CyberWire Daily - Lots of coordinated inauthenticity, but a small return in influence. Confidence building in cyberspace? CISA reports finding that a Federal agency was hacked. Cyberattacks on hospitals are up.

Episode Date: September 25, 2020

Facebook takes down three Russian networks for coordinated inauthenticity: a lot of activity but not much evident ROI. Russia calls for confidence-building measures in cyberspace. CISA detects a successful incursion into an unnamed Federal agency. Governments warn of heightened rates of cyberattacks against medical organizations. Mike Benjamin from Lumen joins us with details on Alina malware. Our guest is James Dawson with insights on how to best calibrate your security budget. And there’s a not-guilty plea in the case of the attempted bribery of a Tesla insider. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/187 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Facebook takes down three Russian networks for coordinated inauthenticity. Russia calls for confidence-building measures in cyberspace. CISA detects a successful incursion into an unnamed federal agency. Governments warn of heightened rates of cyberattacks against medical organizations.
Starting point is 00:02:17 Mike Benjamin from Lumen joins us with details on Alina malware. Our guest is James Dawson with insights on how to best calibrate your security budget. And there's a not guilty plea in the case of the attempted bribery of a Tesla insider. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 25th, 2020. Facebook yesterday identified and took down three more networks for coordinated inauthentic behavior, or in Facebook's more specific formulation, quote, Facebook says that they targeted a wide range of countries
Starting point is 00:03:25 and that they shared an overarching operational style. They focused, first, on creating fictitious or seemingly independent media entities and personas to engage unwitting individuals to amplify their content, and second, on driving people to other websites that these operations control. Graphika, which assisted Facebook with its investigation and assessment, notes that the offending network clusters operated across multiple platforms. Despite the operators' efforts, none of the clusters succeeded in going viral. So, their activities were marked by information laundering, an increasingly common tactic in influence operations.
Starting point is 00:04:13 Facebook found that the clusters, as it called them, used a mix of legitimate and fictitious profiles. Their activity broke down as follows. The first network consisted of 214 Facebook users, 35 pages, 18 groups, and 34 Instagram accounts. It was, for the most part, interested in Syria and Ukraine, to a lesser extent in Turkey, Japan, Armenia, Georgia, Belarus, and Moldova, with a still smaller fraction focused on the UK and the US. Facebook's report says, quote, They used fake accounts to create elaborate fictitious personas across many internet services, posing as journalists to contact news organizations purporting to be
Starting point is 00:04:50 locals in countries they targeted, and managing groups and pages, some of which proclaim to be hacktivist groups. These clusters also focused on driving people to their off-platform sites and other social media platforms where, among other themes, they promoted content related to past alleged leaks of compromising information. All of this activity was largely a fizzle. Facebook says the whole operation had a negligible following across its platforms. Facebook attributes the activity to the Russian military. We observe that in the context of cyber conflict, Russian military usually means GRU. The second network consisted of one page, five Facebook accounts, one group, and three Instagram accounts.
Starting point is 00:05:38 It concentrated on Turkey and Europe, with some reach into the United States. It relied on fake accounts to drive traffic to a nominally independent think tank in Turkey. The accounts represented themselves as locals from Turkey, Canada, and the U.S. Facebook, which notes that this network also recruited people to write for them, connects the activity to the troll farmers at St. Petersburg's Internet Research Agency. It, too, attracted almost no followers. The third network enjoyed more success than the others, but that success was nothing to write home about either.
Starting point is 00:06:14 It included 23 Facebook accounts, 6 pages, and 8 Instagram accounts, and it focused on global audiences, but especially on the near abroad, with an emphasis on Belarus. It used fictitious personas to post and comment on content, manage pages, amplify content, and drive visitors to off-platform sites that posed as independent journals whose editors and researchers were soliciting articles. Facebook connects this network to Russian intelligence services. As we mentioned, this crew attracted more followers than the others,
Starting point is 00:06:51 but still fell short of achieving much reach. It's perhaps no accident that the third group advertised more than the others. They spent about $10,000 on Facebook ads. The second group spent just $4,800, and the cheapskates of the first group forked over just a cool six, count them, six bucks in total. As Dorothy Sayers wrote back in the day, it pays to advertise. Potential sponsors take note. Use your marketing budget for good instead of evil. Some, but not all, and not even the majority of the inauthentic activity was directed against U.S. elections, which remain a flashpoint in Russo-American relations. According to Reuters,
Starting point is 00:07:34 Russian President Putin today said that the U.S. and Russia should agree not to meddle in one another's elections. He called for a comprehensive treaty that would amount to a non-aggression pact in cyberspace, or at least a confidence-building treaty similar to Cold War-era agreements designed to reduce the possibility of accidents at sea and in international airspace. President Putin said, in part, One of the main strategic challenges of our time is the risk of a large- Dust off the hotline and no fighting in the war room, gentlemen. The U.S. Cybersecurity and Infrastructure Security Agency, CISA, reports that an unnamed U.S. federal organization was successfully hacked by an attacker who used stolen credentials to gain access to the agency. The attacker was able to browse the network, obtain, zip, and probably exfiltrate some of the files it located.
