dave.
Meanwhile, back in the real world.
Go on.
Right.
So, honestly, I think you have to evaluate.
Can you recover or at least get back to an operational state that gets you close to normal?
Or do you need to pay a ransom?
It is literally, that's why they call it a ransom.
And you have to make that choice as the leadership of that organization.
And I don't think anyone has a right to tell you one way or the other to not pay it. If your business is going to shut down,
you got to pay this ransom, right? Yeah. Yeah. But are you coming at it from the point of view
that you should do everything in your power planning-wise, preparation-wise, so that paying the ransom is the last resort? I am absolutely advocating that.
I mean, the most recent attack on the pipeline,
they paid a considerable amount in the millions.
And if they'd have just spent a tenth of that up front annually,
they would have protected themselves and their infrastructure,
which was critical infrastructure to the U.S. So, yeah, I think that we pay lip service to it, but we just don't spend the money
to protect ourselves. But what are your recommendations there in terms of those
preparations? What are some of the things that organizations should be doing so that they don't
have to pay the ransom? You know, it's the same old backup and restore.
Don't just back up your data and think it's good. You got to have a recovery process.
You also have to make sure you're patching your critical systems. You can't leave
operational infrastructure that has Windows 95 computers that haven't been patched in the last
20 years sitting out there and not expect you're going to get hacked. You've got to be able to understand what you've got, what your exposure is, and back it up.
And then also, you know, David, I'm going to go down a little bit of a tangent here.
If you are attacked, do you have a team that can communicate with these people? Do you have a plan
in place? Not just how would you recover, but how are you going to handle this? Are you just going
to get your CISO on the phone? He's going to call up the people that have hacked you, but what's your plan
there? There's a lot that needs to be taken into account outside of just your internal planning on
how to address it. Well, and also we've got the whole thing with data exfiltration. I mean,
it's not just about the files being locked up. You have to establish
what exactly did they take? That's exactly right. And understanding that from a bigger picture.
And that goes to, you know, understanding, you know, where they attacked, how long the file
lived there and that kind of thing. So, you know, we're seeing a lot more of this in our threat
report. We saw a massive uptick in these type of attacks,
which was good because we saw a downtick in other types of attacks, but that means this is where the
money is. But David, one thing, I'm really going to go off on a tangent here. I think people need
to be careful when they're patting themselves on the back because one of these attacks, the
government got the money back and the organization that attacked the pipeline, they all but apologized
for doing that because they don't want you to know they're out there. They don't want to attack
infrastructure. So I personally would not have shouted it from the mountaintops that we were
able to get some of the ransom back because I promise you these folks are one, annoyed,
two, very capable, and three, going to make sure that never happens again.
So we need to be careful.
I'm not saying we shouldn't protect ourselves.
I'm not saying we shouldn't get things back.
But we need to take a very humble approach to this, make sure we're doing the work properly, and try to protect ourselves because you can't go after these people.
They disappear like the wind.
So I think people should calm down a little bit and not, if you're a government official,
don't be all proud that you got some money back
because I'm afraid it's going to come back
to bite us on the next one.
That's my opinion, by the way.
No one said that.
No one, I got to say that right now.
I believe that.
Yeah, fair enough, fair enough.
All right, well, David Dufour, thanks for joining us.
Great being here, David.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Be sure to check out this weekend's Research Saturday and my conversation with Jon Hencinski from Expel.
We're going to be discussing their research on stopping ransomware attacks
aimed at WordPress CMS installations
via drive-by downloads disguised as Google Chrome updates.
That's Research Saturday.
Do check it out.
Our amazing CyberWire team is Elliott Peltzman,
Trey Hester, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson.
Thanks for listening.
We'll see you back here next week.
Thank you.
...gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.