CyberWire Daily - LockBit updates. The BrakTooth bugs infesting Bluetooth. Malicious cable proof-of-concept. EU fines WhatsApp over GDPR issues. Insider threats. Action against an alleged stalkerware vendor.
Episode Date: September 2, 2021
The LockBit gang jumps the gun, and crows a bit higher than the facts seem to warrant. Ghostwriter seems to ride a much bigger infrastructure than previously believed. BrakTooth bugs afflict "billio...ns" of Bluetooth devices. OMG cables include a keylogger that phones home. The EU fines WhatsApp over GDPR violations. Insider threats can be difficult to recognize. David Dufour from Webroot thinks it's great that you haven't been breached...yet. Our guest is Mark Nunnikhoven from Lacework with results from their Cloud Threat Report. And an alleged stalkerware vendor is sanctioned by the US Federal Trade Commission. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/170
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The LockBit gang jumps the gun and crows a bit higher than the facts seem to warrant.
Ghostwriter seems to ride a much bigger infrastructure than previously believed.
BrakTooth bugs affect billions of Bluetooth devices.
OMG cables include a keylogger that phones home.
The EU fines WhatsApp over GDPR violations.
Insider threats can be difficult to recognize.
David Dufour from Webroot thinks it's great that you haven't been breached... yet.
Our guest is Mark Nunnikhoven from Lacework with results from their cloud threat report
and an alleged stalkerware vendor is sanctioned by the U.S. Federal Trade Commission.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberW on Bangkok Airways, Bleeping Computer reports.
LockBit's proprietors have an uncertain relationship with accuracy when issuing communiques, threats, and other inducements to pay. In addition to its sad inattention to deadlines, for example, the gang
also claims to have used credentials stolen from Accenture to access and encrypt files at an
unnamed airport, and to have successfully pwned other Accenture customers with compromised credentials. The brag, however, is not only suspiciously short on corroborative detail, but simply
seems not to be true.
As Accenture commented to Threatpost and other outlets covering this, quote,
We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false. As we have stated, there was no impact on Accenture's operations or on our clients' systems. As soon as we detected the presence of this threat actor, we isolated the affected servers. End quote.
Thai authorities are investigating the Bangkok Airways incident. Good hunting to them.
UNC1151, a Russian threat group whose activities are tracked as Ghostwriter, has been determined to have a much larger infrastructure and more extensive operations than previously believed. Security firm Prevailion, which announced its findings yesterday, says that it's unclear whether UNC1151 is a single organization, but that its infrastructure and the Ghostwriter campaign appear to have an overarching theme and direction.
Prevailion found 81 malicious domains clustered with the activity that had hitherto gone unremarked, which would make UNC1151's infrastructure about three times as large as earlier reports had reckoned it.
Ghostwriter has so far tended to concentrate on targets in Central and Eastern Europe.
Its approach has typically been through phishing, and it's been known to engage in influence operations.
Researchers at the Singapore University of Technology and Design have described a set of Bluetooth Classic protocol vulnerabilities, collectively known as BrakTooth. The affected firmware is thought, The Record says, to be found in more than 1,400 chipsets. The Register reports that BrakTooth's impact and severity varies considerably across different devices.
The vulnerable chipsets are in an awfully large number of devices worldwide, billions of them in The Record's back-of-the-envelope calculation. Those systems include laptops, smartphones, industrial equipment, and other smart Internet-of-Things devices, as is usually the case with Bluetooth bugs.
Exploitation would require that the bad actors be within short radio range of the target.
The security researcher known as MG has shared a proof-of-concept hack with Motherboard that involves a Lightning cable modified with a keylogger that transmits its take wirelessly to its controllers. Such cables had been thought to be too small to hold the necessary malicious hardware, but MG's proof of concept, part of a suite of pen testing tools, shows that this isn't the case. Motherboard writes, quote, The OMG cables, as they're called, work by creating a Wi-Fi hotspot that a hacker can connect to from their own device. From here, an interface in an ordinary web browser lets the hacker start recording keystrokes. The malicious implant itself takes up around half the length of the plastic shell. End quote. MG has been able to trigger the device's payload at ranges up to a mile.
Ireland's Data Protection Commission has reported the outcome of its GDPR investigation into WhatsApp's sharing of data with other subsidiaries of its Facebook parent. The European Data Protection Board has approved a fine of €225 million for violations of data transparency rules.
The Ponemon Institute and DTEX Systems have published a study of insider threats.
They surveyed North American firms and found that more than half of the businesses who responded
were unable reliably to identify certain classes of insider threat. A lot of the clues being missed
are unsurprisingly behavioral. Some activities that often, but of course not inevitably,
indicate that there may be a problem with an insider include a user's opening of an unusual
number of files, unusual use of USB devices, circumvention of security controls, moving and
saving files to unusual locations, and taking various steps to cloak whatever it is that the
insider is doing online.
The report concludes,
Nearly half of companies find it impossible or very difficult to prevent an insider attack
at the earliest stages of the insider threat kill chain.
53% of companies find it impossible or very difficult to prevent an insider attack
when data is being aggregated, a key indicator of intent of an attack. Only 32%
of companies say their organizations are very or highly effective in preventing the leakage of
sensitive information, and 15% of organizations state that no one has ultimate authority and
responsibility for controlling and mitigating workforce risks. And insiders can retain their ability to do damage even after
they've left, and they may be especially likely to do so if they've parted on unhappy terms.
A Brooklyn, New York woman, Juliana Barile, this week took a guilty plea to one count of
computer intrusion in a U.S. federal court. The U.S. Attorney's Office for the Eastern District
of New York said that she accessed the systems of the New York Credit Union, where she'd lost
her temporary position and destroyed more than 20 gigabytes of information. Acting U.S. Attorney
Jacquelyn Kasulis described the offense in the case, quote, in an act of revenge for being
terminated, Barile surreptitiously accessed the computer system affected her former employer, that wasn't the only victim.
Michael J. Driscoll, assistant director in charge of the FBI's New York field office, commented,
quote,
Ms. Barile may have thought she was getting back at her employer by deleting files.
However, she did just as much harm to customers.
Her petty revenge not only created a huge security risk for the bank,
but customers also, depending on paperwork and approvals to pay for their homes,
were left scrambling. An insider threat can wreak just as much havoc, if not more,
than an external crime. The bank and customers are now faced with a tremendous headache of
fixing one employee's selfish actions. End quote. And finally, the U.S. Federal Trade Commission
has taken action against SpyFone over allegations that the stalkerware app company secretly harvested and shared data on people's physical movements, phone use, and online activities through a hidden device hack.
Effectively finding the company to have offered stalkerware, the FTC has banned SpyFone from offering, promoting, selling, or advertising
any surveillance app, service, or business.
Mark Nunnikhoven is the Distinguished Cloud Strategist at cloud security provider Lacework.
They recently released their 2021 Cloud Threat Report, and I caught up with Mark Nunnikhoven for the highlights.
The biggest things was, you know, one of the key themes is that cybercriminals are aggressively pivoting to go after businesses in the cloud. They're doing that, I think, because it's a more
direct vector, whereas in an on-premise environment, you've got that really strong perimeter
with, you know, which it works to some extent.
You know, there's pros and cons to that.
But when it comes to the cloud, because everything is automated and based on APIs, it's a little bit easier to probe and to see what's going on potentially for cyber criminals.
So we're seeing them look to try to get that access to the point where even a new sort of trend in the underground market is these initial access brokers who are selling cloud credentials, so whether that's Azure, AWS, or Google Cloud, to make it easier for these criminals to start pointing their attacks at new victims.
Can you differentiate for us sort of the spectrum of things we're talking about here?
Because we have – there's never a shortage of stories about people who accidentally leave their data waving in the wind in a cloud bucket.
And I suspect that's part of this, but there's more to it as well, yes?
Yeah, absolutely.
That's a very astute observation.
And that bucket thing is one of my biggest challenges.
It is my mountain to climb in that that is constantly a challenge.
And, I mean, for me, it always highlights the complexity of configuring cloud services.
And there's always something changing. There's always new features and functionality. And as someone building in the cloud, it's hard to keep on top of that. So,
you know, people are making mistakes and that's natural. That's what we do. But in particular,
with those buckets is that they start locked down is what really frustrates me. And they get
explicitly opened up by a mistake somewhere. But what we're talking about in this report
is different than that. Even though misconfigurations continue to be the number one security issue in the cloud,
what we're talking about is the specific actions that cybercriminals are taking.
So instead of you making a mistake, we're looking at the adversarial motion of them coming in and
saying, I know you're in the cloud, Dave. I'm going to come after you.
You know, I think there's a perception that part of the move to the cloud involves
taking advantage of the greater security capabilities that are provided by these
large providers, that they're going to be able to have a bigger team than you would individually.
Is that a misperception? Do we have a false sense of security there?
I think it's not inaccurate,
but it's also not the complete picture. So the way that security works in the cloud and operations work in the cloud is through something called the shared responsibility model. Now, that's not
specific to any CSP. That's just how it works, is that you as a builder, as a user, are sharing
these responsibilities with the providers. And there's roughly six areas where work needs to be done every day.
So you start way down at the physical infrastructure layer,
virtualization, OS, apps, and data.
And at the lowest sort of most primitive level in the cloud,
if you asked for a server, you're going to see three of those things.
So half of those things go to the cloud service provider.
You're never going to touch physical.
You're never going to touch the core infrastructure.
You don't run that virtualization layer.
They do all that, and they do it at a world-class level.
But it's up to you to run that server.
So if you want to set your administrator password
or your root password to password, you could do it.
That's absolutely not a good move,
but it's your area of responsibility,
so you can take that step.
And as you go into something like a container,
you can get rid of that operating system
that goes to the CSP.
As you go into SaaS levels,
so things like buckets,
even the application is the CSP.
But at the end of the day,
you still have a ton of power with these services
and a lot of options.
So you're responsible for that part of the model
and configuring the service.
And that's where we see those mistakes bubble up.
With the general sense of security,
the challenge is just scope. And that's why we see attackers coming after those cloud credentials and
using those initial access brokers, because what they're trying to get there is not one particular
service. They're trying to be able to log in as you into AWS or into Google or into Azure and then
spin up whatever they want. So they're going undercutting what you've built and saying,
we just want the tools that you're building with,
and we're going to take advantage of that.
So given the information you've gathered here,
what are your recommendations?
How can organizations do a better job of protecting themselves?
Yeah, and that's a really good question
because every situation is somewhat unique,
but there are some generic things that we can recommend to people.
And the first is really understand that shared responsibility model. Know what you are on the hook for, what you should be
looking at, and what you can let AWS or Google or Microsoft concern themselves with. But from there,
you really need to start to understand what standard or normal looks like in your account.
Because the criminals are coming in as authenticated users. They're not trying to blow away the firewall or evade your security controls.
They're coming in as Mark or as Dave.
And now you as a defender need to know what is our normal activity?
What do we normally do?
So if you normally only have five to ten servers running in your account and all of a sudden there's a thousand, you should know that that should raise some questions.
So as a defender, you need to change as opposed to looking for binary answers. We're stopping them.
We're not stopping them. You need to really understand your environment and say, this is
standard or normal behavior, and this is anomalous behavior. And when it's an anomaly, you need to
figure out whether that's a bad thing or a good thing.
That's Mark Nunnikhoven from Lacework.
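Two passages in this episode come down to the same detection pattern. The DTEX and Ponemon list of behavioral insider indicators (a user opening an unusual number of files, unusual USB use) and Mark Nunnikhoven's point that an account which normally runs five to ten servers and suddenly runs a thousand should raise questions both say: learn what normal looks like for each actor, then flag what deviates from it. The block below is an added example written for this page, not code from the podcast, Lacework, DTEX or Ponemon. The audit events, actor names, action names and thresholds are all constructed for illustration; in practice the event list would be fed from EDR or CloudTrail-style telemetry.

```python
"""Baseline-and-deviation check over constructed audit events.

Added example for this page; not from the podcast, Lacework, DTEX or Ponemon.
Events, actor names, action names and thresholds are all made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events: (day, actor, action, detail). Days 1-5 form the learning
# window; day 6 is the day under review. Actions mix the endpoint signals from
# the insider-threat passage (file_open, usb_mount) with a cloud control-plane
# call (RunInstances), because the detection logic is the same for both.
EVENTS = (
    # alice normally opens about six documents a day
    [(d, "alice", "file_open", f"/projects/report{i}.docx") for d in range(1, 6) for i in range(6)]
    # bob normally launches three small instances a day
    + [(d, "bob", "RunInstances", "t3.small") for d in range(1, 6) for _ in range(3)]
    # carol opens the same HR document four times a day, every day, including day 6
    + [(d, "carol", "file_open", "/hr/policy.pdf") for d in range(1, 7) for _ in range(4)]
    # day 6: alice opens 60 files and mounts a USB drive for the first time,
    # bob launches 40 large instances
    + [(6, "alice", "file_open", f"/projects/report{i}.docx") for i in range(60)]
    + [(6, "alice", "usb_mount", "E:")]
    + [(6, "bob", "RunInstances", "c5.4xlarge") for _ in range(40)]
)


def daily_counts(events, days):
    """Map (actor, action) -> list of per-day counts, one entry per day in `days`.

    Days on which an actor/action pair produced no events count as zero, so the
    baseline is not inflated by looking only at busy days.
    """
    per_day = defaultdict(lambda: {d: 0 for d in days})
    for day, actor, action, _detail in events:
        if day in days:
            per_day[(actor, action)][day] += 1
    return {key: [counts[d] for d in days] for key, counts in per_day.items()}


def find_anomalies(events, learn_days, check_day, sigma=3.0, min_ratio=5.0):
    """Return (actor, action, count, reason) tuples for activity on check_day
    that deviates from that actor's own baseline over learn_days.

    Two deliberately simple rules:
      * never-seen: the actor never performed this action in the window
        (first USB use, first console login from a service account, ...);
      * volume spike: today's count exceeds mean + sigma*stdev AND
        min_ratio times the mean. The ratio floor matters because a short,
        regular baseline has zero variance, which would otherwise flag a
        single extra event as a three-sigma outlier.
    """
    baseline = daily_counts(events, learn_days)
    today = daily_counts(events, [check_day])
    findings = []
    for (actor, action), (count,) in today.items():
        history = baseline.get((actor, action))
        if history is None:
            findings.append((actor, action, count, "never seen in baseline"))
            continue
        mu, sd = mean(history), pstdev(history)
        threshold = max(mu + sigma * sd, mu * min_ratio)
        if count > threshold:
            findings.append((actor, action, count,
                             f"volume spike: baseline mean {mu:.1f}, threshold {threshold:.1f}"))
    return findings


if __name__ == "__main__":
    for actor, action, count, reason in find_anomalies(EVENTS, range(1, 6), 6):
        print(f"{actor:6} {action:13} {count:4}  {reason}")
```

Run as a script, it reports three findings: alice's file-open volume, alice's first USB mount, and bob's instance-launch spike; carol's steady four opens a day are left alone. The point of the per-actor baseline is the one Nunnikhoven makes: the attacker is authenticated as bob, so the only thing that distinguishes the activity is that bob has never done this before. `sigma` and `min_ratio` are tunables; a five-day window is far too short for production and is used here only to keep the sample small.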
And joining me once again is David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, it's always great to have you back.
You know, there is a phrase that gets tossed around a lot,
and it's not a matter of if, it's a matter of when,
when it comes to companies being breached.
There's a variant on that that is you may not think you've
been breached, but you just haven't discovered the breach yet. I wanted to check in with you.
What's your take on that approach? Yeah. So, David, it's great to be back as always. And I
couldn't agree more. It's that what's the sailor saying there, those who get seasick and those who have yet to be seasick because it's going to happen.
And you just have to prepare for it. It's one of those things that if you're not preparing for it,
you're crossing your fingers and hoping it happens to the next guy because data breaches happen
constantly. And we're not just talking about ransomware attacks. We're talking about data
being stolen, things of that nature. It's going to happen. How does this change an organization's
approach, though? When you come into it assuming that either a breach is going to happen or a
breach has happened, how does that change how you design your defenses? Well, that's a great
question, and it depends. A lot of times, the security folks, your CISO may live in a vacuum from your data protection folks. Hopefully that's starting to really coalesce and come together. There's a couple of things people really have to do. You have to take our PCI compliance. And it's a little bit mundane, but it's important because it reminds us.
And I'm saying that because I believe it.
I hate taking the stuff, but you do need to do it.
Now we have to do GDPR compliance testing as well.
And so what that really points to is you have to take the time to know what data you have
and then isolate that data.
Because a lot of times companies grow from these little
startups where there was five people and they had to know everything and they never have taken the
time to really isolate and understand the data that they have to ensure that if they are breached,
if it's a ransomware attack, they can get it back. If the data has been stolen,
they know what was stolen and what their exposure is.
How do you go about that sort of inventory while you're in the midst of business?
You know, it's like that old phrase or that old saying about, you know, changing the oil
in your car while the engine is running.
That's exactly right.
And you have to just decide you're going to do it.
And it does cost money.
And there are tools that help you, but those tools will not do it for you. So you have to find people to bring on board. And it of them, but it is so important, David, that you understand your data,
where it lives, how it traverses, that kind of thing. Do you think that this is the right
approach or are you on board with taking this avenue that you assume a breach?
I definitely am. And not just a breach from the point of it might be ransomware or a
breach from the point of it might be someone steals our data. A lot of your folks listening
know I talk about the Air Force a lot. I was in the Air Force. And I saw that whole hierarchical,
monolithic way of approaching security. And I'm a huge believer in it needs to be smaller,
more nimble teams that understand stuff, because then you can react to how breaches happen. And you have groups that can quickly
define what happened, understand it, because these things don't happen in a vacuum. You might have
multiple things fail at once and you need to be able to respond to them and know what is going
to happen. And most of the time you need that team to be able to communicate with
each other, to be able to have the air cover from executives to take the time to understand what
really happened. Because a lot of times what you think happened in the first hour is not what you
find out happened two days later. You've got to really have those teams who can dig into it and
understand. All right. Well, David Dufour, thanks for joining us.
Hey, great being here, David.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Puru Prakash,
Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.