Starting point is 00:08:44 How the attacker got the credentials is unknown, but CISA's educated guess is that they were obtained from an unpatched Pulse Secure VPN vulnerability, CVE-2019-11510. CISA says it detected the problems with its Einstein intrusion detection system. Einstein is deployed across the federal civilian agencies, not the .mil domain and certainly not the other national security agencies, mostly in the intelligence community, that are exempt from CISA oversight. That would seem to narrow the range of possible victims, but the story is still developing.
Starting point is 00:09:23 Governments are increasingly concerned about rising rates of cyber attacks against healthcare organizations, the Wall Street Journal reports. Contrary to hopes expressed early in the pandemic, the honor among thieves the thieves themselves promised hasn't really materialized,
Starting point is 00:09:39 and hospitals are increasingly suffering from ransomware. It's a global problem. The Journal quotes authorities from Europe, North America, Asia, and the Pacific, and the International Red Cross. And finally, the man charged with attempting to bribe a Tesla insider to assist him in carrying out a ransomware attack against the electric car company, Yegor Yegorovich Kryuchkov, has entered a plea of not guilty before a U.S. federal magistrate. The Washington Post says Mr. Kryuchkov hopes to put the whole matter behind him as soon as possible. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:10:29 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
Starting point is 00:11:06 checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:12:03 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:49 James Dawson is CISO of IT Risk Advisory, LLC. Throughout his career, he's worked with a number of global top-level organizations to help them build their cybersecurity strategies. He joins us today with insights on how to best calibrate your security budget. The basics, the foundation for this is, you know, first know in your organization your critical processes. What's the place do? You know, do we make snow skis?
Starting point is 00:13:15 Do we give out bank accounts? What do we do here? Are we a hospital? Do we make people healthy? What do we do? So know your critical processes at that organization. So that's your first step. Because when you talk to that C-level individual about the spend, they think in business terms.
Starting point is 00:13:36 They know what the business does. So look at those critical processes of the business. And in those critical processes, you've heard me say this before, inventory the applications. In those applications, inventory the systems, the machines, the servers that manage that. And then map the critical cyber risk from beginning to end and where humans' hands are involved. So, I mean, are you inventorying the people as well? You are. So that's where I was going to get to.
Starting point is 00:14:08 That's kind of the crux of the conversation here. Get down to, so you've got this list of processes, five important processes we do here at the bank, let's say. And then who is involved in those critical processes? You're actually writing down the people who either manage the applications in those critical processes or are responsible for the systems, the machines that those applications run on. There's also sometimes custodians or owners of the data, too, which could be different than the application owner and the system owners? There is also then the user, the worker bee, the person who's involved in the process to actually enter data in unstructured form in the beginning of the data lifecycle, and then do something with it, manage a record,
Starting point is 00:14:57 or put it away, or store it at the end of the critical data lifecycle. That's where you need to spend your money. Because the hackers know, you know, I mean, a cyber criminal, whether the man or woman or the organization, they're lazy. And I think some of your other guests have mentioned this on your show, Dave. You know, cyber criminals are lazy. They're going to go after and they're going to exploit the easiest place they can. Some of your guests have also mentioned recently, you know, entity behavior analytics,
Starting point is 00:15:29 user and entity behavior analytics, UEBA. I know you like to spell out your acronyms all the time. But that's where, you know, it's that behavior in your critical data process, in your critical process for the business, that's where you need to spend your money. And that's where the attackers are going to look to exploit the organization because that's the easiest path for them to get to either extorting you
Starting point is 00:15:55 or stealing your data or holding you hostage or whatever it is that they're after in your organization. It's either for love or money. Cyber criminals don't do anything other than for love or money, as far as I can tell. You know, it strikes me that a simple way to look at this, I can imagine people having an impulse to follow is, you know, you have that unlikely event that could be catastrophic on one end, and then you have the likely event that's not going to be that bad at the other end,
Starting point is 00:16:26 and then there's a spectrum of things in between. It strikes me that one of the things about this business is that that likely thing that doesn't seem so bad because of things like lateral movement and just the way these systems are kind of hosed up and connected, it can lead to much more serious things. Yes, it really does. And I like to also point out in an organization, when you're looking at cybersecurity and cyber controls and risk, where there is a lot of human interaction in a critical process. There are more in some parts of the organization than others. Take JML. So that stands for joiner,
Starting point is 00:17:07 mover, leaver. In all organizations you have JML activities. Someone joins, someone moves around within the organization, or they leave the organization. JML activities are a very, very high risk activity for the organization because that's when humans can be exploited. If they join the organization and you haven't checked them out well, but you give them high credentials and strong entitlements, you have a risk there. If they're moving into or out of a high-risk position where they have strong entitlements and they have a lot of access to your critical data, you need to be cognizant of that risk at that very point in time. That's where you need to spend the money. And of course,
Starting point is 00:17:52 leavers. You know, even though a person may leave an organization and you try to make sure that you change all the, you know, credentials and entitlements that that individual had. In that JML process, the leaver portion of JML tends to be the riskiest because that individual was an insider and they should be still considered an insider when you're looking at your controls for the leaver portion of the JML processes. Usually all of that happens in HR. So there are always critical processes in HR in every organization because you need people to do your work and provide your service.
Starting point is 00:18:33 That's James Dawson from IT Risk Advisory, LLC. CyberWire Pro subscribers can find an extended version of my conversation with James Dawson. It's on our website, thecyberwire.com. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping
Starting point is 00:19:16 unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Mike Benjamin. He's the head of Black Lotus Labs at CenturyLink. Mike, it's always great to have you back. We want to touch on a bit of malware that you all have been tracking, and you call it Alina. Yeah, so the Black Lotus Labs team here at CenturyLink, we do a lot of work on global DNS traffic. As I'm sure many folks are aware, DNS is a great indicator of things happening from a campaign perspective. And recently, we were looking through our data and found a pretty sizable anomaly in the usage of a particular set of domains. And upon diving in a little more deeply, we found that it was clearly exfiltrating data.
Starting point is 00:20:29 And you can tell that in DNS when there's a whole ton of queries to a single domain and every subdomain is different. That way DNS doesn't cache it and the information can be transferred all the way to the owner of the domain. And so as the team opened up that data and took a little closer look, what we were able to glean is that it was actually exfiltrating credit cards.
Starting point is 00:20:51 And so this particular malware family we're talking about is a point-of-sale malware. And DNS was the mechanism in which it was stealing all the credit cards, it was doing all its comms back to its C2, and the way it was maintaining that communication channel over time in what are often at least decently enclosed environments and secured environments where credit card processing is occurring. You know, we really seem to see that credit card processing or hitting those point of sale terminals, that's always an attractive target. It is. That's where the money is, right?
Starting point is 00:21:26 And so as long as people can make money off these credit cards, they are going to target them. And so, you know, over the years, we've seen everything from a small restaurant with a single computer in a back room being attacked to large companies that are, you know, hitting the front page as we see their point-of-sale machines infected with malware. So it's really a lucrative way for them to spend their time. As long as they can both successfully attack, extract the data, and then sell it somewhere, it's going to be a target. No matter how much work we do to prevent it, there's profit to be made. Can you take us through some of the details? How exactly
Starting point is 00:22:05 does Alina work? Yeah, so its persistence method looks very much like any other Windows malware. And so I think many folks know, but some may not, that a lot of point-of-sale machines are Windows computers. At the end of the day, they need to perform computing functions, and Windows is a platform commonly used, so why not use it for this as well? And so the malware gets installed through a variety of methods into the computer, persists, and sits there just monitoring memory. And thankfully, scraping memory is a little bit intensive, but at the end of the day, if they can scrape memory and look for a certain combination of numbers, of which credit card numbers look relatively distinct there's even an algorithm that can be used to validate that that string of numbers it finds is a credit card
Starting point is 00:22:50 it can then match it and then send it back over dns so as i mentioned it'll perform a dns look up with a very unique encoding therefore it's not cached and the actors run the authoritative name servers for that domain so every time a query comes in, it's unique, they get to see it, and they know how to decode it. And that's how they're extracting the credit cards and being able to persist across a network that may not allow outbound HTTP, may not allow a lot of outbound connectivity, but clearly it's allowing outbound DNS, and that's how they're being successful. Wow, I have to say that's pretty clever. DNS, and that's how they're being successful.
Starting point is 00:23:24 Wow, I have to say, that's pretty clever. Yeah, DNS exfiltration, you'll find, is a common tool for folks. When an outbound HTTP proxy prevents something from functioning or just doesn't allow HTTP, a lot of folks are still using name resolution even just for internal domains. And so as we think about ways to prevent such an attack, making sure that if an environment is intended to be closed off, DNS is a part of closing that off. It's really important. DNS can still be used on a localized basis to do things like resolve internal file shares and internal comms inside a network. It doesn't have to reach out to the internet in order to do that. And so that, along with a basic upkeep on an endpoint, at the end of the day, it's a Windows
Starting point is 00:24:10 computer. There's a lot of best practices on how to secure a Windows computer and how to monitor for malware, et cetera. Being able to do those two things can be really effective in preventing this kind of an infection from a point-of-sale malware perspective. All right. Well, Mike Benjamin, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:24:57 sign up for Cyber Wire Pro. It will save you time, keep you informed, and it softens hands while you do the dishes. You're soaking in it. Listen for us on your Alexa smart speaker, too. Be sure to check out Research Saturday and my conversation with Chaz Hobson from Quo Intelligence. We're going to be discussing four attacks that utilize various tools from the Golden Chickens malware as a service portfolio. That's Research Saturday. Check it out. Thank you. Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:25:51 Thanks for listening. We'll see you back here next week. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
